Georg Philip Krog started a post on LinkedIn with an interesting overview of EU policies, directives and regulations…
While the post is still under development (and growing), it might be interesting to get some more information on the list that Georg Philip created.
Furthermore, the original list is not clear on which legislation is in force and which is still in proposal / draft state.
Applicability to your business
Please consider that many of the rules and regulations below might apply directly to your business.
If not, then you might be impacted indirectly via the supply chain, where your customer or supplier is affected by the legislation. In that case, it is very likely that you will be forced to apply the rules by delegation or obligation of your customer/supplier.
In many cases, supply chain security will impose these rules on you, one way or another. Be ready.
The chapters below contain, in most cases, a short description or extract of the introduction, to evaluate what the act is about and whether it applies to your business.
More info on the list below
The list below does not keep the same ordering as originally posted by Georg Philip.
There is a split in
laws, regulations and directives focusing on cybersecurity
A “regulation” is a binding legislative act. It must be applied in its entirety across the EU.
For example: GDPR (General Data Protection Regulation).
A “directive” is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to devise their own laws on how to reach these goals.
EU primary law
CFREU (Charter of Fundamental Rights of the EU)
Reference by Georg Philip: Articles 7 and 8 CFREU
Article 7 – Respect for private and family life
“1. Everyone has the right to respect for his private and family life, his home and his correspondence. 2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.”
Article 8 – Protection of personal data
“1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority.”
“The Digital Markets Act (DMA) establishes a set of narrowly defined objective criteria for qualifying a large online platform as a so-called “gatekeeper”. This allows the DMA to remain well targeted to the problem that it aims to tackle as regards large, systemic online platforms.
These criteria will be met if a company:
has a strong economic position, significant impact on the internal market and is active in multiple EU countries
has a strong intermediation position, meaning that it links a large user base to a large number of businesses
has (or is about to have) an entrenched and durable position in the market, meaning that it is stable over time if the company met the two criteria above in each of the last three financial years”
Regulation 2021/887 establishing the European Cybersecurity Industrial, Technology and Research Competence Centre and the Network of National Coordination Centres
“1. The Competence Centre shall have the overall objective of promoting research, innovation and deployment in the area of cybersecurity in order to fulfil the mission as set out in Article 3.
2. The Competence Centre shall have the following specific objectives:
(a) enhancing cybersecurity capacities, capabilities, knowledge and infrastructure for the benefit of industry, in particular SMEs, research communities, the public sector and civil society, as appropriate;
(b) promoting cybersecurity resilience, the uptake of cybersecurity best practices, the principle of security by design, and the certification of the security of digital products and services, in a manner that complements the efforts of other public entities;
(c) contributing to a strong European cybersecurity ecosystem which brings together all relevant stakeholders”
Intelligent Transport Systems (ITS) directive (2010/40/EU)
“The proposal for a regulation on cybersecurity requirements for products with digital elements, known as the Cyber Resilience Act, bolsters cybersecurity rules to ensure more secure hardware and software products.”
Proposed EU Cyber Solidarity initiative and cyber reserve
EHDS “is a health-specific data sharing framework establishing clear rules, common standards and practices, infrastructures and a governance framework for the use of electronic health data by patients and for research, innovation, policy making, patient safety, statistics or regulatory purposes”
A while ago Microsoft moved from Docs (docs.microsoft.com) to Learn (learn.microsoft.com), but some older information might still point to the Docs links. In case the redirect fails, replace the docs prefix in the URL with learn and try again. If it still fails, Bing it and let me know.
Below you’ll find some useful collateral (add-on, extra) information for the #PECB #ISO27005 Lead Risk manager course, that you can use for extra learning, deep dive, or educational support.
IAF MD 26 Issue 2 was published on 15 February 2023, a few months after the publication of ISO 27001:2022 in October 2022. The main issue: the previous issue was already published in August, before the final version of ISO 27001…
So obviously an update was required.
[For your info: If you need some help on acronyms, see the end of this article…]
Some things were updated, but some were not.
The key topics to remember
What changed (green highlight) and what did not change (red highlight)?
Transition period is kept 3 years (36 months)
Initial certification and recertification by a CAB to begin no later than 18 months (was: 12 months) after the end of the month of publication (October 2022).
This means that you can still certify against the old standard (ISO 27001:2013) until 30 April 2024
After 30 April 2024 you can only certify against ISO 27001:2022.
(4.2 CAB actions)
Certification transition assessment shall include, at minimum:
an additional 1/2 day for a recertification audit
an additional 1 day for a surveillance or separate audit
All certifications based on ISO 27001:2013 shall expire or be withdrawn at the end of the transition period (3 years, October 2025).
But of course, I don’t need to tell you: as soon as your CAB is ready, you’d better upgrade your current certification to the newest version, 2022.
A quick recap
A bit more details of the MD 26 document
Ch1. Introduction
Normative document: ISO/IEC 27001:2022
Replacing: ISO/IEC 27001:2013
Current status (at time of MD publication): IS (International Standard)
Transition period: 3 years (36 months)
Ch2. Summary of key changes
§2.1 Background
Contains overview of ISO publication agenda from FDIS to IS
Did you know that
No more than two separate documents in the form of amendments shall be published modifying a current International Standard (see ISO/IEC Directive Part 1, 2022, Clause 2.10.3), therefore, the new edition of ISO/IEC 27001 had to be published after the preparation of ISO/IEC 27001:2013/DAmd1.
Source: IAF MD 26:2023
§2.2 Key changes (in ISO27001)
Source: MD26:2023
Annex A references the information security controls in ISO/IEC27002:2022, which includes the information of control title and control.
The notes of Clause 6.1.3 c) are revised editorially, including deleting the control objectives and using “information security control” to replace “control”.
The wording of Clause 6.1.3 d) is re-organized to remove potential ambiguity.
Adding a new item 4.2 c) to determine the requirements of the interested parties addressed through an information security management system (ISMS).
Adding a new subclause 6.3 – Planning for changes, which defines that the changes to the ISMS shall be carried out by the organization in a planned manner.
Keeping the consistency in the verb used in connection with documented information, for example, using “Documented information shall be available as evidence of XXX” in clauses 9.1, 9.2.2, 9.3.3 and 10.2.
Using “externally provided process, products or services” to replace “outsourced processes” in Clause 8.1 and deleting the term “outsource”.
Naming and reordering the subclauses in Clause 9.2 – Internal audit and 9.3- Management review.
Reorder of the two subclauses in Clause 10 – Improvement.
Updating the edition of the related documents listed in Bibliography, such as ISO/IEC 27002 and ISO 31000.
Some deviations in ISO/IEC 27001:2013 to the high-level structure, identical core text, common terms and core definitions of MSS are revised for consistency with the harmonized structure for MSS, for example, Clause 6.2 d)
§2.3 Impact
New annex A (as ISO 27002:2022 is published)
Annex is normative
Updated harmonized structure
Ch3. Key time scale
AB
ready to assess: 30 April 2023
initial assessment by AB: 30 April 2023
AB transition of CAB completed by 31 October 2023
CAB
initial and recertification against ISO 27001:2022 no later than 30 April 2024
transition of certified clients: 36 months, 31 October 2025
Ch4. Transition action process
§4.1 AB Action
Only interesting if you are an AB, see MD 26
§4.2 CAB Action
Is extra time likely to be needed for the transition? Yes.
1) Minimum of 0.5 auditor day for the transition audit when it is carried out in conjunction with a recertification audit.
2) Minimum of 1.0 auditor day for the transition audit when it is carried out in conjunction with a surveillance audit, or as a separate audit.
Important note:
When the certification document is updated because the client successfully completed only the transition audit, the expiration of its current certification cycle will not be changed.
All certifications based on ISO/IEC 27001:2013 shall expire or be withdrawn at the end of the transition period.
§4.3 Other
TLDR…
Acronyms
AB = Accreditation Body
CAB = Conformity Assessment Body, certification body
Ever thought of outsmarting phishing exercises and having Microsoft Outlook alert you to phishing test mails upfront?
You can.
In short
Set a mail rule that:
inspects the mail headers for X-PHISH and/or PHISHINGTEST tags…
moves the incoming mail to a folder
optionally flags the mail or sets a category
Steps
Create a mail rule
Step 1: Select condition
Set: “specific words in the message header”
Set the tags
X-PHISH
PHISHTEST
There might be some variations on these tags.
Additionally, if you know phishing test mails are sent from specific domains… add the domain/mail server
Step 2: move it to specified folder in your mailbox
Other options
Some other ideas: set mail alerts or use Power Automate to alert you… (but that’s for another article)
Disclaimer
Obviously this only works for these specific mail header tags; if phishing tests use different headers or another approach, you’ll need to adapt. Don’t take this solution for granted.
And worse, the real stuff… is still out there attacking you.
Stay alert, don’t click on mails and links you don’t expect!
Advanced
While you never should click on any suspicious mail, suspicious links or links in these mails… it still might be a good exercise and learning item to inspect the mail header info.
Look for anomalies such as:
the sender display name or published address not matching the mailbox address listed
a mismatch between the sender (From) and the Reply-To address
the mail server not matching the originating server in the Received chain
the mail domain not matching the originating domain
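As an added example (not code from the original post), the Python script below does offline what the Outlook rule and the manual header inspection above do: it scans the raw header block for the tag strings mentioned in the post, and then checks the four header mismatches just listed. The two sample messages, the domain names in them, the Received and Return-Path header values and the folder name “Phishing-Tests” are all constructed for illustration; the tag list is taken from the post and is meant to be extended when your test platform uses other variations.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header tokens named in the post that phishing-simulation platforms add; variations exist.
TEST_TAGS = ("X-PHISH", "PHISHINGTEST", "PHISHTEST")

# Constructed sample: a simulated phishing mail carrying a tag header.
SIMULATED_MAIL = """\
Received: from mx.corp.example (mx.corp.example [203.0.113.10]) by mail.corp.example; Mon, 1 Jan 2024 09:00:01 +0000
Received: from sim.phishtest.example (sim.phishtest.example [198.51.100.5]) by mx.corp.example; Mon, 1 Jan 2024 09:00:00 +0000
X-PHISH: campaign-42
From: IT Helpdesk <helpdesk@corp.example>
To: alice@corp.example
Subject: Password expiry notice

Your password expires today, click here to renew.
"""

# Constructed sample: no test tag, but several of the header mismatches the post lists.
SUSPICIOUS_MAIL = """\
Received: from mx.corp.example (mx.corp.example [203.0.113.10]) by mail.corp.example; Mon, 1 Jan 2024 10:00:01 +0000
Received: from bulk.mailer-example.net (bulk.mailer-example.net [198.51.100.77]) by mx.corp.example; Mon, 1 Jan 2024 10:00:00 +0000
Return-Path: <bounce@bulk.mailer-example.net>
From: "ceo@corp.example" <ceo.office@free-mail.example>
Reply-To: invoices@other.example
To: alice@corp.example
Subject: Urgent wire transfer

Please process the attached invoice today.
"""


def parse(raw):
    """Parse a raw RFC 5322 message; header values come back as plain strings."""
    return message_from_string(raw)


def header_block(msg):
    """Raw header text, which is what an Outlook 'specific words in the message header' rule scans."""
    return "\n".join(f"{name}: {value}" for name, value in msg.items())


def is_phishing_test(msg):
    """True when any known simulation tag appears anywhere in the headers (case-insensitive)."""
    text = header_block(msg).upper()
    return any(tag in text for tag in TEST_TAGS)


def domain_of(address):
    """Lower-cased domain part of 'Name <user@host>' or 'user@host' ('' if absent)."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower()


def originating_host(msg):
    """Host named in the earliest Received header; hops are prepended, so it is the last one."""
    hops = msg.get_all("Received") or []
    if not hops:
        return None
    match = re.search(r"\bfrom\s+([\w.-]+)", hops[-1])
    return match.group(1).lower() if match else None


def header_anomalies(msg):
    """Return the list of mismatches the post tells you to look for, in a fixed order."""
    found = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    # 1. display name pretends to be an address at another domain
    if "@" in display_name and display_name.rpartition("@")[2].lower() != from_domain:
        found.append("display name vs address mismatch")
    # 2. replies would go to a different domain than the visible sender
    if msg.get("Reply-To") and domain_of(msg["Reply-To"]) != from_domain:
        found.append("From vs Reply-To mismatch")
    # 3. bounces go elsewhere: envelope sender differs from the header sender
    if msg.get("Return-Path") and domain_of(msg["Return-Path"]) != from_domain:
        found.append("From vs Return-Path mismatch")
    # 4. the first mail server in the chain is not in the sender's domain
    host = originating_host(msg)
    if host and from_domain and host != from_domain and not host.endswith("." + from_domain):
        found.append("originating server outside sender domain")
    return found


def triage(raw):
    """Mirror the Outlook rule: tagged test mails go to their own folder (assumed name),
    everything else stays in the inbox; both come back with the anomalies found."""
    msg = parse(raw)
    folder = "Phishing-Tests" if is_phishing_test(msg) else "Inbox"
    return folder, header_anomalies(msg)


if __name__ == "__main__":
    for raw in (SIMULATED_MAIL, SUSPICIOUS_MAIL):
        print(triage(raw))
```

Note that the simulated mail is caught by the tag even though only one of the four checks fires on it, while the untagged mail trips all four; that is exactly why the post says the header rule is a convenience for test mails and not a defence against the real thing.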
Advisory – Best practice
If you suspect a mail to be the real thing, actual phishing, better report the mail as spam and forward it to your local CERT or local cybersecurity authority for analysis (and domain URL blocking)…
And message your security team they failed the phishing test 😉
Early last year ISO updated the ISO27002 to version 2022, putting the previous version to rest after almost 10 years.
ISO27002:2022, “Information security, cybersecurity and privacy protection — Information security controls”, provides a set of guidelines for generic information security controls. And in fact, it’s the foundation of the ISO27001 Annex A (remember, the annex is derived from ISO27002).
ISO27001:2022, published in October 2022, is a new landmark for information security and governance best practices and basics.
With the launch, there have been a lot of articles explaining what changed.
In numbers we went from 114 controls to 93, which looks like a compression but there are also 11 new controls added.
I explained this situation in an article I wrote early last year in #PECB Insights Magazine: here is the link
Most important : section “New controls in ISO/IEC 27002:2022”:
New as in, new named controls in ISO27002 version 2022… with explicit requirements. But if you look into them, you’ll discover you can perfectly fit them in the existing ISO27001:2013 version to protect your environment.
And you should have them implemented already a long time ago.
They are not new to protect your current environment against the current cyber threats.
But how do you map these new ISO27002/ISO27001:2022 controls in the existing 2013 implementation?
The quick and dirty overview
A bit more details
If you need a bit more explanation, check this XLS spreadsheet.
For the hardcore perfectionists: yes, ISO27002 does update and change some of the security controls, to be more modern.
Also, the structural approach in ISO27002 is now PPT, correction PPPT: Physical, People, Process and Technology (logical security tools).
But more importantly, the major changes are actually present in the ISO27001 management clauses, not really in ISO27002 (which is mostly a reshuffle). The most important updates are at the level of governance, compliance and audit.
And it will be more result based, related to risk.
Do you want to know what has changed significantly in the management processes? Have a look at the presentation I hosted with PECB:
So, there is some work to do, moving from ISO27001:2013 to ISO27001:2022…
But make your life easy, fix the ISMS implementation now, update your SoA using the ISO27002 translation tables. Watch out for the extra requirements in ISO27001 (As Koenraad Béroudiaux rightfully mentions on LinkedIn: check clause 4.4 and 8.1).
More info in the webinar.
Get ready!
It’s not perfect, send your feedback.
If you got improvement suggestions, let me know.
We can always make it better, together.
I’ll update the blog post and files with constructive suggestions.
Need more?
If you are curious about the topics below, let me know.
personal use spreadsheet for SoA mapping 2022 and 2013 version
personal use spreadsheet ISO27002:2022 categories to keep using the ISO27001, the same way you did before (organizing your ISMS with 14 business functions like management, HR, CISO, dev, legal, operations, …)
You know where to find me: here on LinkedIn, here on Twitter, by mail, or by direct message via Signal and others.
When you have smart devices at home, like smart TVs, you might notice that they are bypassing your internal DNS server, by using public internet DNS (like Google DNS).
And if you use a DNS black hole server like Pi-hole to protect your network against adware, malware and phishing, this is not a healthy situation, as these smart devices bypass your security.
Originally, I tried to implement the solution proposed and documented by Scott Helme.
But I ended up with a DNS lockdown (and killing my entire internet connection, due to blockage of DNS).
The solution documented by “Fiction becomes Fact” on this page, did the trick.
Apparently, since the 2018 version, some configuration items like the folder locations have changed…
Important: carefully verify the site folder location mentioned in the posts, where the config file must be uploaded. It has changed in newer Ubiquiti versions. (Currently: unifi/unifi/data/sites/default/)
Older articles might point to the wrong folders (I suppose it has recently changed with new versions of Ubiquiti…)
Just a few more important attention points:
in the newer version (dated October 2022) of the Ubiquiti interface, it looks like the topology does not support uploading maps anymore… so you can’t auto-create the site folder (to be confirmed). You need to create the folders manually, and set the owner/group permissions of the folders and config file yourself.
explicitly verify the owner settings of the newly created folders too
You can of course, apply this approach to other security solutions.
In essence:
all DNS traffic leaving through your firewall must come from your (Pi-hole) DNS server
DNS traffic from any other device is redirected to that DNS server
the DNS server logs, manages and filters (blocks/allows) the DNS requests
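Once the redirect is in place, a practitioner wants to know that it actually fires, and which devices keep trying to talk to a public resolver. The Python script below is an added example, not part of the original post or of the Ubiquiti configuration it links to: it assumes the gateway logs every packet hitting the redirect rule with a netfilter-style LOG line (the prefix “DNS-REDIRECT:” and the Pi-hole address 192.168.1.2 are assumptions you would adapt) and summarises, per client, which external resolvers it attempted to reach. The sample log lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Assumed Pi-hole address; its own upstream queries are the only DNS allowed to leave.
PIHOLE_IP = "192.168.1.2"

# Constructed sample of netfilter LOG output as a gateway writes it to syslog.
# The "DNS-REDIRECT:" prefix is the label assumed to be set on the redirect/log rule.
SAMPLE_LOG = """\
Oct 12 08:01:02 gw kernel: DNS-REDIRECT: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=8.8.8.8 LEN=60 PROTO=UDP SPT=51234 DPT=53 LEN=40
Oct 12 08:01:05 gw kernel: DNS-REDIRECT: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=8.8.4.4 LEN=60 PROTO=UDP SPT=51235 DPT=53 LEN=40
Oct 12 08:02:10 gw kernel: DNS-REDIRECT: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:cc:08:00 SRC=192.168.1.77 DST=1.1.1.1 LEN=60 PROTO=TCP SPT=40000 DPT=53
Oct 12 08:02:30 gw kernel: DNS-REDIRECT: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:dd:08:00 SRC=192.168.1.2 DST=9.9.9.9 LEN=60 PROTO=UDP SPT=53000 DPT=53
Oct 12 08:03:00 gw kernel: OTHER-RULE: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:cc:08:00 SRC=192.168.1.77 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=40001 DPT=443
"""

# Fields of interest in a netfilter LOG line; the prefix is whatever label the rule was given.
LINE_RE = re.compile(
    r"(?P<prefix>[A-Z0-9_-]+): .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def bypass_attempts(log_text, prefix="DNS-REDIRECT", pihole_ip=PIHOLE_IP):
    """Map each client that tried to use an external resolver to a {resolver: hits} dict.

    Only lines carrying the redirect rule's prefix and destination port 53 count; traffic
    from the Pi-hole itself is skipped because that is the one source allowed to leave.
    """
    per_client = defaultdict(Counter)
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match or match.group("prefix") != prefix or match.group("dpt") != "53":
            continue
        if match.group("src") == pihole_ip:
            continue
        per_client[match.group("src")][match.group("dst")] += 1
    return {client: dict(hits) for client, hits in per_client.items()}


def top_offenders(log_text, **kwargs):
    """Clients ordered by total redirected DNS packets, most talkative first."""
    attempts = bypass_attempts(log_text, **kwargs)
    return sorted(attempts, key=lambda c: -sum(attempts[c].values()))


if __name__ == "__main__":
    for client in top_offenders(SAMPLE_LOG):
        print(client, bypass_attempts(SAMPLE_LOG)[client])
```

A device that shows up here repeatedly is one whose hardcoded resolver the redirect is silently overriding; that is the expected outcome of the setup, but the list is also where you would notice a device switching to DNS over TLS on port 853 or DNS over HTTPS, which a port-53 redirect does not catch.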
If you’re in my community and professional network you must have witnessed a wave of Microsoft MVP #mvpbuzz announcements and notifications in early July on the various social media, Twitter, LinkedIn, blogs… a bit later than usual this year.
I was part of it, but due to personal reasons and summer vacation early July, I only had time till now to process it…
Certainly this year is a special year for me, a lot of things have changed professionally. And when another special award disk dropped in the mail box just a few days ago, I can proudly announce that I’m honored to be awarded the Microsoft MVP award for the 10th time. You work hard for it, hope for it, but never know if you have met the tough expectations.
[If you want to know more about the Microsoft MVP award, check this page on the MVP site. It’s a reward for a select expert community with great passion for Microsoft technologies, for all community efforts for last year.]
Honestly, it’s not about these white and blue glass disks, but appreciation for the passion and effort in the Microsoft community, to be recognized for the passion in Microsoft Security, more specifically Identity & Access.
And I certainly welcome the program change where the group of MVP “Enterprise Mobility” now moved to MVP Security, which aligns better with reality, what I stand for.
But I could never have achieved this without the great help and support of you, my audience. So I want to thank you, more than 10x, for this.