Reading the GRC tea leaves – Common themes from recent major updates to ISO 27001, NIST CSF, and PCI DSS

Thursday 28 November, 1:00 pm - 1:40 pm

Speakers

Elliot Dellys

Chief Realist (CEO)
Phronesis Security

Synopsis

There’s an art to reading between the lines whenever a security framework receives a major update – after all, each modified control is the output of a million little shifts in technology, threat actors, adversary behaviours, geopolitics, vendor offerings, operational limitations, and business processes.

As such, when ISO 27001, PCI DSS and the NIST CSF all receive their first major overhaul in a decade, there’s a wealth of value in dissecting the common trends – and the differences – in the approach each one takes.

As an IRAP Assessor, PCI QSA, and ISO 27001 Lead Auditor, I spend much of my time helping organisations meet these compliance mandates in the most cost-effective manner possible. Key to this is understanding the intersection between a business’s unique risk exposure, and the common requirements of a myriad of security frameworks and compliance standards.

This session will look at the common themes in the 2022, 2023 and 2024 updates to ISO 27001, PCI DSS and the NIST CSF respectively, including enhanced governance at the System Owner and administrator level, an increasing emphasis on threat intelligence, more focus on communications (the eternally underappreciated security control!), clearer guidance on performance metrics, more consideration of third parties, and a more pragmatic approach to deviating from ‘defined approaches’ where cyber risk is well understood and managed.

If you have to comply with these frameworks, are wondering what’s on the horizon, are looking to implement ISO 27001, PCI DSS or NIST CSF in your organisation, or just want to know what might be behind all these control changes – then this session is for you!

Acknowledgement of Country

We acknowledge the traditional owners and custodians of country throughout Australia and acknowledge their continuing connection to land, waters and community. We pay our respects to the people, the cultures and the elders past, present and emerging.