A18 Compliance


Time: 7 hours 56 minutes
Difficulty: Intermediate
CEU/CPE: 8
Video Transcription
00:02
11.14
00:05
A.18 Compliance.
00:11
In this video, we will cover an understanding of control set A.18,
00:17
the controls that make up this control set and what they entail,
00:22
as well as examples of evidence and documentation that will support audits
00:28
related to your ISMS.
00:37
Control set A.18, Compliance,
00:41
is made up of two control areas.
00:44
The first one is A.18.1,
00:48
compliance with legal and contractual requirements.
00:52
This is made up of five controls.
00:56
The first control is
00:58
A.18.1.1,
01:00
identification of applicable legislation and contractual requirements.
01:07
What this control says
01:10
is that all relevant legislative, statutory, regulatory and contractual requirements,
01:17
as well as how your organization will meet these requirements,
01:21
must be explicitly defined and documented.
01:27
This must be done for each information system
01:32
and must be kept up to date.
01:34
If you remember all the way back to clause 4 in your ISO 27001 standard,
01:42
one of the requirements there was to identify your contractual and legal requirements,
01:48
so you can see how they are elements of the management system,
01:52
which leverages off existing controls in your control set.
01:59
A.18.1.2,
02:00
intellectual property rights.
02:05
It is important for your organization
02:07
to determine appropriate procedures
02:09
and implement these procedures to ensure compliance
02:14
with legislative, regulatory and contractual requirements
02:19
that pertain to intellectual property rights
02:22
as well as the use of proprietary software products.
02:27
So this control will relate to how you, as an organization,
02:30
protect your own intellectual property rights.
02:35
This is how you ensure that you don't
02:39
interfere on the property rights of other companies.
02:44
Infringe. That was the word I was looking for.
02:47
Um,
02:49
it is important that you don't permit pirated software within your organization
02:54
and that proprietary software that you make use of is appropriately licensed and valid.
03:05
A.18.1.3,
03:07
protection of records.
03:10
Records must be protected from loss,
03:14
destruction,
03:15
falsification,
03:17
unauthorized access
03:21
and disclosure,
03:23
and this must be done in accordance
03:25
with legislative, regulatory, contractual as well as business requirements.
03:32
This is an especially important control area now,
03:36
given all of the privacy legislation
03:38
that has come out in recent years.
03:44
This control is a broad control in nature,
03:49
and it basically states that for your organization, you need to identify any external regulation or legislation
03:57
regarding your protection of records, whether it is proprietary information
04:01
or personally identifiable information.
04:08
A.18.1.4,
04:11
privacy and protection of personally identifiable information.
04:15
As we can see, because this is such an important topic, there is a control dedicated to this specifically,
04:23
even though some elements of this overlap into other controls as well.
04:29
It is important to understand which privacy legislation is applicable to your organization.
04:36
It is not necessarily just the privacy legislation within your own country that you need to worry about.
04:44
If you're interacting with information from citizens from different countries,
04:49
you may need to comply with the privacy legislation of those specific countries.
04:56
This is true
04:57
for the European Union most notably,
05:01
with the implementation of GDPR.
05:08
A.18.1.5,
05:11
regulation of cryptographic controls.
05:15
Again, here is another control pertaining to cryptography.
05:21
The previous section,
05:24
which was control set A.10, Cryptography,
05:29
pertains to how you as an organization set your policies and manage your own cryptographic controls.
05:34
The difference between A.10 and A.18.1.5
05:42
is your organization needs to determine
05:46
what the relevant agreements, compliance or legislation and regulations are with regards to cryptographic controls
05:54
and to ensure that your organization is using these controls in line with these
05:59
requirements.
06:02
The second control area is A.18.2,
06:06
information security reviews.
06:11
This consists of three controls.
06:14
The first control is A.18.2.1,
06:18
independent review of information security.
06:26
This control specifies
06:28
that the organization's approach to managing information security and its implementation
06:34
must be reviewed
06:36
independently at
06:39
planned intervals or when significant changes occur.
06:46
This covers any type of independent review that your organization would need to undertake with regards to information security.
06:54
It is important that key controls receive an independent review
06:59
so that you can improve these controls where necessary
07:02
and identify potential shortcomings
07:05
that are difficult to identify
07:09
being within your own organization.
07:14
A.18.2.2
07:16
is compliance with security policies and standards.
07:21
Managers shall regularly review the compliance of information processing and procedures within their area of responsibility
07:30
with the appropriate security policies, standards and any other security requirements.
07:38
What this control says, simply,
07:41
is that your managers in various departments
07:44
need to have a role to actively review and ensure compliance with the various policies and procedures,
07:51
and information security requirements that your organization has set forth.
08:00
A.18.2.3,
08:03
technical compliance review.
08:05
This control states that information systems
08:09
must be regularly reviewed for compliance with the organization's information security policies and standards.
08:18
We normally rely on auditors to tell us this information,
08:22
but it is important that your organization establishes its own compliance monitoring function
08:28
to make sure the compliance checks are regularly performed
08:33
and that personnel, departments, hardware and software
08:39
are all remaining compliant with the various policies
08:41
and security baselines that have been established to govern them.
08:56
In this lesson,
08:58
we covered the two control areas that make up control set A.18, Compliance.
09:05
We examined the various controls contained in this clause
09:09
and what these controls mean,
09:11
and we covered a couple of examples for each of these controls.
ISO 27001:2013 - Information Security Management Systems

The ISO 27001:2013 - Information Security Management Systems course provides students with insights into the detail and practical understandings meant by the various clauses in the ISO 27001 Standard.