In this video, we will cover an understanding of control set A.18,
the controls that make up this control set and what they entail,
as well as examples of evidence and documentation that will support audits
related to your ISMS.
Control set A.18, compliance,
is made up of two control areas.
The first one is A.18.1,
compliance with legal and contractual requirements.
This is made up of five controls.
The first control is
identification of applicable legislation and contractual requirements.
What this control says
is that all relevant legislative, statutory, regulatory and contractual requirements,
as well as how your organization will meet these requirements,
must be explicitly defined and documented.
This must be done for each information system
and must be kept up to date.
If you remember all the way back to clause 4 in your ISO 27001 standard,
one of the requirements there was to identify your contractual and legal requirements,
so you can see how these elements of the management system
leverage existing controls in your control set.
The second control is intellectual property rights.
It is important for your organization
to determine appropriate procedures
and implement these procedures to ensure compliance
with legislative, regulatory and contractual requirements
that pertain to intellectual property rights
as well as the use of proprietary software products.
So this control will relate to how you, as an organization,
protect your own intellectual property rights.
This is also how you ensure that you don't infringe on the intellectual property rights of other companies.
It is important that you don't permit pirated software within your organization
and that proprietary software that you make use of is appropriately licensed and valid.
The third control is protection of records.
Records must be protected from loss,
and this must be done in accordance
with legislative, regulatory and contractual as well as business requirements.
This is an especially important control area now,
given all of the privacy legislation
that has come out in recent years,
This control is broad in nature,
and it basically states that your organization needs to identify any external regulation or legislation
regarding the protection of records, whether it is proprietary information
or personally identifiable information.
The fourth control is privacy and protection of personally identifiable information.
As we can see, because this is such an important topic, there is a control dedicated to it specifically,
even though some elements of this overlap into other controls as well.
It is important to understand which privacy legislation is applicable to your organization.
It is not necessarily just the privacy legislation within your own country that you need to worry about.
If you're interacting with information from citizens of different countries,
you may need to comply with the privacy legislation of those specific countries,
most notably, for the European Union,
with the implementation of the GDPR.
The fifth control is regulation of cryptographic controls.
Again, here is another control pertaining to cryptography.
The previous section,
which was control set A.10, cryptography,
pertains to how you as an organization set your policies and manage your own cryptographic controls.
The difference between A.10 and A.18.1.5
is that your organization needs to determine
what the relevant agreements, compliance obligations, legislation and regulations are with regard to cryptographic controls,
and to ensure that your organization is using these controls in line with them.
The second control area is A.18.2,
information security reviews.
This consists of three controls.
The first control is A.18.2.1,
independent review of information security.
This control specifies
that the organization's approach to managing information security and its implementation
must be reviewed independently at planned intervals or when significant changes occur.
This covers any type of independent review that your organization would need to undertake with regard to information security.
It is important that key controls receive an independent review
so that you can improve these controls where necessary
and identify potential shortcomings
that are difficult to identify from within your own organization.
The second control, A.18.2.2,
is compliance with security policies and standards.
Managers shall regularly review the compliance of information processing and procedures within their area of responsibility
with the appropriate security policies, standards and any other security requirements.
What this control says, simply,
is that your managers in various departments
need to have a role to actively review and ensure compliance with the various policies, procedures
and information security requirements that your organization has set forth.
The third control, A.18.2.3, is technical compliance review.
This control states that information systems
must be regularly reviewed for compliance with the organization's information security policies and standards.
We normally rely on auditors to tell us this information,
but it is important that your organization establishes its own compliance monitoring function
to make sure the compliance checks are regularly performed
and that personnel, departments, hardware and software
all remain compliant with the various policies
and security baselines that have been established to govern them.
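One shape such a compliance monitoring function can take, as an added illustration that is not part of the video or of the ISO 27001 standard: a security baseline is compared against a captured host configuration, and every deviation is recorded as a finding that can be filed as A.18.2.3 evidence. All hostnames, settings, policy identifiers and values are constructed samples.

```python
"""Technical compliance check producing A.18.2.3 evidence.

Added illustration, not from the video or the ISO 27001 standard. A
security baseline is compared with a captured host configuration and
every deviation becomes a finding. All hosts, settings, policy ids and
values are constructed samples."""

# Constructed baseline: setting -> expected value and the (assumed)
# internal policy clause it traces to. "op": "max" means actual <= expected.
BASELINE = {
    "ssh.password_auth":  {"expect": "no",  "policy": "POL-ACC-04"},
    "tls.min_version":    {"expect": "1.2", "policy": "POL-CRY-02"},
    "audit.logging":      {"expect": "on",  "policy": "POL-LOG-01"},
    "patch.max_age_days": {"expect": 30,    "policy": "POL-VUL-03", "op": "max"},
}

# Constructed snapshot as a configuration-collection job might return it.
SNAPSHOT = {
    "host": "app-01.example.internal",
    "collected": "2024-05-01",
    "settings": {
        "ssh.password_auth": "yes",
        "tls.min_version": "1.2",
        "audit.logging": "on",
        "patch.max_age_days": 45,
    },
}


def evaluate(baseline, snapshot):
    """Return (findings, checked). A setting absent from the snapshot is a
    finding too: unknown state cannot be shown compliant to an auditor."""
    findings = []
    for key, rule in baseline.items():
        actual = snapshot["settings"].get(key)
        if rule.get("op") == "max":
            ok = actual is not None and actual <= rule["expect"]
        else:
            ok = actual == rule["expect"]
        if not ok:
            findings.append({"host": snapshot["host"], "date": snapshot["collected"],
                             "control": "A.18.2.3", "policy": rule["policy"],
                             "setting": key, "expected": rule["expect"], "actual": actual})
    return findings, len(baseline)


def compliance_rate(baseline, snapshot):
    """Percentage of baseline checks passed, for the monitoring record."""
    findings, checked = evaluate(baseline, snapshot)
    return round(100 * (checked - len(findings)) / checked, 1)
```

Run against the sample snapshot, the password-authentication and patch-age checks fail, giving two findings out of four checks; the findings list is the record an auditor would expect the monitoring function to retain.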
In this video, we covered the two control areas that make up control set A.18, compliance.
We examined the various controls contained in this clause
and what these controls mean,
and we covered a couple of examples for each of these controls.