A18 Compliance

00:02

11.14

00:05

18 Compliance.

00:11

In this video, we will cover an understanding of control. Sit A 18.

00:17

The controls that make up this controls it and what they entail,

00:22

as well as examples off evidence and documentation that will support audits

00:28

related to your ISMs

00:37

controls it. A 18 compliance

00:41

is made up of two control areas.

00:44

The first one is a 18.1

00:48

compliance with legal and contractual requirements.

00:52

This is made up of five controls.

00:56

The first control is

00:58

a 18.1 point one

01:00

identification off applicable legislation and contractual requirements.

01:07

What this control says

01:10

is that all relevant legislative, statutory, regulatory and contractual requirements,

01:17

as well as how your organization will meet these requirements,

01:21

must be explicitly defined and documented.

01:27

This must be done. I d. D for each information system

01:32

and must be kept up to date

01:34

if you remember all the way back to close four in your eyes. So 27,001 standard.

01:42

One of the requirements there was to identify your contractual and legal requirements

01:48

so you can see how they are elements off the management system,

01:52

which leverages off existing controls in your control set

01:59

18.1 point two

02:00

intellectual property rights.

02:05

It is important for your organization

02:07

to determine appropriate procedures

02:09

and implement these procedures to ensure compliance

02:14

with legislative, regulatory and contractual requirements

02:19

that pertain to intellectual property rights

02:22

as well as the use of proprietary software products.

02:27

So this control will relate to how you, as an organization,

02:30

protect your own intellectual property rights.

02:35

This is how you ensure that you don't in

02:39

interfere on the property rights off other companies.

02:44

Infringe. That was the word I was looking for.

02:47

Um,

02:49

it is important that you don't permit Pirated software within your organization

02:54

and that proprietary software that you make use off is appropriately licensed and valid. We use

03:05

18.1 point three

03:07

protection of records.

03:10

Records must be protected from Los

03:14

destruction

03:15

falsification,

03:17

unauthorized access

03:21

disclosures,

03:23

and this must be done in accordance

03:25

with legislator, regulatory contractual as well as business requirements.

03:32

This is an especially important control area now,

03:36

given all of the privacy legislation

03:38

that has come out in recent years,

03:44

this control is a broad control in nature,

03:49

and it basically states that for your organization, you need to identify any external regulation or legislation

03:57

regarding your protection or records, whether it is proprietary information

04:01

or personally identifiable information,

04:08

a 18.1 point four

04:11

privacy and protection off personally identifiable information.

04:15

As we can see because this is such an important topic, there is a control dedicated to the specifically,

04:23

even though some elements off this overlap into other controls as well.

04:29

It is important it is important to understand which privacy legislation is applicable to your organization.

04:36

It is not necessarily just the privacy legislation within your own country that you need to worry about.

04:44

If you're interacting with information from citizens from different countries,

04:49

you may need to comply to the privacy legislation off those specific countries.

04:56

This is true

04:57

for the European Union. Most notably

05:01

with the implementation of GDP are

05:08

a 18.1 point five

05:11

regulation of cryptographic controls.

05:15

Again, here is another control pertaining to cryptography.

05:21

The previous section,

05:24

which was control, said a 10 cryptography

05:29

pertains to how you as an organization set your policies and manage your own cryptographic controls.

05:34

The difference between a 10 and A 18.1 point five

05:42

is your organization needs to determine

05:46

what the relevant agreements, compliance or legislation and regulations are with regards to cryptographic controls

05:54

and to ensure that your organization is using these controls in line with these

05:59

requirements,

06:02

The second control area is a 18.2

06:06

information security reviews.

06:11

This consists of three controls.

06:14

The first control is 18.2 point one

06:18

independent review off information security.

06:26

This control specifies

06:28

that the organization's approach to managing information security and its implementation

06:34

must be reviewed

06:36

independently

06:39

planned intervals or when significant changes occur.

06:46

This covers any type of independent review that your organization would need to undertake With regards to information security.

06:54

It is important that key controls receive an independent review

06:59

so that you can improve these controls were necessary

07:02

and identify potential shortcomings

07:05

that are difficult to identify.

07:09

Being within your own organization,

07:14

18.2 point two

07:16

is compliance with security policies and standards.

07:21

Managers shall regularly review the compliance off information processing and procedures within their area of responsibility

07:30

with the appropriate security policies, standards and any other security requirements.

07:38

What does control says simply,

07:41

is that your managers in various departments

07:44

need to have a role to actively review and ensure compliance to the various policies and procedures,

07:51

an information security requirements that your organization has set forth

08:00

18.2 point three

08:03

technical compliance review.

08:05

This control states that information's

08:09

must be regularly reviewed for compliance with the organization's information security policies and standards.

08:18

We normally rely on orders to tell us this information,

08:22

but it is important that your organization establishes its own compliance monitoring function

08:28

to make sure the compliance checks are regularly performed

08:33

and that personal departments, hardware and software

08:39

are all remaining compliant to the various policies

08:41

and security baselines that have been established to govern them.

08:56

In this lesson,

08:58

we covered the to control areas that make up control, said a 18 complaints.

09:05

We examine the various controls contained in this clause

09:09

and what these controls mean,