A5 Information Security Policies


Time
7 hours 56 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
00:01
Module 11
00:06
During Module 11 we will cover Annex A,
00:09
which is all about the controls in ISO 27002.
00:14
There are a total of 114 controls in this section,
00:19
and something worthwhile to note here is that your ISO 27001 auditors
00:24
may want to see any other audits that you have been through.
00:28
For example, information security controls audits
00:32
or IT audits.
00:34
The outcome of these audits and their reflection on your current control landscape and strength
00:39
will be reflected in your auditor's ISO 27001 audit results.
00:45
Having a robust ISMS but controls that are not adequately designed, implemented or operating effectively,
00:53
especially if this is true for the majority of controls,
00:56
could be a concern for your auditor.
01:03
Lesson 11.1
01:07
A.5 Information Security Policies
01:14
In this video, we will cover an understanding of control set A.5 in relation to your ISMS.
01:22
A.5 is the first control set in the ISO 27002 controls framework.
01:36
So I think we all pretty much know that every information security program will have some or other information security policy.
01:44
You've probably seen those policies in your organization, whether you work in the security team or not.
01:49
Control A.5.1.1
01:53
is the first control in the Annex A set of controls,
01:57
which is also known as ISO 27002.
02:01
It states that the organization should have an information security policy in place
02:07
as well as other necessary policies to address the other areas of information security.
02:15
It is up to you to decide if you want one large policy, which includes policy statements for all areas of information security
02:23
or if you want to split these areas up.
02:28
A.5.1
02:30
consists of two controls,
02:32
being A.5.1.1, Policies for information security,
02:38
and A.5.1.2,
02:40
Review of the policies for information security.
02:46
The auditors during your ISO internal audits, as well as your external certification audits,
02:53
will want to see the evidence around these policies.
02:58
The second control, which is the review of policies for information security,
03:02
pertains to the review of policies
03:06
as well as ensuring that the policies are communicated on a regular basis to employees.
03:12
The relevant policy should also be made available to staff.
03:15
Generally, this is done through your organization's intranet or document portal.
03:21
During the audits,
03:23
the auditor will want to see a history of the policies being reviewed.
03:27
How you do this is up to you.
03:29
One of the most common examples of this is maintaining a review history on the document itself,
03:35
which details when the document was reviewed,
03:38
by whom,
03:38
the changes that were made, if there were any,
03:42
as well as the approval.
03:45
The auditor will most likely want to review a sample of your policy documents
03:49
for this, so be sure to be consistent in recording and maintaining this information.
03:55
The auditor will also want to see evidence that you have communicated this policy to staff
04:00
and that there has been some kind of acknowledgement by staff
04:04
that they understand and accept the contents of the policy.
04:10
This can be done by an electronic sign-off,
04:13
similar to when you accept the terms and conditions of a product that you're using,
04:18
or through a formal,
04:20
physically signed document.
04:31
To summarize,
04:33
we looked at the control area that makes up control set A.5, Information security policies,
04:40
and that it is not just about having policies in place
04:43
but ensuring that these policies are regularly reviewed and communicated to staff.
ISO 27001:2013 - Information Security Management Systems

The ISO 27001:2013 - Information Security Management Systems course provides students with insights into the detail and practical understanding of the various clauses in the ISO 27001 Standard.