during Module 11 will cover an extra A,
which is all about the controls in ISO 27,000 and two.
There are a total of 114 controls in this section
and something worthwhile to note here. Is that your eye? So 27,000 and one auditors
may want to see any other orders that you have been through.
For example, information security controls, audits
The outcome of these orders and their reflection on your current control landscape and strength
will be affected in your auditors. I. So 27,001 ordered results
having a robust ice amiss. But controls that are not adequately designed, implemented or operating effectively,
especially if this is true for the majority of controls,
could be a concern for your auditor.
a five Information security policies
In this video, we will cover on understanding of Control. Set a five in relation to your ice Amis.
A five is the first control set in the ice 0 27,002 controls framework.
So I think we all pretty much know that every information security program will have some or other information security policy.
You've probably seen those policies in your organizations whether you work in the security team or not
control A 5.1 point one
is the first control in the in extra A off controls,
which is also known as ISIS 27,000 and two.
The states. That organization should have an information security policy in place
as well as other necessary policies to address the other areas of information security.
It is up to you to decide if you want one large policy, which includes policy statements for all areas of information security
or if you want to split these areas up.
consists of two controls
being a 5.1 point one policies for information security
review off the policies for information security,
the auditors during your eyes, so internal audits as well as your external certification orders.
We'll want to see the evidence around these policies.
The Second Control, which is the review of Policies for Information security,
pertains to the review off policies
as well as ensuring that the policies are communicated on a regular basis to employees.
The relevant policy should also be made available to staff.
Generally, this is done through your organization's Internet or document portal.
the orderto will want to see a history of the policies being reviewed.
How you do this is up to you.
One of the most common examples of this is maintaining a review and history on the document itself,
which details when the document was reviewed
the changes that were made, if there were any
as well as the approval,
the order to almost likely want to review a sample of your policy documents
for this, So be sure to be consistent in recording and maintaining this information.
The auditor will also want to see evidence that you have communicated this policy to staff
and that there has been some kind of acknowledgement by staff
that they understand and accept the contents off the policy.
This can be done by an electronic sign off
similar to win, you accept the terms and conditions off a product that you're using
or through a formal,
physically based document. Sign off
We looked at the control area that makes up control, said a five information security policies
and that it is not just about having policies in place
but ensuring that these policies are regularly reviewed and communicated to staff.