A5 Information Security Policies

00:01

module 11

00:06

during Module 11 will cover an extra A,

00:09

which is all about the controls in ISO 27,000 and two.

00:14

There are a total of 114 controls in this section

00:19

and something worthwhile to note here. Is that your eye? So 27,000 and one auditors

00:24

may want to see any other orders that you have been through.

00:28

For example, information security controls, audits

00:32

or I T orders.

00:34

The outcome of these orders and their reflection on your current control landscape and strength

00:39

will be affected in your auditors. I. So 27,001 ordered results

00:45

having a robust ice amiss. But controls that are not adequately designed, implemented or operating effectively,

00:53

especially if this is true for the majority of controls,

00:56

could be a concern for your auditor.

01:03

Listen. 11.1

01:07

a five Information security policies

01:14

In this video, we will cover on understanding of Control. Set a five in relation to your ice Amis.

01:22

A five is the first control set in the ice 0 27,002 controls framework.

01:36

So I think we all pretty much know that every information security program will have some or other information security policy.

01:44

You've probably seen those policies in your organizations whether you work in the security team or not

01:49

control A 5.1 point one

01:53

is the first control in the in extra A off controls,

01:57

which is also known as ISIS 27,000 and two.

02:01

The states. That organization should have an information security policy in place

02:07

as well as other necessary policies to address the other areas of information security.

02:15

It is up to you to decide if you want one large policy, which includes policy statements for all areas of information security

02:23

or if you want to split these areas up.

02:28

A 5.1

02:30

consists of two controls

02:32

being a 5.1 point one policies for information security

02:38

and a 5.1 point two

02:40

review off the policies for information security,

02:46

the auditors during your eyes, so internal audits as well as your external certification orders.

02:53

We'll want to see the evidence around these policies.

02:58

The Second Control, which is the review of Policies for Information security,

03:02

pertains to the review off policies

03:06

as well as ensuring that the policies are communicated on a regular basis to employees.

03:12

The relevant policy should also be made available to staff.

03:15

Generally, this is done through your organization's Internet or document portal.

03:21

During the orders,

03:23

the orderto will want to see a history of the policies being reviewed.

03:27

How you do this is up to you.

03:29

One of the most common examples of this is maintaining a review and history on the document itself,

03:35

which details when the document was reviewed

03:38

by whom

03:38

the changes that were made, if there were any

03:42

as well as the approval,

03:45

the order to almost likely want to review a sample of your policy documents

03:49

for this, So be sure to be consistent in recording and maintaining this information.

03:55

The auditor will also want to see evidence that you have communicated this policy to staff

04:00

and that there has been some kind of acknowledgement by staff

04:04

that they understand and accept the contents off the policy.

04:10

This can be done by an electronic sign off

04:13

similar to win, you accept the terms and conditions off a product that you're using

04:18

or through a formal,

04:20

physically based document. Sign off

04:31

to summarize.

04:33

We looked at the control area that makes up control, said a five information security policies

04:40

and that it is not just about having policies in place