Awareness with Regards to the ISMS


Time: 7 hours 56 minutes
Difficulty: Intermediate
CEU/CPE: 8
Video Transcription
00:01
Lesson 5.3: Awareness
00:06
In this video we will cover awareness and what the standard requires with regards to awareness,
00:12
awareness regarding nonconformities,
00:15
and the required documentation for awareness.
00:22
So in the previous section we spoke about competence and one of the ways to achieve this was through information security awareness sessions.
00:31
Now,
00:32
my personal point of view is that there could be two flavors of information security awareness within an ISMS aligned to ISO 27001.
00:41
There would be your usual information security awareness training,
00:45
and then the standard requires specific activities to be performed with regards to maintaining awareness
00:51
with regards to the ISMS specifically.
00:55
The lines in this can, of course, be blurred,
00:58
and awareness on risks and controls can most certainly also cover elements of the ISMS.
01:03
It is up to you how you want to split up your awareness training.
01:07
The auditor, if you're going for a certification audit,
01:11
would want to see evidence that staff are being made aware of your information security controls in general,
01:18
as well as progress on
01:19
key items in your ISMS implementation and maintenance.
01:26
For example,
01:27
communication to your staff regarding the ISMS at regular intervals is a good way to demonstrate this.
01:34
Training and discussions with staff on how to perform their responsibilities with regards to the ISMS is another example.
01:42
For example,
01:44
if your Finance Department has been given specific goals to achieve with regards to information security,
01:49
it is important that they firstly understand what these goals mean,
01:53
that they understand how to implement and enforce these goals within their processes,
01:59
and that they are equipped with the knowledge of how to monitor the achievement of these goals.
02:05
This touches on many other clauses too,
02:07
but it is important that personnel
02:12
designated with reporting on or supporting the ISMS in some or other way are made aware of what this entails,
02:19
as well as how to practically deliver on this.
02:23
It is also important that personnel understand where the information security policy is located,
02:28
what the policy entails,
02:30
and that they must also sign some form of document, either paper or electronic,
02:35
which shows that the user has confirmed understanding of the policy content.
02:40
Just to recap on the two types of awareness,
02:44
there is awareness regarding information security in general,
02:47
for example, phishing risks,
02:51
malicious software,
02:52
your controls in place, risks, policies, etcetera,
02:55
and more specialized awareness sessions relating to the ISMS directly
03:00
and ways in which personnel are required to support the achievement of ISMS goals and objectives.
03:09
There is also awareness regarding nonconformity.
03:14
It is important to ensure that the audience understands, firstly, what a nonconformity is.
03:21
You would then want them to understand what a nonconformity means to them as an individual.
03:25
This would generally be handled by your disciplinary procedures related to the nature of the nonconformity.
03:32
It is important to make users and participants in the ISMS aware that nonconformities have ripple effects greater than just disciplinary action.
03:42
Major nonconformities can put the information security posture of the organization at risk.
03:50
So a nonconformity is basically an instance where a requirement of the ISMS, specifically the ISO 27001 standard
03:59
or a specific control, has not been met.
04:03
Nonconformities can occur simply by people not doing their jobs, not communicating when delays with things have occurred,
04:12
or not maintaining appropriate documentation.
04:15
Often there would be disciplinary actions for nonconformities
04:20
relevant to the level of nonconformity
04:25
that occurred.
04:28
It is also important for people to understand what the repercussions of nonconformity
04:33
for the organization as a whole are.
04:40
What documentation is required
04:43
for clause 7.3?
04:46
While a specific document is not specified as mandatory,
04:49
It is generally mandatory to keep information on the activity that demonstrates some form of awareness training.
04:56
in terms of the ISMS and information security in general is taking place.
05:00
The information must be sufficient in nature that it will provide your certification auditors with comfort that you're performing this required task
05:09
as per your documented frequency,
05:11
evidence of attendance, and that there is some form of assessment at intervals that demonstrates verification of the understanding of the knowledge by participants after the training or awareness session.
05:24
So again,
05:26
you need evidence of your training material, whether this was a presentation, poster, web page, online video,
05:33
whatever it was;
05:35
attendance registers or some other form of
05:40
verification of attendance for online or classroom based trainings;
05:46
metrics associated with awareness training, such as assessment results, feedback scores and so forth;
05:51
as well as budgets and plans for ongoing awareness and training activities.
06:00
To summarize,
06:00
in this lesson we covered the requirements of awareness, that this extends to not just general information security awareness and training, but also awareness specific to the ISMS.
06:13
We discussed awareness regarding nonconformities.
06:16
We also examined some examples of documentation that could support the awareness activities
06:21
and be used as evidence during an audit.
ISO 27001:2013 - Information Security Management Systems

The ISO 27001:2013 - Information Security Management Systems course provides students with insights into the detail and practical understandings meant by the various clauses in the ISO 27001 Standard.
