Frameworks: ISO 27000 Series

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or

Already have an account? Sign In »

Course
Time
8 hours 25 minutes
Difficulty
Advanced
CEU/CPE
9
Video Transcription
00:00
>> In the last section,
00:00
we talked about the CMMI framework
00:00
that's provided by ISACA that
00:00
contains a set of steps and requirements to be
00:00
evaluated at certain levels of the CMMI models,
00:00
certain levels of maturity.
00:00
Well, another framework that we want to
00:00
look at comes to us from ISO,
00:00
and it's ISO's 27000 Series.
00:00
Well, ISO indicates
00:00
the International Organization of Standards.
00:00
In the 27000 series,
00:00
they have various standards
00:00
relating to information security.
00:00
Now the very first,
00:00
this is the actual framework,
00:00
so as an organization,
00:00
we would get certified as ISO 27001 compliant.
00:00
Ultimately, this framework provides us with
00:00
the steps to develop, implement,
00:00
operate, improve, manage an ISMS,
00:00
an Information Security Management System.
00:00
This is based on the plan,
00:00
do, check, act cycle.
00:00
This is a cycle that's been around for years and years.
00:00
It was first designed by Walter Shewhart and then
00:00
Deming made it popular based
00:00
on using the PDCA with quality management.
00:00
But at any rate, the plan, do, check,
00:00
act cycle says that you start with planning,
00:00
you figure out what your objectives are in
00:00
a broad directive on how to get there.
00:00
You implement through the do phase.
00:00
Then you monitor and check the results,
00:00
and then you act upon what you find.
00:00
Plan, do, check, act.
00:00
Now what's important about
00:00
this is this is an indication that
00:00
risk management is certainly not
00:00
a onetime set of processes.
00:00
It's not a one-and-done.
00:00
We're never done with risk management.
00:00
We're never done managing
00:00
security or implementing security.
00:00
We're always plan, do, check, act.
00:00
We're always following that model.
00:00
ISO 27001 advises us to
00:00
develop a security an ISMS based on the plan,
00:00
do, check, act model.
00:00
ISO 27001 also talks about risk management as part of
00:00
the decision-making and ISO
00:00
27005 is specifically about risk management.
00:00
We'll look that just a second.
00:00
But ultimately, it puts
00:00
the responsibility on senior management.
00:00
It's their job to insure, of course,
00:00
that their organizational assets are protected.
00:00
And it's their responsibility to make
00:00
sure that underneath the governing entity that
00:00
there's a management group that provides
00:00
the instructions on how to
00:00
accomplish the strategy determined by governance.
00:00
That's always going to be our difference.
00:00
Governance is going to tell us what needs to be done.
00:00
Management's going to figure out how.
00:00
There's a shared responsibility.
00:00
Now, ISO 27001, again,
00:00
is all about develop, build,
00:00
implement, assess, and improve an ISMS.
00:00
That's pretty broad.
00:00
What it's going to do is it's going to break down
00:00
the requirements for an ISMS into 14 domains.
00:00
If you take a look at ISO 27002,
00:00
there will be particular controls that are referenced.
00:00
Those controls are referenced in
00:00
the appendix of ISO 27001.
00:00
They're developed in ISO 27002.
00:00
The controls appear in both locations,
00:00
but the primary explanation
00:00
of what the information security controls
00:00
should be and what they should look
00:00
like, that's ISO 27002.
00:00
27003 gives us practical implementation.
00:00
How do we implement these controls?
00:00
You can say that we've got
00:00
a category of control called access control,
00:00
but what does that mean?
00:00
Well, ISO 27003 talked about
00:00
ways to implement multi-factor authentication, for instance.
00:00
Then we have ISO 27004 that
00:00
provides information on how
00:00
to evaluate our security controls.
00:00
So this would be things like monitoring.
00:00
This would be testing pen test vulnerability assessments.
00:00
Then ISO 27005, again,
00:00
like we said, addresses
00:00
risk management in relation to an ISMS.
00:00
Now you don't have to do a lot of
00:00
memorization for this exam.
00:00
I would definitely know ISO 27001.
00:00
I would know that it's
00:00
the most commonly used framework and that's important.
00:00
But it's also obvious because
00:00
all these other frameworks are for
00:00
specific industries or
00:00
specific countries or specific environments.
00:00
Whereas when you look at ISO
00:00
27000 and specifically 27001,
00:00
ISO, International Organization of Standards.
00:00
So it's not just for one environment or
00:00
one nation or it's not specific.
00:00
ISO 27001 can be introduced and
00:00
evaluated and operated in many environments.
00:00
Now I mentioned that there are 14 separate domains.
00:00
These are the domains again,
00:00
you don't need to worry about memorizing.
00:00
They're not going to say what are
00:00
the 14 domains of ISO 27001.
00:00
Like I said, they're really more developed in ISO 27002.
00:00
But this just gives you an idea.
00:00
Start out structuring, get your policy,
00:00
asset management, operations, security, physical screen.
00:00
I'm just reading off some of these,
00:00
but these are the main categories.
00:00
These are the main elements of security that has to be
00:00
managed and evaluated with
00:00
an Information Security Management System.
00:00
Again, don't get too
00:00
detailed with this particular framework.
00:00
But I would definitely know
00:00
the purpose of a framework to provide that structure.
00:00
Usually, governing entities determine
00:00
a framework as a result
00:00
of analyzing what their strategy should be.
00:00
Usually by the time they have their strategy,
00:00
that end point of that strategy might be to be certified,
00:00
but according to ISO 27001.
00:00
That might wind up being desired state.
00:00
That strategy gives a broad look at how to get there.
00:00
That's one of the frameworks that we'll look at.
00:00
We still have a couple of more we want to examine.
Up Next