Important Terms and Concepts

Time
7 hours 56 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
00:02
Lesson 1.4.
00:04
During this lesson, we're going to cover some important terms and concepts specific to the ISO 27000 series.
00:15
In this lesson, we're going to cover some important terms and concepts that you will come across
00:20
specifically in the ISO 27001 standard.
00:23
It is important to be familiar with these terms and concepts and understand what is meant by them in the context of an ISMS and becoming ISO 27001 compliant.
00:41
These terms have come from the ISO 27000 series,
00:46
which is a standard that provides information around
00:52
what the 27001 standard contains, as well as providing a glossary of important terms and concepts for the entire 27000 series.
01:04
We'll start with audit scope.
01:07
This is defined in the standard
01:10
as the extent and boundaries of an audit.
01:14
Why is it important to understand this concept?
01:17
If you're going for certification, your audit scope means
01:21
what will be covered as part of your audits.
01:27
This would be similar to your ISMS scope,
01:30
in that you would want your ISMS scope to be covered by the audits.
01:36
Here, you would define what
01:38
is going to be covered by the audit and what's not going to be covered by the audit.
01:44
Conformity is defined as the fulfillment of a requirement
01:49
Each of the ISO 27001 clauses has one or multiple requirements that need to be fulfilled
01:57
in order for your ISMS to be deemed compliant with the standard.
02:04
When you fulfil a requirement,
02:06
this is noted as a conformity.
02:09
It is important to understand the term conformity,
02:13
as its opposite, nonconformity, is used a lot in the standard.
02:20
Continual improvement.
02:22
We have already seen this
02:24
term used previously.
02:28
This is a recurring activity to enhance performance.
02:42
Control.
02:43
A measure that is modifying risk;
02:46
can include processes, policies, devices, practices
02:50
or other actions which modify risk.
02:53
We should all be familiar with what a control is.
02:58
A control is basically something you put in place to mitigate risk.
03:02
A control objective is a statement that describes what needs to be achieved as a result of implementing controls.
03:12
Correction.
03:13
This is an action to eliminate a detected nonconformity.
03:17
Previously, we had mentioned implementing corrective actions.
03:22
This pertains to clause 10
03:23
in your ISMS.
03:25
When areas of non-compliance or nonconformity, or requirements not being fulfilled, are identified,
03:32
corrective actions need to be put in place.
03:39
Documented information.
03:44
This is defined as information required to be controlled and maintained by an organization; it can be in any format and media and from any source.
03:54
You'll see later on in this course, we go into documented information quite a lot.
04:00
Information being documented and being able to be presented or demonstrated to auditors
04:08
and stakeholders in your ISMS is really important for your ISMS.
04:13
You need to be able to show people
04:15
that it is operating,
04:16
and having things documented will enable you to
04:20
track performance better, note nonconformities more easily, and obviously communicate to people more easily.
04:30
Documented information doesn't have to mean piles and piles of paperwork or files.
04:35
It can be made quite simple and easy to manage with
04:42
document management systems,
04:44
using things like Google Cloud and cleverly
04:48
broken-down file structures and access methods, so that you can keep certain documentation separate from others and only certain people access what they should
05:00
have access to and not what they should not have access to.
05:04
External context. This is defined as the external environment in which the organization seeks to achieve its objectives.
05:14
We've already touched on this term previously.
05:16
External context would cover all of the external factors that could influence your organization.
05:23
Things like
05:24
politics,
05:26
terrorism, natural disasters.
05:29
Whatever the case may be,
05:30
the most prevalent external context example of 2020 definitely has to be the COVID-19 virus.
05:40
Indicator is defined as a measure that provides an estimate or evaluation.
05:46
We have all heard the term
05:47
KPI, or key performance indicator.
05:50
This is what that pertains to.
06:00
Interested party.
06:01
This is defined as a person or organization that can affect, be affected by,
06:06
or perceive itself to be affected by a decision
06:11
or activity.
06:14
Earlier on, we touched on two concepts: internal interested parties and external interested parties.
06:21
These are stakeholders that have some sort of interest, benefit or
06:27
decision-making ability related to your ISMS.
06:32
One example of an interested party would be a customer that wants to procure services from your organization,
06:40
but only on the condition that you have a proper ISMS implemented
06:45
and that it is certified within a certain period of time.
06:49
The internal context
06:51
is defined as the internal environment in which the organization seeks to achieve its objectives.
07:00
This is basically everything within the control of the organization.
07:04
Organizational policies,
07:06
employees, technology, processes, procedures.
07:11
All of the existing context
07:14
internal to the organization must be considered
07:16
at all times during the operation
07:19
and maintenance of your ISMS.
07:24
Level of risk
07:25
is defined as the magnitude of a risk expressed in terms of the combination of consequences
07:31
and their likelihood.
07:34
If you've ever done a risk assessment before, you would know that
07:40
at the end of it, once you've gone through all of your risks and determined their levels of impact and likelihood,
07:46
you would give the risk an overall rating of
07:49
low, medium or high, as a basic example.
07:59
Monitoring is defined as determining the state of a system, process or an activity.
08:07
A nonconformity is defined as a non-fulfillment of a requirement.
08:13
We'll touch on this later in the course.
08:15
But a nonconformity, especially when you are being audited for your certification audit,
08:20
can be a game changer
08:22
or a show stopper
08:24
for your ISMS certification results.
08:28
A major nonconformity
08:30
would basically mean that you would not be certified,
08:35
so it is important to monitor for nonconformities
08:37
and make sure that they're addressed in a timely manner.
08:41
Performance
08:43
is defined as a measurable result;
08:46
can relate to either quantitative or qualitative findings;
08:50
can also relate to management of activities, processes, products and so forth.
08:58
A requirement. This is defined as a need or an expectation that is stated,
09:03
generally implied or obligatory.
09:07
Residual risk.
09:09
This is a risk that remains after risks have been treated.
09:16
This can contain an unidentified risk.
09:18
This is also known as a retained risk.
09:22
Review is defined as an activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives.
09:39
To summarize,
09:41
in this lesson,
09:43
lesson 1.4, we went over 18 terms and concepts that are important to understand while working with
09:50
an ISMS.
09:50
We examined the definitions as per ISO 27000.
09:56
We also talked about these concepts in a practical sense,
10:00
and what is meant by each of the terms.
Up Next
ISO 27001:2013 - Information Security Management Systems

The ISO 27001:2013 - Information Security Management Systems course provides students with insights into the detail and practical understandings meant by the various clauses in the ISO 27001 Standard.