Video Activity

Information Security Frameworks: ISO 27001

Video Transcript

We've discussed senior leadership and their role and how we can address risks and develop our security programs, protect our assets ultimately is our goal. One of the things we want to examine now is the role that  frameworks play within our organization. The first framework we'll look at is the 27001 Framework.  But really just to discuss the need for these, is going to be one of the first pieces. An idea about a framework is it provides the structure. Frameworks don't give you a lot of details. Frameworks you can almost align with goals for the organization. Like a framework might say we need strong access control.  How we get to that is going to be up to our methodology.  But the framework is going to provide the structure.

Here's what I mean. Now in the neighborhood I used to live in, all the houses were built in the 1940s, by the same company and every single house looked just like every other house. It was like somebody took a cookie cutter and went [NOISE] and every now and then they get fancy and turn the cookie cutter around, so maybe the kitchen was on the right side instead of the left. But, again, the framework, the foundation, the structure of every house was the same. That was the framework. The foundation, the structure it was all the same. Now without that framework, we have no house, so the framework is critical. But what makes the house mine.

When you walk in the door, the furniture, the color scheme. Some people in my neighborhood would knock down a wall or they brick over a door or they customize it based on their needs. That's what your methodology does. We're going to focus on framework. We're going to focus on these external sources that provide us with frameworks that we can adhere to. The CISSP exam is not going to get detailed into methodology because methodology really has to be unique to every organization. The idea about frameworks is that they should be generic  enough to be used across various industries. This first framework we're going to look at is going to be ISO 27001. Whether you're a bank or a construction company or any organization, you can adhere to that 27001 standard. We're also going to look at NIST Cybersecurity Framework, and we'll look at GDPR as well. Looking at ISO 27001 Framework. Ultimately what they provide us with is 14 domains. Like I said, these domains are desirable end results. Not the steps on how to get there, but just ultimately broad guidelines for what our security policies should consist of, how we handle organizational security roles listed.

But if you take a look at them, it's not a coincidence, but you can see a direct correlation between what we study on the CISSP exam to those mentioned in ISO 27002 as the controls. We'll talk about cryptography. We'll talk about operational security and communications and access control. A big foundation for what ISC squared uses as their common body of knowledge is some of these major frameworks and 27001 being the most commonly used. They have these various controls that basically set out standards that we need to attain within an organization and ultimately, an organization might have the goal of being 27001 certified. Certified is adhering to this framework and a lot of times, an organization is going to have that goal based on some external driver.

What I mean by that is customers look for assurance before choosing who they do business with. I know absolutely nothing about automobiles, so when my car breaks, I go to a mechanic that's ASC certified. I don't even know what ASC stands for to tell you the truth, but there is assurance and confidence in certification. Now, is that always right? No, it's not. But with all things being equal, certification is often exciting business for deciding criteria for customers. We, as an organization, may want to be 27001 certified or some other framework certified to give confidence to our stakeholders. This framework gives me a checklist on what I want to attain. Our frameworks provide a structure and they provide us a basis to build our information security program on.  ISO 27001 Framework is the most common. Also like I said, every organization will have different methodologies to accomplish the framework. But the framework in being compliant within that framework is usually what my goal is.

Intermediate
Intermediate
Course link:
Certified Information Systems Security Professional (CISSP)
CISSP certification is essential for cybersecurity professionals aiming to move up in their career. This course will cover all aspects of security, risk management, and architecture to help you prepare for the CISSP exam. Learn from experienced professionals and gain the knowledge needed to become a certified security expert.
Instructed by
Senior Instructor
Kelly Handerhan

I am the owner of CyberTrain.IT, and I have over twenty years of experience in information assurance and cybersecurity. I am one of the Top 100 Trainers World-Wide. I hold the PMP, CISSP, CISM, CRISC, Security+, and CCSP certifications.