Information Security Frameworks: ISO 27001
Time
15 hours 43 minutes
Difficulty
Advanced
CEU/CPE
16
Video Transcription
We've discussed senior leadership and their role, and how we can address risks and develop our security programs; protecting our assets is ultimately our goal. One of the things we want to examine now is the role that frameworks play within our organization. The first framework we'll look at is the 27001 Framework. But really, just to discuss the need for these is going to be one of the first pieces.

An idea about a framework is that it provides the structure. Frameworks don't give you a lot of details. Frameworks you can almost align with goals for the organization. Like, a framework might say we need strong access control. How we get to that is going to be up to our methodology. But the framework is going to provide the structure. Here's what I mean.

Now, in the neighborhood I used to live in, all the houses were built in the 1940s by the same company, and every single house looked just like every other house. It was like somebody took a cookie cutter and went [NOISE], and every now and then they'd get fancy and turn the cookie cutter around, so maybe the kitchen was on the right side instead of the left. But, again, the framework, the foundation, the structure of every house was the same. That was the framework. The foundation, the structure, it was all the same. Now, without that framework we have no house, so the framework is critical. But what makes the house mine? When you walk in the door, the furniture, the color scheme. Some people in my neighborhood would knock down a wall, or they'd brick over a door, or they'd customize it based on their needs. That's what your methodology does.

We're going to focus on framework. We're going to focus on these external sources that provide us with frameworks that we can adhere to. The CISSP exam is not going to get detailed into methodology, because methodology really has to be unique to every organization. The idea about frameworks is that they should be generic enough to be used across various industries. This first framework we're going to look at is going to be ISO 27001. Whether you're a bank or a construction company or any organization, you can adhere to that 27001 standard. We're also going to look at the NIST Cybersecurity Framework, and we'll look at GDPR as well.

Looking at the ISO 27001 Framework. Ultimately, what they provide us with is 14 domains. Like I said, these domains are desirable end results. Not the steps on how to get there, but just ultimately broad guidelines for what our security policies should consist of, how we handle organizational security, roles listed. But if you take a look at them, it's not a coincidence, but you can see a direct correlation between what we study on the CISSP exam to those mentioned in ISO 27002 as the controls. We'll talk about cryptography. We'll talk about operational security and communications and access control. A big foundation for what ISC² uses as their common body of knowledge is some of these major frameworks, with 27001 being the most commonly used.

They have these various controls that basically set out standards that we need to attain within an organization, and ultimately an organization might have the goal of being 27001 certified. Certified is adhering to this framework, and a lot of times an organization is going to have that goal based on some external driver. What I mean by that is customers look for assurance before choosing who they do business with. I know absolutely nothing about automobiles, so when my car breaks, I go to a mechanic that's ASC certified. I don't even know what ASC stands for, to tell you the truth, but there is assurance and confidence in certification. Now, is that always right? No, it's not. But with all things being equal, certification is often a deciding criterion for customers. We, as an organization, may want to be 27001 certified, or some other framework certified, to give confidence to our stakeholders.

This framework gives me a checklist on what I want to attain. Our frameworks provide a structure, and they provide us a basis to build our information security program on. The ISO 27001 Framework is the most common. Also, like I said, every organization will have different methodologies to accomplish the framework. But the framework, and being compliant within that framework, is usually what my goal is.