Information Security Objectives and Planning to Achieve Them Part 1

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
or

Already have an account? Sign In »

Time
7 hours 56 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
00:01
listen four point in
00:03
information, security objectives and planning to achieve it.
00:10
In this video, we will cover
00:13
understanding the I. So 27,001 Close 6.2
00:18
Understanding what makes up a good objective
00:21
as well as the required documentation.
00:28
The I. So 27,000 and one close 6.2 somewhat vaguely calls for the organization to establish information security objectives and plans to achieve them. A drill, a vint functions and levels
00:41
I. So 27,000 and three is a great guidance document on the standard, which gives a bit more detail as to what the clause stipulations actually want to feel free to reference that during your implementation and maintenance processes.
01:00
So the information security objectives that your organization defines must be aligned to the stipulations in the eye. So 27,001 standard
01:10
these stipulations are
01:11
your objectives must be consistent with your information security policy.
01:17
They must be measurable.
01:19
There must be linked to your risk assessments and information security requirements.
01:23
They must be communicated to relevant parties
01:26
and there must be updated when required.
01:30
What these information security objectives, essentially all
01:34
its objectives and actions for the various departments within your organization to work towards achieving
01:41
and monitor the progress of doing so.
01:44
These objectives must obviously support the enforcement off confidentiality, integrity and the availability of information within your organization,
01:53
especially the information that falls directly within the scope of the ice mess.
01:59
Your business objectives, conservative base and your information security objectives could be there to support those business objectives.
02:07
Your information security policy
02:09
would have strategic information security objectives,
02:14
such as ensuring systems are kept operational and available to those that need it with minimal downtime.
02:21
As one of the key components for objective is measure ability
02:24
to make this actionable, it would be tailored to something more like
02:29
systems must be available for 95% of the time,
02:32
with any downtime being restored within a five hour window.
02:38
This can then be assigned to the relevant I T team and monitored on a monthly basis for compliance.
02:45
The subjective helps to satisfy and availability requirement off the organization
02:53
just to repeat that
02:55
a strategic information security objective
02:59
could be in sharing systems are kept operational and available to those that needed with minimal downtime
03:07
because an information security objective
03:10
as per the standard must be measurable.
03:14
They support actionable objective to support the strategic objective.
03:19
Would be
03:20
systems must be available for 95% of the time,
03:24
with any downtime being restored within a five hour window.
03:30
That's measurable.
03:36
So basically your information security objectives need to specify the following.
03:42
Firstly, what will be done?
03:44
Try and be as specific as possible here.
03:46
Make the objective and action that needs to be achieved.
03:52
You also need to specify the resource is required.
03:57
Will the objective require funding
03:59
additional personal time software?
04:02
External experts? What if the cases documented here so that
04:09
everyone involved can see what additional resource is will be required?
04:15
We also need to note and define who is responsible.
04:20
We need to ensure that the action,
04:24
the objective is action and looked after
04:27
someone must be designated responsible.
04:30
This responsible person does not necessarily have to do the action
04:34
and achievement off the object of themselves,
04:36
their arm or the ones that will be monitoring the objective and ensuring that it is action
04:43
and carried out by whatever team is associated with the responsible person.
04:50
Objectives can be actions that need to be completed
04:55
or implemented and then have ongoing maintenance or monitoring,
05:00
so specify whether or not it has a completion date. If it's something that needs to be implemented
05:04
and then indicate if it is an ongoing objective when it's in its monitoring phase,
05:11
you will also need to evaluate the results of the objective.
05:15
Each objective requires a measurable key performance indicator,
05:19
and as such you will need to have regular monitoring and reporting on the progress of achieving this objective.
05:29
So what is the required documentation?
05:32
All of the standard stipulates is to retain documented information on the information security objectives,
05:39
so you can decide how you want to document things in this clause.
05:43
But bear in mind that is important that the documents for monitoring progress and updates are not stagnant.
05:48
It should be evident.
05:50
But there is active monitoring, regular meetings and updates to the plans when required to meet objectives.
05:58
The details that we covered on the previous slide should also be documented,
06:03
so basically you're want a list of your information security objectives.
06:09
You want evident plans on how these objectives will be achieved, including the dates responsible people.
06:15
Resource is involved in many metrics that will be used to monitor
06:20
as well as the evidence of the metrics
06:24
reports, meeting minutes, updates to project trackers and so
06:30
to summarize, in this season, we covered what information security objectives are.
06:36
We looked at the information that you need to establish each objective,
06:42
and we also covered the mandatory documentation that is required by Isil 27,001
06:47
for clothes 6.2.
Up Next
ISO 27001:2013 - Information Security Management Systems

The ISO 27001:2013 - Information Security Management Systems course provides students with insights into the detail and practical understandings meant by the various clauses in the ISO 27001 Standard.

Instructed By