Resources Required for Maintaining an ISMS


Time: 7 hours 56 minutes
Difficulty: Intermediate
CEU/CPE: 8
Video Transcription
00:01
Moving on to Module Five.
00:05
Module Five will be covering Clause 7, which pertains to support for your ISMS.
00:13
Lesson 5.1
00:15
Resources Required for Maintaining an ISMS
00:22
In this lesson,
00:23
we will cover the resources required for an ISMS implementation
00:28
or maintenance, as well as becoming certified,
00:33
as well as what the required documentation is.
00:41
Now the standard doesn't say much about resources.
00:44
In essence, the standard says two lines, to be specific, and they are as follows:
00:50
The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system.
01:04
So why are resources important,
01:07
what resources are actually required, and what should be documented? Those are the questions we will answer here.
01:14
The why is pretty simple:
01:15
without resources, having a properly functioning and continually improving ISMS would be quite challenging.
01:23
Your level of resources needs to match your information security risk posture,
01:27
the size and nature of your organization,
01:30
as well as the goals of the ISMS.
01:33
If you want to have your ISMS certified against ISO 27001,
01:38
you're going to require additional budgetary resources to pay for the certification audits,
01:44
of which there are two.
01:46
You could do three if you want to be extra prepared,
01:49
but we'll get into that later on in the course when we cover the audit process in a bit more detail.
01:57
So, of course, you need information security resources,
02:00
both to run your information security components and controls,
02:06
as well as a dedicated resource to oversee your ISO 27001 implementation and your efforts to remain compliant.
02:15
You need to determine where your existing resources need to take on additional responsibilities.
02:21
For example, your HR team, your operational team, your finance team, your IT team.
02:27
They would all have an additional role to play with the implementation of an ISMS,
02:32
and managing that change
02:35
culturally, and getting them to be open and accepting of the change, is the trick.
02:42
You will also require monetary resources
02:45
for the implementation of an ISMS,
02:47
as we mentioned, for the external certification audits.
02:52
This happens as a one-off certification audit split into two stages,
02:57
as well as subsequent
02:59
surveillance audits
03:00
and recertification audits.
03:04
There are also internal audits to consider.
03:09
Another consideration is your investment of time resources,
03:14
especially the time from top management.
03:16
We all know how difficult it is to get time with top management for anything.
03:22
And an ISMS generally requires quite a bit of time from them
03:25
just to be on top of things, making sure they understand what's going on, sending out the communication as and when required.
03:40
So what evidence or documentation should one maintain
03:46
when it comes to an audit? If it is your goal to have your ISMS certified against ISO 27001,
03:53
I would recommend having some sort of documentation
03:55
or proof to show an auditor of the resources that have been set aside for the ISMS.
04:00
The standard does not specify anything
04:03
specific per se pertaining to documented information,
04:08
merely that the necessary resources to appropriately support and manage the ISMS exist.
04:15
So what could this include?
04:17
This can include job roles and descriptions for your dedicated ISMS personnel,
04:24
your information security team structure and headcount of resources,
04:29
minutes, attendance registers and agendas of ISMS-related meetings that involved top management specifically,
04:38
as well as any budgets or purchases that have been made for the ISMS.
04:45
Your documentation here can also include resources that have been discussed in previous clauses,
04:50
such as the breakdown of roles and responsibilities pertaining to the ISMS.
04:56
Keep it simple and straightforward, but also include enough information to show that you have put sufficient thought and effort behind mobilizing the required teams to support the ISMS.
05:08
Naturally, one of the focus points will be the information security resources that you have within your organization
05:14
and how these resources support your ISMS.
05:18
Other resources, such as the budget that top management have approved for the ISMS, are great to show,
05:25
as mentioned earlier.
05:26
This demonstrates both top management commitment as well as concrete funding for the ISMS and its continual improvement.
05:35
Meeting minutes that involved top management, while also being useful for other clauses, could, in this instance, show the time investment made by top management into the ISMS.
05:48
As mentioned,
05:50
time of top management is hard to come by, as their attention is generally wanted in multiple avenues across the organization,
05:58
so showing that their time has been invested into the project
06:01
and the ISMS
06:03
demonstrates another angle of resources committed to the ISMS.
06:09
Any additional resources that have been used to secure or bolster the information security posture of the organization
06:15
can also come in handy here.
06:17
External consultants, project-specific for information security,
06:21
independent penetration tests,
06:24
internal audits of the ISMS and so forth are all examples of this.
06:30
These probably won't be asked for in your certification audit, but depending on the auditor, it's always handy to have more information available than not.
06:43
To summarize,
06:45
we covered the types of resources that are required to support your ISMS,
06:49
as well as the documentation that is required by the standard.
ISO 27001:2013 - Information Security Management Systems

The ISO 27001:2013 - Information Security Management Systems course provides students with insights into the detail and practical understandings meant by the various clauses in the ISO 27001 Standard.