The ISO 27001:2013 Standard Part 1


Time
7 hours 56 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
00:01
Lesson 1.2.
00:03
So what is included in ISO 27001 Part 1?
00:13
In this video,
00:14
we will cover what an information security management system is.
00:18
We'll also look at the clauses that are contained in the ISO 27001 standard,
00:24
and we'll have a high-level look at each of these clauses as well as some of their requirements.
00:30
If you're not familiar with the standard, we're going to take a look at an overview of the standard
00:34
as well as the clauses it contains, and we'll take a brief look at what each clause contains.
00:40
We'll get into more detail on each clause later on in this course.
00:45
As this lesson, 1.2, is quite long,
00:48
the lesson has been split into three parts.
00:55
It is important to become familiar with each of these clauses and what they require
01:00
when you are in the process of planning and implementing your ISMS.
01:03
It is a good idea to have a copy of the standard
01:07
and any of the supporting standards handy
01:08
to keep you in check and ensure that you're meeting all the requirements.
01:19
An ISMS is essentially a risk-based approach for managing information security within an organization.
01:26
The continual feedback loop allows the continuous improvement of the information security program.
01:33
There are multiple factors to take into consideration when it comes to information security.
01:40
Often,
01:41
many of these factors are looked at in isolation and not in conjunction with the context of the organization.
01:49
A key area of an ISMS is understanding the information security risk profile of an organization
01:56
in order to better prioritize and direct efforts to the highest risk areas identified.
02:04
It is impossible to protect everything in an organization to 100% level, and there are constant moving targets in the information security space.
02:14
Why is that?
02:15
Threat actors are learning new techniques. Attacks are constantly evolving.
02:21
Often the risks these present to an organization, within the context in which the organization operates, are not assessed,
02:30
understood
02:30
and acted upon.
02:32
An ISMS seeks to put in place
02:36
the foundations to understand this,
02:38
and to drive efforts in favor of reducing risk to an acceptable level,
02:43
as well as to continually improve in line with changing threat and risk landscapes.
02:51
Why is it important to take into account the context of an organization when assessing risk?
02:58
Different organizations and different industries
03:02
affect the inherent risks that are present.
03:07
Pardon me,
03:08
a financial services firm such as a major bank will face far more risks than a corner bakery will,
03:15
purely because of the high-profile nature of the company, which exposes the company to far more attackers.
03:23
Larger organizations will also have more technology and people,
03:27
which means a larger attack surface
03:30
and a larger area for the information security team to manage and protect.
03:38
Here is the list of clauses that are contained within the ISO 27001 standard for implementing and maintaining an ISMS.
03:47
There is a lot of detail in each of these clauses,
03:51
and this detail will be covered in the subsequent videos in the ISMS series.
03:57
In a nutshell, an ISMS looks at the context of the organization.
04:02
Top management commitment and support
04:04
is crucial to the success of an ISMS.
04:10
The planning clause covers a large portion of risk management
04:14
and helps prioritize the direction of the ISMS.
04:18
Support is required for the ISMS in terms of resources, awareness,
04:25
communication and documentation.
04:30
The ISMS will go through a phase of operation
04:32
and then into performance evaluation
04:34
where the metrics are assessed and interpreted.
04:39
Based on the performance evaluation,
04:41
areas of improvement are identified and implemented.
04:46
Let's take a look at each of these clauses
04:48
in more detail,
04:54
Clause 4, the context of the organization.
04:59
To properly frame the ISMS and ensure it's aligned to the organization,
05:03
there are a couple of factors that should first be completed.
05:09
Clause 4.1, which is understanding the organization and its context,
05:14
is an overarching clause, which means that the context of the organization should fully be understood in order to better focus and implement the ISMS.
05:24
The standard itself does not give much guidance here,
05:27
except that internal and external factors must be understood.
05:31
This can include a variety of factors which could influence the scope of the ISMS,
05:36
the risks faced by the organization,
05:41
some of which have been listed here.
05:44
Internal policies, processes and procedures,
05:47
existing technologies,
05:50
personnel and capacity, including the skills of these resources,
05:56
as well as existing risk management processes and previous risk assessment results.
06:02
There are also some external factors to consider,
06:05
including local and global customers,
06:09
competitors and if there are any legal or regulatory requirements,
06:14
Clause 4.2,
06:15
understanding the needs and expectations of interested parties.
06:20
This clause requires that the needs and expectations of interested parties are identified, understood and documented.
06:28
Interested parties can be anyone that is internal or external to the organization,
06:33
which interacts with the organization in some way.
06:38
Needs and expectations of customers, for example,
06:41
would be that the organization complies with the relevant privacy legislation to safeguard personal data.
06:47
In essence,
06:49
this is to identify what requirements must be met by the organization in the eyes of any internal or external parties.
06:58
These needs and expectations will form part of risk assessments
07:01
and control implementations later on.
07:05
Clause 4.3,
07:08
determining the scope of the ISMS.
07:12
For organizations working towards becoming ISO 27001 certified,
07:16
this is a key component.
07:18
An ISMS cannot be limited to systems or technology alone.
07:23
Rather, it should consider items identified in clauses 4.1 and 4.2
07:29
and be defined around those requirements.
07:31
The scope would therefore include technology,
07:34
information, personnel and any interfaces or dependencies with external parties.
07:43
The last sub-clause is 4.4, information security management system.
07:48
This simply states that the standard requires that an ISMS should not just be implemented within an organization
07:55
but also continuously improved through the use of iterative processes.
08:01
Clause 5, leadership.
08:03
The first sub-clause here is 5.1, leadership and commitment.
08:09
This clause is a requirement that there must be a strong, genuine and demonstrable commitment to the ISMS
08:16
and supporting the related efforts throughout the organization
08:22
that is specifically from top management.
08:26
It's a pretty much known caveat in information security:
08:30
failure is likely if top management is not committed to the efforts,
08:35
whatever the efforts may be.
08:37
The reason behind this is simple.
08:39
Top management is responsible for setting the tone at the top
08:43
and is therefore instrumental in driving the required culture change within the organization.
08:50
Top management also controls the purse strings of an organization.
08:54
No buy-in often means no budget, and no resources to implement and maintain the ISMS as required.
09:03
Besides this, top management also has a keen understanding of the strategic direction of the organization
09:09
and is therefore in a critical position to ensure the directives and objectives for the ISMS are aligned to those of the organization as a whole.
09:20
Clause 5.2,
09:22
policy.
09:24
Top management probably won't be the ones writing the supporting policies,
09:28
especially if your organization is fortunate enough to have a CISO
09:31
and well-staffed information security teams.
09:35
However, top management still needs to understand the policies being written and provide their stamp of approval.
09:41
Top management once again sets the tone at the top for driving commitment to operating within the principles defined in the policies.
09:52
Users will be more likely to follow and adhere to a policy that has been endorsed, understood and followed by top management.
10:01
Clause 5.3, organizational roles, responsibilities and authorities.
10:07
Top management is a broad term and implies coverage across the organization.
10:13
An ISMS cannot be implemented and maintained by one person or team alone.
10:18
It will require a collective effort from across the organization.
10:22
Top management is therefore instrumental in assisting with the assignment of roles and responsibilities
10:28
within the organization
10:30
related to the support and operation of the ISMS.
10:33
Each department would have a role to play,
10:37
and it is the responsibility of top management to ensure that this is being executed effectively.
10:45
To summarize, in this lesson we talked about what an ISMS is
10:48
and that it's fundamentally a risk-based approach to managing information security risks and controls.
10:56
We also looked at some of the clauses contained in the ISO 27001 standard,
11:01
specifically up to clause 5.