So what is included in ISO 27001 Part 1?
We will cover what an information security management system (ISMS) is.
We will also look at the clauses that are contained in the ISO 27001 standard,
and we will take a high-level look at each of these clauses as well as their requirements.
If you are not familiar with the standard, we are going to take a look at an overview of the standard
as well as the clauses it contains, and we will take a brief look at what each clause covers.
We will get into more detail on each clause later on in this course.
As this lesson, 1.2, is quite long,
it has been split into three parts.
It is important to become familiar with each of these clauses and what they require
when you are in the process of planning and implementing your ISMS.
It is a good idea to have a copy of the standard
and any of the supporting standards handy
to keep you on track and ensure that you are meeting all the requirements.
An ISMS is essentially a risk-based approach to managing information security within an organization.
Its continual feedback loop allows continuous improvement of the information security program.
There are multiple factors to take into consideration when it comes to information security,
and many of these factors are looked at in isolation rather than in conjunction with the context of the organization.
A key area of an ISMS is understanding the information security risk profile of the organization
in order to better prioritize and direct efforts to the highest-risk areas identified.
It is impossible to protect everything in an organization to a 100% level, and there are constant moving targets in the information security space:
threat actors are learning new techniques, and attacks are constantly evolving.
Often the risks these present to an organization, within the context in which the organization operates, are not assessed.
An ISMS seeks to put in place
the foundations to understand this,
to drive efforts in favor of reducing risk to an acceptable level,
and to continually improve in line with changing threat and risk landscapes.
Why is it important to take into account the context of an organization when assessing risk?
Different organizations and different industries
affect the inherent risks that are present.
A financial services firm such as a major bank will face far more risks than a corner bakery will,
purely because of the high-profile nature of the company, which exposes it to far more attackers.
Larger organizations will also have more technology and people,
which means a larger attack surface
and a larger area for the information security team to manage and protect.
Here is the list of clauses that are contained within the ISO 27001 standard for implementing and maintaining an ISMS.
There is a lot of detail in each of these clauses,
and this detail will be covered in the subsequent videos in the ISMS series.
Initially, an ISMS looks at the context of the organization (clause 4).
Top management commitment and support (leadership, clause 5)
is crucial to the success of an ISMS.
The planning clause (clause 6) covers a large portion of risk management
and helps prioritize the direction of the ISMS.
Support (clause 7) is required for the ISMS in terms of resources, awareness,
communication and documentation.
The ISMS will go through a phase of operation (clause 8)
and then into performance evaluation (clause 9),
where the metrics are assessed and interpreted.
Based on the performance evaluation,
areas of improvement are identified and implemented (clause 10).
Let's take a look at each of these clauses.
Clause 4, the context of the organization:
to properly frame the ISMS and ensure it is aligned to the organization,
there are a couple of factors that should first be completed.
Clause 4.1, understanding the organization and its context,
is an overarching clause, which means that the context of the organization should be fully understood in order to better focus and implement the ISMS.
The standard itself does not give much guidance here,
except that internal and external factors must be understood.
These can include a variety of factors which could influence the scope of the ISMS
and the risks faced by the organization,
some of which have been listed here.
Internal factors include policies, processes and procedures;
personnel and capacity, including the skills of these resources;
as well as existing risk management processes and previous risk assessment results.
There are also some external factors to consider,
including local and global customers,
competitors, and any legal or regulatory requirements.
Clause 4.2, understanding the needs and expectations of interested parties.
This clause requires that the needs and expectations of interested parties are identified, understood and documented.
Interested parties can be anyone internal or external to the organization
who interacts with the organization in some way.
The needs and expectations of customers, for example,
would be that the organization complies with the relevant privacy legislation to safeguard personal data.
The aim is to identify what requirements must be met by the organization in the eyes of any internal or external parties.
These needs and expectations will form part of risk assessments
and control implementations later on.
Clause 4.3, determining the scope of the ISMS.
For organizations working towards becoming ISO 27001 certified,
this is a key component.
An ISMS cannot be limited to systems or technology alone.
Rather, it should consider the items identified in clauses 4.1 and 4.2
and be defined around those requirements.
The scope would therefore include technology,
information, personnel and any interfaces or dependencies with external parties.
The last sub-clause is 4.4, information security management system.
This simply states that the standard requires that an ISMS should not just be implemented within an organization
but also continuously improved through the use of iterative processes.
Clause 5, leadership.
The first sub-clause here is 5.1, leadership and commitment.
This clause requires that there is a strong, genuine and demonstrable commitment to the ISMS
and support for the related efforts throughout the organization,
specifically from top management.
It is a well-known caveat in information security
that failure is likely if top management is not committed to the efforts,
whatever those efforts may be.
The reasons behind this are simple.
Top management is responsible for setting the tone at the top
and is therefore instrumental in driving the required culture change within the organization.
Top management also controls the purse strings of an organization:
no buy-in often means no budget and no resources to implement and maintain the ISMS as required.
Besides this, top management also has a keen understanding of the strategic direction of the organization
and is therefore in a critical position to ensure the directives and objectives for the ISMS are aligned to those of the organization as a whole.
Sub-clause 5.2, policy.
Top management probably won't be the ones writing the supporting policies,
especially if your organization is fortunate enough to have a CISO
and a well-staffed information security team.
However, top management still needs to understand the policies being written and provide its stamp of approval.
Top management once again sets the tone at the top for driving commitment to operating within the principles defined in the policies.
Users will be more likely to follow and adhere to a policy that has been endorsed, understood and followed by top management.
Sub-clause 5.3, organizational roles, responsibilities and authorities.
Top management is a broad term and implies coverage across the organization.
An ISMS cannot be implemented and maintained by one person or team alone.
It will require a collective effort from across the organization.
Top management is therefore instrumental in assisting with the assignment of roles and responsibilities
within the organization
related to the support and operation of the ISMS.
Each department would have a role to play,
and it is the responsibility of top management to ensure that this is being executed effectively.
To summarize, in this lesson we talked about what an ISMS is
and that it is fundamentally a risk-based approach to managing information security risks and controls.
We also looked at some of the clauses contained in the ISO 27001 standard,
specifically up to clause 5.