This lesson is a continuation of what is included in the ISO 27001 standard.
In this video, we will cover the clauses that are contained in the ISO 27001 standard, continuing from where we left off in the previous lesson, where we ended on Clause 5.
We will take a high-level look at the clauses in the standard as well as their sub-requirements.

Clause 6 is made up of two sub-clauses, with the first one being further divided into three more sub-clauses.

6.1 Actions to address risks and opportunities
Clause 6 is quite a big clause when it comes to practically performing it. The first sub-clause is 6.1.1, General.
This clause stipulates that an organization should plan to handle risks and opportunities relevant to the context of the organization.
In other words, this means considering the risks and opportunities that could be applicable based on the information identified in the exercises performed within Clause 4. If you remember, Clause 4 is understanding the context of the organization.
Another angle to this clause is to use that information to assess any risks that could impact the implementation of the ISMS, or impact the ISMS achieving its intended outcomes.
This is a preventative action: risks that could derail the ISMS later on are identified, and measures that can be taken to manage these risks should they occur can be identified and implemented as appropriate.
6.1.2 Information security risk assessment
If an information security risk assessment has not been performed before, it can be quite an intimidating exercise.
Remember the threats, vulnerabilities and technology, all of those factors that we discussed in the previous lesson? These come into play quite strongly in this clause.
We won't be going into the details of how to perform an information security risk assessment as part of this video, but we'll cover it in videos to come later on in this course.
Ultimately, what this clause states is that there should be a defined information security risk management process in place.
A lot of organizations think that their IT risk management procedures are sufficient to cover information security risk assessments and management, but this is not always the case. Most IT risk assessments scratch the surface of risks, whereas an information security risk assessment seeks to tie a number of factors together, such as information assets, various levels of impact and so forth.
This helps to get a clearer picture of risk levels at a more granular level of detail.
6.1.3 Information security risk treatment
Where risks are identified and fall outside of the acceptable level of risk, a risk treatment plan must be developed and defined.
In essence, the treatment plan takes note of the areas of improvement and the types of controls selected to address the risk.
The risk treatment plan should be detailed in nature and, ideally, should include allowances for monitoring and tracking progress.
One of the main outputs from the initial risk treatment process is the statement of applicability.
This is something that shows which controls are applicable to the environment and which controls are not applicable, based on the risk assessment completed prior.
You know when you are audited and the auditor asks for something that is just not relevant because of reasons X, Y and Z? This is basically where you justify those instances.
The control list referred to is known as Annex A of ISO 27001. ISO 27002 contains a list of controls which are generally used to select from for the statement of applicability.
Organizations are not, however, limited to this, and any other control framework can be used, but this is generally the preferred one for ISO 27001 compliance.
Organizations can and should also include any unique controls which aren't listed explicitly in a control framework but which exist in the environment of the organization to mitigate some type of risk.
6.2 Information security objectives and plans to achieve them
Ideally, your ISMS needs to be working towards achieving specific objectives within the organization. Often these pertain directly to improving the organization's information security posture to some extent.
For example, an organization has a repeat audit finding relating to poor user access management, where the appropriate user access management procedure is not consistently performed.
An objective of the ISMS for the IT and related departments would be to eradicate this and achieve a 99% compliance rate, with any deviations being appropriately tracked.
The objectives must be considered in terms of what needs to be done. For this, the risk assessment, the security policy and the organizational context can be taken into consideration.
The target date of achievement must be defined. The resources that would be required to achieve these objectives must also be defined.
In our earlier example, let's say that the issues were occurring due to it being a paper-based system, and it was therefore easy to bypass the controls due to poor oversight and workflow management.
One of the resources required to then achieve the objective of reaching 99% compliance with the user access management procedure would be a digital workflow management system which handles the process from start to finish.
So we have defined an objective, we have defined by when the objective must be achieved, and we have defined the resources required to achieve it. We will also need to define how this will be measured and who the responsible resource for making it happen is.
Clause 7 basically stipulates the support requirements for an ISMS to function correctly. This clause includes the following.

7.1 Resources
Resources are required for the ISMS to achieve its stated objectives and to show continual improvement.
Resources should include personnel who are assigned or designated to work on the ISMS. This also includes budget set aside for the ISMS.
The budget can go towards resources such as additional technologies, training, user awareness efforts and so forth.
The resources required would vary from organization to organization, based on its context and the goals of the ISMS.

7.2 Competence
For the resources assigned to oversee the ISMS and work on ISMS initiatives directly, there must be some level of competence with regards to understanding of an ISMS and experience in implementing and maintaining an ISMS.
This extends into multiple levels of understanding, including IT operations, governance, risk management and technical security controls.
Typically, for a certification audit, the auditors would want to see some sort of credential or certification pertaining directly to ISO 27001 implementer or auditor. That certification is specific to an individual, to show that the individual has knowledge of implementing or auditing.
7.3 Awareness
Awareness is closely related to competence. This is much broader than just the team directly assigned to working with the ISMS; this pertains to awareness for all within the organization.
Personnel that work within an organization must be made aware of the information security policy and its contents, what their personal role with regards to the ISMS is, and what the implications of nonconformity mean for the ISMS as well as for the users themselves.

7.4 Communication
It is important to maintain communication throughout the ISMS cycles.
What must be communicated, to whom it must be communicated, when communication must take place and how communication must take place must all be determined and formally documented.
Which key external stakeholders would require updates on the ISMS, and how often? What information would internal users need to know? This is something that could be different for each organization.
It is important that this is formally documented for audit purposes and that all supporting information is maintained.
7.5 Documented information
Lastly, ISO 27001 is very strong on documentation; there are many mandatory documents and records required to be maintained.
This clause basically requires that organizations define how documented information will be created, by whom, and how updating and revisions will be controlled.
All evidence of activities pertaining to the ISMS needs to be appropriately documented and retained as evidence. This is especially important for internal audits as well as external certification audits.
8.1 Operational planning and control
Risks are often not treated quickly, with the risk treatment plans often being a longer-term project of some sort.
If there is a persistent risk of improper user access due to a lack of centralized viewing of user access across the systems within an organization, the treatment plan would probably involve some type of identity and access management solution.
This would not be an overnight implementation, nor a cheap one. This would be a treatment requiring ongoing supervision and monitoring.
So in addition to the treatment of risk, there will also be the ongoing operation of the ISMS processes and procedures. This clause relates to the operation of the ISMS and ensuring that any deviations or changes which may occur are properly planned for and managed.
8.2 Information security risk assessment
There is no once-off first assessment in an ISMS. As an organization continues to operate and evolve, there are likely changes in the risks faced by the organization.
An ISMS stipulates that information security risk assessments must be performed at regular intervals, or according to specific criteria as defined by the organization as part of Clause 6.
This assessment will help to see whether or not any completed risk treatment activities have been effective in appropriately treating a specific risk, or if additional treatment activity is required.
As organizations become more mature, the initial risk treatment that was sufficient at a particular point in time might not be sufficient anymore due to changes in the organizational context or maturity.

8.3 Information security risk treatment
As for the iterative risk assessment, risk treatment must also be performed in conjunction with the risk assessments. All treatment plans must be implemented and assessed to determine whether or not the treatment has been adequate in addressing the risk.

In this lesson we looked at some more of the clauses that are contained in the ISO 27001 standard. We specifically looked at clauses 6 to 8.