The ISO 27001:2013 Standard Part 2

Time
7 hours 56 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
00:01
Lesson 1.2.
00:03
Part two.
00:04
This lesson is a continuation
00:07
of what is included in the ISO 27001 standard.
00:15
In this video, we will cover the clauses that are contained in the ISO 27001 standard,
00:21
continuing from where we left off in the previous lesson,
00:25
where we ended on Clause 5.
00:27
We will take a high level look
00:30
at the clauses in the standard
00:32
as well as their sub-requirements.
00:37
Clause 6.
00:39
Planning.
00:41
This is made up of two sub-clauses,
00:44
with the first one being further divided into three more sub-clauses.
00:49
Let's start at 6.1,
00:51
Actions to address risks and opportunities.
00:57
Clause 6 is quite a big clause when it comes to practically performing
01:03
the first, 6.1.1 General.
01:06
This clause stipulates that an organization should plan to handle risks and opportunities relevant to the context of the organization.
01:15
So, in other words, considering the risks and opportunities that could be applicable based on the information identified in the exercises performed within Clause 4.
01:26
Now, if you remember, Clause 4 is understanding the context of the organization.
01:33
Another angle to this clause is to use the information to assess any risks that could impact the implementation of the ISMS
01:42
or impact the ISMS achieving its intended outcomes.
01:48
This is a preventative action
01:49
where risks that could derail it later on are identified, and measures that can be taken to manage these risks should they occur
01:57
can be identified and implemented as appropriate.
02:05
6.1.2
02:07
Information security risk assessment.
02:10
If an information security risk assessment has not been performed before,
02:16
it can be quite an intimidating exercise.
02:21
Remember the threats, vulnerabilities, technology,
02:24
et cetera,
02:27
all of those factors that we discussed in the previous lesson?
02:30
These come into play quite strongly in this clause.
02:35
We won't be going into details of how to perform an information security risk assessment as part of this video,
02:40
but we'll cover it in videos to come later on in this course.
02:45
Ultimately, what this clause states is that there should be a defined information security risk management process in place.
02:53
A lot of organizations think that their IT risk management procedures are sufficient to cover information security risk assessments and management,
03:01
but this is not always the case.
03:05
Most IT risk assessments scratch the surface of risks,
03:08
whereas an information security risk assessment seeks to tie a number of factors together,
03:15
such as information assets,
03:16
threats,
03:17
vulnerabilities, controls,
03:21
various levels of impact and so forth.
03:24
This helps to get a clearer picture of risk levels at a more granular level of detail.
03:32
6.1.3
03:35
Information security risk treatment.
03:38
Where risks are identified and fall outside of the acceptable level of risk,
03:44
A risk treatment plan must be developed and defined.
03:47
In essence, the treatment plan takes note of the areas of improvement
03:53
and the types of controls selected to address the risk.
03:58
The risk treatment plan should be detailed in nature
04:00
and ideally, should include allowances for monitoring and tracking progress.
04:05
One of the main outputs from the initial risk treatment process
04:10
is the statement of applicability.
04:13
This is something that shows which controls are applicable to the environment
04:16
and which controls are not applicable.
04:18
based on the risk assessment completed prior.
04:24
You know, when you are audited
04:26
and the auditor asks for something that is just not relevant because of reasons X, Y and Z?
04:31
This is basically where you justify those instances.
04:36
ISO 27002
04:40
is known as Annex A of ISO 27001.
04:45
ISO 27002 contains a list of controls which are generally used to select from for the statement of applicability.
04:53
Organizations are not, however, limited to this,
04:56
and any other control framework can be used,
04:59
but this is generally the preferred one
05:01
for ISO 27001 compliance.
05:06
Organizations can and should also include any unique controls which aren't listed explicitly in a control framework
05:14
but which exist in the environment of the organization to mitigate some type of risk.
05:23
Clause 6.2,
05:25
information security objectives and plans to achieve them.
05:30
Ideally, your ISMS needs to be working towards achieving specific objectives within the organization.
05:38
Often these pertain directly to improving the organization's information security posture to some extent.
05:45
For example, an organization has a repeat audit finding relating to poor user access management,
05:51
where the appropriate user access management procedure is not consistently performed.
05:59
An objective of the ISMS for the IT and related departments
06:02
would be to eradicate this
06:05
and achieve a 99% compliance rate with any deviations being appropriately tracked,
06:14
The objectives must be considered in terms of what needs to be done.
06:17
For this, the risk assessment, security policy and the organizational context can be taken into consideration.
06:26
Then
06:27
the target date of achievement must be defined.
06:30
The resources that would be required to achieve these objectives must also be defined.
06:34
In our earlier example,
06:36
let's say that the issues were occurring due to it being a paper-based system,
06:42
and it was therefore easy to bypass the controls due to poor oversight and workflow management.
06:48
One of the resources required to then achieve the objective of reaching 99% compliance with the user access management procedure
06:58
would be a digital workflow management
07:00
application
07:02
which handles the process from start to finish.
07:06
So now
07:08
we have defined an objective,
07:10
we have defined by when the objective must be achieved,
07:14
the resources required to achieve this.
07:16
We will also need to define how the progress of this will be measured
07:20
and who the responsible resource for making it happen is.
07:30
Clause 7.
07:30
Support.
07:32
This clause basically stipulates the support requirements for an ISMS to function correctly.
07:39
In brief,
07:40
this clause includes the following.
07:43
7.1.
07:44
Resources.
07:46
Resources are required for the ISMS to achieve its stated objectives
07:50
and to show continual improvement.
07:54
Resources should include personnel who are assigned or designated to work on the ISMS.
07:59
This also includes budget set aside for the ISMS.
08:03
The budget can go towards resources such as additional technologies, training, user awareness efforts and so forth.
08:11
The resources required would vary from organization to organization
08:16
based on its context and the goals of the ISMS.
08:20
7.2
08:22
Competence.
08:24
For the resources assigned to oversee the ISMS and work on ISMS initiatives directly,
08:31
there must be some level of competence with regards to understanding of an ISMS
08:35
and experience in implementing and maintaining an ISMS.
08:39
This extends into multiple levels of understanding, including IT operations, governance, risk management,
08:46
technical security controls
08:48
and so forth.
08:50
Typically, for a certification audit,
08:54
the auditors would want to see some sort of credential or certification pertaining directly
09:00
to ISO 27001 implementer or auditor,
09:05
that certification being specific now to an individual to show that the individual has knowledge of implementing or auditing
09:13
an ISMS.
09:16
7.3.
09:18
Awareness.
09:20
Awareness is closely related to competence.
09:22
This is much broader than just the team directly assigned to working with the ISMS.
09:28
This pertains to the awareness for all within the organization.
09:33
Personnel that work within an organization must be made aware of the information security policy and its contents,
09:39
what their personal role to play with regards to the ISMS is,
09:45
and what the implications of nonconformity mean to the ISMS as well as to the users themselves.
09:50
7.4
09:52
Communication.
09:56
It is important to maintain communication throughout the ISMS cycles.
10:01
What must be communicated
10:03
to whom it must be communicated
10:05
when communication must take place
10:07
and how communication must take place
10:09
must all be determined and formally documented,
10:13
for example,
10:15
which key external stakeholders would require updates on the ISMS, and how often?
10:20
What information would internal users need to know
10:24
and how often?
10:26
This is something that could be different for each organization.
10:28
It is important that this is formally documented for audit purposes
10:33
and that all supporting information is maintained.
10:37
Lastly, 7.5 documented information.
10:41
ISO 27001 is very strong on documentation;
10:46
there are many mandatory documents and records required to be maintained.
10:50
This clause basically requires that organizations define how documented information will be created
10:56
and updated,
10:58
by whom, and how the updating and revisions will be controlled.
11:01
All evidence of activities pertaining to the ISMS
11:05
needs to be appropriately documented and retained as evidence.
11:09
This is especially important for internal audits as well as external certification audits.
11:18
Clause 8.
11:20
Operation
11:24
8.1.
11:24
Operational planning and control
11:28
Risks are often not treated quickly,
11:31
with the risk treatment plans often being a longer term project of some sort.
11:35
For example,
11:37
if there is a persistent risk of improper user access due to a lack of centralized viewing of user access across the systems within an organization,
11:46
the treatment plan would probably involve some type of identity and access management solution.
11:52
This would not be an overnight implementation nor a cheap one.
11:56
This would be a treatment requiring ongoing supervision and monitoring.
12:01
So in addition to the treatment of risk,
12:05
there will also be the ongoing operation of the ISMS processes and procedures.
12:09
In essence,
12:11
Clause 8,
12:13
specifically 8.1,
12:15
relates to the operation of the ISMS and ensuring that any deviations or changes which may occur
12:20
are properly planned for and managed.
12:26
8.2
12:26
Information security risk assessment.
12:30
There is no once-off assessment in an ISMS.
12:33
As an organization continues to operate and evolve,
12:37
there are likely changes in the risks faced by the organization.
12:41
An ISMS stipulates that information security risk assessments
12:45
must be performed at regular intervals
12:48
or according to specific criteria, as defined by the organization as part of Clause 6.
12:54
This assessment will help to see whether or not any completed risk treatment activities
13:00
have been effective in appropriately treating a specific risk
13:03
or if additional treatment activity is required
13:07
As organizations become more mature, the initial risk treatment that was sufficient at a particular point in time
13:15
might not be sufficient anymore due to changes in the organizational context or maturity level.
13:22
8.3 Information security risk treatment.
13:28
As for the iterative risk assessment, risk treatment must also be performed in conjunction with the risk assessments.
13:35
All treatment plans must be implemented and assessed to determine whether or not the treatment has been adequate in addressing the risk.
13:46
to summarize,
13:48
we looked at some more of the clauses that are contained in the ISO 27001 standard.
13:52
We specifically looked at clauses 6 to 8.
ISO 27001:2013 - Information Security Management Systems

The ISO 27001:2013 - Information Security Management Systems course provides students with insights into the detail and practical understandings meant by the various clauses in the ISO 27001 Standard.