The ISO 27001:2013 Standard Part 3

Time: 7 hours 56 minutes
Difficulty: Intermediate
CEU/CPE: 8
Video Transcription
00:01
Lesson 1.2, Part three.
00:05
What is included in ISO 27001.
00:10
In the previous lesson
00:13
we covered clauses 6 to 8.
00:16
During this lesson,
00:18
we will be covering the clauses remaining in the 27001 standard,
00:23
and we will also be taking a look at each of these clauses and their requirements.
00:33
Clause nine. Performance evaluation.
00:37
9.1.
00:39
Monitoring, measurement, analysis and evaluation.
00:47
This is a two-fold clause.
00:49
The standard requires monitoring and measurement of key information security controls and processes.
00:55
So
00:56
for each of these key areas, specific metrics and monitoring processes need to be defined.
01:03
Some existing ones that you may already have in place
01:07
can include vulnerability management,
01:10
and analysis and monitoring of the remediation.
01:15
In addition,
01:15
the performance of the ISMS itself must be monitored.
01:19
This can include monitoring compliance with the ISO 27001 standard,
01:26
preventive actions in response to specific events or trends being detected,
01:32
to what extent the information security policy
01:34
and objectives are being achieved,
01:38
and so forth.
01:40
Monitoring is a critical element in an ISMS,
01:44
as it is only through monitoring that one can see where the performance is declining or improving.
01:49
As an ISMS drives a continual improvement mindset, monitoring and measuring is a key component to accurately assess whether or not improvement is being achieved.
02:02
9.2
02:04
Internal audits.
02:07
An internal audit is a requirement within the ISO 27001 standard,
02:13
especially if the organization is working towards becoming ISO 27001 certified.
02:20
An internal audit specific towards covering the processes of the ISMS
02:24
to assess compliance to the requirements stipulated within the ISO 27001 standard.
02:32
The internal audit will also look at the controls stipulated within the organization's Statement of Applicability.
02:39
The auditors performing the internal audit must be independent and have no conflict of interest.
02:47
Internal audits do not necessarily have to be performed by external companies.
02:53
Internal personnel who are completely independent from the process of implementing and maintaining the ISMS
03:00
and who are appropriately skilled and qualified can perform the internal audit.
03:07
There are also reciprocal agreements that could be entered into with external parties who are also implementing or maintaining an ISMS
03:15
who themselves need an internal audit.
03:19
These two companies can perform the independent audits for one another.
03:25
9.3
03:27
Management review
03:30
The management review here is not just the reviews that management would perform as part of their daily tasks of ensuring processes and controls are done as required.
03:40
A management review is required specifically for the ISMS
03:45
to ensure that the ISMS is still suitable,
03:49
adequate and effective for the needs of the organization in supporting information security.
03:55
This review must be performed at planned intervals
04:00
and must have involvement from across the organization as well as top management.
04:05
The status of actions identified in previous reviews should be revisited in each review to ensure that they are either properly closed out
04:14
or reprioritized for completion.
04:16
Any shortcomings of the ISMS must be noted, and appropriate improvement action items noted and assigned to personnel.
04:26
All items discussed and actions agreed upon during the reviews must be retained as documented information.
04:38
Clause 10.
04:39
Continual improvement.
04:42
This is the last clause in the ISO 27001 standard.
04:46
It is all about continual improvement.
04:50
What can we do better and make better?
04:55
The first sub-clause, 10.1,
04:58
Nonconformity and corrective action.
05:01
This is another important aspect of an ISMS.
05:06
Again, an ISMS drives continual improvement.
05:11
To continually improve, you have to recognize when there are deviations or breakdowns in the way things should be operating.
05:18
Identifying the root cause for these would assist
05:23
in driving an improvement.
05:25
This would prevent the same breakdowns from occurring again in future.
05:30
Nonconformities must be identified
05:32
and they should trigger corrective actions.
05:35
Nonconformities and corrective actions
05:39
should be appropriately logged and retained for auditability and tracking purposes.
05:45
Once corrective actions have been completed and implemented,
05:48
the effectiveness of these must be assessed and noted.
05:54
The second sub-clause is 10.2,
05:57
Continual improvement.
06:00
As we've mentioned, continual improvement is a key aspect of the ISMS,
06:04
especially in the effort to achieve and maintain the suitability, adequacy and effectiveness of the ISMS in line with the organization's strategic direction and objectives.
06:24
To summarize,
06:25
in this video
06:27
we wrapped up
06:28
the clauses that are contained in the ISO 27001 standard.
06:32
During part three of lesson 1.2 we specifically covered clause nine and clause ten.
ISO 27001:2013 - Information Security Management Systems

The ISO 27001:2013 - Information Security Management Systems course provides students with insight into the detail of, and a practical understanding of what is meant by, the various clauses in the ISO 27001 Standard.