Lesson 1.2, Part Three.
What is included in ISO 27001
In the previous lesson
we covered clauses 6 to 8.
In this lesson we will be covering the remaining clauses in the ISO 27001 standard,
and we will also be taking a look at each of these clauses and some of their requirements.
Clause nine: Performance evaluation.
Monitoring, measurement, analysis and evaluation.
This is a twofold clause.
The standard requires monitoring and measurement of key information security controls and processes.
For each of these key areas, specific metrics and monitoring processes need to be defined.
Some existing ones that you may already have in place
can include vulnerability management,
and analysis and monitoring of the remediation.
The performance of the ISMS itself must be monitored.
This can include monitoring compliance with the ISO 27001 standard,
preventive actions in response to specific events or trends being detected,
and to what extent the information security policy
and objectives are being achieved.
Monitoring is a critical element in an ISMS,
as it is only through monitoring that one can see where the performance is declining or improving.
As an ISMS drives a continual improvement mindset, monitoring and measuring is a key component to accurately assess whether or not improvement is being achieved.
An internal audit is a requirement within the ISO 27001 standard,
especially if the organization is working towards becoming ISO 27001 certified.
An internal audit specifically covers the processes of the ISMS
to assess compliance with the requirements stipulated within the ISO 27001 standard.
The internal audit will also look at the controls stipulated within the organization's Statement of Applicability.
The auditors performing the internal audit must be independent and have no conflict of interest.
Internal audits do not necessarily have to be performed by external companies.
Internal personnel who are completely independent from the process of implementing and maintaining the ISMS,
and who are appropriately skilled and qualified, can perform the internal audit.
There are also reciprocal agreements that could be entered into with external parties who are also implementing or maintaining an ISMS
and who themselves need an internal audit.
These two companies can perform the independent audits for one another.
The management review here is not just the reviews that management would perform as part of their daily tasks of ensuring processes and controls are done as required.
A management review is required specifically for the ISMS
to ensure that the ISMS is still suitable,
adequate and effective for the needs of the organization in supporting information security.
This review must be performed at planned intervals
and must have involvement from across the organization as well as top management.
The status of actions identified in previous reviews should be revisited in each review to ensure that they are either properly closed out
or reprioritized for completion.
Any shortcomings of the ISMS must be noted, and appropriate improvement action items noted and assigned to personnel.
All items discussed and actions agreed upon during the reviews must be retained as documented information.
Clause ten. This is the last clause in the ISO 27001 standard.
It is all about continual improvement.
What can we do better, and what can we make better?
The first sub-clause, 10.1,
is nonconformity and corrective action.
This is another important aspect of an ISMS.
Again, an ISMS drives continual improvement.
To continually improve, you have to recognize when there are deviations or breakdowns in the way things should be operating.
Identifying the root cause for these would assist
in driving an improvement.
This would prevent the same breakdowns from occurring again in future.
Nonconformities must be identified,
and they should trigger corrective actions.
Nonconformities and corrective actions
should be appropriately logged and retained for auditability and tracking purposes.
Once corrective actions have been completed and implemented,
the effectiveness of these must be assessed and noted.
The second sub-clause is 10.2, continual improvement.
As we've mentioned, continual improvement is a key aspect of the ISMS,
especially in the effort to achieve and maintain the suitability, adequacy and effectiveness of the ISMS in line with the organization's strategic direction and objectives.
Those are the clauses that are contained in the ISO 27001 standard.
During Part Three of Lesson 1.2 we specifically covered clause nine and clause ten.