What is ISO 27001

Time: 7 hours 56 minutes
Difficulty: Intermediate
CEU/CPE: 8
Video Transcription
00:01
Hello and welcome to the ISO 27001 course.
00:10
This is the introductory video for this course, and there are a couple of things that we're going to cover just so that you feel comfortable and know that this is the right place for you to be.
00:19
A couple of prerequisites that you need for this course include a basic understanding of information security terms and concepts.
00:29
This is probably one of the most important things to have, as we won't be stopping in this course to discuss basic information security terms and concepts such as the CIA triad.
00:44
So it's important to understand things like that so that you are comfortable during this course,
00:53
have an understanding of basic risk management terms and concepts,
00:58
have a basic understanding of your environment and the assets that would be in scope for 27001. This is specific to people attending this course to get an understanding of how to practically implement an ISMS in their organization, as well as to become certified against 27001.
01:21
Another thing to have is an inquisitive mindset, and know that the road to certification is a process that can be challenging, but overall it's very rewarding.
01:33
Also, a basic understanding of cyber security governance concepts, and know why you are attending this course.
01:44
So if you're looking to implement an ISMS in your own organization, get your existing ISMS certified against ISO 27001, or if you yourself are looking to become an ISO 27001 lead implementer or an ISO auditor.
02:05
There are a couple of overall learning objectives that we would like this course to leave with you when you're done.
02:12
And these include having a detailed understanding of the ISMS clauses and what they entail.
02:17
So ISO, as a standard, is prescriptive in what it wants, but it's vague in doing so.
02:24
The standard will tell you what it would like, vaguely, and leave it up to you to interpret what this actually means in practice and how to go about doing it. And that's where a lot of people can become unstuck and lose their way.
02:47
We would like to leave you with an ability to demonstrate knowledge of an information security risk management process. This is one of the most important concepts and processes in your ISMS,
03:00
having the ability to demonstrate knowledge of the required documentation to support an ISMS. And ISO, if you don't know, is extremely documentation intensive.
03:10
So we just want to help clarify what type of documentation is required and what would really be useful if you're going through a certification audit.
03:23
We would also like to cover how to monitor, measure and evaluate the performance of an ISMS through various processes. We'll touch on this briefly; there is a full standard dedicated to the monitoring and measurement of an ISMS, so it's quite a chunk of information on its own,
03:40
an ability to demonstrate knowledge of nonconformities and the continual improvement cycle, and also a better understanding of governance in the cybersecurity landscape.
03:58
My name is Judy Win.
04:00
I'm an information security specialist, and I will be your instructor for this course.
04:04
I am a certified ISO 27001 lead implementer, and I also hold assist certification.
04:12
In my spare time I really enjoy riding horses and playing computer games, and my main focus area in horse riding is show jumping. A lot of show jumping, as you can see from the picture included here.
04:30
So how do you know if this course is right for you?
04:32
Well, this course will provide value to anyone in the information security sphere, or even if you are just in an organization wanting to understand a bit more about how better to manage information security, then you're in the right place.
04:46
Specifically, this course is intended for information security consultants, managers or analysts; compliance managers and personnel; information security risk managers and analysts; senior managers or executives wanting to understand the 27001 standard; IT governance personnel; or IT managers and operational staff.
05:15
This course is broken down into 11 modules.
05:20
We will cover both the clauses of the standard as well as give you some practical input and insight into what it actually means to go through the process of implementing an ISMS and getting it certified against the standard. All of this information will also help you if you yourself are looking to become certified as an ISO implementer or auditor.
05:49
Go and have a look at the additional course resources under the resources tab. There's some interesting stuff included there, but primarily for this course you will obviously need the ISO 27001 standard if you're looking to implement an ISMS within your own organization,
06:10
and another cool tool that we want to share with you during this course is something called SimpleRisk. This is a web-based open source tool, so you can grab the files and the installer from their website, deploy it on your company's own web server and keep it on your intranet. There is certain limited functionality with the free version, but the core functionality of what you need to do, what you need to manage your risks, is there, and we'll demo this a bit later on in the course.
06:50
Just to summarize this introduction video: we have gone over what you need for the course as a prerequisite understanding, which is your basic information security knowledge of terms, concepts and principles.
07:08
We've also listed the learning objectives and what you will get out of this course at the end of the day,
07:14
we covered a little bit about me, your instructor.
07:17
We also covered the target audience, just to check if you're in the right place and if this course is right for you.
07:25
We had a look at the syllabus and what we'll be covering in this course, as well as the supplementary course materials.
07:31
Let's jump straight into module one, which contains an overview of what your ISMS is made up of.
07:39
We're also going to have a look at some of the history behind where ISO 27001 came from, and factors that can drive ISO 27001 compliance.
07:49
We're also going to have a look at something that is called the Plan-Do-Check-Act cycle.
07:56
But we'll get into all of that in the lessons contained in this module.
08:03
Our first lesson, 1.1: let's have a look at the history of ISO 27001, the 2013 version.
08:13
The objectives for this lesson include covering the history of ISO 27001, understanding where it originated from and where the standard is today.
08:24
We'll also have a look at some of the factors that can drive ISO 27001 compliance, specifically for an organization.
08:33
In other words, why would an organization want to become ISO 27001 compliant?
08:45
So I've put together a brief timeline just to show you how much the standard has gone through and how early on it originated.
08:56
So ISO 27001 started off in the year 1995, where it was known as BS 7799.
09:07
The standard was published by the BSI Group,
09:11
and it was originally written by the UK government's Department of Trade and Industry.
09:16
Later on, in 1999, BS 7799 Part 2 came out. This was known as "Information Security Management Systems: Specification with guidance for use".
09:30
Now, the first part of the standard, which was the original component published in 1995, is what is known today as ISO 27002.
09:39
ISO 27002 is also known as Annex A of the 27001 standard.
09:46
It is essentially the ISO recommended controls framework to implement along with your ISMS.
09:54
Your ISMS is essentially your management system, while your controls framework is the controls that you implement for the processes and procedures in your day-to-day operations, depending on the risk profile of your organization. But we'll get into all of that later on in this course.
10:13
The second part of the standard, BS 7799 Part 2, is what is known today as ISO 27001.
10:24
The standard was adopted by ISO in the year 2000, and its name was changed to ISO 17799.
10:37
Today, the most well-known version of the standard is ISO 27001:2013.
10:46
That was quite a big change from the ISO 27001:2005 version.
10:54
Currently, there is a European revision of the standard, which is the 2017 version.
11:05
But there is no difference between this version and the 2013 version. The changes that were made to the 27001:2017 version include changes to the formatting of bullet points in clause 6.1.3, to make it more obvious what was required from that clause, and some small wording changes to the control objective in Annex A were made as well. This was specifically control A.8.1.1, which relates to the inventory of assets.
11:43
So fundamentally, there's no difference between the two, and this course is built upon ISO 27001 version 2013.
11:58
So why do organizations need an ISMS? What is driving organizations to want to implement an ISMS or, begrudgingly, go about becoming compliant to the standard?
12:11
So the first factor is there could be a legal or regulatory compliance need. This is quite prevalent in organizations
12:20
that are in the financial sector, government sector, healthcare sector and so forth.
12:26
There's obviously always a lot more legal and regulatory compliance pressure in these industries,
12:33
and third parties will often look to companies in these industries and ask what they are doing to be secure. What assurance can they provide their third parties that they are secure? Are they aligning to a well-known and globally recognized, industry-leading standard around managing information security and risks? Probably.
12:56
So this is one of the questions that ISO 27001, and specifically being certified against the standard, can answer.
13:05
It provides some level of assurance to external stakeholders and
13:09
regulatory compliance bodies that specific standards are being met within the organization.
13:18
Another factor that could drive wanting to implement an ISMS and become compliant to the standard is risks to business objectives, in the way the world is evolving.
13:31
Most of our risks have moved into the cyber and digital space, which has given rise to information security risk management, as opposed to just enterprise risk management or even IT risk management.
13:45
Information security risk management is a whole lot more intricate and detailed in terms of the factors it considers with regards to your various risks. So obviously, organizations that want to manage these risks to their objectives would look to something that has an underpinning information security risk management principle.
14:05
Another factor could be the needs and expectations of your own internal parties. So people within your organization would want to know: what are you doing to protect the company's trade secrets? Is this company going to be around? Is a cyberattack going to end us tomorrow? Is my personal information safe?
14:28
All of those kinds of questions can play a role in driving a company to become compliant and certified. This isn't one of the primary drivers that I've seen for organizations wanting to go down this road, but it is a consideration that a lot of them make.
14:46
The last factor that we're going to cover is the needs and expectations of external parties.
14:52
This is one of the biggest areas, almost at the same level as legal and regulatory compliance needs. If your external party isn't a legal or regulatory driver, then it's generally a third party or a supplier, someone that you really want to do business with, that wants to know that you, as an organization, have a globally accepted level of information security management within your organization.
15:24
A lot of the time, clients will only buy products from organizations that have specific measures in place and where they are properly managing information security risks. Going down this route and having an independently verified certification stating that you properly manage your information security risks is a big winning point for a lot of organizations, and it's an easy sell to these external parties. You can give them the report, you can give them the certificate, and they'll be a lot happier with something that's independently verified against a global standard.
16:14
So in this video, we had a quick look at the timeline of BS 7799 and how it has become known as ISO 27001:2013 today.
16:27
We also covered the four main factors that drive organizations to become ISO 27001 compliant and certified.
16:36
But obviously there are many more factors why an organization could want to go down this route besides those four groupings.
ISO 27001:2013 - Information Security Management Systems

The ISO 27001:2013 - Information Security Management Systems course provides students with insights into the detail and practical understandings meant by the various clauses in the ISO 27001 Standard.