Hello and welcome to the ISO 27001 course.
This is the introductory video for this course, and there are a couple of things we're going to cover just so that you feel comfortable and know that this is the right place for you to be.

A couple of prerequisites you need for this course include a basic understanding of information security terms and concepts. This is probably one of the most important things to have, as we won't be stopping in this course to discuss basic information security terms and concepts such as the CIA triad. So it's important to understand things like that so that you are comfortable during this course.

Have an understanding of basic risk management terms and concepts. Have a basic understanding of your environment and the assets that would be in scope for ISO 27001. This is specific to people attending this course to get an understanding of how to practically implement an ISMS in their organization, as well as to become certified against ISO 27001.

Another thing to have is an inquisitive mindset, and know that the road to certification is a process that can be challenging, but overall it's very rewarding.

Also, a basic understanding of cyber security governance concepts, and know why you are attending this course: whether you're looking to implement an ISMS in your own organization, get your existing ISMS certified against ISO 27001, or you yourself are looking to become an ISO 27001 Lead Implementer or an ISO auditor.
There are a couple of overall learning objectives that we would like this course to leave you with when you're done. These include having a detailed understanding of the ISMS clauses and what they entail. ISO, as a standard, is prescriptive in what it wants, but it's vague in doing so. The standard will tell you vaguely what it would like and leave it up to you to interpret what this actually means in practice and how to go about doing it, and that's where a lot of people can become unstuck and lose their way.

We would like to leave you with an ability to demonstrate knowledge of an information security risk management process. This is one of the most important concepts and processes in your ISMS.

Having the ability to demonstrate knowledge of the required documentation to support an ISMS. ISO, if you don't know, is extremely documentation intensive, so we just want to help clarify what type of documentation is required and what would really be useful if you're going through a certification audit.

We would also like to cover how to monitor, measure and evaluate the performance of an ISMS through various processes. We'll touch on this briefly; there is a full standard dedicated to the monitoring and measurement of an ISMS, so it's quite a chunk of information on its own.

An ability to demonstrate knowledge of nonconformities and the continual improvement cycle, and also a better understanding of governance in the cybersecurity landscape.
My name is Judy Win. I'm an information security specialist, and I will be your instructor for this course. I am a certified ISO 27001 Lead Implementer and I also hold an additional security certification. In my spare time I really enjoy riding horses and playing computer games, and my main focus area in horse riding is showjumping. A lot of showjumping, as you can see from the picture included here.
So how do you know if this course is right for you? This course will provide value to anyone in the information security sphere, or even if you are just in an organization wanting to understand a bit more about how to better manage information security, then you're in the right place.

Specifically, this course is intended for information security consultants, managers or analysts; compliance managers and personnel; information security risk managers and analysts; senior managers or executives wanting to understand the ISO 27001 standard; IT governance personnel; or IT managers and operational staff.
This course is broken down into modules and lessons. We will cover both the clauses of the standard as well as give you some input and insight into what it actually means to go through the process of implementing an ISMS and getting it certified against the standard. All of this information will also help you if you yourself are looking to become certified as an ISO implementer or an auditor.

Go and have a look at the additional course resources under the resources tab. There's some interesting stuff included there, but primarily for this course you will obviously need the ISO 27001 standard if you're looking to implement an ISMS within your own organization. Another cool tool that we want to share with you during this course is something called SimpleRisk. It's an open source tool, so you can grab the files and the installer from their website, deploy it on your company's own web server and keep it on your intranet. There is certain limited functionality with the free version, but the core functionality of what you need to manage your risks is there, and we'll demo this a bit later on in the course.
Just to summarize this introduction video: we have gone over what you need for the course as prerequisite understanding, which is your basic information security knowledge of terms, concepts and principles. We've also looked at the learning objectives and what you will get out of this course at the end of the day. We covered a little bit about me, your instructor. We also covered the target audience, just to check if you're in the right place and if this course is right for you. We had a look at the syllabus and what we'll be covering in this course, as well as the supplementary course materials.

Let's jump straight into module one, which contains an overview of what your ISMS is made up of. We're also going to have a look at some of the history behind where ISO 27001 came from and the factors that can drive ISO 27001 compliance. We're also going to have a look at something that is called the Plan-Do-Check-Act cycle. But we'll get into all of that in the lessons contained in this module.
Our first lesson, 1.1: let's have a look at the history of ISO 27001. The objectives for this lesson include covering the history of ISO 27001, understanding where it originated from and where the standard is today. We'll also have a look at some of the factors that can drive ISO 27001 compliance, specifically for an organization. In other words, why would an organization want to become ISO 27001 compliant?

So I've put together a brief timeline just to show you what the standard has gone through and how early on it originated. ISO 27001 started off in the year 1995, where it was known as BS 7799. The standard was published by the BSI Group, and it was originally written by the UK government's Department of Trade and Industry. Then BS 7799 Part 2 came out. This was known as "Information Security Management Systems: Specification with Guidance for Use".

Now, the first part of the standard, which was the original component published in 1995, is what is known today as ISO 27002. ISO 27002 is also known as Annex A of the 27001 standard. It is essentially the ISO-recommended controls framework to implement along with your ISMS. Your ISMS is essentially your management system, while your controls framework is the controls that you implement for the processes and procedures in your day-to-day operations, depending on the risk profile of your organization. But we'll get into all of that later on in this course.

The second part of the standard, BS 7799 Part 2, is what is known today as ISO 27001. The standard was adopted, and its name was changed to ISO 17799. The current well-known version of the standard is ISO 27001:2013. That was quite a big change from the ISO 27001:2005 version. Currently, there is a European revision of the standard, which is the 2017 version, but there is no difference between this version and the 2013 version. The changes that were made to the ISO 27001:2017 version include changes to the formatting of bullet points in clause 6.1.3, to make it more obvious what was required from that clause, and some small wording changes to the control objective in Annex A were made as well. This was specifically control A.8.1.1, which relates to the inventory of assets. So fundamentally there's no difference between the two, and this course is built upon ISO 27001.
So why do organizations need an ISMS? What is driving organizations to want to implement an ISMS, or even, begrudgingly, go as far as becoming compliant with the standard?

The first factor is that there could be a legal or regulatory compliance need. This is quite prevalent in organizations in the financial sector, government sector, healthcare sector and so forth. There's obviously always a lot more legal and regulatory compliance pressure in these industries, and third parties will often look to companies in these industries and ask what they are doing to be secure. What assurance can they provide their third parties that they are secure? Are they aligning to a well-known, globally recognized, industry-leading standard around managing information security and risks? So this is one of the questions that ISO 27001, and specifically being certified against the standard, can answer. It provides some level of assurance to external stakeholders and regulatory compliance bodies that specific standards are being met within the organization.

Another factor that could drive wanting to implement an ISMS and become compliant with the standard is risks to business objectives. In the way the world is evolving, most of our risks have moved into the cyber and digital space, which has given rise to information security risk management as opposed to just enterprise risk management or even IT risk management. Information security risk management is a whole lot more intricate and detailed in terms of the factors it considers with regard to your various risks. So obviously, organizations that want to manage these risks to their objectives would look to something that has an underpinning information security risk management principle.

Another factor could be the needs and expectations of your own internal parties. People within your organization would want to know: what are you doing to protect the company's trade secrets? Is this company going to be around? Is a cyberattack going to end us tomorrow? Is my personal information safe? All of those kinds of questions can play a role in driving a company to become compliant and certified. This isn't one of the primary drivers that I've seen for organizations wanting to go down this road, but it is a consideration that a lot of them make.

The last factor that we're going to cover is the needs and expectations of external parties. This is at almost the same level as legal and regulatory compliance needs. If your external party isn't a legal or regulatory body, then it's generally a third party or a supplier, someone that you really want to do business with, that wants to know that you, as an organization, have a globally accepted level of information security management within your organization. A lot of the time, clients will only buy products from organizations that have specific measures in place and where they are properly managing information security risks. Going down this route and having an independently verified certification stating that you properly manage your information security risks is a big winning point for a lot of organizations, and it's an easy sell to these external parties. You can give them the report, you can give them the certificate, and they'll be a lot happier with something that's independently verified against a global standard.

So in this video, we had a quick look at the timeline of BS 7799 and how it has become known as ISO 27001:2013 today. We also covered the four main factors that drive organizations to become ISO 27001 compliant and certified, but obviously there are many more factors why an organization could want to go down this road besides those four groupings.