Professional Documents
Culture Documents
27001.story
{bmp_6O6uMB6r07J} Welcome to the ISO 27001 Management System Standard online course.
In this module we will explore the ISO standard for an Information Security Management System (ISMS).
{bmp_689Q2ISPUc4}
Essential guide
to ISO 27001.
{bmp_6MkvNOdBDru.Name} Welcome
{bmp_6MkvNOdBDru.Note} Welcome to this online course, an essential guide to ISO twenty-seven-thousand-and-one, Management System
Standard. In this module, we will explore the ISO standard for an Information Security Management System.
{bmp_68aZ5fsN3AS}
How to use the course
{bmp_5ocl3baLpHV} To help you navigate within the course, the tools shown here are designed for ease of use, without the need for added instructions. Roll
over each button now to familiarize yourself with each icon and what it does.
Now that you have an idea of what they do, you’ll see them throughout the course on the tool bar in the lower right part of the screen. For
simplicity they will only appear if they are relevant to the current screen.
This course is designed to be completed in a prescribed sequence. To ensure that you progress through the course as intended, you will
see that you can only step forward screen by screen without being able to jump ahead to other sections, or skip screens. However, you can
always select ‘Back’ to revisit a screen, or select previously visited screens from the menu.
The course has not been designed for you to complete in one sitting, therefore if you log out, you will be returned to the same spot where
you left off before your break.
If you have any questions about the content of the course, or about what you are asked to do in the exercises and activities, please contact
your designated tutor, who will provide further guidance.
{bmp_6pRbfNdwoC9.Note} To help you navigate within the course, the tools shown here are designed for ease of use, without the need for
added instructions. Roll over each button now to familiarize yourself with these tools. As you move through this
module, you’ll find Case Studies and ‘real-life’ Scenarios, as well as interactive Exercises and Quizzes to check your
{bmp_6GC72uVCAG7} Replay
{bmp_6FhgwVLyu5n} Voiceover
{bmp_64jf2waZU94} Interaction
{bmp_61pAeQm3N8r} Before we begin, it is important that you understand the requirements of this course.
Before you start, it is important for you to understand the requirements of this course. ISO 27001 is a management system
standard that describes a model of best practice already adopted by many organizations, whether or not they have
achieved formal certification. This course is highly interactive, and intended
to guide you through the learning objectives, and relate these to
your own organization.
In order to successfully complete this eLearning module you MUST view all course content, undertake any quizzes and pass
the final assessment, which has a pass grade of 80%. But don’t panic: you do have the option to retake it if you don’t quite make
the grade the first time.
{bmp_6Mb5adn0vcS}
Course requirements
{bmp_5v2BAAn2TXP.Name} Course requirements
{bmp_5v2BAAn2TXP.Note} Before we begin, it is important for you to understand the requirements of this course. This course is highly
interactive, and intended to guide you through the learning objectives, and relate these to your own organization.
There is no specific time set for how long it should take you to go through the course - this will vary from one person
to the next. You can go at your own pace, and you don’t have to do it all in one sitting. To successfully complete this
course, you must view all content, undertake the quizzes and exercises, and pass the final assessment with a grade
of eighty percent. But don’t worry, you have the option to re-take the assessment if you don’t quite make the grade
the first time.
{bmp_6j6ORcEnWOz}
Aims and goals
{bmp_5kqjf7U2Hqx} Explain how the ISO 27001 and ISO 27002 approach strengthens defenses against the loss and theft of information
{bmp_6SRWSk2HPi8} Describe the key terminology used in ISO 27001 and ISO 27002
{bmp_6pTZfEGCMSc} Describe the core requirements of the standard and the links to the controls in Annex A of ISO 27001.
{bmp_5hC1MIdubrY} At the end of this module, you will be given a test of your understanding, with an 80% pass requirement. You will have an
opportunity to re-visit this module and re-take the test if needed.
{bmp_6FHjbSxKkKf.Note} By the end of this module, you should be able to explain how the framework aims to strengthen defenses against the
loss and theft of information, be familiar with the terminology used in ISO 27001, and be able to identify the core
requirements of the standard.
End of module.
{bmp_5wEICkqNQZB}
{bmp_5aHAiosusL9} This section summarizes what you have explored in this guide. You will also be given a short quiz to test your knowledge and
understanding of what you have learned.
{bmp_5XoYYLguuCH.Name} End of module
{bmp_5XoYYLguuCH.Note} In this final section, we’ll summarize what you’ve explored in this course, and you will be given a short quiz to test
your knowledge.
{bmp_6mzDRrYSDxt} Congratulations, you’ve reached the end of this Essential guide to ISO 27001 Management System Standard.
This Quiz has been created to test your knowledge and understanding of what you’ve learned in this module. Answer 80% of the
questions correctly to complete this course successfully. But don’t worry if you don’t get it quite right the first time; you can re-visit
the sections within the course and re-take the quiz if you need to.
{bmp_5v4sjoFXoPp}
End of module summary
{bmp_5h8u8asFJmc} Start Quiz
{bmp_6bpWbIM4wTO.Note} Congratulations! You’ve now completed this online module, ISO 27001 Management System Standard. To help you
test your knowledge and understanding of the material, we have created a short Quiz for you. The pass rate is
eighty percent. But don’t worry if you don’t get it right the first time; you can always re-visit the sections and re-take
the Quiz if you need to. When you’re ready, select the Start Quiz button to begin.
{bmp_5XdPL6xDcfi} To test your knowledge of what you’ve learned in this course there now follows a short knowledge check. Feel free to go back and review
what you have learned before continuing.
{bmp_5ZmwypENhz8}
End of module
knowledge check.
{bmp_6l9aOp4ilWy.Name} End of module knowledge check
{bmp_6CVeA8Z53Ow}
Question 1
{bmp_6p9LQU1awCr} Identify risks relating to the security of information
{bmp_5opE8BW9Han.Name} Question 1
{bmp_5n6vKQcPROO} ISO 27001 is an information security standard and therefore relates to identifying the
risks around the security of information.
{bmp_6QOeqS5m3MI} Incorrect
{bmp_5w5rAJHxeTo} You did not select the correct response.
{bmp_6COPsRrxHuX} Correct
{bmp_6CcMjCxzm5M}
Question 2
{bmp_5ds7nSeZHpf} ISO 27003
{bmp_5zuNA8TI3oi} ISO 27001 includes controls within Annex A. Which standard also includes the controls?
{bmp_5stEzhr5WMz.Name} Question 2
{bmp_65HBKJfmDg4} ISO 27002 is a supplementary standard that focuses on the information security
controls that organizations might choose to implement. These controls are listed in
Annex A of ISO 27001, which is what you'll often see information security experts refer
to when discussing information security controls.
{bmp_6cJFYPjiweg} Incorrect
{bmp_6i5MBpgj3kS} Correct
{bmp_6rnvujsGOID}
Question 3
{bmp_69QgBGryQBa} Size of assets
{bmp_6V868O1YP1B.Name} Question 3
{bmp_6UVv0u7gKQ5} Incorrect
{bmp_5dtHDeXV3sN} Correct
{bmp_6MzOfvEy5nF}
Question 4
{bmp_5tzOmxJ0LzW} An option
{bmp_6lP5EbPAZLX} A requirement
{bmp_6ZX1ia8YWhb.Name} Question 4
{bmp_5y7OfNfjj44} An ISO 27001 risk assessment helps organizations identify, analyze and evaluate
weaknesses in their information security processes. It's a requirement of ISO 27001
compliance, informing organizations' decisions regarding the risks that must be
addressed and how they should be tackled.
{bmp_6GJDVaYzCxP} Incorrect
{bmp_6oJniwYemVh} Correct
{bmp_5YH7tAos7VR}
Question 5
{bmp_5oQ5WofdwbH} Accept risks
{bmp_6jkHGl7GFyZ.Name} Question 5
{bmp_5oy76uw0smq} ISO 27001 risk treatment plans offer the opportunity to remove, mitigate (control), transfer or accept risks.
{bmp_6CIEhq5w8fc} Incorrect
{bmp_6Z6RvghOAZQ} Correct
{bmp_6TgtZyZw1Ta}
Question 6
{bmp_5ySGqgf9JSG} Information Security Officers
{bmp_5ejd8piwxYS.Name} Question 6
{bmp_5qaQEJx4FNW} You do not necessarily need specific training or qualifications to carry out a risk
assessment. As an employer, however, you must appoint someone competent to help
you meet your information security duties. A competent person is someone with the
necessary skills, knowledge and experience to manage information security.
{bmp_6AZiKEjg3Py} Incorrect
{bmp_6OeY7hXo2w9} Correct
{bmp_6Zf64gzPAdS}
Question 7
{bmp_6rNnAdSGEEz} Internal and external interested parties
{bmp_6ljObY5CMxS.Name} Question 7
{bmp_6odlUrei1TZ} The organization must identify internal and external factors that influence its
objectives. An organization's internal context includes its internal stakeholders, its
approach to governance, its contractual relationships, and its capabilities, culture, and
standards.
{bmp_5pAifLhVVCI} Incorrect
{bmp_6V6rvO86ZoU} Correct
{bmp_6hEjIhfBaos}
Question 8
{bmp_67MxqhCCj79} Competence, Awareness, Annex A controls, Leadership
{bmp_5zBRFdKH0qS} Awareness, Competence, Resources, Communication
{bmp_6n3UrnOgVVg} Section 7 of ISO 27001 relates to support processes. Which of the following are included within
section 7?
{bmp_5w52oLSliPe.Name} Question 8
{bmp_64wqPkxz2OY} Clause 7 is about support for the Information Security Management System. This
includes resources, competence, awareness, communication and documented information.
{bmp_5a1tzJFRGTe} Incorrect
{bmp_6BzeWaTR2lK} Correct
{bmp_6JXKRj9HW97}
Question 9
{bmp_6lkWMASZKFC} Maintained and filed
{bmp_6E6wB1MbOvk} Maintained and retained
{bmp_5f7FaQwaWfU} Documented information is a requirement of ISO 27001. What are the two specific things ISO 27001 requires the
organization to do with its documented information?
{bmp_5cUH5QV3ya7.Name} Question 9
{bmp_5z9UKiKglwk} Incorrect
{bmp_5dUazGE6URc} Correct
{bmp_5j0GdaRPp8T}
Question 10
{bmp_6f54AaGUxlj} Civil Information Authority
{bmp_6nA0RGA1A5Z} One of the key elements of an effective ISMS is summed up by the phrase ‘CIA’. What does CIA stand for in the
context of an ISMS?
{bmp_5dSs0LCib1Z.Name} Question 10
{bmp_6Kdt7NSd6tM} In this context, confidentiality is a set of rules that limits access to information, integrity
is the assurance that the information is trustworthy and accurate, and availability is a
guarantee of reliable access to the information by authorized people.
{bmp_6aqO0zDXHEI} Incorrect
{bmp_5rn3byRuCow} Correct
{bmp_63aBg7qdpCR} Review
{bmp_6ScLh3X6C1l} Get the most from your online learning experience. Review your quiz results now,
revisit this section and retake the quiz to improve on your score and reinforce your
learning.
{bmp_5zCM7S6EMO6.Name} Overview
{bmp_6R8ZTAP6nNt}
Overview.
{bmp_69jc6or3JyK} In this section, we will explore the purpose of
ISO 27001, the background of the standard, and the key elements of information security.
{bmp_5n2Y9Jl6ayd.Name} Introduction
{bmp_5n2Y9Jl6ayd.Note} In this section, you’ll find out about the purpose of ISO 27001, its background, and the key elements of information
security.
{bmp_6aZefqQElR4} There are many standards in the ISO 27000 series. The main standards are:
ISO 27001, which specifies the requirements for an information security management system (ISMS), and
ISO 27002, which is a guide to help organizations interpret
the controls stipulated within Annex A of ISO 27001.
{bmp_69LRdwP9Eye}
Background of the standards
{bmp_5mN9gqDH17K.Name} Background of the standards
{bmp_5mN9gqDH17K.Note} There are many standards in the ISO 27000 series, with the main standards being: ISO 27001, which specifies the
requirements for an information security management system (ISMS), and ISO 27002, which is a set of controls and
guidance to support the defense against loss or theft of information.
Information can be electronic data, written on paper, spoken, an image, video, etc.
Information is one of an organization’s most valuable assets. The objectives of information security are to protect the
confidentiality, integrity and availability of information, known as C.I.A.
{bmp_5bk3VBBwmnm}
What is information?
{bmp_6HZ9GmIdAjN.Name} What is information?
{bmp_6M3sZMkP0Gf} Roll over and click on each of the sections that make up the Information Security Triangle
{bmp_5V33BUrh5dv} Availability
{bmp_5YXwFE1gmdM} Ensuring that information will be available to the organization and its users who are authorized to have access to it, when and
where they need to use and process it.
{bmp_61sSdNtDY13} Integrity
{bmp_5gTrUGnfIU6} Ensuring the accuracy and completeness of information in storage, being processed or communicated, so that it can only be changed
by those authorized by the organization or its owners to change it.
Integrity controls need to be included at the procedural level to reduce the risks of human error, theft or fraud, e.g. controls for
input/output data validation, user training and other operational type controls.
{bmp_5vL5PGpcysL} Confidentiality
{bmp_63WsPL3sJHR} Information should be protected to ensure it is only available to those that are authorized by the organization or its owners to have access
to and use of information. Many forms of access control are about protecting confidentiality.
{bmp_5cACPBvuEjV} The C.I.A. elements of information security help to ensure that an organization can protect itself against information being:
{bmp_6cdcPbvZEw9}
C.I.A. - Protection
{bmp_5oUMsmeL7HW.Name} C.I.A. - Protection
{bmp_5oUMsmeL7HW.Note} The C.I.A. elements of information security help to ensure that an organization can protect itself against information
being leaked, modified, lost, or unavailable.
{bmp_6ckPG7R7Si0} Select each heading to reveal its definition
{bmp_6bWfGpyDMZS} Leaked
{bmp_6ASaeP8gkFu} sensitive or confidential information being given away, leaked or disclosed, either accidentally
or in an unauthorized way;
{bmp_5pvRqaJ7emL} Modified
{bmp_5zioJhlR5cF} critical information being accidentally or intentionally modified without the organization’s knowledge;
{bmp_6ba1gHNazK8} Lost
{bmp_6eaHyQjo2xp} any important business information being lost without trace or hope of recovery;
{bmp_6CDdB6Kq4MM} Unavailable
{bmp_6RcmDodZbvO} any important business information being rendered unavailable when needed.
{bmp_68YwkxCSbsq}
Responsibilities
{bmp_5qqTK7aOGus.Name} Responsibilities
{bmp_5qqTK7aOGus.Note} Information security should be the responsibility of all managers, information systems owners or custodians, and
users in general, to make sure that their information is properly managed and protected from the risks and threats
faced by every organization.
Information security management is not just a one-off exercise; it is an on-going activity of continual improvement.
{bmp_5VjrGUUr0kD} Retake
{bmp_6YFa6teAPEk} Correct
{bmp_69lHym4PGeV} Incorrect
{bmp_5sCId73Rr8I} Ensuring information is protected to make sure it is only available to those that are authorized by the organization is:
{bmp_638atOA2FW5} Availability
{bmp_5acIIvB4ODw} Confidentiality
{bmp_5rsXJBPQ2bZ} Integrity
{bmp_6cXN1coyk4j} Submit
{bmp_6HOI2KAHF3l} Correct
{bmp_6Z99M3tVCF0} Incorrect
{bmp_5zqdwnq2Ril} How should the use of ISO 27001 be viewed by senior managers within an organization?
{bmp_5k7nBcjRhXT} Correct
{bmp_5em9PYTvRVX} Incorrect
{bmp_6DglT1seFew} What are you protecting when ensuring the accuracy and completeness of assets?
{bmp_6N1TbA60bCZ} Confidentiality
{bmp_6lQatQDUHkt} Integrity
{bmp_6CotV3wQWaw} Submit
{bmp_6lNiyB0hKFw} Correct
{bmp_5kig61nKdMs} Incorrect
{bmp_68ZOcuGrIDV} Submit
{bmp_6DgVuKLl5Vy} Incorrect
{bmp_6aQwcan7oII} You did not select the correct response.
The correct answer is all of the above.
{bmp_6LgNdxF27Qf} Correct
{bmp_6GzqqwRU2uu} Information, controlled within the scope of ISO 27001 includes what?
{bmp_6FlQyhtpiuf} Submit
Let’s summarize before you continue to the next section. In this section, you have explored:
{bmp_6pnRmWfrTYW} In this section we will explore some of the key terminology used in ISO 27001.
{bmp_6FKYkCzfzuE}
Terminology.
{bmp_6pDAX5F3Mva.Name} Introduction
{bmp_6pDAX5F3Mva.Note} In this section we will explore some of the key terminology used in ISO 27001.
{bmp_6U31cF6c7RA} Let’s look at some of the general terms from the guidance standard, ISO 27000.
{bmp_6cXSEyaSLeW}
General terms and definitions
{bmp_61oyNAjq0XY.Name} General terms and definitions
{bmp_61oyNAjq0XY.Note} Let’s look at some of the general terms from the ISO 27000 guidance standard.
{bmp_5t4w8xiwQhl} Confidentiality
{bmp_6QOnN5BJziR} Property that information is not made available or disclosed to unauthorized individuals, entities, or processes
{bmp_5kO1KjydUND} Integrity
Property of accuracy and completeness
{bmp_5rmBgGJe8Cy} Availability
{bmp_6KrxPTz5NMr} Property of being accessible and usable upon demand by an authorized entity
{bmp_6iodNZ3oWu1} Control
Measure that is modifying risk
{bmp_645xux6LcT3} Some terms used in ISO 27000 are information security threat specific.
{bmp_5hhPQ5uT9Pg}
Threat specific terms
{bmp_5p7vMkWW5ku.Name} Threat specific terms
{bmp_5p7vMkWW5ku.Note} Now let’s look at some of the terms that are threat specific.
{bmp_5cXXlsRV6zo} Threat
{bmp_6lD9ZEkYBbz} Potential cause of an unwanted incident, which may result in harm to a system or organization
{bmp_61o01keFfsP} Vulnerability
Weakness of an asset or control that can be exploited by one or more threats
Information security event
{bmp_5g2gzKGwifa} Identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of controls,
or a previously unknown situation that may be security relevant
Information security incident
{bmp_5jHYomLlz2v} Single or a series of unwanted or unexpected information security events that have a significant probability of compromising business
operations and threatening information security
{bmp_5hRL5avnkUy} Other terms used in ISO 27000 are information security risk specific.
{bmp_6abvf1QithK}
Risk specific terms
{bmp_67mwwCOSbhO.Name} Risk specific terms
{bmp_67mwwCOSbhO.Note} Finally, let’s look at the risk specific terms, and their definitions.
{bmp_5mUfCt6Lk5H} Risk
Effect of uncertainty on objectives
{bmp_6lo2CeR4ZWJ} Risk assessment
Overall process of risk identification, risk analysis and risk evaluation
{bmp_6LWWRLXaKQW} Risk analysis
Process to comprehend the nature of risk and to determine the level of risk
{bmp_5XsMNiTVzmb} Risk removal (avoidance)
To remove the risk at its source, e.g. stopping the activity altogether or terminating a contract with a supplier or even an employee.
{bmp_6h37jzr8kJF} Risk transfer
The transferal of the associated risk to other parties, e.g. outsourcing, suppliers or insurers.
{bmp_6GE6icDGR70} Threat
{bmp_5hCG66ntVVa} Potential cause of an unwanted incident, which may result in harm to a system or organization
{bmp_5hL7JYCt46D} Vulnerability
{bmp_5xfat9dV7ry} Weakness of an asset or control that can be exploited by one or more threats
{bmp_6pvHRzAoqxQ} Check your knowledge of the terminology with this activity.
{bmp_5nTx6nWETNJ}
Definitions and terminology - exercise
{bmp_5rGVxbElIHj} Risk
{bmp_6Gq7noCHDZa.Note} Let’s review and check your knowledge of the Terminology with this activity.
{bmp_5Wq8hhCNv8J} Incorrect
{bmp_67nUWouuWwS} Drag and drop each description to lock it in to the term it refers to, then click the submit button
{bmp_6lj9u2BMVWt} Incorrect
{bmp_6FsGDaWUDaL} Correct
{bmp_5daKqae1qdi.6ZUQefHkdF8} Term
{bmp_5daKqae1qdi.5eCFI9Xq5Fk} Definition
{bmp_5daKqae1qdi.6SDAjlYk31r} Threat
{bmp_5daKqae1qdi.6hQv7OtQbyK} Potential cause of an unwanted incident, which may result in harm to a system or organization
{bmp_5daKqae1qdi.5agJ9QmtodB} Overall process of risk identification, risk analysis and risk evaluation
{bmp_5daKqae1qdi.5h3AQAvllXc} Control
{bmp_5daKqae1qdi.6c1SiEHafv5} Vulnerability
{bmp_5daKqae1qdi.6CtctMXyDak} Weakness of an asset or control that can be exploited by one or more threats
{bmp_5daKqae1qdi.6gToTteKyxW} Risk
{bmp_5daKqae1qdi.5ymtEoAWLFh} Effect of uncertainty on objectives
{bmp_6p5SPIZxiie} Here’s a quick recap of the terms with the correct definitions:
{bmp_66u9feKrZY7} You’ve reached the end of the Terminology section. Let’s summarize before you continue to the next section.
In this section, you have explored the key terminology used in ISO 27001, including:
{bmp_5v7WY6HTNPO}
Summary
{bmp_6VqWHzUxZsE.Name} Summary
{bmp_6OvnHcbHwNw}
Specific
requirements
{bmp_67u07EKpW8u} In this section we will look at the specific requirements of ISO 27001 within Clauses 1 to 10.
{bmp_5ysUDyrE98L.Name} Introduction
{bmp_5ysUDyrE98L.Note} In this section we will look at the specific requirements of ISO 27001.
{bmp_6cMCXz5ctox} The elements shown here are known as ‘information clauses’ and are not auditable requirements.
{bmp_67KPfccO483}
The Information Clauses
{bmp_5Wzkq5XnrFX.Name} The Information Clauses
Clauses 4 to 10 of ISO 27001 are the requirements of an ISMS that need to be implemented to meet the aims and
goals of the standard.
{bmp_5pvSxqCDA6K} Clause 3 covers terms and definitions, and refers the reader to ISO 27000 for the vocabulary used in ISO 27001.
{bmp_6Ig4VnoNPCu} Clause 2 lists the normative references, citing ISO 27000 as a support document which provides an overview of information
security and the vocabulary used in ISO 27001.
{bmp_6kh7ADrYJR7} Clause 1 is the scope of ISO 27001, stating what the standard covers: the requirements for establishing, implementing, maintaining
and continually improving an ISMS, including the assessment and treatment of information security risks across physical, personnel and
information technology security. The requirements are generic and apply to all organizations, no matter how big or small.
{bmp_6obWEsqn3bt} Like many other standards, section 4 requires us to identify the context of the organization, the scope and the main elements of
the ISMS.
Clauses 4 to 10 are known as the ‘auditable clauses’
{bmp_60XOkAAxGtv}
The Auditable Clauses
{bmp_6ZjKvHymhm6.Name} The Auditable Clauses
{bmp_6ZjKvHymhm6.Note} Like many other standards, section 4 requires us to identify the context of the organization, the scope, and the main
elements of the ISMS.
{bmp_65f1Vcg0KWC} “The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve
the intended outcome(s) of its management system.” This requires identifying all internal and external interested parties and their
needs and expectations.
{bmp_6pI0i5xM9S1}
Context – external and internal issues
{bmp_6fcaqFDdW8r.Note} The context section of ISO 27001 requires identification of internal and external issues affecting the business.
{bmp_5pASlpFGwuT} Roll over each of the surrounding images to identify the interested party
{bmp_5VAkIO2gveU}
Shareholders
{bmp_5gBKMLL3Kae}
Regulators
{bmp_6CdTEHIklMU}
Federations
{bmp_5aRsIrrMuhE}
Non-government
organizations
{bmp_5rVZRtqccQO}
Competition
{bmp_69aJQMLaI7f}
Insurance
{bmp_6Mkqq0rl8T6}
Pressure groups
{bmp_6GR369G9XAW}
Governments
{bmp_641WXF8waXM}
Science
{bmp_5ZlDpaZnzrE}
Academia
{bmp_5wxYfCEOmw8}
Media
{bmp_5ziLcrXUVDc}
Public
{bmp_5fFSKKaI6sI}
Banks
{bmp_5aBe49dAxBG}
Workers
{bmp_5cioux23qKi}
Customers
{bmp_68hN29y1pIA} All organizations have internal and external ‘interested parties’, and each of them has specific needs and expectations regarding
the security of information.
The context section also requires the organization to define the scope of its management system and the structure of the
management system itself.
{bmp_6Comhf5HFSq}
Interested parties and information security
{bmp_6Vyh3A8LbLZ} Employees
{bmp_6iNN3OUEo3e} Customers
{bmp_5XUyoMRISzd} Customers
Customers want their information, such as accounts, contact details, volume of purchases, to be safe.
{bmp_5Y7n07PpR22} Employees
Employees want their personal information, such as salary details, family information, disciplinary matters, to be secure from others.
{bmp_6ma201qcohL} Select each of the images to find out the specific needs of these interested parties.
{bmp_5pSqQWThxXu} Clause 5 refers to leadership and the role of top management within the business.
Top management are defined as the “person or group of people who direct and control an organization at the highest level.” Top
management are required to demonstrate leadership and commitment through:
{bmp_5qX0Y0DZlMk}
Leadership and top management
{bmp_5efJIIO5iuN.Name} Leadership and top management
{bmp_5efJIIO5iuN.Note} Clause 5 refers to leadership and the role of top management within the business. Top management are defined as
the “person or group of people who directs and controls an organization at the highest level”
You can see from the list here how top management are required to demonstrate leadership and commitment.
{bmp_6ewqtJsOgJY}
Leadership Exercise
{bmp_5a9eqWYXZ2G} Top management are required to demonstrate leadership and commitment through ensuring the
policy and objectives are established and are compatible with the strategic direction of the
organization; ensuring the integration of the management system requirements into the organization’s
business processes; ensuring that the resources needed for the management system are available;
communicating the importance of effective management and of conforming to the management system
requirements; ensuring that the management system achieves its intended outcome(s); directing and
supporting persons to contribute to the effectiveness of the management system; promoting continual
improvement.
{bmp_5pnp12n9LaM} Drag and drop the phrases into the correct places in the paragraph below:
{bmp_65WFkby7lxd} resources
{bmp_6JbFK1XfLbl} continual improvement
{bmp_6YmDNevAWvj} strategic
{bmp_5sdPuikGOsY} outcome(s)
{bmp_5n9YXn2UdXf} management
{bmp_5ZVR348VaUb} integration
{bmp_6HIa3jQfQMP} supporting
{bmp_6f9Tq4M7zIe} effective
{bmp_6Tz1mxwQTlc} processes
{bmp_6hBs3U7F7gB.Note} Before you continue, check your knowledge with this activity.
{bmp_5nqC7DN0ztR} Close
{bmp_5oJiB9okoRw} You must complete the paragraph before you can continue. The Next button will be
available when you have all of the phrases in place.
{bmp_5qN19tXuL6S} Drag and drop the phrases into the correct positions in the paragraph before you can proceed
{bmp_5d7cicvjT8i} Top management are also required to establish an information security policy.
In addition, Top Management need to ensure that all roles and responsibilities are identified and assigned to all relevant personnel
to ensure the ISMS meets the requirements of the standard, and that information relating to its performance is reported.
{bmp_6mb6fDloEPk}
Top management and information security policy
{bmp_5oleh4vKza7} The information security policy must: be appropriate to the purpose of the organization; provide a framework for setting
information security objectives; include a commitment to satisfy applicable information security related requirements; and
include a commitment to continual improvement of the ISMS.
{bmp_5nVUYFvKRvy.Note} The leadership section also requires Top Management to establish a policy meeting the requirements seen here.
In addition, Top Management need to ensure that all roles and responsibilities are identified and assigned to all
relevant personnel to ensure the management system meets the requirements of the standard, and that
information relating to its performance is reported.
{bmp_6iQLohiL7ux} Clause 6 of ISO 27001 focuses on planning to address organizational and operational risks.
Building on the issues and interested parties identified in the context section, we undertake risk assessment and select risk
treatment methods to address the issues we have identified.
{bmp_6LOexbwja2f}
Planning and risks
{bmp_6XEOIT5Nr88} Context
interested parties and the related issues
{bmp_5ri0k1fDouB.Note} Planning to address organizational and operational risks and opportunities is the focus of clause 6 of ISO 27001.
We undertake risk assessment and identify risk treatment methods to address the issues we have identified.
{bmp_6TDRKDzTV7e} Planning
risk assessing and identifying controls and risk treatment processes to address risks and opportunities
{bmp_66YXSqNZknP} Leadership
the direction and provision of roles and responsibilities
{bmp_6gJVCXk8RJ9} Risk assessment is a specific requirement of ISO 27001 as it ensures we identify the correct and most appropriate controls for
information security issues. Risk assessment helps us to identify the specific controls necessary within our own specific ISMS.
ISO 27001 also requires a ‘statement of applicability’ to demonstrate that we have identified all necessary controls from Annex A of
the standard.
Annex A of ISO 27001 is also supported by ISO 27002 which explains the purpose and application of each control in greater detail.
We must also remember that this clause promotes opportunities for improvement, in particular building on the work completed
under sections 4.1 and 4.2.
{bmp_6CfiBRgdmcF}
Risks and opportunities
{bmp_5VoXmuVN0U6.Name} Risks and opportunities
{bmp_5VoXmuVN0U6.Note} Risk assessment is a specific requirement of ISO 27001 as it ensures we identify the correct and most appropriate
controls for information security issues.
ISO 27001 also requires a ‘statement of applicability’ to demonstrate that we have identified all necessary controls
from Annex A of the standard.
{bmp_5Wcbc6kLR0Q} Annex A of ISO 27001 provides us with a list of control objectives and controls to help strengthen an ISMS. Control objectives
explain the reason and purpose of the specific control category, and the controls themselves set out the requirements.
{bmp_6SPoSKxJtsh}
Annex A - Control objectives
{bmp_60BqbObBLoH} Annex A: The Controls
{bmp_6BQC88R2N4f} A5: Information Security Policies
A6: Organization of Information Security
A7: Human Resource Security
A8: Asset Management
A9: Access Control
A10: Cryptography
A11: Physical & Environmental Security
A12: Operations Security
A13: Communication Security
A14: Systems Acquisition, Development & Maintenance
A15: Supplier Relationships
A16: Information Security Incident Management
A17: Information Security Aspects of Business Continuity Management
A18: Compliance
{bmp_6TBvd7jAD3R.Note} Annex A of ISO 27001 provides us with a list of control objectives and controls to help strengthen an ISMS.
Control objectives explain the reason and purpose of the specific control category, and the controls themselves set
out the requirements.
Annex A begins at A5 and concludes with A18. The information shown here explains the control sets, and identifies
the number of controls in each set.
{bmp_5Z5p9ufY7Zp}
Control objectives further detail
{bmp_5gk7fdIRJz9} Selection of controls from Annex A or ISO 27002 is necessary to ensure a robust ISMS. If any of the 114 controls are deemed
unnecessary by an organization, they must state why within the Statement of Applicability (SoA).
The SoA is a documented list of all applicable and justified non-applicable control objectives and controls.
{bmp_6MWKPZBnU4M}
Annex A - Statement of Applicability
{bmp_6R6iSbRUqk7.Name} Annex A - Statement of Applicability
{bmp_6R6iSbRUqk7.Note} Selection of controls from Annex A or ISO 27002 is necessary to ensure a robust ISMS.
If any of the 133 controls are deemed unnecessary by an organization, they must state why within the Statement of
Applicability (SoA).
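The SoA described above, as an added worked example that is not part of the course or of the standard's own text: a small Python check that a draft SoA lists every Annex A control exactly once and that every control marked not applicable carries a written justification. It assumes the 2013 edition of Annex A (sections A.5 to A.18, 114 controls, as the on-screen text states); the per-section control counts are those of that edition, and the SoA rows are constructed sample data that deliberately contain a duplicate, an unjustified exclusion and large coverage gaps so that the check has something to report.

```python
"""Completeness check for an ISO/IEC 27001:2013 Statement of Applicability (SoA).

Added example, not course material. Assumes the 2013 edition of Annex A
(A.5 to A.18, 114 controls). The SoA rows in sample_soa() are constructed.
"""
from collections import Counter
from dataclasses import dataclass

# Number of controls in each Annex A section of ISO/IEC 27001:2013 (114 in total).
ANNEX_A_CONTROL_COUNTS = {
    "A.5": 2, "A.6": 7, "A.7": 6, "A.8": 10, "A.9": 14, "A.10": 2, "A.11": 15,
    "A.12": 14, "A.13": 7, "A.14": 13, "A.15": 5, "A.16": 7, "A.17": 4, "A.18": 8,
}
TOTAL_CONTROLS = sum(ANNEX_A_CONTROL_COUNTS.values())  # 114


@dataclass
class SoaEntry:
    control_id: str          # e.g. "A.9.2.3"
    applicable: bool
    justification: str = ""  # must be non-empty when applicable is False
    status: str = "planned"  # free text, e.g. "implemented", "planned"


def section_of(control_id: str) -> str:
    """'A.9.2.3' -> 'A.9'."""
    return ".".join(control_id.split(".")[:2])


def validate_soa(entries):
    """Return a list of findings; an empty list means the SoA passes.

    Checks:
    * no control is listed more than once
    * every Annex A section is covered by exactly its expected number of controls
    * no control id points at a section that is not in Annex A
    * every control marked not applicable carries a written justification
    """
    findings = []
    ids = Counter(e.control_id for e in entries)
    for cid, n in ids.items():
        if n > 1:
            findings.append(f"{cid}: listed {n} times")
    per_section = Counter(section_of(cid) for cid in ids)  # distinct ids only
    for section, expected in ANNEX_A_CONTROL_COUNTS.items():
        seen = per_section.get(section, 0)
        if seen != expected:
            findings.append(f"{section}: {seen} of {expected} controls listed")
    for section in per_section:
        if section not in ANNEX_A_CONTROL_COUNTS:
            findings.append(f"{section}: not an Annex A section")
    for e in entries:
        if not e.applicable and not e.justification.strip():
            findings.append(f"{e.control_id}: excluded without justification")
    return findings


def sample_soa():
    """Constructed draft SoA with deliberate defects (not a real organisation's SoA)."""
    return [
        SoaEntry("A.5.1.1", True, status="implemented"),
        SoaEntry("A.5.1.2", True, status="implemented"),
        SoaEntry("A.10.1.1", True, status="planned"),
        SoaEntry("A.10.1.2", True, status="planned"),
        SoaEntry("A.10.1.2", True, status="planned"),          # duplicate row
        SoaEntry("A.14.2.7", False, "No development is outsourced"),
        SoaEntry("A.6.2.1", False),                             # exclusion with no reason
    ]


if __name__ == "__main__":
    for finding in validate_soa(sample_soa()):
        print(finding)
```

Run as a script, the check prints one line per finding: the duplicated A.10.1.2 row, the unjustified exclusion of A.6.2.1, and one line for each section whose control count differs from Annex A (twelve of the fourteen sections in this constructed sample). Only an SoA that returns no findings accounts for all 114 controls in the way the passage describes.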
{bmp_5wxqBeRhkIa} Risk treatment plans are the action taken to address a risk, to either remove it, control or mitigate it, or transfer it to someone else
such as a specialist contractor.
Once we have conducted the risk assessment and identified applicable controls, we then need to identify methods to ‘treat’ the
risks.
Like other management systems standards, Section 6 of ISO 27001 also requires the setting of Information Security objectives and
plans to achieve them.
{bmp_69xY8Lgqwne}
Risk treatment plans
{bmp_6dQ3DmZn8qe} Risk Assessment
{bmp_6aijJM8UAxP.Note} Once we have conducted the risk assessment and identified applicable controls, we then need to identify methods
to ‘treat’ the risks.
Risk treatment plans are the action taken to address a risk, to either accept it, remove it, control or mitigate it, or
transfer it to someone else such as a specialist contractor.
{bmp_5gWinIEHbLp} Clause seven identifies five requirements which provide support for the implementation, maintenance and improvement of the
management system.
{bmp_6Ifascst8Mn}
Support
{bmp_6k5iC17lgXY.Name} Support
{bmp_6k5iC17lgXY.Note} Clause 7 identifies the requirements for the support needed for the ISMS to be implemented, maintained and
improved effectively.
{bmp_5zm92Vboxxg} Resources
{bmp_6TLh0qUHz4F} Resources
{bmp_6E7bRqrHbxJ} Competence
{bmp_5cOJiKClrff} Competence
{bmp_5d66FpXS6FX} Communication
{bmp_6BcigRp9Di7} Communication
{bmp_6A5v5CohDGc} Awareness
{bmp_5wY0MaelGQj} Awareness
{bmp_6rZA44SdoEy} to ensure personnel are conscious of the requirements of the policy, how they contribute to the management system and improvement
and the implications of not conforming to the requirements of the management system
{bmp_6M1HIhiyMz9} Once documented information has been identified, it needs to be either maintained or retained.
All documented information needs to be developed to be suitable for its purpose and approved for suitability and adequacy. It
also needs to be controlled to ensure it is available and protected against loss or misuse.
{bmp_6bD2KjafAIo}
Documented Information
{bmp_5yEYNeN1Tse.Name} Documented Information
Section seven of ISO 27001 identifies the requirements for ‘documented information’ in the form of information that
is retained and maintained.
{bmp_6QFp4w7FON1} True
{bmp_5kxAvCi6Cyc} False
{bmp_6QIFBpJAm6F} Identify which of the following statements you consider to be True and which are False
{bmp_5h0rXiy935P}
Exercise
{bmp_5uLG400hqRa} All controls in Annex A of ISO 27001 must be assessed to determine if they are applicable.
Retention of records is required by ISO 27001.
According to ISO 27001, the process of risk assessment does not have to be undertaken.
A ‘SoA’ refers to a Statement of Applicability.
All controls in Annex A of ISO 27001 must be applied in all organizations.
Risk treatment plans provide the organization with options to take relating to risk assessment results.
{bmp_6G2nny3PxE1} Select
{bmp_6ba3V57KBx8.Name} Exercise
{bmp_6IjemlP5fuf} Make your choice for all document types and then click submit
{bmp_6iGIXbG7a0J} The operational planning and control section of ISO 27001 requires the implementation of actions to address ISMS risks and
opportunities.
The output from the activities undertaken in previous ISO 27001 sections now needs to be applied to ensure control is effective.
This includes:
{bmp_6CGTx1mREBa}
Operational planning and control
{bmp_6T6bWyWTxzp.Name} Operational planning and control
{bmp_6T6bWyWTxzp.Note} The operational planning and control section of ISO 27001 requires the implementation of actions to address ISMS
risks and opportunities.
The output from the activities undertaken in previous ISO 27001 sections now needs to be applied to ensure control
is effective.
{bmp_6jMiAGjhBDH} To meet the requirements of Clause 9 of ISO 27001, a business needs to identify:
{bmp_6Hp29UUeXo6}
Performance management
{bmp_6ltTk24Xwoe.Name} Performance management
{bmp_6ltTk24Xwoe.Note} Section 9 of ISO 27001 relates to performance management in terms of monitoring, measuring, analyzing and
evaluating information relating to the effectiveness of the management of the controls and the ISMS.
{bmp_6r2Y8SmhTIB} Internal audit is the process of checking internal processes to ensure they are in accordance with requirements.
Management review is a process to review the performance of the business to ensure its continuing suitability, adequacy and
effectiveness.
{bmp_6f5aABbvjtP}
Internal audit
{bmp_5y45n931vgk.Name} Internal audit
{bmp_5y45n931vgk.Note} Additional requirements of section 9 are internal auditing and management review.
{bmp_5e9NC7mK1ta} Audit
{bmp_5pyBTssuPXJ} The management review shall include consideration of:
{bmp_5vkPpp77u1y} Section 10 includes the requirement to identify non-conformities and take corrective action to address them. It also requires the
continual improvement of the management system.
correction, and
corrective action to avoid repeat incidents.
{bmp_5pNSIClCi3b}
Non-conformities
{bmp_6XPwLEwpzy2.Name} Non-conformities
{bmp_6XPwLEwpzy2.Note} The final section of ISO 27001 is section 10, which refers to the improvement of the ISMS. Section 10 includes the
requirement to identify non-conformities and take corrective action to address them. It also requires the continual
improvement of the management system. The corrective action clause requires both correction and corrective
{bmp_63GAH3MEXpy} False
{bmp_6aHGqfX8i2X.Name} Exercise
{bmp_6aHGqfX8i2X.Note} Let’s look at potential emergency situations more closely with this exercise.
{bmp_5gsUQVr80wQ} Drag and drop each of the elements into the correct box to unlock the NEXT button.
{bmp_5qLLJZgCP9e} You’ve reached the end of this section. Let’s summarize before you continue to the final section of this course.
During this section, we have explored the core requirements of the standard as shown here, and the links to the controls in Annex
A.
Auditable clauses
Context - Identifying interested parties
Leadership and top management
Top management and information security policy
Planning and risks
Risk assessment
Annex A - Control objectives
Annex A - Statement of Applicability
Risk treatment plans
Support
Documented information
Operational planning and control
Performance management
Internal audit
Non-conformities
You should now be able to identify the core requirements of the standard.
{bmp_6GeZ07bduS6}
Summary
{bmp_6hAn7jw2lDu.Name} Summary
{bmp_6hAn7jw2lDu.Note} You’ve now reached the end of this section. Let’s recap before you continue to the final section of this course.