
Translation for: \\Mac\Home\Documents\LR\Clients\SICPA\Intro to ISO 27001\Introduction to ISO 27001.story

Id (DO NOT EDIT) Translate this column


{bmp_6NeOFLdos2l.Name} Welcome

{bmp_6O6uMB6r07J} Welcome to the ISO 27001 Management System Standard online course.

In this module we will explore the ISO standard for an Information Security Management System (ISMS).

{bmp_689Q2ISPUc4} Essential guide to ISO 27001.
{bmp_6MkvNOdBDru.Name} Welcome

{bmp_6MkvNOdBDru.Note} Welcome to this online course, an essential guide to ISO twenty-seven-thousand-and-one, Management System
Standard. In this module, we will explore the ISO standard for an Information Security Management System.

{bmp_68aZ5fsN3AS} How to use the course
{bmp_5ocl3baLpHV} To help you navigate within the course, the tools shown here are designed for ease of use, without the need for added instructions. Roll
over each button now to familiarize yourself with each icon and what it does.

Now that you have an idea of what they do, you’ll see them throughout the course on the tool bar in the lower right part of the screen. For
simplicity they will only appear if they are relevant to the current screen.

This course is designed to be completed in a prescribed sequence. To ensure that you progress through the course as intended, you will
see that you can only step forward screen by screen without being able to jump ahead to other sections, or skip screens. However, you can
always select ‘Back’ to revisit a screen, or select previously visited screens from the menu.

The course has not been designed for you to complete in one sitting, therefore if you log out, you will be returned to the same spot where
you left off before your break.

If you have any questions about the content of the course, or about what you are asked to do in the exercises and activities, please contact
your designated tutor, who will provide further guidance.

{bmp_6pRbfNdwoC9.Name} How to use the course

{bmp_6pRbfNdwoC9.Note} To help you navigate within the course, the tools shown here are designed for ease of use, without the need for
added instructions. Roll over each button now to familiarize yourself with these tools. As you move through this
module, you’ll find Case Studies and ‘real-life’ Scenarios, as well as interactive Exercises and Quizzes to check your
knowledge along the way.

{bmp_6GC72uVCAG7} Replay

{bmp_6BqYHH41XBW} If the current page contains an animation, you can replay it by pressing this button.

{bmp_6FhgwVLyu5n} Voiceover

{bmp_6Ea1An1J6i1} To hear the voiceover for the current screen again, click this button.

TIP: A written transcript of each voiceover will be made available in the menu window to the left of the screen.

{bmp_64jf2waZU94} Interaction

{bmp_5mtbCfu0Bsq} If you see this icon on the toolbar, there will be an interactive experience on the current page. If you are unsure of what
to do, roll over this icon to learn more.
{bmp_6KsKF5HkviF} Definition

{bmp_6DFEE56eGBM} If you see this icon on the toolbar, you can click it to open a definition window and learn more about a word or phrase
within the current page.

{bmp_61pAeQm3N8r} Before we begin, it is important that you understand the requirements of this course.

Before you start, it is important for you to understand the requirements of this course. ISO 27001 Management System Standard
has been designed as a model of best practice already adopted by organizations that may or may not have already achieved
formal certification. This course is highly interactive, and intended to guide you through the learning objectives and relate
them to your own organization.

The time taken to complete this eLearning module, its exercises and the final assessment varies from person to person, but
don’t forget you DO NOT need to do it in one sitting; for some it may take a little longer, and for others a little less time.

In order to successfully complete this eLearning module you MUST view all course content, undertake any quizzes and pass
the final assessment, which has a pass grade of 80%. But don’t panic, you do have the option to retake it if you don’t quite
make the grade the first time.

{bmp_6Mb5adn0vcS} Course requirements
{bmp_5v2BAAn2TXP.Name} Course requirements

{bmp_5v2BAAn2TXP.Note} Before we begin, it is important for you to understand the requirements of this course. This course is highly
interactive, and intended to guide you through the learning objectives, and relate these to your own organization.
There is no specific time set for how long it should take you to go through the course - this will vary from one person
to the next. You can go at your own pace, and you don’t have to do it all in one sitting. To successfully complete this
course, you must view all content, undertake the quizzes and exercises, and pass the final assessment with a grade
of eighty percent. But don’t worry, you have the option to re-take the assessment if you don’t quite make the grade
the first time.

{bmp_5rJBp1IpA07} By the end of this module, you will be able to:

{bmp_6j6ORcEnWOz} Aims and goals
{bmp_5kqjf7U2Hqx} Explain how the ISO 27001 and ISO 27002 approach strengthens defenses against the loss and theft of information

{bmp_6SRWSk2HPi8} Describe the key terminology used in ISO 27001 and ISO 27002

{bmp_6pTZfEGCMSc} Describe the core requirements of the standard and the links to the controls in Annex A of ISO 27001.

{bmp_5hC1MIdubrY} At the end of this module, you will be given a test of your understanding, with an 80% pass requirement. You will have an
opportunity to re-visit this module and re-take the test if needed.

{bmp_6FHjbSxKkKf.Name} Aims and goals

{bmp_6FHjbSxKkKf.Note} By the end of this module, you should be able to explain how the framework aims to xxxxxxxxxxxxxxx, be familiar
with the terminology used in ISO 27001, and be able to identify the core requirements of the standard.

{bmp_6FpEzgztzEK.Name} End of Module

{bmp_5wEICkqNQZB} End of module.

{bmp_5aHAiosusL9} This section summarizes what you have explored in this guide. You will also be given a short quiz to test your knowledge and
understanding of what you have learned.
{bmp_5XoYYLguuCH.Name} End of module

{bmp_5XoYYLguuCH.Note} In this final section, we’ll summarize what you’ve explored in this course, and you will be given a short quiz to test
your knowledge.

{bmp_6mzDRrYSDxt} Congratulations, you’ve reached the end of this Essential guide to ISO 27001 Management System Standard.

You should now be able to:


- explain how the ISO 27001 and ISO 27002 approach strengthens defences against the loss and theft of information
- describe the key terminology used in ISO 27001 and ISO 27002
- describe the core requirements of the standard and the links to the controls in Annex A of ISO 27001.

This Quiz has been created to test your knowledge and understanding of what you’ve learned in this module. Answer 80% of the
questions correctly to complete this course successfully. But don’t worry if you don’t get it quite right the first time; you can re-visit
the sections within the course and re-take the quiz if you need to.

{bmp_5v4sjoFXoPp} End of module summary
{bmp_5h8u8asFJmc} Start Quiz

{bmp_6bpWbIM4wTO.Name} End of Module Summary

{bmp_6bpWbIM4wTO.Note} Congratulations! You’ve now completed this online module, ISO 27001 Management System Standard. To help you
test your knowledge and understanding of the material, we have created a short Quiz for you. The pass rate is
eighty percent. But don’t worry if you don’t get it right the first time; you can always re-visit the sections and re-take
the Quiz if you need to. When you’re ready, select the Start Quiz button to begin.

{bmp_5XdPL6xDcfi} To test your knowledge of what you’ve learned in this course there now follows a short knowledge check. Feel free to go back and review
what you have learned before continuing.
{bmp_5ZmwypENhz8} End of module knowledge check.
{bmp_6l9aOp4ilWy.Name} End of module knowledge check

{bmp_6l9aOp4ilWy.Note} Let’s check your knowledge with this short quiz.

{bmp_6CVeA8Z53Ow} Question 1
{bmp_6p9LQU1awCr} Identify risks relating to the security of information

{bmp_6AJCyaGMzu0} Identify risks to health and safety

{bmp_6c7LsT6JYn2} ISO 27001 requires an organization to ….

{bmp_6UlfMKd86ht} Identify risks to the environment

{bmp_5ZGfEf6Nrtz} All of the above

{bmp_5opE8BW9Han.Name} Question 1

{bmp_5n6vKQcPROO} ISO 27001 is an information security standard and therefore relates to identifying the
risks around the security of information.

{bmp_6QOeqS5m3MI} Incorrect
{bmp_5w5rAJHxeTo} You did not select the correct response.

{bmp_6COPsRrxHuX} Correct

{bmp_6nygQWXQnUr} That's right! You selected the correct response.

{bmp_6CcMjCxzm5M} Question 2
{bmp_5ds7nSeZHpf} ISO 27003

{bmp_6UIA8PVcx2l} ISO 27002

{bmp_5zuNA8TI3oi} ISO 27001 includes controls within Annex A. Which standard also includes the controls?

{bmp_67Pezr2fAWJ} ISO 22301

{bmp_61L8jH68MGJ} ISO 9001

{bmp_5stEzhr5WMz.Name} Question 2

{bmp_65HBKJfmDg4} ISO 27002 is a supplementary standard that focuses on the information security
controls that organizations might choose to implement. These controls are listed in
Annex A of ISO 27001, which is what you'll often see information security experts refer
to when discussing information security controls.
{bmp_6cJFYPjiweg} Incorrect

{bmp_5Z2rTO8gjfQ} You did not select the correct response.

{bmp_6i5MBpgj3kS} Correct

{bmp_6XfZe6wKjPn} That's right! You selected the correct response.

{bmp_6rnvujsGOID} Question 3
{bmp_69QgBGryQBa} Size of assets

{bmp_6QR1Xukbkwk} Statement of assets

{bmp_5YChsY2oYh7} An ‘SoA’ is required by ISO 27001, to what does ‘SoA’ refer?

{bmp_6np5Kd9W2Go} Size of applicability

{bmp_5nJqJtV5Yhd} Statement of applicability

{bmp_6V868O1YP1B.Name} Question 3

{bmp_6SHzse3Puzq} A Statement of Applicability summarizes your organization’s position on each of the
114 information security controls outlined in Annex A of ISO 27001. Clause 6.1.3 of the
Standard states an SoA must:
- identify which controls an organization has selected to tackle identified risks;
- explain why these have been selected;
- state whether or not the organization has implemented the controls; and
- explain why any controls have been omitted.
Every control should have its own entry, and in cases where the control has been
selected, the SoA should link to relevant documentation about its implementation.

{bmp_6UVv0u7gKQ5} Incorrect

{bmp_6okLyMfxGll} You did not select the correct response.

{bmp_5dtHDeXV3sN} Correct

{bmp_5zZLieaSDgn} That's right! You selected the correct response.

{bmp_6MzOfvEy5nF} Question 4
{bmp_5tzOmxJ0LzW} An option

{bmp_6lP5EbPAZLX} A requirement

{bmp_5eTuZTHSoBH} According to ISO 27001, risk assessment is ….

{bmp_6FZGIaFdzPc} Only applicable to Annex A controls


{bmp_6fyJWP2TrHn} Only applicable to physical security risks

{bmp_6ZX1ia8YWhb.Name} Question 4

{bmp_5y7OfNfjj44} An ISO 27001 risk assessment helps organizations identify, analyze and evaluate
weaknesses in their information security processes. It's a requirement of ISO 27001
compliance, informing organizations' decisions regarding the risks that must be
addressed and how they should be tackled.

{bmp_6GJDVaYzCxP} Incorrect

{bmp_5phYoIMUh8X} You did not select the correct response.

{bmp_6oJniwYemVh} Correct

{bmp_6muE3dcIkQz} That's right! You selected the correct response.

{bmp_5YH7tAos7VR} Question 5
{bmp_5oQ5WofdwbH} Accept risks

{bmp_6ntFQCMJhtC} Remove risks

{bmp_6CZt2B81pGS} Risk treatment plans offer the opportunity to ….


{bmp_5aFBPhH0A3W} Transfer risks

{bmp_6oapOCtMtAD} Remove, Accept and Transfer risks

{bmp_6jkHGl7GFyZ.Name} Question 5

{bmp_5oy76uw0smq} ISO 27001 treatment plans offer the opportunity to remove, accept and transfer risks.

{bmp_6CIEhq5w8fc} Incorrect

{bmp_6G2yaAKubbB} You did not select the correct response.

{bmp_6Z6RvghOAZQ} Correct

{bmp_6IJTf3XXd6F} That's right! You selected the correct response.

{bmp_6TgtZyZw1Ta} Question 6
{bmp_5ySGqgf9JSG} Information Security Officers

{bmp_5h83H5WOLkd} Information Security Managers

{bmp_60etcvihCEi} Information security risk assessments must be undertaken by ….


{bmp_5beJawb3DzT} Information Security Data Officers

{bmp_6FyIx1mGnsK} None of these

{bmp_5ejd8piwxYS.Name} Question 6

{bmp_5qaQEJx4FNW} You do not necessarily need specific training or qualifications to carry out a risk
assessment. As an employer, however, you must appoint someone competent to help
you meet your information security duties. A competent person is someone with the
necessary skills, knowledge and experience to manage information security.

{bmp_6AZiKEjg3Py} Incorrect

{bmp_6gVocnZ1l3H} You did not select the correct response.

{bmp_6OeY7hXo2w9} Correct

{bmp_6dzPT8AlxiE} That's right! You selected the correct response.

{bmp_6Zf64gzPAdS} Question 7
{bmp_6rNnAdSGEEz} Internal and external interested parties

{bmp_6OxcGijVhLt} An information security legal register


{bmp_68zuVr6Yxqa} When identifying the context of the organization, an organization must identify ….

{bmp_62xy5RC0kKZ} Information security officers and managers

{bmp_6JBeQkAyzxY} A register of all company assets

{bmp_6ljObY5CMxS.Name} Question 7

{bmp_6odlUrei1TZ} The organization must identify internal and external factors that influence its
objectives. An organization's internal context includes its internal stakeholders, its
approach to governance, its contractual relationships, and its capabilities, culture, and
standards.

{bmp_5pAifLhVVCI} Incorrect

{bmp_5VsyX9N02kP} You did not select the correct response.

{bmp_6V6rvO86ZoU} Correct

{bmp_6dhXOLxCwPM} That's right! You selected the correct response.

{bmp_6hEjIhfBaos} Question 8
{bmp_67MxqhCCj79} Competence, Awareness, Annex A controls, Leadership
{bmp_5zBRFdKH0qS} Awareness, Competence, Leadership, Communication

{bmp_6n3UrnOgVVg} Section 7 of ISO 27001 relates to support processes. Which of the following are included within
section 7?

{bmp_6PB3IRyTch9} Communication, Awareness, Competence, Resources

{bmp_6cbQpxmqpB2} Resources, Leadership, Context, Awareness

{bmp_5w52oLSliPe.Name} Question 8

{bmp_64wqPkxz2OY} Clause 7 is about support for the Information Security Management System. This
includes communication, awareness, competence and resources.

{bmp_5a1tzJFRGTe} Incorrect

{bmp_5y6D2SYRz2g} You did not select the correct response.

{bmp_6BzeWaTR2lK} Correct

{bmp_5gJoBpFzdMz} That's right! You selected the correct response.

{bmp_6JXKRj9HW97} Question 9
{bmp_6lkWMASZKFC} Maintained and filed
{bmp_6E6wB1MbOvk} Maintained and retained

{bmp_5f7FaQwaWfU} Documented information is a requirement of ISO 27001. What two specific requirements does ISO
27001 set for documented information?

{bmp_6XIFIV6gMe0} Retained and filed

{bmp_6TpVB2qeF1F} Filed and alphabetized

{bmp_5cUH5QV3ya7.Name} Question 9

{bmp_6inM7ULEE8q} Documented information is required to be both maintained and retained as a
requirement of ISO 27001.

{bmp_5z9UKiKglwk} Incorrect

{bmp_5lKO14u3J0f} You did not select the correct response.

{bmp_5dUazGE6URc} Correct

{bmp_6nZ1NthOgO3} That's right! You selected the correct response.

{bmp_5j0GdaRPp8T} Question 10
{bmp_6f54AaGUxlj} Civil Information Authority

{bmp_5vuxPSYQPkF} Criminals In Action

{bmp_6nA0RGA1A5Z} One of the key elements of an effective ISMS is the phrase ‘CIA’. What does CIA stand for in the
context of an ISMS?

{bmp_6n9nncirhh1} Confidentiality, Integrity, Authority

{bmp_6KfWfyhX6cx} Confidentiality, Integrity, Availability

{bmp_5dSs0LCib1Z.Name} Question 10

{bmp_6Kdt7NSd6tM} In this context, confidentiality is a set of rules that limits access to information, integrity
is the assurance that the information is trustworthy and accurate, and availability is a
guarantee of reliable access to the information by authorized people.

{bmp_6aqO0zDXHEI} Incorrect

{bmp_6TLPxJZRSeL} You did not select the correct response.

{bmp_5rn3byRuCow} Correct

{bmp_5UoEmvyNP2g} That's right! You selected the correct response.


{bmp_5nbfjUl4TKE} You Scored:

{bmp_6PQJvmd9AZc} %Results3.ScorePercent%%

{bmp_6I3fi0SRmA5} Your results
{bmp_6cE6kfYQ0w0.Name} Your results

{bmp_63aBg7qdpCR} Review

{bmp_6Rd9NayC5i3} Review Your Results

{bmp_6ScLh3X6C1l} Get the most from your online learning experience. Review your quiz results now,
revisit this section and retake the quiz to improve on your score and reinforce your
learning.

{bmp_5oGUnu0F6qI} Sorry, you did not pass.

{bmp_6PRjShQ2oQ4} Congratulations, you passed.

{bmp_5euTvmUFeiq} This course was brought to you by Lloyd’s Register ©2019

{bmp_5rxz9HGebLw.Name} Course Finish

{bmp_5zCM7S6EMO6.Name} Overview
{bmp_6R8ZTAP6nNt} Overview.
{bmp_69jc6or3JyK} In this section, we will explore the purpose of
ISO 27001, the background of the standard, and the key elements of information security.

{bmp_5n2Y9Jl6ayd.Name} Introduction

{bmp_5n2Y9Jl6ayd.Note} In this section, you’ll find out about the purpose of ISO 27001, its background, and the key elements of information
security.

{bmp_6aZefqQElR4} There are many standards in the ISO 27000 series. The main standards are:

- ISO 27001, which sets out the requirements for an information security management system (ISMS), and
- ISO 27002, which is a guide to help organizations interpret the controls stipulated within Annex A of ISO 27001.

Standards for information security have been around since 1995, when organizations asked the British Standards Institution
to create a standard to help protect information.

The Information Standards Organization (ISO), working in conjunction with the International Electrotechnical Commission (IEC),
has developed over 30 standards in the ISO 27000 series, each focusing on specific issues.

{bmp_69LRdwP9Eye} Background of the standards
{bmp_5mN9gqDH17K.Name} Background of the standards
{bmp_5mN9gqDH17K.Note} There are many standards in the ISO 27000 series, with the main standards being: ISO 27001, which sets out the
requirements for an information security management system (ISMS), and ISO 27002, which is a set of controls and
guidance to support the defense against loss or theft.

{bmp_6NTxoTKN3Ev} What is information?

Information can be electronic data, written on paper, spoken, an image, video, etc.

Information is one of an organization’s most valuable assets. The objectives of information security are to protect the
confidentiality, integrity and availability of information, known as C.I.A.

C.I.A. is the essence of Information Security.

{bmp_5bk3VBBwmnm} What is information?
{bmp_6HZ9GmIdAjN.Name} What is information?

{bmp_6HZ9GmIdAjN.Note} Let’s begin by understanding what we mean by information.

Confidentiality
Information should be protected to ensure it is only available to those that are authorized by the organization or its
owners to have access to and use of information. Many forms of access control are about protecting confidentiality.

Integrity
Ensuring that information in storage, being processed or communicated is protected against accidental or unauthorized
modification, so that it remains accurate and complete.

Availability
Ensures that information will be available to the organization and its users who are authorized to have access to it,
when and where they need to use and process it.

{bmp_6M3sZMkP0Gf} Roll over and click on each of the sections that make up the Information Security Triangle

{bmp_6E1CfAwO6PL} Availability
{bmp_6hzZjKya4d3} Integrity

{bmp_6YucjgNcENt} Confidentiality

{bmp_5V33BUrh5dv} Availability

{bmp_5YXwFE1gmdM} Ensuring that information will be available to the organization and its users who are authorized to have access to it, when and
where they need to use and process it.

{bmp_61sSdNtDY13} Integrity

{bmp_5gTrUGnfIU6} Ensuring that information in storage, being processed or communicated is protected against accidental or unauthorized
modification, so that it remains accurate and complete.
Integrity controls need to be included at the procedural level to reduce the risks of human error, theft or fraud, e.g. controls for
input/output data validation, user training and other operational type controls.

{bmp_5vL5PGpcysL} Confidentiality

{bmp_63WsPL3sJHR} Information should be protected to ensure it is only available to those that are authorized by the organization or its owners to have access
to and use of information. Many forms of access control are about protecting confidentiality.

{bmp_5cACPBvuEjV} The C.I.A. elements of information security help to ensure that an organization can protect itself against information being:

{bmp_6cdcPbvZEw9} C.I.A. - Protection
{bmp_5oUMsmeL7HW.Name} C.I.A. - Protection

{bmp_5oUMsmeL7HW.Note} The C.I.A. elements of information security help to ensure that an organization can protect itself against information
being leaked, modified, lost, or unavailable.
{bmp_6ckPG7R7Si0} Select each heading to reveal its definition

{bmp_6RcmDodZbvO} any important business information being rendered unavailable when needed

{bmp_6bWfGpyDMZS} Leaked

{bmp_5bGf1ost46N} Leaked

{bmp_5pvRqaJ7emL} Modified

{bmp_6nyJSBI9vCN} Modified

{bmp_6ba1gHNazK8} Lost

{bmp_6dGToiEacJ8} Lost

{bmp_6CDdB6Kq4MM} Unavailable

{bmp_6eaHyQjo2xp} any important business information being lost without trace or hope of recovery;

{bmp_60Jr6Qytimj} Modified

{bmp_68npXTuYgTB} Modified

{bmp_6V3hpmZgbb8} Lost

{bmp_6JTry2Pm0hG} Unavailable
{bmp_6kQpR5EhbA5} Unavailable

{bmp_6ZlnzkchjVH} Leaked

{bmp_6BnAOcEX9dS} Leaked

{bmp_5zioJhlR5cF} critical information being accidentally or intentionally modified without the organization’s knowledge;

{bmp_6hw7rMNnk1m} Modified

{bmp_5a1bYYJ2OWG} Lost

{bmp_5mYp1fKdHiR} Lost

{bmp_5zTtkjx5hYi} Unavailable

{bmp_6Tp4HtZrXg6} Unavailable

{bmp_5dDRvrIrSxG} Leaked

{bmp_6N955L91OJq} Leaked

{bmp_6ASaeP8gkFu} sensitive or confidential information being given away, leaked or disclosed, either accidentally
or in an unauthorized way;

{bmp_64lzgVE6M2w} Leaked
{bmp_69ppsc0ILK8} Modified

{bmp_6lnkjxjUroZ} Modified

{bmp_5Zm4hz6lYmJ} Lost

{bmp_5tvQVjtkCMk} Lost

{bmp_6JJJ468rADd} Unavailable

{bmp_6YcqBNrn2yd} Unavailable

{bmp_66pWLwSvnOq} Information security should be the responsibility of all:

- managers
- information systems owners or custodians
- and users in general

to ensure that their information is properly managed and protected from the variety of risks, threats and vulnerabilities faced by
every organization.
Information security management is not a one-off exercise, but should be seen as an ongoing activity of continual improvement.
Well-managed information security is a business enabler. No organization can operate successfully in today’s world without
information security. A well-chosen management system of controls for information security, properly implemented and used, will
make a positive contribution to the success of the organization, not just a cost against the bottom line.
Remember that ISO 27001 contains the controls (in Annex A) and ISO 27002 provides the interpretation and guidance on what they mean.

{bmp_68YwkxCSbsq} Responsibilities
{bmp_5qqTK7aOGus.Name} Responsibilities

{bmp_5qqTK7aOGus.Note} Information security should be the responsibility of all managers, information systems owners or custodians, and
users in general, to make sure that their information is properly managed and protected from the risks and threats
faced by every organization.
Information security management is not just a one-off exercise; it is an on-going activity of continual improvement.

{bmp_6jA7Tm1v3iZ} Take this short quiz to test your knowledge

{bmp_5VjrGUUr0kD} Retake

{bmp_5pQFkj6TowF} You scored:

{bmp_6o61wuEDWIE} %respquiz% / 5

{bmp_6YFa6teAPEk} Correct

{bmp_65fbmw4bMsV} That's right! You selected the correct response.

{bmp_69lHym4PGeV} Incorrect

{bmp_6ZB6NuhvPyv} You did not select the correct response.
The correct answer is Confidentiality.

{bmp_5sCId73Rr8I} Ensuring information is protected to make sure it is only available to those that are authorized by the organization is:

{bmp_5lX36bzUY5D} Information security

{bmp_638atOA2FW5} Availability

{bmp_5acIIvB4ODw} Confidentiality
{bmp_5rsXJBPQ2bZ} Integrity

{bmp_6cXN1coyk4j} Submit

{bmp_6OHtDDpnujg} 5/5

{bmp_6HOI2KAHF3l} Correct

{bmp_6UWtCkNsM08} That's right! You selected the correct response.

{bmp_6Z99M3tVCF0} Incorrect

{bmp_6VwNaWuzIRb} You did not select the correct response.
The correct answer is As implementing good practice.

{bmp_5zqdwnq2Ril} How should the use of ISO 27001 be viewed by senior managers within an organization?

{bmp_6chQrDldjVF} As implementing good practice

{bmp_6Cpvi1nAiYg} As overkill unless there are very serious problems with handling data

{bmp_6MMNKCN4V5q} As a pet idea of the IT Director who thinks it will look good to clients

{bmp_6nkGp7x7uRn} A good idea as competitors are using it


{bmp_6kMmxeE22AU} Submit

{bmp_6gcKfxt3DPA} 4/5

{bmp_5k7nBcjRhXT} Correct

{bmp_66Nv8Qz7CYw} That's right! You selected the correct response.

{bmp_5em9PYTvRVX} Incorrect

{bmp_5Wwy3b1lB98} You did not select the correct response.
The correct answer is Integrity.

{bmp_6DglT1seFew} What are you protecting when ensuring the accuracy and completeness of assets?

{bmp_6N1TbA60bCZ} Confidentiality

{bmp_6lQatQDUHkt} Integrity

{bmp_5cWrPU7VZ8h} The company from prosecution

{bmp_6ZRnra57Z8y} Not much

{bmp_6CotV3wQWaw} Submit

{bmp_605wXUdYBOM} 3/5
{bmp_6lNiyB0hKFw} Correct

{bmp_6IpsFkHM1D2} That's right! You selected the correct response.

{bmp_5kig61nKdMs} Incorrect

{bmp_6SqD7ObMSDo} You did not select the correct response.
The correct answer is a set of controls and guidance to support the defense against loss or theft.

{bmp_6IDy3CZXstM} What is ISO 27002?

{bmp_5l2aCyxTnYe} A standard for cyber security management

{bmp_6oHUFQHs9KN} Requirements for an information security management system

{bmp_6j0Zv174le5} A set of controls and guidance to support the defense against loss or theft

{bmp_5r5RtXWeNi2} All of the above

{bmp_68ZOcuGrIDV} Submit

{bmp_6qhE6Xq6DkD} 2/5

{bmp_6DgVuKLl5Vy} Incorrect
{bmp_6aQwcan7oII} You did not select the correct response.
The correct answer is all of the above.

{bmp_6LgNdxF27Qf} Correct

{bmp_6TSCnH9ZXzE} That's right! You selected the correct response.

{bmp_6GzqqwRU2uu} Information, controlled within the scope of ISO 27001 includes what?

{bmp_5dz6bYZu9QN} Information on a flip chart in an office

{bmp_5xgQS7kq82E} Electronically stored information

{bmp_5hzIqUpeSTD} Verbal information

{bmp_5hDy98vkNEO} All of the above

{bmp_6FlQyhtpiuf} Submit

{bmp_6rAvO9nRiYe} 1/5

{bmp_6V9qEHivEk9} You’ve reached the end of the Overview section.

Let’s summarize before you continue to the next section. In this section, you have explored:

- the purpose of ISO 27001
- the background of the standard
- the key elements of information security and the C.I.A. concept.
{bmp_63xsnd4F5kM} Summary
{bmp_6Qp7rBsRWfX.Name} Summary

{bmp_6Qp7rBsRWfX.Note} You’ve now reached the end of the Overview section.

Let’s summarize what we’ve explored before you continue.

{bmp_6gXDB8TPx3T.Name} Terminology and processes

{bmp_6pnRmWfrTYW} In this section we will explore some of the key terminology used in ISO 27001.

{bmp_6FKYkCzfzuE} Terminology.
{bmp_6pDAX5F3Mva.Name} Introduction

{bmp_6pDAX5F3Mva.Note} In this section we will explore some of the key terminology used in ISO 27001.

{bmp_6U31cF6c7RA} Let’s look at some of the general terms from the guidance standard, ISO 27000.

{bmp_6cXSEyaSLeW} General terms and definitions
{bmp_61oyNAjq0XY.Name} General terms and definitions

{bmp_61oyNAjq0XY.Note} Let’s look at some of the general terms from the ISO 27000 guidance standard.

{bmp_5fJO234ee8u} Select each heading to reveal its definition


{bmp_6jQvhpoLs8U} Measure that is modifying risk

{bmp_5t4w8xiwQhl} Confidentiality

{bmp_6NWaXKL7yKP} Confidentiality

{bmp_5kO1KjydUND} Integrity

{bmp_66U02WtkPjQ} Integrity

{bmp_5rmBgGJe8Cy} Availability

{bmp_5iskclSZdu7} Availability

{bmp_6iodNZ3oWu1} Control

{bmp_6KrxPTz5NMr} Property of being accessible and usable upon demand by an authorized entity

{bmp_6qy8SeVQGNk} Confidentiality

{bmp_6VpXBDBMJcE} Confidentiality

{bmp_6BUffqQ3Gra} Integrity

{bmp_6oPS93OGfmu} Integrity
{bmp_5wsplDyAM8o} Availability

{bmp_6A2lYjJ4hOc} Control

{bmp_5dKxr9UiEZX} Control

{bmp_5ZSd6AZHPJT} Property of accuracy and completeness

{bmp_6BBG9bXgvqi} Confidentiality

{bmp_6ij7O8WChyk} Confidentiality

{bmp_6FiQ0Bisfv6} Integrity

{bmp_6c8lNNn4Y4Y} Availability

{bmp_5oyJpoDnj4P} Availability

{bmp_6M1EbiezwEu} Control

{bmp_68Zvdv0xu19} Control

{bmp_6QOnN5BJziR} Property that information is not made available or disclosed to unauthorized individuals, entities, or processes

{bmp_6jYid4IMPQA} Confidentiality
{bmp_5mw4XHtQjCM} Integrity

{bmp_6IKyc9qeSPW} Integrity

{bmp_6SeabHbA9RI} Availability

{bmp_5qDW2svfcsS} Availability

{bmp_5qxQW0NzVRU} Control

{bmp_6GJOtz262i7} Control

{bmp_645xux6LcT3} Some terms used in ISO 27000 are information security threat specific.

{bmp_5hhPQ5uT9Pg} Threat specific terms
{bmp_5p7vMkWW5ku.Name} Threat specific terms

{bmp_5p7vMkWW5ku.Note} Now let’s look at some of the terms that are threat specific.

{bmp_6dO5WJkACm7} Select each heading to reveal its definition

{bmp_5jHYomLlz2v} Single or a series of unwanted or unexpected information security events that have a significant probability of compromising business
operations and threatening information security

{bmp_5cXXlsRV6zo} Threat

{bmp_6loTRC6Chfr} Threat
{bmp_61o01keFfsP} Vulnerability

{bmp_6apz4eqf55I} Vulnerability

{bmp_6cfqwXskit9} Information security event

{bmp_64dJn4Qg1cy} Information security event

{bmp_5tmHyRP891J} Information security incident

{bmp_5g2gzKGwifa} Identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of controls,
or a previously unknown situation that may be security relevant

{bmp_5ZoImEm61WR} Threat

{bmp_6T479hX93GD} Threat

{bmp_6Ej6nF9sbYY} Vulnerability

{bmp_5vofg4u8wkq} Vulnerability

{bmp_6GNiGOHteRv} Information security event

{bmp_6ORsj6d8PdQ} Information security incident

{bmp_5yyO26SfcwW} Information security incident


{bmp_5h5lIINXbhm} Weakness of an asset or control that can be exploited by one or more threats

{bmp_6PrLx4PgDhU} Threat

{bmp_5rWUk1kMk6h} Threat

{bmp_61g5w6PrW4o} Vulnerability

{bmp_5VZRlv4GOzZ} Information security event

{bmp_5zkfFBXKP3I} Information security event

{bmp_5ykyI0rHlJN} Information security incident

{bmp_67a38MXTSPy} Information security incident

{bmp_6lD9ZEkYBbz} Potential cause of an unwanted incident, which may result in harm to a system or organization

{bmp_6pkfC3YbamV} Threat

{bmp_6YmvjScUMzf} Vulnerability

{bmp_6fvttxkZXf8} Vulnerability

{bmp_6dzR4N8kxOl} Information security event


{bmp_5Vr3ep9v0zr} Information security event

{bmp_63bE0DmBmUL} Information security incident

{bmp_5tHl0wrKzpk} Information security incident

{bmp_5hRL5avnkUy} Other terms used in ISO 27000 are information security risk specific.

{bmp_6abvf1QithK} Risk specific terms
{bmp_67mwwCOSbhO.Name} Risk specific terms

{bmp_67mwwCOSbhO.Note} Finally, let’s look at the risk specific terms, and their definitions.

{bmp_5XsMNiTVzmb} To remove the risk at its source e.g. stopping the activity altogether or terminating a contract with a supplier or even an employee.

{bmp_5mUfCt6Lk5H} Risk

{bmp_6gk1gWT2vTc} Risk

{bmp_6mg2GHS0sBa} Risk assessment

{bmp_6TTvtN04pTO} Risk assessment

{bmp_6leQoYz8z94} Risk treatment


{bmp_6o1Ap0vwHSd} Risk treatment

{bmp_6WDtfUp5beJ} Residual risk

{bmp_5feiozh82CA} Residual risk

{bmp_6SGJGL6TKSg} Risk analysis

{bmp_61tBGoZxdRQ} Risk analysis

{bmp_5ulDeAVfnRd} Risk terminate

{bmp_5nxoTnFZS43} Risk transfer

{bmp_5c7qUEvlWJS} Risk transfer

{bmp_6K4M9nJHlul} Risk acceptance

{bmp_5abCuHVNp2D} Risk acceptance

{bmp_6h37jzr8kJF} The transfer of associated risk to other parties, e.g. outsourcing, suppliers or insurers

{bmp_64tYSR2AbaS} Risk

{bmp_68vCHCezbSb} Risk

{bmp_5rfxSFNRhEu} Risk assessment


{bmp_6N6oy9ezOJN} Risk assessment

{bmp_5q8YtCrXFam} Risk treatment

{bmp_69ty1pYx0Nw} Risk treatment

{bmp_5iRnb6Rrt3L} Residual risk

{bmp_6PWgFZkJLOK} Residual risk

{bmp_6Xknpan57td} Risk analysis

{bmp_5tmNcRWbsCX} Risk analysis

{bmp_5qYItYqrEMF} Risk transfer

{bmp_5YtSpnWJcOl} Risk terminate

{bmp_6o25XMJmr4G} Risk terminate

{bmp_6mzIoc17JVT} Risk acceptance

{bmp_6ZApqaUn3Ju} Risk acceptance

{bmp_6lSHUPBwM0U} Informed decision to take a particular risk


{bmp_6iXLrm6ni1e} Risk

{bmp_5dG9934A2qF} Risk

{bmp_6D9ogu5jNyB} Risk assessment

{bmp_6MwLNEeZ3dh} Risk assessment

{bmp_6TAWBBekYJ7} Risk treatment

{bmp_5c2WeX7WjUb} Risk treatment

{bmp_5tyTE3Ge3Mg} Residual risk

{bmp_5q36vveXyos} Residual risk

{bmp_60v7bnWBjXJ} Risk analysis

{bmp_6KbbGrAollM} Risk analysis

{bmp_6h57mwkQiCL} Risk acceptance

{bmp_6kkssMaKoFY} Risk transfer

{bmp_6XukPRkvrq2} Risk transfer


{bmp_61PxSmrYUOK} Risk terminate

{bmp_60MRmrcKsGz} Risk terminate

{bmp_6LWWRLXaKQW} Process to comprehend the nature of risk and to determine the level of risk

{bmp_5fA5Su6oING} Risk

{bmp_6Fskt6TkUjJ} Risk

{bmp_6nv0OV64MaW} Risk assessment

{bmp_5zMSTbFkWgL} Risk assessment

{bmp_5cJa1fwDhHJ} Risk treatment

{bmp_6KrLUB6oZhz} Risk treatment

{bmp_6alC6HExdXq} Residual risk

{bmp_68lhwbGgWJq} Residual risk

{bmp_6AVCtwMpBQa} Risk analysis

{bmp_6kTDOOefnMj} Risk analysis

{bmp_68qGQJnxSly} Risk acceptance


{bmp_675pjOvymyZ} Risk acceptance

{bmp_66K8T9oBEvp} Risk transfer

{bmp_6AZUr9zbebl} Risk transfer

{bmp_5j5ZEcKNT4w} Risk terminate

{bmp_6gcH3tNJpTV} Risk terminate

{bmp_5VhgkJTkEnt} Select each heading to reveal its definition

{bmp_6LpNuqmXceu} Risk remaining after risk treatment

{bmp_5l8B0u1J8W1} Residual risk

{bmp_5sIm89PpM9d} Risk analysis

{bmp_6G7vg3LR6PX} Risk analysis

{bmp_5dfajB6a44n} Risk acceptance

{bmp_6LPDlttu84Z} Risk acceptance

{bmp_5ix5DSp1Mj4} Risk
{bmp_5fF4kgLDmbw} Risk

{bmp_6A43wb8gpQ9} Risk assessment

{bmp_6Fdb4T6UODe} Risk assessment

{bmp_6LCmWhKOGVI} Risk treatment

{bmp_6qUuTGZVFM3} Risk treatment

{bmp_6MEUVdxZJ9O} Risk transfer

{bmp_6VF1X3CrLhb} Risk transfer

{bmp_6Ttx3Ld7xzF} Risk terminate

{bmp_5kMKQ0qTM7r} Risk terminate

{bmp_5VKCEWARgx0} Process to modify risk

{bmp_6qSNzV17rYb} Risk treatment

{bmp_6VqyIeyUaAj} Residual risk

{bmp_6lQ4iqlcAcZ} Residual risk

{bmp_6Rex27oE9Ua} Risk analysis


{bmp_61GLBg6y966} Risk analysis

{bmp_63sWy7JGwbJ} Risk acceptance

{bmp_6R4dGDkYJwM} Risk acceptance

{bmp_5YXPnd7dNqf} Risk

{bmp_5W7jTZOf7ZC} Risk

{bmp_6n7HUfz2W7f} Risk assessment

{bmp_62EzIAuHYE8} Risk assessment

{bmp_5cKXL1OnRgZ} Risk transfer

{bmp_6iqvZUJlfa1} Risk transfer

{bmp_6e2YSfkN6Yn} Risk terminate

{bmp_5tajmGSLdiJ} Risk terminate

{bmp_6lo2CeR4ZWJ} Overall process of risk identification, risk analysis and risk evaluation

{bmp_61zAGsba9VJ} Risk assessment


{bmp_5jAU40M3ad2} Risk treatment

{bmp_5wD4m4mVGr5} Risk treatment

{bmp_5oiw9XF0HtN} Residual risk

{bmp_6oPZrhRHPEB} Residual risk

{bmp_5VrreddWoCh} Risk analysis

{bmp_6ddwDpVpDiE} Risk analysis

{bmp_6pyJ67E79ET} Risk acceptance

{bmp_6fcXZUSHX6n} Risk acceptance

{bmp_6ex8riUDKGt} Risk

{bmp_6I39tyb3Ys1} Risk

{bmp_5rMOsxbb2f5} Risk transfer

{bmp_6Vl1a7kgze7} Risk transfer

{bmp_6YXZhT9PAQ3} Risk terminate


{bmp_5fO2CESmpAE} Risk terminate

{bmp_65YUIawFa7T} Effect of uncertainty on objectives

{bmp_69MQZkVMyCP} Risk

{bmp_6KomF2VGGPH} Risk assessment

{bmp_6IGCdReWS7m} Risk assessment

{bmp_6gEKVrFOL8v} Risk treatment

{bmp_5wRUuEoF4vw} Risk treatment

{bmp_6daOFWlVWFc} Residual risk

{bmp_5qZwx2iYotI} Residual risk

{bmp_6NMqFphbqR1} Risk analysis

{bmp_5avxts6VMeL} Risk analysis

{bmp_6Lyk19UjfNz} Risk acceptance

{bmp_621d8AhIjpn} Risk acceptance

{bmp_6RpvkJcbb9o} Risk transfer


{bmp_6DD965SUnjI} Risk transfer

{bmp_64baUllCWe6} Risk terminate

{bmp_6oc0FueIZrM} Risk terminate

{bmp_5jyKBWrUjww} Risk acceptance

{bmp_6jxAFgjWbdW} Informed decision to take a particular risk

{bmp_6GE6icDGR70} Threat

{bmp_5hCG66ntVVa} Potential cause of an unwanted incident, which may result in harm to a system or organization

{bmp_5yD2QE91stW} Risk assessment

{bmp_5mhmxV2eleu} Overall process of risk identification, risk analysis and risk evaluation

{bmp_5jrfViYZ1fA} Control

{bmp_6nyXeR1FIXJ} Measure that is modifying risk

{bmp_5hL7JYCt46D} Vulnerability

{bmp_5xfat9dV7ry} Weakness of an asset or control that can be exploited by one or more threats
{bmp_6pvHRzAoqxQ} Check your knowledge of the terminology with this activity.

{bmp_5nTx6nWETNJ}
Definitions and terminology - exercise
{bmp_5rGVxbElIHj} Risk

{bmp_6Uj2ywwN7jp} Effect of uncertainty on objectives

{bmp_6Gq7noCHDZa.Name} Definitions and terminology - exercise

{bmp_6Gq7noCHDZa.Note} Let’s review and check your knowledge of the Terminology with this activity.

{bmp_5Wq8hhCNv8J} Incorrect

{bmp_5kbeRY8XuNj} That is incorrect. Please try again.

{bmp_67nUWouuWwS} Drag and drop each description to lock it into the term it refers to, then click the Submit button

{bmp_6lj9u2BMVWt} Incorrect

{bmp_5dYJYkJnf3o} You did not select the correct response.

{bmp_6FsGDaWUDaL} Correct

{bmp_6WVgycjRWWF} That's right! You selected the correct response.


{bmp_6WSRNe5B24Z}
Definitions and terminology - Answers
{bmp_5daKqae1qdi.AltText} Table with 2 columns and 7 rows

{bmp_5daKqae1qdi.6ZUQefHkdF8} Term

{bmp_5daKqae1qdi.5eCFI9Xq5Fk} Definition

{bmp_5daKqae1qdi.601T5g29yUP} Risk acceptance

{bmp_5daKqae1qdi.5thpDovD74Q} Informed decision to take a particular risk

{bmp_5daKqae1qdi.6SDAjlYk31r} Threat

{bmp_5daKqae1qdi.6hQv7OtQbyK} Potential cause of an unwanted incident, which may result in harm to a system or organization

{bmp_5daKqae1qdi.654964pFJ9R} Risk assessment

{bmp_5daKqae1qdi.5agJ9QmtodB} Overall process of risk identification, risk analysis and risk evaluation

{bmp_5daKqae1qdi.5h3AQAvllXc} Control

{bmp_5daKqae1qdi.60Z3qMlLCKP} Measure that is modifying risk

{bmp_5daKqae1qdi.6c1SiEHafv5} Vulnerability

{bmp_5daKqae1qdi.6CtctMXyDak} Weakness of an asset or control that can be exploited by one or more threats

{bmp_5daKqae1qdi.6gToTteKyxW} Risk
{bmp_5daKqae1qdi.5ymtEoAWLFh} Effect of uncertainty on objectives

{bmp_6p5SPIZxiie} Here’s a quick recap of the terms with the correct definitions:

{bmp_5cCRbidN0QQ.Name} Definitions and terminology - Answers

{bmp_66u9feKrZY7} You’ve reached the end of the Terminology section. Let’s summarize before you continue to the next section.

In this section, you have explored the key terminology used in ISO 27001, including:

• general terms and definitions
• threat specific terms and definitions
• risk specific terms and definitions.

{bmp_5v7WY6HTNPO}
Summary
{bmp_6VqWHzUxZsE.Name} Summary

{bmp_6VqWHzUxZsE.Note} You’ve now reached the end of the Terminology section.

Let’s summarize what we’ve explored before you continue.

{bmp_6dmxgRp68eP.Name} Specific requirements

{bmp_6OvnHcbHwNw}
Specific
requirements
{bmp_67u07EKpW8u} In this section we will look at the specific requirements of ISO 27001 within Clauses 1 to 10.
{bmp_5ysUDyrE98L.Name} Introduction

{bmp_5ysUDyrE98L.Note} In this section we will look at the specific requirements of ISO 27001.

{bmp_6cMCXz5ctox} The elements shown here are known as ‘information clauses’ and are not auditable requirements.

{bmp_67KPfccO483}
The Information Clauses
{bmp_5Wzkq5XnrFX.Name} The Information Clauses

{bmp_5Wzkq5XnrFX.Note} Clause 1 is the scope of ISO 27001.

Clauses 2 and 3 reference ISO 27000 as a support document.

Clauses 4 to 10 of ISO 27001 are the requirements of an ISMS that need to be implemented to meet the aims and
goals of the standard.

{bmp_60DjqkNDEFs} Select each of the information clauses to find out more

{bmp_5pvSxqCDA6K} Clause 3 is guidance, and references ISO 27000 as a support document which provides an overview of information security, and the
vocabulary used in ISO 27001.

{bmp_6Ig4VnoNPCu} Clause 2 is guidance, and references ISO 27000 as a support document which provides an overview of information security, and the
vocabulary used in ISO 27001.

{bmp_6kh7ADrYJR7} Clause 1 is the scope of ISO 27001, detailing what ISO 27001 covers, such as physical, personnel and information technology security.

The scope of ISO 27001 is primarily based on risk and can apply to all organizations no matter how big or small.

{bmp_6obWEsqn3bt} Like many other standards, section 4 requires us to identify the context of the organization, the scope and the main elements of
the ISMS.
Clauses 4 to 10 are known as the ‘auditable clauses’.

{bmp_60XOkAAxGtv}
The Auditable Clauses
{bmp_6ZjKvHymhm6.Name} The Auditable Clauses

{bmp_6ZjKvHymhm6.Note} Like many other standards, section 4 requires us to identify the context of the organization, the scope, and the main
elements of the ISMS.

{bmp_65f1Vcg0KWC} “The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve
the intended outcome(s) of its management system.” This requires identifying all internal and external interested parties and their
needs and expectations.

{bmp_6pI0i5xM9S1}
Context – external and internal issues
{bmp_5c2rj1k1Rfm} LRtraininggetin

{bmp_6fcaqFDdW8r.Name} Context – external and internal issues

{bmp_6fcaqFDdW8r.Note} The context section of ISO 27001 requires identification of internal and external issues affecting the business.

{bmp_5pASlpFGwuT} Roll over each of the surrounding images to identify the interested party

{bmp_5VAkIO2gveU}

Shareholders
{bmp_5gBKMLL3Kae}

Regulators
{bmp_6CdTEHIklMU}

Federations
{bmp_5aRsIrrMuhE}

Non-government
organizations
{bmp_5rVZRtqccQO}

Competition
{bmp_69aJQMLaI7f}

Insurance
{bmp_6Mkqq0rl8T6}

Pressure groups
{bmp_6GR369G9XAW}

Governments
{bmp_641WXF8waXM}

Science
{bmp_5ZlDpaZnzrE}

Academia
{bmp_5wxYfCEOmw8}

Media
{bmp_5ziLcrXUVDc}

Public
{bmp_5fFSKKaI6sI}

Banks
{bmp_5aBe49dAxBG}

Workers
{bmp_5cioux23qKi}

Customers
{bmp_68hN29y1pIA} All organizations have internal and external ‘interested parties’ and each of them has specific needs and expectations regarding
the security of information.

The context section also requires the identification of the scope of the business’s management system and the structure of the
management system itself.

{bmp_6Comhf5HFSq}
Interested parties and information security
{bmp_6Vyh3A8LbLZ} Employees

{bmp_6iNN3OUEo3e} Customers

{bmp_69VSOsA8HPG} Other Parties

{bmp_6dYyIJ0uLXU.Name} Interested parties and information security

{bmp_6dYyIJ0uLXU.Note} Let’s look at the context a little further.


All internal and external ‘interested parties’ have specific needs and expectations about the security of their
information, such as salary details, family information, account details, and more.
The context section also requires the identification of the scope and structure of the business’s management
system.
{bmp_6fxtOUaOfgi} Other interested parties
We also have other external interested parties such as legislators and regulators.

{bmp_5XUyoMRISzd} Customers
Customers want their information, such as accounts, contact details, volume of purchases, to be safe.

{bmp_5Y7n07PpR22} Employees
Employees want their personal information, such as salary details, family information, disciplinary matters, to be secure from others.

{bmp_6ma201qcohL} Select each of the images to find out the specific needs of these interested parties.

{bmp_5pSqQWThxXu} Clause 5 refers to leadership and the role of top management within the business.

Top management are defined as the “person or group of people who direct and control an organization at the highest level.” Top
management are required to demonstrate leadership and commitment through:

• ensuring the policy and objectives are established and are compatible with the strategic direction of the organization
• ensuring the integration of the management system requirements into the organization’s business processes
• ensuring that the resources needed for the management system are available
• communicating the importance of effective management and of conforming to the management system requirements
• ensuring that the management system achieves its intended outcome(s)
• directing and supporting persons to contribute to the effectiveness of the management system
• promoting continual improvement
• supporting other relevant management.

{bmp_5qX0Y0DZlMk}
Leadership and top management
{bmp_5efJIIO5iuN.Name} Leadership and top management

{bmp_5efJIIO5iuN.Note} Clause 5 refers to leadership and the role of top management within the business. Top management are defined as
the “person or group of people who directs and controls an organization at the highest level”
You can see from the list here how top management are required to demonstrate leadership and commitment.

{bmp_6ewqtJsOgJY}
Leadership Exercise
{bmp_5a9eqWYXZ2G} Top management are required to demonstrate leadership and commitment through ensuring the policy and objectives are established and are compatible with the strategic direction of the organization; ensuring the integration of the management system requirements into the organization’s business processes; ensuring that the resources needed for the management system are available; communicating the importance of effective management and of conforming to the management system requirements; ensuring that the management system achieves its intended outcome(s); directing and supporting persons to contribute to the effectiveness of the management system; promoting continual improvement; supporting other relevant management.

{bmp_5pnp12n9LaM} Drag and drop the phrases into the correct places in the paragraph below:

{bmp_6SEI7nj4Ci1} leadership and commitment

{bmp_6ET782uuFTb} policy and objectives

{bmp_65WFkby7lxd} resources
{bmp_6JbFK1XfLbl} continual improvement

{bmp_6YmDNevAWvj} strategic

{bmp_5sdPuikGOsY} outcome(s)

{bmp_5n9YXn2UdXf} management

{bmp_5ZVR348VaUb} integration

{bmp_6HIa3jQfQMP} supporting

{bmp_6f9Tq4M7zIe} effective

{bmp_6Tz1mxwQTlc} processes

{bmp_6hBs3U7F7gB.Name} Leadership Exercise

{bmp_6hBs3U7F7gB.Note} Before you continue, check your knowledge with this activity.

{bmp_5nqC7DN0ztR} Close

{bmp_6ILtqhuFb7v} Complete the Paragraph

{bmp_5oJiB9okoRw} You must complete the paragraph before you can continue. The Next button will be
available when you have all of the phrases in place.
{bmp_5qN19tXuL6S} Drag and drop the phrases into the correct positions in the paragraph before you can proceed

{bmp_5d7cicvjT8i} Top management are also required to establish an information security policy.

In addition, Top Management need to ensure that all roles and responsibilities are identified and assigned to all relevant personnel
to ensure the ISMS meets the requirements of the standard, and that information relating to its performance is reported.

{bmp_6mb6fDloEPk}
Top management and information security policy
{bmp_5oleh4vKza7} • is appropriate to the purpose of the organization
• provides a framework for setting information security objectives
• includes a commitment to satisfy applicable information security related requirements
• includes a commitment to continual improvement of the ISMS.

{bmp_5nVUYFvKRvy.Name} Top management and information security policy

{bmp_5nVUYFvKRvy.Note} The leadership section also requires Top Management to establish a policy meeting the requirements seen here.

In addition, Top Management need to ensure that all roles and responsibilities are identified and assigned to all
relevant personnel to ensure the management system meets the requirements of the standard, and that
information relating to its performance is reported.

{bmp_5zEJQGeLrcP} Click on the checklist to see it more clearly

{bmp_6pNg8GIPq4j} • is appropriate to the purpose of the organization
• provides a framework for setting information security objectives
• includes a commitment to satisfy applicable information security related requirements
• includes a commitment to continual improvement of the ISMS.

{bmp_6iQLohiL7ux} Clause 6 of ISO 27001 focuses on planning to address organizational and operational risks.
Within the context section of ISO 27001, we undertake risk assessment and identify risk treatment methods to address the
issues we have identified.

{bmp_6LOexbwja2f}
Planning and risks
{bmp_6XEOIT5Nr88} Context
interested parties and the related issues

{bmp_6RCS2eeD84e} Next

{bmp_5ri0k1fDouB.Name} Planning and risks

{bmp_5ri0k1fDouB.Note} Planning to address organizational and operational risks and opportunities is the focus of clause 6 of ISO 27001.

We undertake risk assessment and identify risk treatment methods to address the issues we have identified.

{bmp_640Tj0tUoj3} Click on the Next button to see what comes next

{bmp_6TDRKDzTV7e} Planning
risk assessing and identifying controls and risk treatment
processes to address risks and opportunities

{bmp_66YXSqNZknP} Leadership
the direction and provision of roles and responsibilities

{bmp_6nK7Fq21xvr} Leadership
the direction and provision of roles and responsibilities

{bmp_6W97oMgqVpw} Next
{bmp_6gJVCXk8RJ9} Risk assessment is a specific requirement of ISO 27001 as it ensures we identify the correct and most appropriate controls for
information security issues. Risk assessment helps us to identify the specific controls necessary within our own specific ISMS.

ISO 27001 also requires a ‘statement of applicability’ to demonstrate that we have identified all necessary controls from Annex A of
the standard.

Annex A of ISO 27001 is also supported by ISO 27002 which explains the purpose and application of each control in greater detail.

We must also remember that this clause also promotes opportunities for improvement and in particular the work completed
under sections 4.1 and 4.2.

For the purpose of this course, we will focus on Annex A.

{bmp_6CfiBRgdmcF}
Risks and opportunities
{bmp_5VoXmuVN0U6.Name} Risks and opportunities

{bmp_5VoXmuVN0U6.Note} Risk assessment is a specific requirement of ISO 27001 as it ensures we identify the correct and most appropriate
controls for information security issues.

ISO 27001 also requires a ‘statement of applicability’ to demonstrate that we have identified all necessary controls
from Annex A of the standard.

{bmp_5Wcbc6kLR0Q} Annex A of ISO 27001 provides us with a list of control objectives and controls to help strengthen an ISMS. Control objectives
explain the reason and purpose of the specific control category, and the controls themselves set out the requirements.

Annex A contains 14 control objectives and sets of controls.


Select the folder to see the contents of Annex A.

{bmp_6SPoSKxJtsh}
Annex A - Control objectives
{bmp_60BqbObBLoH} Annex A: The Controls
{bmp_6BQC88R2N4f} A5: Information Security Policies
A6: Organization of Information Security
A7: Human Resource Security
A8: Asset Management
A9: Access Control
A10: Cryptography
A11: Physical & Environmental Security
A12: Operations Security
A13: Communication Security
A14: Systems Acquisition, Development & Maintenance
A15: Supplier Relationships
A16: Information Security Incident Management
A17: Information Security Aspects of Business Continuity Management
A18: Compliance

{bmp_6TBvd7jAD3R.Name} Annex A - Control objectives

{bmp_6TBvd7jAD3R.Note} Annex A of ISO 27001 provides us with a list of control objectives and controls to help strengthen an ISMS.

Control objectives explain the reason and purpose of the specific control category, and the controls themselves set
out the requirements.

Annex A begins at A5 and concludes with A18. The information shown here explains the control sets, and identifies
the number of controls in each set.

{bmp_5ix7XOsyE8c} Select Annex A to learn more about the controls

{bmp_5luyd4GhBmY} A5 Information security policies
2 controls requiring policies to be written and reviewed.
A6 Organization of information security
7 controls identifying the requirement for the assignment of responsibilities for specific tasks.
A7 Human resource security
6 controls ensuring that employees understand their responsibilities before starting their employment and once they’ve left or changed roles.
A8 Asset management
10 controls identifying specific information assets and appropriate information security protection responsibilities.
A9 Access control
14 controls ensuring that employees can only view information that’s relevant to their job role in relation to CIA.
A10 Cryptography
2 controls requiring the encryption and key management of sensitive information.
A11 Physical and environmental security
15 controls aiming to secure the organization’s premises and equipment.
A12 Operations security
14 controls helping to ensure the security of information processing facilities.
A13 Communications security
7 controls defining how to protect information in networks.
A14 System acquisition, development and maintenance
13 controls ensuring that information security is a central part of the organization’s systems.
A15 Supplier relationships
5 controls defining third party contractual agreements and how to measure if the agreements are being kept.
A16 Information security incident management
7 controls identifying how to report disruptions and breaches, and responsibilities.
A17 Information security aspects of business continuity management
4 controls defining controls to address business disruptions.
A18 Compliance
8 controls relating to identifying applicable legal requirements.

{bmp_5Z5p9ufY7Zp}
Control objectives further detail
{bmp_5gk7fdIRJz9} Selection of controls from Annex A or ISO 27002 is necessary to ensure a robust ISMS. If any of the 114 controls are deemed
unnecessary by an organization, they must state why within the Statement of Applicability (SoA).

The SoA is a documented list of all applicable and justified non-applicable control objectives and controls.

{bmp_6MWKPZBnU4M}
Annex A - Statement of Applicability
{bmp_6R6iSbRUqk7.Name} Annex A - Statement of Applicability

{bmp_6R6iSbRUqk7.Note} Selection of controls from Annex A or ISO 27002 is necessary to ensure a robust ISMS.

If any of the 133 controls are deemed unnecessary by an organization, they must state why within the Statement of
Applicability (SoA).

{bmp_6hwcpBfaNTH} Select Annex A to learn more about the controls

{bmp_5wxqBeRhkIa} Risk treatment plans are the action taken to address a risk to either remove it, control or mitigate it or transfer it to someone else
such as a specialist contractor.

Once we have conducted the risk assessment and identified applicable controls, we then need to identify methods to ‘treat’ the
risks.

Like other management systems standards, Section 6 of ISO 27001 also requires the setting of Information Security objectives and
plans to achieve them.

{bmp_69xY8Lgqwne}
Risk treatment plans
{bmp_6dQ3DmZn8qe} Risk Assessment

{bmp_5ZIfBChL17B} Identify applicable controls

{bmp_5v69YI0dKI7} Identify methods to treat the risks

{bmp_6aijJM8UAxP.Name} Risk treatment plans

{bmp_6aijJM8UAxP.Note} Once we have conducted the risk assessment and identified applicable controls, we then need to identify methods
to ‘treat’ the risks.

Risk treatment plans are the action taken to address a risk to either accept it, remove it, control or mitigate it or
transfer it to someone else such as a specialist contractor.

{bmp_5gWinIEHbLp} Clause seven identifies five requirements which provide support for the implementation, maintenance and improvement of the
management system.
{bmp_6Ifascst8Mn}
Support
{bmp_6k5iC17lgXY.Name} Support

{bmp_6k5iC17lgXY.Note} Clause 7 identifies the requirements for the support needed for the ISMS to be implemented, maintained and
improved effectively.

{bmp_5dgV8H30kya} to be identified and either maintained or retained.

{bmp_5zm92Vboxxg} Resources

{bmp_6TLh0qUHz4F} Resources

{bmp_6E7bRqrHbxJ} Competence

{bmp_5cOJiKClrff} Competence

{bmp_5d66FpXS6FX} Communication

{bmp_6BcigRp9Di7} Communication

{bmp_6A5v5CohDGc} Awareness

{bmp_5wY0MaelGQj} Awareness

{bmp_6dUuOD1NUaK} Documented information

{bmp_6rZA44SdoEy} to ensure personnel are conscious of the requirements of the policy, how they contribute to the management system and improvement
and the implications of not conforming to the requirements of the management system

{bmp_6HItCbd10ST} Resources

{bmp_5jNGoTe166n} Resources

{bmp_5Wh9IvQcbrm} Competence

{bmp_6AqhxZIY1aU} Competence

{bmp_5qxlirp1TPz} Communication

{bmp_5mRu74bx5bC} Communication

{bmp_5WEILakFDzp} Awareness

{bmp_6TqBvaTfuMh} Documented information

{bmp_6Tap0EnHM9H} Documented information

{bmp_5dLb11rFOCW} internal and external communication methods to ensure free flow of information, instructions and information about the management system

{bmp_6AjBB8llGch} Resources

{bmp_6XLWbY3sG8d} Resources
{bmp_5YquknTSv99} Competence

{bmp_6W6HEYO0kQy} Competence

{bmp_661uBjpBP6W} Communication

{bmp_5m28pQqIvkU} Awareness

{bmp_6lFVnXxWzb3} Awareness

{bmp_5qmWTFYIO0j} Documented information

{bmp_6M10TjaL4nf} Documented information

{bmp_6isbu7NWxhl} in terms of suitably qualified, trained, experienced and/or able personnel

{bmp_62yEhRTi4nP} Resources

{bmp_6VgUYU059nt} Resources

{bmp_6JihpwOJEUw} Competence

{bmp_6ORb3I4mvnt} Communication

{bmp_6cGnx3SKyte} Communication
{bmp_5vmEJ2ClVn1} Awareness

{bmp_6BOMHLlOEZt} Awareness

{bmp_68KXtMvu6pY} Documented information

{bmp_6RARqLfWt1g} Documented information

{bmp_5zsIr5sU8GM} resources required, such as physical, people, infrastructure, equipment etc.

{bmp_64L7zh9hpdg} Resources

{bmp_5mwqdbpz6nP} Competence

{bmp_6XyemSiyYfG} Competence

{bmp_60dcO87k5ug} Communication

{bmp_677OosaiRtA} Communication

{bmp_6ZRkPYZm70w} Awareness

{bmp_6fKqx1AcJry} Awareness

{bmp_5qaqKV6AB08} Documented information

{bmp_5vKa6eujiWy} Documented information


{bmp_6fYirZuez7p} Select each of the boxes to explore the scenario with Company X.

{bmp_6M1HIhiyMz9} Once documented information has been identified, it needs to be either maintained, or retained.

All documented information needs to be developed to be suitable for its purpose and approved for suitability and adequacy. It
also needs to be controlled to ensure it is available and protected against loss or misuse.

{bmp_6bD2KjafAIo}
Documented Information
{bmp_5yEYNeN1Tse.Name} Documented Information

{bmp_5yEYNeN1Tse.Note} Let’s look more closely at documented information.

Section seven of ISO 27001 identifies the requirements for ‘documented information’ in the form of information that
is retained and maintained.

{bmp_6QFp4w7FON1} True

{bmp_5kxAvCi6Cyc} False

{bmp_6QIFBpJAm6F} Identify which of the following statements you consider to be True and which are False

{bmp_5h0rXiy935P}
Exercise
{bmp_5uLG400hqRa} All controls in Annex A of ISO 27001 must be assessed to determine if they are applicable.
Retention of records is required by ISO 27001.
According to ISO 27001, the process of risk assessment does not have to be undertaken.
A ‘SoA’ refers to a Statement of Applicability.
All controls in Annex A of ISO 27001 must be applied in all organizations.
Risk treatment plans provide the organization with options to take relating to risk assessment results.

{bmp_6G2nny3PxE1} Select

{bmp_6ba3V57KBx8.Name} Exercise

{bmp_6IjemlP5fuf} Make your choice for all document types and then click submit

{bmp_6iGIXbG7a0J} The operational planning and control section of ISO 27001 requires the implementation of actions to address ISMS risks and
opportunities.

The output from the activities undertaken in previous ISO 27001 sections now needs to be applied to ensure control is effective.

This includes:

• plans and controls to manage information security risks and opportunities
• the controls as outputs from the risk assessment processes
• the controls as outputs from the risk treatment processes.

{bmp_6CGTx1mREBa}
Operational planning and control
{bmp_6T6bWyWTxzp.Name} Operational planning and control

{bmp_6T6bWyWTxzp.Note} The operational planning and control section of ISO 27001 requires the implementation of actions to address ISMS
risks and opportunities.

The output from the activities undertaken in previous ISO 27001 sections now needs to be applied to ensure control
is effective.

{bmp_6jMiAGjhBDH} To meet the requirements of Clause 9 of ISO 27001, a business needs to identify:

• the methods for monitoring, measurement, analysis and evaluation
• how controls will be measured and monitored
• when the monitoring and measuring shall be performed
• when the results from monitoring and measurement shall be analysed and evaluated.

Records of performance monitoring need to be retained to help with data management and analysis.

{bmp_6Hp29UUeXo6}
Performance management
{bmp_6ltTk24Xwoe.Name} Performance management

{bmp_6ltTk24Xwoe.Note} Section 9 of ISO 27001 relates to performance management in terms of monitoring, measuring, analyzing and
evaluating information relating to the effectiveness of the management of the controls and the ISMS.

{bmp_6r2Y8SmhTIB} Internal audit is the process of checking internal processes to ensure they are in accordance with requirements.

Management review is a process to review the performance of the business to ensure its continuing suitability, adequacy and
effectiveness.

{bmp_6f5aABbvjtP}
Internal audit
{bmp_5y45n931vgk.Name} Internal audit

{bmp_5y45n931vgk.Note} Additional requirements of section 9 are internal auditing and management review.

{bmp_5e9NC7mK1ta} Audit

{bmp_5h1eHPpRUhH} Management Review

{bmp_5vkMBqyYStu} Management Review

{bmp_6SO4JPgk8LK} Audit
{bmp_5pyBTssuPXJ} The management review shall include consideration of:

a) the status of actions from previous management reviews;


b) changes in:
1) external and internal issues that are relevant to the information security management system;
2) the needs and expectations of interested parties, including compliance obligations;
3) its significant information security aspects;
4) risks and opportunities;
c) the extent to which information security objectives have been achieved;
d) information on the organization’s information security performance, including trends in:
1) non-conformities and corrective actions;
2) monitoring and measurement results;
3) fulfilment of its compliance obligations;
4) audit results;
e) adequacy of resources;
f) relevant communication(s) from interested parties, including complaints;
g) opportunities for continual improvement.

{bmp_5vkPpp77u1y} Section 10 includes the requirement to identify non-conformities and take corrective action to address them. It also requires the
continual improvement of the management system.

The corrective action clause requires both:

• correction, and
• corrective action to avoid repeat incidents.

{bmp_5pNSIClCi3b}
Non-conformities
{bmp_6XPwLEwpzy2.Name} Non-conformities

{bmp_6XPwLEwpzy2.Note} The final section of ISO 27001 is section 10, which refers to the improvement of the ISMS. Section 10 includes the requirement to identify non-conformities and take corrective action to address them. It also requires the continual improvement of the management system. The corrective action clause requires both correction and corrective action to avoid repeat incidents.

{bmp_6F1BzV2gK5n} Check your knowledge with these True or False questions.


{bmp_5p0Q63SyB2j}
Exercise
{bmp_5YSZX7hYkdj} True

{bmp_63GAH3MEXpy} False

{bmp_6ixearQzgzz} Section 8 of ISO 27001


refers to operational controls.

{bmp_6EIT4AkMhgf} When addressing non-conformities,


ISO 27001 requires both correction
and corrective action to be taken.

{bmp_6HQRwyVth8n} Operational controls are considered to be the outputs of previous sections of the standard.

{bmp_5rlQw7U0P91} When identifying operational controls, all of the requirements of Annex A must be implemented.

{bmp_6HzFi8mP0fd} Internal audits of the ISMS must be conducted by personnel having passed an ISO 27001 Lead Auditor exam.

{bmp_6aHGqfX8i2X.Name} Exercise

{bmp_6aHGqfX8i2X.Note} Let’s check your knowledge of the core requirements of the standard with these True or False questions.

{bmp_5gsUQVr80wQ} Drag and drop each of the elements into the correct box to unlock the NEXT button.
{bmp_5qLLJZgCP9e} You’ve reached the end of this section. Let’s summarize before you continue to the final section of this course.

During this section, we have explored the core requirements of the standard as shown here, and the links to the controls in Annex
A.

 Auditable clauses
 Context - Identifying interested parties
 Leadership and top management
 Top management and information security policy
 Planning and risks
 Risk assessment
 Annex A - Control objectives
 Annex A - Statement of Applicability
 Risk treatment plans
 Support
 Documented information
 Operational planning and control
 Performance management
 Internal audit
 Non-conformities

You should now be able to identify the core requirements of the standard.

{bmp_6GeZ07bduS6}
Summary
{bmp_6hAn7jw2lDu.Name} Summary

{bmp_6hAn7jw2lDu.Note} You’ve now reached the end of this section. Let’s re-cap before you continue to the final section of this course.

{bmp_6LbjXmzD0mG.Name} Question Bank 1

{bmp_ProjectTitle.Title} Essential Guide to ISO 27001

{bmp_5tqA31aNrtd.Name} 1 Welcome
{bmp_61tOCeXSx93.Name} 1.1 Welcome

{bmp_5pcktK5e0ym.Name} 1.2 How to use the course

{bmp_5hcWF8gYqov.Name} 1.3 Course requirements

{bmp_6V1jzwpmkAV.Name} 1.4 Aims and goals

{bmp_6AIE0xCckP8.Name} 3 Overview

{bmp_5VvrfavE35D.Name} 3.1 Introduction

{bmp_61CVGJ4AxLt.Name} 3.2 Background of the standards

{bmp_6dko2ifAI7A.Name} 3.3 What is information?

{bmp_5XPY8VivuMA.Name} 3.4 C.I.A. - Protection

{bmp_5ksKud9MIWI.Name} 3.5 Responsibilities

{bmp_6HRFek0uirc.Name} 3.6 Summary

{bmp_5dlwtjViNaS.Name} 4 Terminology and processes

{bmp_5zT5ZCZ01r1.Name} 4.1 Introduction

{bmp_6GU57PKxkMq.Name} 4.2 General terms and definitions

{bmp_5qzOAj4tw4J.Name} 4.3 Threat specific terms

{bmp_5V4GwN4eLfx.Name} 4.4 Risk specific terms

{bmp_6fymdMP8Eee.Name} 4.5 Definitions and terminology - exercise

{bmp_6Xwn0MPJbvE.Name} 4.7 Summary

{bmp_0.Name} 5 Specific requirements
