Hi, and welcome to the third section on information security. This one is on international standards, ISO standards. Now, this isn't really part of the CIPM course exactly, but we are seeing it being referred to in a number of other qualifications and it's starting to get very popular. I did this especially for the US audience, because the US audience is very familiar with security standards like SOC 1 and SOC 2, but not necessarily familiar with the ISO standards that we see across the rest of the world, the international standards. SOC 1 and SOC 2 are brilliant standards created by the association of auditors, and the SSA reviews that we see across America really came to light through Sarbanes-Oxley. But for the rest of the world, we tend to use international standards, ISO standards, to prove to each other that we've got a third party looking at our organization, and that third party assesses our organization against some approved standard that's recognized globally. The reason these are ISO standards, international standards, is that (and I do sit on the committee for a number of them) they are essentially not only approved nationally but then approved internationally. Now, obviously, the more international you make them, the less specific they can be if you wish to achieve some consensus. I'm not really focusing on ISO standards for things like screws and nuts and bolts. There are ISO standards for all sorts of things, but I'm really going to focus on management system standards, which are assessed by something called accredited certification. The way accredited certification works is that different national accreditation bodies across the world have signed a memorandum of understanding with each other. Here in the UK, our accreditation body is UKAS (United Kingdom Accreditation Service). Over in the US, your accreditation body is ANAB, the American National Accreditation Board. The government gives those national accreditation bodies some powers. 
This just represents the UK and the US. But equally, you can imagine there's a parallel here with national accreditation bodies across the world, and over 50 of those national accreditation bodies have signed a memorandum of understanding. What the memorandum of understanding means is that they mutually recognize each other's work; they mutually recognize each other's accreditation, and that's how the standards are internationally recognized. Now, that won't have a lot to do with you as the organization, the organization at the bottom there; you just comply with the standard, you comply with the words in the standard. But what you will do is actually ask another body, a certification body, to come in and perform the audit. That's someone like British Standards or Certification Europe or LRQA, or perhaps one of the big four or even a big auditor, to come in and assess your organization against the requirements that are written down on the piece of paper. If you meet the requirements on the piece of paper, you get the badge. If you don't meet the requirements on the piece of paper, you don't get the badge. What's important is that it's the certification body who must also be assessed and audited by the national accreditation body. For example, here in the UK, you would have UKAS, the national accreditation body. UKAS would give the badge to British Standards, BSI Management Systems, as a certification body, and they would come in and do the audit on the organization who has to meet the standard. Let's talk about ISO standards and specifically talk about the information security standard. This is ISO/IEC 27001. What this represents, then, is not a thing in itself, and this is where a lot of people get it wrong. They treat an ISMS as a thing in itself, like, here is our ISMS folder full of our ISMS documents. 
That's not the way it's supposed to work. It's supposed to be a part of your business, the bit of your business that deals with information security, that part of your overall wider business management system, not an end in itself. But what it does is build this Plan-Do-Check-Act methodology, these requirements for establishing, implementing, maintaining, and improving that ISMS, that Information Security Management System. Again, this is nonspecific. It's got to be global. It doesn't give specific security controls, or specific strengths of security controls; the requirements are generic. They have to be applicable to all organizations of all sizes, types and natures, big or small, whatever sector you're in. Therefore, what it's really about is understanding your own risks and coming up with your own responses. As I said, this is about establishing, implementing, maintaining, and continually improving the ISMS. There are a couple of standards here, and I hate to hit you with numbers, but ISO 27001 is the one that you actually get the badge to. It uses the word "shall" throughout; you can actually get assessed and certified to that. But there are a number of other standards in the 27000 family. After 27001 (and that should say 2013, 27001:2013), there is ISO 27002:2013 as well. Bizarre little typo there. It's the 2013 standards, not 2005; those are the old standards. I apologize for that, but 27001 and 27002 (2013) kind of work in partnership. 27001 gives you all the requirements; it will tell you: do a risk assessment, create your plan, create your program, monitor and measure that plan, improve that plan. It will then say: go and have a look at 27002. There are some good ideas for security there. They're all "shoulds" that are designed to be implemented as a result of your 27001 risk assessment. 
Then there is a requirement to produce what we call a statement of applicability: how many of the controls from the second standard apply to you, and how have you implemented them? If you're not doing those controls, you have to ask yourself the question why. It's designed as a checklist to see that your security system is good enough for what you do; if you're not doing something in 27002, why not? The controls there aren't mandatory, but equally, they're not exhaustive either. There are other controls out there in the world. A good example is 27019. If you're in Cloud security, if you're a Cloud provider, you should probably get the badge to 27019, which includes a lot more controls that might be relevant to a Cloud provider. We've already talked about this, and I've shown this model before. But it's about understanding who you are. You're going to have to document who you are, what you do, who your stakeholders are, what they expect, and then you're going to have to produce some managed delivery. What's your scope? How big is your organization? Where does it exist? What laws apply to it? All the things we talked about earlier in the course, but very much for information security here. What laws apply to it? Where does it go? Who's got expectations? What do they expect from your security? Then, based on those expectations, you plan what you're going to do, normally through some risk assessment provision. You deliver it, you check that it's been delivered effectively, monitor and measure it, and you act to improve. Now, with 27001, we've got this idea of some system certification requirements. What you've got to prove in 27001 here, you've got some certification requirements. There's a lot of other stuff in the standard as well. Clauses naught to three in 27001, nothing to worry about. 
Introduction, terms and definitions; it's actually only clauses 4-10 (context, leadership, planning, support, operation, performance evaluation, improvement) that you get assessed against. Then there are annexes on top of that as well, but those annexes really refer to 27002. The controls, implementation guidance and information are in 27002, and these map to A.5-A.18 in the Annex in 27001, which is just a reproduction at header level of what you'll find in 27002. When you look at 27001, it's really important to understand whether you're talking about the management system, i.e. 27001 clauses 4-10, or the controls, which is 27002 or Annex A.5-A.18. 27001 is really important in terms of the ISMS, and that's what you get badged to, your management system, but equally you have to be able to prove that you've implemented the controls from 27002 where the risk assessment says that you have to. We've already seen this slide in terms of risk assessment; obviously this is inside 27001, which says: generate your controls by performing a risk assessment. What risks have you got? How big are they? What do you need to do to treat those risks? Come up with your plan, implement that plan, monitor, measure, repeat after a period, continually improve your management system, but also, as I said, 27001 says go and have a look at 27002 and make sure that you've started to look at the controls from 27002. Your policies, your security organization, HR security, the assets that you're managing, your access control. You can read them yourself: cryptography, physical, IT communications, systems development, supplier management, incident management, business continuity management, and legal compliance. There's more in 27002; it's a very big job. All of those wide-ranging security controls can be derived from 27002, and even then, there are other ISO documents that will give you ideas for more controls on top of that as well. 
There are really good mapping documents out there where they map what's in SOC 1 and SOC 2 to the ISO controls and vice versa. Really important if you've already undertaken that route. One more standard and then we'll draw an end to the security session and move on to breach management. That is looking at ISO 27701, really important. It's a new ISO standard that's come out, 27701. This is about taking someone who's already got a badge to 27001, who has already got an ISMS, an Information Security Management System, and turning that information security management system into a PIMS, a Personal Information Management System. Not only can you ask your suppliers and your supply chain to get badged to 27001 to prove their security methods, you can ask them to get badged to 27701 to prove their privacy commitment. It's a very similar standard. It's got eight clauses to it, this one, eight clauses. Again, clauses naught to four are background, how to implement it, but the requirements are really in 5, 6, 7, 8. Five just tells you how to copy and paste into 27001, how to change your ISO 27001 ISMS into a PIMS or Personal Information Management System. Then 6, 7, 8 give you new controls. Much as I said 27002 gives you controls, 27701 gives you controls specific to privacy: controls about digital inventory, controls about privacy by design, controls about consent management, controls about data protection officers. Then on top of that there are specific controls depending on whether you're a controller or a processor. That's clause 7 for a controller and clause 8 for a processor. You may well be subject to 6, 7, 8 or 5, 6, 7, 8. You may just be subject to 5, 6, 7, or you may be subject to 5, 6, 8, depending on what role you're taking. There are a number of annexes to the document as well, including one that really nicely maps to the GDPR. That's as far as I'm going to go on information security. 
Next we're going to talk about information security breaches and then how you actually go about responding to them. But before you can respond, first of all, you've got to detect them.