The ISO 27000 Series Assurance Framework

Original course: IT Security Fundamentals

ISO 27000 is an international standard. This video examines the ISO 27000 series assurance framework and how that framework can help us.


In this video, I'm going to talk about ISO 27001. ISO 27001 is an information security standard published by the International Organization for Standardization. There are some pervasive myths about this standard. Before we start looking at it in more detail, let's address them. Myth number one: ISO 27001 requires a lot of investment in technology and other resources. Myth number two: it imposes new constraints on businesses. Myth number three: it takes a long time to implement. Myth number four: it requires a lot of documentation. None of these myths are true. ISO 27001 can be achieved correctly with little investment. It can also be implemented fairly quickly without a huge amount of documentation. And rather than constraining business, it can be customized to its needs, allowing it to be used as a strategic asset. This could make a business more competitive and reduce costs.

Now that we've dealt with the myths, let's look at ISO 27001 in more detail. ISO 27001 is a management framework for the protection of business-critical information. Its purpose is to preserve the confidentiality, integrity and availability of critical business information assets. Confidentiality means limiting access to information to authorized users only and preventing access by unauthorized users. Integrity means maintaining and assuring the accuracy and consistency of data over its entire life cycle. Integrity is a critical aspect of any system that stores, processes or handles critical data. Availability means making information resources available to those who need them, when they need them. An information system that is not available when needed is at least as bad as no system at all. It's important that organizations don't rely on one single control to safeguard information. Instead, they should use a set of controls. One is never enough. Fortunately, ISO 27001 lays out practical steps organizations should take to protect those assets from malicious actors.

There are five steps to ISO 27001. Let's go through them. The first step is to instigate a security policy and procedure. A clear and understandable policy must explain what employees should do in the event of a breach or a suspected breach. A suspected breach, for example, would be an employee losing a work phone in a public place. Step two is the use of strong passwords and biometric authentication. This will help to ensure that data cannot be compromised, even in the event of a lost device. The third step is employing strong encryption. Encryption protects data held locally and in the cloud from prying eyes. Anyone accessing the data will need the encryption key to be able to make sense of it. Step four is awareness training. Employees should be kept informed and up to date on the latest policies and on what action should be taken in the event of a security breach or a suspected breach. And finally, the fifth step is legal protections. You can ask employees to sign an agreement stating that they will cover the costs of all damages from stolen devices.

Further to all of these, an organization must have all of its different business processes, for example logistics, HR, legal, and security, working together to deliver effective security controls. Before embarking on the ISO 27001 process, organizations should perform a risk assessment to identify any risks to the business. Once identified, the standard can be employed to mitigate those risks.

To summarize what we've covered: there are a lot of myths around ISO 27001, and none of them are true. There are five steps to implementing the standard, and when implemented properly, it can provide an information security management system, or ISMS, that can cover end-to-end information security.