Implementing ISO 27001

This Course explores the ISO 27000 series assurance framework as well as other common security frameworks organizations use to maintain security in their operations.

Learning Objectives

  • Get an overview of the ISO 27000 series assurance framework
  • Explore ISO 27001 and how to implement it
  • Learn about other security frameworks including NIST, PCI DSS, COBIT 5, PAS 555, and FIPS

Intended Audience

This Course is intended for anyone who wants to improve their knowledge of risk management in an information security context.


We recommend taking this Course as part of the IT Security Fundamentals learning path.


Hello and welcome back. So, let’s walk through how we might go about implementing an ISO 27001 based framework.

We'll need controls for every one of those layers before ISO 27001 can work. Here's how that works: inside ISO 27001 there's an Annex A, and Annex A lists the controls (114 in the 2013 edition; the 2022 revision reorganises them into 93). None of them is mandatory in itself, but none of them can simply be ignored either: for every control you leave out, you have to record why it doesn't apply, and for every control you bring in, you have to record which risk it treats. That record is the Statement of Applicability. Annex A only names the controls; the practical detail for implementing them lives in the companion standard, ISO 27002, which is what's usually meant by 'the code of practice'.

In ISO 27002 the same controls are fleshed out for practical implementation in a real environment. ISO 27001 tells us what we should do, but it gives very little guidance on how to make that a reality. ISO 27002 does, so that's the document we work from.

ISO 27002 is the document you'd buy and implement as the code of practice. Once the management system is in place, it'll be your most-used document, because you'll be checking that the environment you're building has the right areas covered and the controls implemented as they're supposed to be.

Then come the main clauses of the standard. Introduction and scope: we write a statement of scope, for example, "this ISO 27001 environment will protect all of our customer systems and our customer data." Normative references are just references to other documents, and terms and definitions set the vocabulary for our environment. Context of the organisation covers where it works, what it does and how it works. Leadership covers who's in charge, and this framework leans on leadership: without good leadership, ISO 27001 can't work.

It's not something an IT manager can just announce: "hey, all right everyone, we're going to start implementing an ISO 27001 environment. It's gonna be great. You're going to love it. It's going to make our lives harder in the beginning, but it's going to be great at the end." It won't work like that, because you need the board to jump in and approve it. Why? Because you've got to pay for controls. One of those controls is training; there are lots of control groups to be met, and that means new technology and other things to be bought. So it really needs to be signed off by the board. If you are the IT manager and you want to implement this, this is when you need great negotiating skills and the ability to put together a proposal that makes sense to the board, speaking their language. That language is risk. They don't speak security; they speak risk, and they speak return on investment, or return on security investment. If you understand that, you're ten steps ahead of everybody else, sometimes even the people sitting on the board.

Next is planning the implementation of the information security management system (ISMS) itself, then support: how we'll resource it over its lifecycle. Then operation: what we'll do, when it goes live, how it will look. Then performance evaluation, otherwise known as metrics: setting SLAs and agreeing how we'll measure. That in turn gives us improvement. So it works on a cycle, which we call 'plan, do, check, act': a cyclical process that never ends.

Then there are the OECD guidelines. The OECD is the Organisation for Economic Co-operation and Development, an international body rather than a European one, and its security guidelines are exactly that: guidelines, not mandatory. They are written for large multinational organisations, to help them assess and take care of their information security as a whole.

They cover the same ground ISO 27001 does, through nine principles: awareness (good awareness training), responsibility (making sure people have the right responsibilities), response (how you respond when something happens), ethics (of individuals and of company operations), democracy, risk assessment (a huge part), security design and implementation, security management (technical, physical and people), and finally reassessment of everything.

That's the same cyclical process again: check, then go back and act. So it's all the same idea; it's just aimed at multinational organisations, whereas ISO 27001 can be applied to an organisation of any size.

About the Author

He comes from a systems administration and network architecture career, a solid part of it spent building networks for educational institutes. With security a mainstay of his implementations, he grew a strong passion for everything cyber-oriented, especially social engineering. The educational experience led him to mentor young women in IT, helping them begin a cyber career. He is a recipient of the Cisco global cyber security scholarship, a CCNA Cyber Ops holder, and was selected for the CCNP Cyber Ops program.