This Course explores the ISO 27000 series assurance framework as well as other common security frameworks organizations use to maintain security in their operations.
Learning Objectives
- Get an overview of the ISO 27000 series assurance framework
- Explore ISO 27001 and how to implement it
- Learn about other security frameworks including NIST, PCI DSS, COBIT 5, PAS 555, and FIPS
Intended Audience
This Course is intended for anyone who wants to improve their knowledge of risk management in an information security context.
Prerequisites
We recommend taking this Course as part of the IT Security Fundamentals learning path.
Hi and welcome back. Let’s now examine the ISO 27000 series assurance framework and how that framework can help us. You can find the ISO 27000 document as a PDF download from informationsecuritymanagement.co.uk.
So all the definitions that we will use in this course will come mainly from that document. So if there's something that you find doesn’t make sense in terms of its definition, it's normally in there.
ISO 27000 is an international standard: it's the vocabulary and overview document for the whole series. The ISO 27000 series is a family of standards, with ISO 27001 being the only one that you can be certified against. All the others are helper documents, if you will, that help you establish and run an information security management system. That's what it is: an information security management system (ISMS) in place.
Information security management, information security controls, and risk management: that's what we do for information assurance. The framework focuses on business risk. It sits above the technical environment, looks at business risk and risk management, and then applies controls to the actual environment. If you remember the image that we built earlier, this one here, ISO 27001 lives here as a strategic framework: it takes risk management into consideration and then uses information security controls to protect the environment.
ISO 27001 is an information security management system. So we manage the whole lifecycle of information security.
Now remember, we used our definition to talk about where information is created, processed, transferred, and destroyed. We spoke about that. Now we're using our management system to pay attention to the lifecycle of that information: who creates it, where it's destroyed, how it's processed, and how we protect it wherever it might be inside our ecosystem.
So, traditionally our perimeter would be as far as we could extend our cables outside of our building. But because the world has changed, our perimeter is now wherever our information gets to—that's now our perimeter.
So now, when we're building our ISO 27001 environment, we have to ask ourselves the question: where is our perimeter? Or rather, where does our information get to? Where are the endpoints? And so what we do is we create what we call a statement of scope from that.
The easiest way to find out what the scope of our framework should be is to find our information flow diagrams. Where does information in our systems flow to? What are the endpoints? Then we can decide whether each part of the information system (or those systems) should be in scope or out of scope, depending on the value of the information or whether it's relevant to the core systems we're trying to protect.
We can protect everything, or we can protect a small part of our organisation. We don't have to certify the entire business; you can just certify a department.
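The scoping procedure above (find the information flows, follow them to their endpoints, decide what is in and out of scope) can be done mechanically once the flow diagram is written down as data. The following Python is an added example, not material from the course: it takes a constructed set of flows (source system, destination system, asset carried), follows every flow that carries a chosen asset from the system that creates it, and reports the systems the asset reaches (in scope), the ones it never touches (out of scope), and the flows that leave for systems we don't operate (the boundary of the scope). The system names, asset names and the EXTERNAL set are all made up for the illustration.

```python
"""Derive an ISMS scope from an information-flow diagram.

The diagram is modelled as directed flows: (source, destination, asset).
Starting from the systems where a given asset is created, we follow every
flow that carries that asset; every system it reaches is where our
"perimeter" is and therefore belongs in the statement of scope.  Systems the
asset never reaches can be left out of scope.
"""
from collections import defaultdict, deque

# Constructed example flows (not from any real organisation): each tuple is
# (source system, destination system, information asset carried).
FLOWS = [
    ("crm-app", "crm-db", "customer-pii"),
    ("crm-db", "backup-server", "customer-pii"),
    ("crm-app", "email-gateway", "customer-pii"),
    ("email-gateway", "saas-mailer", "customer-pii"),   # leaves the building
    ("hr-app", "hr-db", "employee-records"),
    ("hr-db", "backup-server", "employee-records"),
    ("wiki", "intranet", "public-docs"),
]

# Systems we do not operate ourselves (hypothetical); flows into them mark
# the scope boundary rather than something we can certify.
EXTERNAL = {"saas-mailer"}


def build_graph(flows):
    """Map each system to the (destination, asset) flows leaving it."""
    graph = defaultdict(list)
    for src, dst, asset in flows:
        graph[src].append((dst, asset))
    return graph


def systems_reached(flows, asset, origins):
    """Return every system the asset reaches from the given origin systems,
    following only flows that carry that asset (breadth-first walk)."""
    graph = build_graph(flows)
    reached = set(origins)
    queue = deque(origins)
    while queue:
        node = queue.popleft()
        for dst, carried in graph[node]:
            if carried == asset and dst not in reached:
                reached.add(dst)
                queue.append(dst)
    return reached


def statement_of_scope(flows, assets_in_scope, origins, external=frozenset()):
    """Build the scope: in-scope systems, out-of-scope systems, and the flows
    that cross from a reached system into one we do not control.

    origins maps each asset to the systems where it is created.
    """
    reached = set()
    for asset in assets_in_scope:
        reached |= systems_reached(flows, asset, origins.get(asset, ()))
    all_systems = {s for src, dst, _ in flows for s in (src, dst)}
    boundary = sorted(
        (src, dst, asset) for src, dst, asset in flows
        if src in reached and dst in external
    )
    return {
        "in_scope": sorted(reached - external),      # what we actually certify
        "out_of_scope": sorted(all_systems - reached),
        "boundary_flows": boundary,                  # supplier/interface controls
    }


if __name__ == "__main__":
    scope = statement_of_scope(
        FLOWS,
        assets_in_scope={"customer-pii"},
        origins={"customer-pii": ["crm-app"]},
        external=EXTERNAL,
    )
    for key, value in scope.items():
        print(f"{key}: {value}")
```

Note that backup-server lands in scope even though it also holds employee records that we are not certifying: the customer data reaches it, so the perimeter does too. The flow into saas-mailer isn't something you can certify; it shows up as a boundary flow, which is where a supplier or interface control belongs in the statement of scope.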
ISO 27001 is an overarching statement of how we want to secure our organisation. It's like a utopian picture of what information security should look like: it stipulates that you need to have the best systems and encryption, services like anti-virus and firewalls, and that people need to be trained.
It can read as quite prescriptive, because it says you must have this and you must have that. The controls themselves are listed in Annex A of ISO 27001, and ISO 27002 is the companion code of practice that describes how to implement each one; it's when you work through ISO 27002 that those stipulations turn into concrete requirements for your environment. In fact, the controls live in every single area of the information assurance and information governance stack that we looked at earlier.
You don't have to get certified to ISO 27001. What you can do is you can just work to ISO 27001 as a standard.
It's the only standard in the series that you can be audited and certified against. The organisation that certifies you is a certification body, and that body is itself accredited by the accreditation body for your region.
An accredited certification body certifies you: its accredited auditors come through and run an audit of your business.
If you pass the criteria of the audit and meet the standard, the auditors recommend you for certification. Once you've gone through the testing and investigative auditing process and met the standard, the certification body issues your certificate.
If the accreditation body isn't happy with the audit, it can go ahead and audit that audit to make sure it's been done correctly. So that's the process with ISO 27001.
Originating from a systems administration/network architecture career, he spent a solid part of his career building networks for educational institutes. With security being a mainstay of his implementations, he grew a strong passion for everything cyber-orientated, especially social engineering. The educational experience led him to mentor young women in IT, helping them to begin a cyber career. He is a recipient of the Cisco global cyber security scholarship, a CCNA Cyber Ops holder, and was selected for the CCNP Cyber Ops program.