WEBVTT

00:00:01.040 --> 00:00:04.950
When thinking of certification of an information security

00:00:04.950 --> 00:00:11.270
management system, the base for it would be ISO 27001.

00:00:11.280 --> 00:00:15.980
And just as SOC is for attestation, we can think of ISO 27001 being

00:00:15.980 --> 00:00:21.480
for certification. Upon passing the audit process, an organization

00:00:21.480 --> 00:00:25.890
can have its information security management system certified by an

00:00:25.890 --> 00:00:28.390
ISO compliant organization.

00:00:28.430 --> 00:00:32.630
An ISMS will typically ensure that a structured, measured, and ongoing view of

00:00:32.630 --> 00:00:37.060
security is taken across an organization allowing security impacts and

00:00:37.060 --> 00:00:42.340
risk‑based decisions to be properly managed. Here, just as in other places,

00:00:42.340 --> 00:00:49.460
there needs to be executive sponsorship as an imperative element of success for

00:00:49.470 --> 00:00:51.720
the information security management system.

00:00:51.730 --> 00:00:58.700
There are some 14 domains inclusive inside of ISO 27001 that

00:00:58.700 --> 00:01:00.660
an organization would need to maintain.

00:01:00.670 --> 00:01:04.489
The first is a set of policies for information security needing to be

00:01:04.489 --> 00:01:07.820
defined, approved by management, published, and communicated to all

00:01:07.820 --> 00:01:10.590
employees and relevant external parties.

00:01:10.600 --> 00:01:13.850
There's the organization of information security, which would include all

00:01:13.850 --> 00:01:19.330
information security responsibilities being defined and allocated. Conflicting

00:01:19.330 --> 00:01:23.600
duties in areas of responsibility shall be segregated to reduce opportunities

00:01:23.600 --> 00:01:27.170
for unauthorized or unintentional modification,

00:01:27.170 --> 00:01:29.350
misuse, or disclosure of data.

00:01:29.440 --> 00:01:33.770
Human resource security has to do with background verification checks

00:01:33.770 --> 00:01:37.030
on all candidates in accordance with relevant laws,

00:01:37.030 --> 00:01:39.150
regulations, and ethics.

00:01:39.160 --> 00:01:44.060
Also, the classification of that corresponding information and who has access

00:01:44.070 --> 00:01:48.820
should be strictly controlled. Asset management has to do with associated

00:01:48.820 --> 00:01:55.370
information and processing facilities being identified and inventoried drawn

00:01:55.380 --> 00:02:02.780
upon rules for acceptable use. Access control, as it sounds, would be the policy

00:02:02.790 --> 00:02:07.800
that establishes in a documented way and a reviewed fashion on the information

00:02:07.800 --> 00:02:12.450
security requirements for getting access to network and network services on an

00:02:12.450 --> 00:02:13.970
authorized basis.

00:02:13.980 --> 00:02:17.560
Cryptography would spell cryptographic controls for protection of

00:02:17.560 --> 00:02:19.680
information being developed and implemented.

00:02:19.690 --> 00:02:22.110
A policy on the use, protection, and lifetime of

00:02:22.110 --> 00:02:24.830
cryptographic keys is also developed.

00:02:24.840 --> 00:02:28.830
The physical and environmental security would have to do with

00:02:28.830 --> 00:02:32.810
protection of areas that contain either sensitive or critical

00:02:32.810 --> 00:02:36.760
information and processing facility protection.

00:02:36.840 --> 00:02:40.810
When we think about the operations security, what we're

00:02:40.810 --> 00:02:44.840
considering is documentation made available to all users who

00:02:44.840 --> 00:02:48.580
need it; changes to the organization, the business process,

00:02:48.580 --> 00:02:52.030
the information processing facilities that affect information

00:02:52.030 --> 00:02:56.210
security shall be controlled. With communication security, networks

00:02:56.210 --> 00:02:59.720
should be managed and controlled to protect information in systems

00:02:59.720 --> 00:03:02.000
and applications. Security mechanisms,

00:03:02.000 --> 00:03:04.960
service levels, and management requirements of all

00:03:04.960 --> 00:03:07.710
network services shall be identified.

00:03:07.720 --> 00:03:11.720
The whole process of acquiring or developing or maintaining

00:03:11.720 --> 00:03:15.110
systems should be specified in a lifecycle.

00:03:15.120 --> 00:03:20.330
And this would also be inclusive of services over public networks.

00:03:20.340 --> 00:03:24.410
Think about the supply chain attacks that have occurred in recent years.

00:03:24.420 --> 00:03:27.250
Here, we're thinking about the supplier's access to the

00:03:27.250 --> 00:03:31.700
organization's assets shall be agreed upon with the supplier and

00:03:31.710 --> 00:03:35.670
documented. Incident management, just as it sounds,

00:03:35.670 --> 00:03:38.250
is to ensure a consistent and effective approach to the

00:03:38.250 --> 00:03:41.930
management of information security during any kind of

00:03:41.930 --> 00:03:45.260
degradation or disruption of services.

00:03:45.270 --> 00:03:49.030
Business continuity management focuses on the resiliency of the

00:03:49.030 --> 00:03:52.740
organization, the continuity of information security management in

00:03:52.740 --> 00:03:56.090
adverse situations during a crisis or a disaster.

00:03:56.100 --> 00:03:59.290
And then finally, compliance is the holistic view,

00:03:59.300 --> 00:04:01.290
the contractual, the regulatory,

00:04:01.290 --> 00:04:04.370
the legislative capabilities that the organization needs to

00:04:04.370 --> 00:04:09.580
identify and document and keep up to date. When we look at ISO

00:04:09.580 --> 00:04:15.270
27002, these are the controls that you would apply from a set

00:04:15.270 --> 00:04:19.160
of guidelines to ISO 27001.

00:04:19.160 --> 00:04:21.970
So these controls take into consideration the organization's

00:04:21.970 --> 00:04:25.080
information security environment. And as we said,

00:04:25.090 --> 00:04:29.550
it works in conjunction with ISO 27001.

00:04:29.640 --> 00:04:33.750
These control objectives are how you reach the

00:04:33.750 --> 00:04:37.350
certification capability of ISO 27001.

00:04:37.440 --> 00:04:38.120
Earlier,

00:04:38.120 --> 00:04:44.000
we described ISO 27018 and its five‑part requirements

00:04:44.010 --> 00:04:48.200
in order to protect PII in the cloud.

00:04:48.210 --> 00:04:54.510
So if you were to take ISO 27001 and form it for cloud

00:04:54.510 --> 00:04:59.100
concerns, ISO 27018 would be its counterpart.

00:04:59.310 --> 00:05:01.590
ISO 27017,

00:05:01.590 --> 00:05:07.650
which we have not talked about, could be compared to ISO 27002, but here again,

00:05:07.660 --> 00:05:11.730
in the cloud. The first thing it does is delineate responsibility between the

00:05:11.730 --> 00:05:13.970
cloud service provider and the cloud consumer.

00:05:13.980 --> 00:05:18.330
It looks at asset disposition upon contractual termination. It

00:05:18.330 --> 00:05:22.590
considers the cloud service customer's environment and making sure

00:05:22.590 --> 00:05:25.390
that there's isolation between customers.

00:05:25.400 --> 00:05:30.320
It makes certain that the virtual machine configuration is

00:05:30.320 --> 00:05:34.450
at the gold‑image level that you would expect for something

00:05:34.450 --> 00:05:36.550
that is patched and certified.

00:05:36.560 --> 00:05:40.480
It also ensures that there are administrative procedures and

00:05:40.480 --> 00:05:43.980
operational procedures for the cloud service provider in their

00:05:43.990 --> 00:05:48.080
environment for maintaining that control. Activity monitoring is not

00:05:48.080 --> 00:05:49.660
just for the cloud service provider,

00:05:49.670 --> 00:05:54.950
but giving an offshoot of that monitoring holistically to the consumer as well,

00:05:54.960 --> 00:05:59.640
which I must say is done very well by most cloud service providers by means of

00:05:59.640 --> 00:06:05.150
a rich suite of monitoring of APIs. And then also, environmental alignment to

00:06:05.150 --> 00:06:08.960
make sure that the virtual and the cloud network environment align from a

00:06:08.960 --> 00:06:14.610
security perspective. ISO 27017 provides guidelines specifically for the cloud that

00:06:14.610 --> 00:06:17.960
reflect the interests of ISO 27002.

00:06:17.970 --> 00:06:23.550
Next, let's take a look at cloud‑specific attestations and certifications.
