ISO International Management Systems Institute Podcast

May 30, 2023

Howard and Jim chat about  ISO 27001, Annex A – Technical  Controls.

Points discussed include a review of the 14 controls in Clause 8:

Annex A, Clause Eight, Technical Controls
Number of controls:34 (8.1 to 8.34)
On Our Next Episode

The Path to ISO 27001 Certification – Find out the steps you’ll need to take to become Certified to ISO 27001:2022!

View More View Less

May 17, 2023

Howard and Jim chat about  ISO 27001, Annex A – Physical Controls.

Points discussed include a review of the 14 controls in Clause 7:

Annex A, Clause Seven, Physical Controls
Number of controls:14 (7.1 to 7.14)
On Our Next Episode

ISO 27001, Annex A – Clause 8 – Technology Controls.

Next Steps – review your current situation against these controls to see if you can find a way to improve your Pyysical Controls for better Information security.

If you enjoyed this episode, please follow us on your preferred podcast directory. We appreciate your likes & comments, and invite you to share episode with anyone who might benefit from learning about this topic.

View More View Less

May 2, 2023

Howard and Jim chat about  ISO 27001, Annex A – People Controls.

Points discussed include a review of the 8 controls in Clause 6:

Annex A, Clause Six, People Controls
Number of controls: 8 (6.1 to 6.8)
On Our Next Episode

ISO 27001, Annex A – Clause 7 – Physical Controls.

Next Steps – review your current situation against these controls to see if you can find a way to improve your People controls for better Information security.

View More View Less

April 11, 2023

Howard and Jim chat about  ISO 27001, Annex A – Organization Controls.

Points discussed include:

A review of the 37 controls in Clause 5:

Annex A, Clause Five, Organizational Controls
Number of controls: 37 (5.1 to 5.37)

View More View Less

February 28, 2023

Howard and Jim chat about the integration of an ISO 27001 into an existing ISO 9001 QMS.

Points discussed include:

ISO 9001 Quality Management Standard is the most prevalent in the world. It’s been around since 1987 and there are over 2 million certificates worldwide in over 170 countries.
Best Practice would be to integrate ISO 27001 into your existing ISO 9001 system (or any other Harmonized Standard system) instead of having two separate systems.
Start off by reviewing Clause 4 and make any necessary tweaks such as the ‘Interested Party’ section.
Follow up by reviewing the other clauses , 5 though 10, to determine the sections that may need some additional IS related information.
Whatever method you’re using to determine risks in quality, you can definitely start with that for information security risks.
Create your Statement of Applicability from Annex A.

View More View Less

February 14, 2023

In this episode, Howard and Jim chat about the ISO 27001:2022 – Statement of Applicability (SoA).

Howard and Jim chat about the ISO 27001:2022 – Statement of Applicability (SoA)

Items discussed include:

The Statement of Applicability is required for ISO 27001 certification. It’s a statement that explains which Annex A security controls are — or aren’t — applicable to your organization’s Information Security Management System (ISMS).

You can update your current ISO 27001 Statement of Applicability (SoA) like this:

Compare your current SoA to the new requirements – there are charts in the new Standard showing the connections
Identify the business owners in the various risk areas, and assign a high-medium-low value to the risk, and then revise your Information Security Risk Treatment Plans
Update your Risk Treatment Plans to keep you protected
Keep your Risk Treatment Plans dynamic – threats never sleep!

View More View Less

January 31, 2023

Items discussed include:

Plan – Do – Check – Act Approach.
Getting clients to ask their auditees if the procedure, the way it’s been implemented, is getting them the results they want.
The purpose of auditing is to see if you’re getting the results you want.
Part of the audit is to see if the objectives are really sensible.
Asking during the audit if there’s any possible way the auditees think that procedures, processes, and the implementation could be improved.
The reocmmended frequency for performing audits.
Review the competency of the individuals and teams assigned to perform the audit.

View More View Less

Howard and Jim chat about ISO 27007 – Guidance for Information Security Management Systems Auditing.

December 20, 2022

Howard and Jim chat about ISO 27005 – Managing Information Security Risks in this episode of the ISO Review Podcast.

Items discussed include:

Plan – Do – Check – Act Approach
Identify the risk
Analyze the naure and level of the risk
Evaluate (low – medium – high ) the risk
Select objectives and controls for the treatment of the risk
Determine what is an acceptable level of the residual risk

View More View Less

December 13, 2022

Howard and Jim review ISO 27002 – Security Techniques in this episode of the ISO Review Podcast.

Items discussed include:

Information security, cybersecurity and privacy protection — Information security controls

Scope
Normative References
Terms, definitions, and abbreviated terms
Structure of the Document
Organizational controls (37)
People controls (8)
Physical controls (14)
Technological controls (34)
Annex A
Annex B
The entire document has useful help in it. It’s has help that’s going to give users and listeners a chance to really improve their the effectiveness of their management system. It’s going to help improve their outputs, their risk management and the way people can access their own Information Management System safely.

View More View Less

November 15, 2022

In this episode, Howard and Jim review the changes in ISO 27001:2022, Information Security Management Systems Requirements.

Items discussed include:

ISO 27001 – Information Security Management System was the pioneer in what was first known as the High Level Structure, is now called the Harmonized Structure, as it was developed for all the other standards to be built on.
The breadth of changes in the Clauses:
4.2 – Interested Parties (minor tweak);
4.4 – Description of the Entire System (additional information added);
6.1 – Risk Management (additional information and clarification);
6.2 – Information Security Objectives (additional information and clarification);
6.3 – Change Management (new clause);
7.4 – Communication (minor tweak);
8.1 – Operation Planning (rewritten);
9.1 – Monitoring (additional information);
9.2 – Internal Auditing (expanded with new information);
9.3 – Management Review – (expanded)
Annex A – Controls. They have been reorganized from 14 categories to 4 categories and have been reduced from 114 controls to 93:
Clause 5 – Organization Controls (37)
Clause 6 – People Controls (8)
Clause 7 – Physical Controls (14)
Clause 8 – Technological Controls (34)
ISO 27002, the guidance document for Annex A (more in the next episode!)
The benefit of beginning recertification sooner rather than later
What’s in Store For The Next Episode

Our topic is ISO 27002:2022 – Security Techniques, the newly updated guidance document for ISO 27001:2022 Annex A

View More View Less

December 13, 2022

Howard and Jim review ISO 27002 – Security Techniques in this episode of the ISO Review Podcast.

Items discussed include:

Information security, cybersecurity and privacy protection — Information security controls

Scope
Normative References
Terms, definitions, and abbreviated terms
Structure of the Document
Organizational controls (37)
People controls (8)
Physical controls (14)
Technological controls (34)
Annex A
Annex B
The entire document has useful help in it. It’s has help that’s going to give users and listeners a chance to really improve their the effectiveness of their management system. It’s going to help improve their outputs, their risk management and the way people can access their own Information Management System safely.

View More View Less

November 1, 2022

In this episode, Howard and Jim discuss Guidance for Improving your Internal Audits for an Information Security Management System.

Highlights include:

  • Does the information security auditor have the proper security clearance to access documented information.
  • Person Identifiable Information, or other sensitive information, must be handled properly according to any legal requirements that the organization might have.
  • Companies that outsource their internal audit activities, need to ensure that the outsourced auditor needs to be vetted to make sure they can view a sensitive information.
  • The lead auditor needs to determine the extent to which evidence that’s not available to the audit team during the audit, affects the confidence in the audit findings.
  • The auditor needs to verify that any documentation required by the audit criteria is going to be available, and that controls have been put in place by the organization that they’re auditing.
  • The introduction of Annex A and the Statement of Applicability (SOA) as described in ISO 27002:2022.
  • View More View Less


     

    September 20, 2022

     


    In this episode, Howard and Jim discuss the path to become a Certified Lead Auditor.
    Points Covered:

    • How to become a Certified Lead Auditor.
    • Who is the body that certifies lead auditors.
    • What are the courses that need to be taken.  
    • What experience does a prospective auditor need to have. 

    August 20, 2022

     


    In this episode, Howard and Jim continue their conversation about ISO 27001, Information Security Management System (ISMS) to Manage Cyber Attacks, and unpack what an effective ‘implementation Plan’ looks like.


    Highlights

    Jim talks about the creation of the ISO 27007, Information Security, Cyber Security, and Privacy Protection, released in 2020, which provide guidelines for information security management systems auditing.

    Audit Takeaways

    Are we getting the results we want?
    Are we managing risks related to this activity?
    Is there anything the auditee can think of that would help make their life better relative to the safety we want to have around information security?
    Future Episode Idea

    How to become a Certified Lead Auditor.
    Who is the body that certifies lead auditors.
    What are the courses that need to be taken.
    What experience does a prospective auditor need to have.

    View More View Less


    August 1, 2022

     


    In this episode, Howard and Jim continue their conversation about ISO 27001, Information Security Management System (ISMS) to Manage Cyber Attacks, and unpack what an effective ‘implementation Plan’ looks like.


    Highlights

    Jim referenced The PDSA Cycle (Plan-Do-Study-Act), developed by Dr. W. Edwards Deming. considered by many to be the master of continual improvement of quality. The PDSA is a systematic process for gaining valuable learning and knowledge for the continual improvement of a product, process, or service.

    Link: https://deming.org/explore/pdsa/

    View More View Less


    July 19, 2022

     


    In this episode, Howard and Jim continue their conversation about ISO 27001, Information Security Management System (ISMS) to Manage Cyber Attacks, and unpack the benefits of implementing an ISMS.


    In the Media

    Jim made the connection between ISO 27001 and an outage on Friday, July 8, at Rogers, one of Canada’s largest telecommunications companies, which caused significant internet, cable and cellphone disruptions, mostly in Ontario and Quebec, the country’s most populous provinces. Link to article: https://www.insurancejournal.com/news/international/2022/07/11/675306.htm

    View More View Less


    July 1, 2022

     


    In this episode, Howard and Jim chat about How to Use ISO 27001 to Manage Cyber Attacks. Points that will be covered during this episode and then discussed further in subsequent episodes, include:

    • What does an ISMS look like?
    • What are the benefits of an ISMS?
    • What does an effective ‘implementation Plan’ look like? and 
    • What Specific Guidance is available?


    An Information Security Management System is the framework that helps organizations prepare for a cyber-attack through a process of threat assessment, monitoring and continual improvement.

    A well-designed system requires that you identify potential sources of a security breach, mitigate them and provide a strong ongoing defense system for your information. An attack will happen – it’s not a case of ‘if’ it’s a matter of ‘when’.

    It’s virtually impossible to predict every risk to your information and mitigate it. It is possible, however, to create and manage a system that will give you a fighting chance.

    The key is preparation, detecting vulnerabilities and creating a more resilient management system, in terms of interactions with so many layers of cyber connections. That’s where an information security management systems (ISMS) fits into your future.

    Deeper awareness about what does an ISMS looks like?

    The harmonized structure of ISO 27001 integrates perfectly with other Harmonized Standards
    Annex A requirements, if properly implemented, help keep your information assets safe
    Audits (Internal and External) help you find ways to improve the effectiveness of your system to keep information secure

    View More View Less


    June 1, 2022

     


    The ISO Review Podcast is a production of the International Management System Institute.

    The ISO Review Podcast shares the latest International Standards Development, and is your resource for getting the most out of your management systems.

    The Podcast is hosted by Howard Fox, Business Coach, and Host of the Success InSsight Podcast. He is joined by Jim Moran, ISO Management System Professional, celebrating his 30th year delivering ISO support.


    Twice-monthly, Jim & Howard will be sharing article highlights from the IMSI Newsletter. In this episode, Jim covers these highlights:

    ISO Certification and Risk Management Practices
    PFMEA: Learn How to Remove Error From a System With This 10 Step Guide
    Bridging the Gap Between Management and Strategy
    What is Kaizen? A Mindful System of Quality Improvement
    Jim’s Recommended Readings
    The Black Swan: The Impact of the Highly Improbable (2nd Ed.)
    by Nassim Nicholas Taleb (Author) May 11, 2010.

    View More View Less