Відео

You're very welcome! 🙏

There is a little more information in the blog for information transfers - hightable.io/iso-27001-annex-a-5-14-information-transfer/ but the controls are not stand alone and for this question you would also want to consider - ISO 27001 Annex A 5.31 Legal, statutory, regulatory and contractual requirements - which is in hightable.io/iso-27001-annex-a-5-31-legal-statutory-regulatory-and-contractual-requirements/ - I can explain more if you join the weekly Q and A sessions or book a 1 to 1 with me. 🙏

In the main video I go through this and for me all assets go in the asset register. Even the BYOD assets go in the asset register. It does not mean that the company controls them directly but it allows you to do things like restrict access to just those devices and put in place compensating controls that reduce the risk of BYOD. A little bigger topic than comments here allow but you can watch the main video or book onto the weekly Q and A or get a 1 to 1 with me and we can go through. 🙏

@StuartBarker thank you for the quick response. Much appreciated for your insightful input.

You will have tools that manage your infrastructure that you can export reports from. You will have anti virus, patching, end point protection - these will have built in reporting that you can export to a dashboard. Your incident management system will generate reports. The key is to pull together sources of data relevant to you and present it in a way that it can be understood. I do not know one 'tool' per se as some things could be manual things that you are reporting on. Keep it simple, reuse what you have. Speak with your tech teams to understand what data can be extracted. If you have a third party managing it then negotiate the reports that they give you based on what you need them to report and the frequency of doing so. I do a weekly Q and A and you can take 1 free 1-to-1 with me if you have questions. Hard to answer generically in comments but I think you get the idea.

@@StuartBarker Greatly appreciate your input, thank you.

I go through in a blog and video and in my toolkit but high level the issues with people could be that you don't have anyone qualified or experienced in ISO 27001, time could be that you don't have time to implement and ISMS due to organisation pressures - projects - deliverables - understaffing. Check out the full video for a more detailed explanation. Thanks for the question though - a great question!

Yes - on the plan :) they take up a bit of time but I am nearly there. Thank you for the feedback. I hope to do more this week! Keep watching. 🙏

@@StuartBarker Thanks for the response. Sure. Waiting for the videos.

thank you :)

That is great - the main toolkit is currently on offer and worth a look. Thank you. 🙏

Every calendar year between external audit cycles. I have seen where people do once per 3 year cycle and get an observation, minor or major non conformity. I appreciate this doesnt seem consistent but it is auditor dependant. The best practice approach would be once per calendar year minimum but I have a video on audit planning that explains in more detail - this link should take you direct to the relevant section - ua-cam.com/video/hz_hPt4DZvw/v-deo.html

Sorry the relevant section is 4 minutes and 9 seconds.

@@StuartBarker Yes, I agree that the internal audit program should be implemented regularly between external CAB audits. Perhaps I should have put my question more clearly - would you suggest that the entire ISMS (processes and controls) are to be audited every year, or a sampled approach is taken over the 3-year certification cycle on the basis of process criticality or risk exposure?

@dbellconsulting - the video that I link goes into the nuances of it but ISO 27001 is a risk based system so the audit program is based on risk. A good starting point is to audit the entire ISMS every year as I have seen that the ISMS itself often gets overlooked and I have seen auditors raise that as a non conformity. Start on the basis of once a year for the entire ISMS and with the knowledge that certain parts of the ISMS may require auditing more than once in that one year cycle. The video on audit planning sets out the exact way I would go about it and the variations / exceptions and considerations to take. For me, once per year would be the minimum to ensure an effective management system - if I was talking broad brush. If it is right for you to do a sampled approached over the 3 year certification cycle based on your risk and you are comfortable you can justify the approach then that should be fine but I would treat this more as an exception than the rule. 🙏

yes. It is one way to do it and the way I do it. 🙏

@ thank you so much

Working through them and it coming soon but you can jump on a free weekly clinic to ask me questions and run through. Website menu / learn / iso 27001 clinic - to book

Just uploaded today - 9 dec 2024 - ua-cam.com/video/u_Kgm9Ucl-o/v-deo.htmlsi=kU5scRkGlHMlLkm7

This was included in the 2022 update to the template and is in the latest toolkit to make it explicit. I even pre fill it with examples. The previous assumption was people would know how the ISMS meets requirements but you cannot assume anything so I updated it to make it more explicit. Thanks for watching and good spot that many would not. Latest template and toolkit = it is included.

@@StuartBarker thank you. I must be working from the old version. You've reminded me to look at the updates. thank you. Your product is great. I'm getting through it!

@jack_b_za6415 You can jump on a free weekly clinic or grab a 1 to 1 as hard to answer in small comments but I would expect that you have a register of all your clients, what software they have purchased, the licenses that go with that. THEY will have a requirement under the intellectual property control to evidence licensing and software and if they rely on you they will expect that you can evidence it. Which alludes to what this control is about. Do you know, in total, what you have in place for your ISO 27001 scope ( I narrow it here but really you would want to know EVERYTHING you have ). The control wants what YOU have but it clearly makes sense, based on what you tell me and the requirements your clients have that you have this for clients and what you sell also. Hope makes sense - jump on a clinic or call to chat through if you need more.

Thank you and good luck with the exam. Let me know how you found it. 🙏

5.29 - hightable.io/iso-27001-annex-a-5-29-information-security-during-disruption/ 5.30 - hightable.io/iso-27001-annex-a-5-30-ict-readiness-for-business-continuity/ 5.29 - what are your information security requirements during a disruption and how do they differ from production 5.30 - what ICT disaster recovery do you have in place

@lecompt - A person can hold more than one role. This video is the explanation and help - > ua-cam.com/video/_CP7vr-8MYk/v-deo.html

Appreciate the feedback. It is taken directly from a Teams recording of a real life session so yeah, not great but the content hopefully is on point. Appreciate the feedback though - check out the other actual training and implementation videos that are in 4k with dolby surround. 🙏

@@StuartBarker thank you The content is good. But i haven't Completed all the parts yet

I appreciate that. Thank you. Makes doing them worth while if they are helping people. 🙏

I think you are probably correct. I get caught up in the moment but hopefully it helped. You certainly know your onions! :) 🙏

Hey, happy to help! thanks for the feedback 🙏

I watched George Clooney back in the day in Batman. It did not make me Batman nor sadly George Clooney but inside, you know, and I know, I really am Batman. So maybe ....

Of course: hightable.io/how-to-write-deploy-and-implement-iso-27001-policies/

@paul4561 - you can book a free 1 to 1 with me on hightable.io - I have previously built and sold a company doing this although now I give knowledge away for free. Also this video is from a consultant coaching programme I do - ua-cam.com/video/HojVRKC6FPU/v-deo.html - it is doable.

@@StuartBarker Thank you, must get chatting to you :)

Linkin with me and I can share with you... 👍

@@StuartBarker Thank you so much. How can I contact you? email, LinkedIn chat, or other ways?

Depends what kind of job you want there Florida Investor ! I would say it is information that you would pay someone to train you on and is based on 30+ years experience but only you can judge its value. As for landing a job ... I wanted to be a stripper but I don't think it's going to help me with that... I guess it all about context 🙏

Yes Ryan. This is part of the overall puzzle. This policy meets the requirements for having a cloud services policy and the requirements for cloud providers but remember that the standard is made up of many policies and Annex A controls that address specifics such as access control, network security, physical security, anti malware and much much more. The points you raise are addressed, but not here. Which out of context may seem strange but we are creating building blocks to create a house. What ever house you need and want. You can join the Q and A or drop me a 1 to 1 and I can cover for you in more detail than the comments allow. 🙏

One of many additional videos that support this area that will add some context to this 'how to' video - ua-cam.com/video/pD9xeH-NlM8/v-deo.html

Your / You're welcome ☺️

@@StuartBarker Hahaha, so fair man, so fair.

Thank you - I cover what you need in the blog that goes with the video - it is here for reference - hightable.io/iso-27001-annex-a-5-7-threat-intelligence/ 🙏