ISO 27001 Guide To Implementation

  • Published 25 Nov 2024

COMMENTS • 18

  • @brunom12111 3 years ago +5

    Nice explanation! The best one I found so far.

  • @Homebased_Official 10 months ago

    Fantastic breakdown - the only thing I am still struggling with is the difference between gap analysis and risk assessment in ISO 27001. I do know what they are theoretically. However, I watched another video that cited their own steps as: senior management buy-in, purchase the ISO standard, carry out risk assessment, complete SoA and scope, gap analysis (which is the internal audit), findings, senior management, attestation, certification. And what ISO version is yours? 2023? 'Cos I know the 2013 version has 114 controls.

  • @tulpapainting1718 2 years ago

    Thank you very much for all of this. Are you able to provide a new link to the ISMS manual that you mention? The link in the description is broken.

  • @trentmurray2467 1 year ago

    Hey, it seems the resources no longer exist. Are you able to provide an updated link to your current ISMS Manual? Thanks!

  • @leefogel5195 2 years ago

    Thanks for compiling this. Very helpful.

  • @dmnick123ify 2 years ago

    Hello... thanks for your video. I am interested in learning how to implement ISO. Where can I take a course to be educated on ISO 27000?
    Perhaps an online course.
    Thx

  • @anuproy4166 2 years ago

    I'm a certified ISMS lead auditor. I want to work with a foreign company. Can you give me an idea for that?

  • @dommikador6524 3 years ago +3

    Great

  • @stinfluggle 3 years ago +1

    A very helpful explanation, thank you.

    • @Mangolive 3 years ago

      You are welcome, Roland.

  • @Rups78 2 years ago

    One query: should 7.0 Support come under "Plan" or under "Do"? Because support is an action after planning. I may be wrong, but would love to hear different opinions on this, please.

    • @wintergreene795 1 year ago +1

      Support in this context refers to the support of management and the enterprise for the ISO certification process. Hence it is under Plan.

    • @Rups78 1 year ago +1

      Thanks for clarifying. "Management Support" makes sense, instead of "Support".

  • @Walruz1000 2 years ago +1

    Out of interest, how would you apply the model of Asset Register --> Classification Register --> Risk Register to a monitor? As you mentioned, prior to discussing this, that you even included computer monitors, how do you quantify the output of a monitor to determine the classification? For some of these, was there a default which meant there was no further work necessary?

    • @Mangolive 2 years ago +2

      Good question, Paul. The inclusion of monitors was seen as a catch-all for all IT items, so we included them purely to ensure we didn't miss anything. The output was nil, so therefore very low on the classification. Thus no further work was necessary other than being labelled and tracked.
      Cheers
      Craig

    • @Walruz1000 2 years ago

      @Mangolive Thank you for the reply! Could I ask one further question: to what level would you record threats? Would you go as far as wiretapping/eavesdropping of an internal network, and would you include threats such as denial of service, denial of wallet, etc.? Or... would you be more specific and include the actual threat, so for example if it were a denial of service it might be caused by Malware X? To what level of detail would we be expected to go?
      Also, under the treatment of controls where you are performing the threat assessment, is there a name for that model? The models I have seen so far use a scoring matrix and put threats in categories based on values assigned to each, and then they calculate the average. Is there a name for the method you have used?
      And how does the classification register relate to the information security register? I understand the values of secret, public, etc., but on the following slide that value is not attributed to any of the items; there is instead a "Risk Level". How would I get from the classification of secret to a Risk Level of high, for example?
      A lot of questions, I know, but I have to undertake an assessment as part of my MSc (for a fictitious company) and I need to say which threat assessment model I have used and justify why.