diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-04 at 22.19.06.png b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-04 at 22.19.06.png new file mode 100644 index 0000000..a746a0c Binary files /dev/null and b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-04 at 22.19.06.png differ diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-04 at 22.47.42.png b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-04 at 22.47.42.png new file mode 100644 index 0000000..032245f Binary files /dev/null and b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-04 at 22.47.42.png differ diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-04 at 23.09.06.png b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-04 at 23.09.06.png new file mode 100644 index 0000000..2c5b576 Binary files /dev/null and b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-04 at 23.09.06.png differ diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S02.3-Introduction-to-management-systems-and-ISO-27000-family-of-standards.md b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S02.3-Introduction-to-management-systems-and-ISO-27000-family-of-standards.md index f5d95c3..a61d12a 100644 --- a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S02.3-Introduction-to-management-systems-and-ISO-27000-family-of-standards.md +++ b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S02.3-Introduction-to-management-systems-and-ISO-27000-family-of-standards.md 
@@ -18,4 +18,35 @@ This session explains what a management system is, defining it as a set of inter So let's have a look at what a management system is. -Now if we look at ISO 27000, a clause 341 gives a definition on a management. So a management system is a set of interrelated or interacting elements of an organization to establish policies and objectives and processes to achieve those objectives. So basically it's a very complicated, or it seems a very complicated sentence, but it isn't really All organizations have some form of a management system because it's just the way you operate your business. It's nothing more complicated than that. It's a way on how you operate your business. So a coherent and a well-functioning management system combines processes, resources, tools and workforce And a management system can be very complicated or can less can be very documented or less documented depending on the maturity of the organization. So again, a documentation is not a purpose in itself. An appropriate level of documentation is Preferable because it will help you to ensure that consistency, continual improvement, and retention of organizational knowledge Of course, an organization changes in the course of its lifetime. You have an internal and external context It changes so um the management system really needs to be um agile as well, and it needs to be able to respond to those changes as well. So whenever setting up a management system Very important to keep in the back of your mind is whatever is implemented must be controlled and measured and what is controlled and measured must be managed. And so the performance evaluation clause in every ISO standard is a very essential component of any management system. 
Because everything that you write down should be able to be evidenced So you always need to think really hard on okay, what is it what we're going to do, and am I able to measure and to see if the control or whatever management system that we've implemented, if it's working effectively When looking at an information security management system, the ISO 27000 also gives some explanation about that. So an ISMS consists of the policies procedures, guidelines, and associated resources and activity collectively managed by the organization in the pursuit of protecting its information assets So it's again a very long sentence. So an ISMS is basically a systematic approach for both establishing, implementing, operating Monitoring, reviewing, maintaining, and improving the organization's information security to achieve its business objectives. And it's always based on a risk assessment approach and the risk appetite or the risk acceptance criteria from the organization to effectively treat and manage those risks. So a couple of things that are very important here, so it's a systematic approach, and very important is that an information security management system does not live in isolation. So it needs to be linked to the business activities. And it's always based on a risk management approach and the risk appetite of an organization to really treat and handle those risks. Now, when an organization, and uh today I see it more and more happening, uh, an organization can handle Multiple compliance frameworks. I see organizations that have an ISO 9001, they start with the 27,000 one, and they also want to Include the fourteen thousand one. If you want to do that, you want to um look for uh implementing an integrated management system In short, it's IMS. And it's really a management system that integrates all the components of a business into one coherent system to enable basically the achievement of its purpose and mission. 
If you look at um the table on the slide, you see and that's also the reason why um ISO has uh made a lot of changes to their ISO standards to ensure that The clauses 4 to 10 in each standard are pretty similar to each other. That's also the reason why they're called a harmonized structure. So if you look at leadership and commitment, for example, you see that in the ISO 9001, 14001, 2020, 20,000 23001 and 27001, and it all comes back to clause 5. 1. And more likely, the text that is in that clause is the same Policy comes back in all the ISO standards in 5. 2. The same for objectives, you can find them in 6. 2 documented information is always 7. 5 internal audit always 9. 2 management review 9. 3 Only with continual improvement you sometimes have three subclauses like is the case with 9000 and 14001 where uh you have it in 10. 3 and with the other standards in 10. 2 But the information that is in the continual improvement clause is exactly the same for all standards. So that will help you to harmonize and optimize practice. because it doesn't make sense to write in three different management systems the same explanation for leadership, for example. Of course, for a policy, you can say, oh, I want to create three different policies, but the way you set up a policy, the way it needs to be treated in the organization, it's the same So it will help you, of course, reduce duplication and therefore costs, of course. It will also reduce the risks. It will increase Profitability, it will help you to maintain consistency and it will for sure help you with uh improving the communication as well. So you if you work with different management systems consolidating into one is the best practice because it will also help you in communicating to the organization because otherwise it becomes pretty complex for your employees to understand what you're actually are talking about. 
Now apart from ISA publications range beside the ISO 27001 organizations can get certified against a lot of uh primary standards So ISO publications range from traditional activities such as agriculture and construction to the most recent developments of course in information technologies like as digital coding of audio visual signals for multimedia applications. So there are um a couple of standards that the organizations can still get certified against Mo the most well known and um I always say the oldest, but that's because I get older, is the ISO nine thousand one, uh which is quality management system. Uh twenty years ago that one was uh really uh was well known, uh was um Required for a lot of organizations. Today I see less questions about ISO 9000 and an increase on 2700001, but also on ISO 14001, which is an environmental management system. With the rise with everything related to climate change um and environmental uh issues the ISO uh 14001 is gaining in importance again, but it's already a pretty old standard as well. You can certify against ISO 45001, which talks about occupational health and safety The ISO 37301 is a compliance management system. We have uh a food safety management system which is 22000. Um we have business continuity management. Um 22301 also on the rise. I see a lot of customers asking for uh the business continuity management system Of course, also spiked through NIST2 regulations, increasing regulation on incident response and operational resilience There is an anti-bribery management system, ISO 37000 and one, and there is also a service management system which is ISO 2000- So you see there are a lot of primary standards that can be used, of course. 
If I look at this, I would say 9,000 and 14,001 would be the the two that are uh pretty well known uh throughout the world um with um the business continuity management system as third runner up um So yeah, if you want to have more information on each of the standards, you can also visit the PECB website again to get a little bit more information on each of them. standards. So it was a pretty long section that we've spoken about. So let me summarize a little bit. So the International Organization for Standardization In short, ISO publishes standards in response to market demand. ISO standards are based on global expert opinion and consensus and are developed through a multi-stakeholder process ISO 27001 specifies then the requirements for establishing, implementing, maintaining and improving an ISMS and assessing and treating information security. Risks. Advantages of implementing an ISMS can include the improvement of organizational security posture, achievement of good governance, increase of international recognition improvement of customer satisfaction and an increase of competitive advantage. A management system then refers to a set of interrelated and interacting elements of an organization to establish policies and objectives and processes to achieve those objectives, and organizations can two or more management systems by integrating them. \ No newline at end of file +![](CleanShot%202026-06-04%20at%2022.19.06.png) + +Now if we look at ISO 27000, a clause 3.41 gives a definition of a management system. So a management system is a set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives. + +All organizations have some form of a management system because it's just the way you operate your business. It's nothing more complicated than that. 
+So a coherent and a well-functioning management system combines processes, resources, tools and workforce, and a management system can be more or less complicated and more or less documented, depending on the maturity of the organization. + +So again, documentation is not a purpose in itself. An appropriate level of documentation is preferable because it will help you to ensure that consistency, continual improvement, and retention of organizational knowledge. + +Of course, an organization changes in the course of its lifetime. You have an internal and external context that changes so the management system really needs to be agile as well, and it needs to be able to respond to those changes. The information security management system does not live in isolation. + +So whenever setting up a management system it's important to keep in mind that whatever is implemented must be controlled and measured, and what is controlled and measured must be managed. The performance evaluation clause in every ISO standard is an essential component of any management system. Because everything that you write down should be able to be evidenced. So you need to think if what we're going to do can be measured to see if the control is working effectively. + +An ISMS consists of the policies procedures, guidelines, and associated resources and activity collectively managed by the organization in the pursuit of protecting its information assets. + +So an ISMS is basically a systematic approach for both establishing, implementing, operating Monitoring, reviewing, maintaining, and improving the organization's information security to achieve its business objectives. + +And it's always based on a risk assessment approach and the risk appetite or the risk acceptance criteria from the organization to effectively treat and manage those risks. + +An organization must often work with multiple compliance frameworks. 
For example, an organization already has ISO 9001, they start with the 27001, and they also want to include the 14001. If you want to do that, you want to look for implementing an integrated management system, or IMS – a management system that integrates all the components of a business into one coherent system to enable the achievement of its purpose and mission. + +This is also the reason why ISO has introduced a harmonized structure across different management system standards, by making sure clauses 4 to 10 in each standard are pretty similar to each other. + +If you look at leadership and commitment, for example, you see that in the ISO 9001, 14001, 22000 22301 and 27001, that is handled in clause 5.1. Policy is clause 5.2 in all standards. The same for objectives, 6.2. Documented information is always 7.5, internal audit always 9.2, and management review 9.3. Only with continual improvement you sometimes have three subclauses, like it is the case with 9001 and 14001, where there's a 10.3 and the other standards stop at 10.2. But the information on continual improvement is exactly the same for all standards. So that will help you to harmonize and optimize practice. It will help you reduce duplication and therefore costs, and it will also reduce the number of risks. It will increase profitability, it will help you to maintain consistency and it will for sure help you with improving the communication. So you if you work with different management systems consolidating into one is the best practice. + +Organizations can get certified against lot of primary standards, ranging from traditional activities such as agriculture and construction, to the most recent developments in information technologies, like digital coding of audio visual signals for multimedia applications. The most well known, and the oldest, is the ISO 9001, which is quality management system. 
+ +Today we see an increase in questions about 27001, and with the rise of everything related to climate change, the 14001, an environmental management system. The ISO 45001 is about occupational health and safety. The ISO 37301 is a compliance management system. Food safety is the 22000. Business continuity management, 22301, is also on the rise, spiked through NIS2 regulations, increasing regulation on incident response and operational resilience. There is an anti-bribery management system, ISO 37001 and one, and there is also a service management system which is ISO 20000-1. + +The International Organization for Standardization, or ISO in short, publishes standards in response to market demand. ISO standards are based on global expert opinion and consensus and are developed through a multi-stakeholder process ISO 27001 specifies then the requirements for establishing, implementing, maintaining and improving an ISMS and assessing and treating information security risks. + +Advantages of implementing an ISMS can include the improvement of organizational security posture, achievement of good governance, increase of international recognition improvement of customer satisfaction and an increase of competitive advantage. A management system then refers to a set of interrelated and interacting elements of an organization to establish policies and objectives and processes to achieve those objectives, and organizations can two or more management systems by integrating them. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S03-Certification-process.md b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S03-Certification-process.md index 1ced836..8f30388 100644 --- a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S03-Certification-process.md +++ b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S03-Certification-process.md 
@@ -16,4 +16,66 @@ This session explains the ISO 27001 certification process from initial ISMS impl ## Transcription -Certified instructor and I just wanted to tell you a little bit about my background. So as you might be able to pick up from the accent, I'm based in the UK specifically I live near a city called York in the northeast of England. A little bit of background about myself from a career point of view. So I've been in and around technology and specifically information security since around around about the year 2000. I started life in the technical side of IT, doing IT support, so desktop and server support. Later on I moved into networking, spent a few years in that space where I got a real interest in security through implementing things like intrusion detection systems. Systems, firewalls, etc. Then she moved into more of the management side of security and worked for a number of years for the National Health Service in the UK, implementing standards like What at the time was BS7799, so the forerunner to ISO 2701. Since then I've worked for a couple of very large IT outsources and providing services to customers, doing things like ISO implementations, PCI DSS, developing security architectures and policies. And since then basically I now essentially work as a consultant, so I have clients that I'm still helping. implement security standards and frameworks. I also spend a bit of time as an auditor conducting audits against a number of ISO standards and of course as a trainer with a doing a lot of work with PCB like these courses Um so I hope to bring some useful knowledge and experience in the uh courses I'm delivering. Welcome to this ISO 270001 Lead Auditor course I just wanted to tell you a little bit about the training and its aims. 
So the aim of the lead auditor course is to give you a good introduction to the ISO 27001 standard, to give you an overview of how that works and the overview of a an information security management system but with a focus on actually auditing an existing management system. So throughout the course we'll look at key things like audit principles, procedures and processes And then basically we'll take you through the steps of initiating an audit, right through to making audit conclusions, and also we'll take you through what happens after the audit. We'll look at this from an external perspective, so we'll also uh uh examine how certification bodies operate and your role as a lead auditor within that. Okay, so in this section we're going to examine the certification process for ISO standards. So specifically we'll look at the process itself. We look at something called the certification scheme and then we're going to look at the role of two very important organisations in this process which are accreditation bodies And certification bodies, and we'll have a look at the difference with each and the purpose and the role that they play. So the first thing to take a look at here is this diagram that outlines the certification process. As I'll explain in a moment, this is the certification process that would be followed by what we call accredited certification bodies. So let's just have a look at this. So let's imagine we have an organization that wants to be certified To ISO 2701. First of all, of course, before any audit, they're going to implement their ISMS But not only implement it, the organization will need to check that its own ISMS is working effectively by implementing and conducting internal audits. and having the management review conducted as well. So let's imagine an organization has implemented its ISMS, it's had its internal audit and management review. At that point the organization will need to choose an organization called a certification body. 
We'll have a discussion on those in just a moment. Let's imagine the organization selected its certification body. We then have, for the very first time, an organization is going for certification, something called the initial audit So the organization of course will prepare for this initial audit. There is an option, but it is completely optional, to have what's known as a pre-audit. a situation where a cert body can do an initial review to see if the organisation is ready for the actual audit, so to speak. That's an entirely optional thing. But the first part of an actual initial audit is what we call the stage one audit. What I tell people in a stage one audit it's typically about 30%. of the overall audit time is spent at stage one. And the purpose of stage one is to allow the certification body and the audit team to get familiar with the organisation and to validate that the basics of the management system are in place. such as the key documentation, some of the key processes that are required. So let's for now just assume that everything goes well at stage one and we then move to stage two and there's usually a gap between stage one and two Which typically is about two to four weeks, although that can differ, but the idea of that gap is to allow for preparation for stage two And stage two is what I call the detailed audit. This is where the auditors are looking beyond the basics of the management system, but looking for real evidence that the controls, for example, that are implemented are really working. And during this course we will get into both stage one and two and the kind of activities as auditors we need to be performing. Now it says in the diagram here on-site audit. That might vary depending on the nature of the organization, but typically it is certainly an in-depth audit. Now, after the stage two is done, depending on the recommendation made by the lead auditor, a couple of things could happen. 
One of those is if the audit uncovers what we call non-conformities, it might, not always, because it depends on circumstances, but it might be be required to conduct something called a follow-up audit And a follow-up audit is where an organization is given the opportunity, for example, to address a non-conformity, and the auditor will essentially come back at some point in time and validate that that non-conformity has being addressed. Again, we'll get into the details of the process and when a follow-up is necessary and when it isn't, but that could happen in some cases. In some cases that won't be necessary at all. But let's imagine that the organisation has implemented its management system, has had a successful stage one and two audit It's at that point where, of course, the auditor could make a recommendation for certification and the certification body if they're satisfied that the audit has been conducted correctly. After a quality review of the audit report, it is the certification body who will ultimately issue the certificate to the organisation and certify their management system. And as we'll explain in more depth as we progress through the course, when an organization gets certified, they get certified for a period of three years, and every year in between there'll be what we call a surveillance audit. The certification body will validate that the organization maintained its management system. So during this course we'll look in depth at all these procedures, but for now I just want to give you that sort of high-level overview, if you like. So the question then becomes, well, who are the key players in a certification audit? You know, who is doing what? And actually this diagram here that lays out the certification scheme is a really useful one to understand the position. So what I want to start off by talking about is the role of what we call a conformity assessment body or certification body. 
Now there are multiple types of certification bodies that do different things. So for example, PCB are what we would call a personal certification body So they certify individuals. So when you take your PCB Lead Auditor exam, for example, and you pass that, it's PCB who will award you as an individual professional your certificate. But in this discussion, we're really focused on a different type of conformity assessment body called management system certification bodies. So a management system certification body is usually, not always, but usually a profit-making organization. There are some that are not. And their job basically is to go out and conduct audits of management systems to ultimately certify organizations against various management systems. System standards. And there are many conformity assessment or management system certification bodies operating. And so the question you might ask is: okay, well, if we've got a management system certification body issuing certificates, how do we know that the certificates that they're issuing are credible, that they'll be recognized by people And how do we know that the certification body is trustworthy and professional? And all these very important questions. So to answer that question, there is a standard that certification bodies can follow, and that's called ISO 17021 And this standard lays out various rules about how certification bodies operate to ensure that they're operating in a credible, trustworthy and professional manner. Those certification bodies can themselves be audited by a separate organisation. And that separate organisation I'm speaking about is something called an accreditation body. So around the world in most countries there is usually one and one only accreditation body which is usually appointed by government and their job is essentially to supervise the activity. of certification bodies. Now I say usually there's one and one only. 
That does differ for the US who have three or four essentially, but in most countries there's one. And so the idea is: let's imagine I went away tomorrow and decided to set up a management system certification body. If I wanted to issue certificates that were valid, recognized, and trustworthy I'd need to implement ISO 17021. If I want to issue ISO 27001 certificates, I'd also need to implement another standard called ISO 27006. which lays out how certification bodies who issue ISO 27001 certificates need to operate. And then what we'd need to do is we need to go and approach an accreditation body and ask them to audit us and accredit us. So the key thing here is certification bodies get accredited by accreditation bodies certification bodies certify organizations management systems. Now it's really important to note that if an organization chooses a certification body that is not accredited, then you could argue that the certification they're issuing is worth precisely zero. And we have to be careful with this because Whenever you're selecting a certification body, it's always important to ask them, are they accredited to issue ISO 27001 certificates? i. e. , are they accredited under ISO 17021 and ISO? or 27,006. Second question is who are they accredited by? Now this is the important point. So I said that around the world in most countries there's one and one only accreditation body So how do you know who that accreditation body is so that you can actually check that the certification body is properly accredited? Well there is an organization called the International Accreditation Forum And you can find their website, it's www. ieaf. nu. If you go to that website and look under members and signatories, you can search by country So you can find in each country who the national accreditation body is for that country. 
So if somebody tells you we are accredited by UCAS in the UK, Well I could tell you straight away that's genuine, but of course you could go to the IAF website and check that it is indeed UCAS and then you could go to the UCAS website and see whether that certification body is listed. One important point to make about this is it's not a requirement for the certification body to be accredited in every single country in which it operates. Let's imagine a large certification body that operates all over the world. It wouldn't make a lot of sense if they had to be audited in every single country they operated in. So the IAF does have this thing, the International Accreditation Forum Called multilateral recognition. So for example, a few years ago I used to work for a German certification body who operated in the UK and they were accredited in Germany by DAX, which is the German accreditation authority. But those certificates were recognized in the UK because DAX and UCAS, which is the UK equivalent, are both members of the IAF and both sign that multilateral recognition agreement. So that's also something to note. So the main important point that I'm trying to get across here is select a certification body that is accredited by a member of the International Accreditation Forum. Uh and my final sort of word on that is do be careful to check those things because unfortunately, as I've experienced, there are certification bodies operating who are not properly accredited and I've even seen cases where there are some certification bodies who claim to be accredited, but then they're accredited by organizations that are not members of the IAF. In any of those circumstances It's unfortunately a case that that certificate may not be recognized. 
So just make sure when you're investing you can you know work well with the certification body in question So in summary then, what we've confirmed is there's a formal certification process that exists A certification body that is accredited based on what we've discussed in this section will follow the process that we presented at the start of the section. That is to say, conducting a stage one and stage two audit, and they will certify an organization assuming they're successful for a period of three years. Certification bodies certify management systems and the standards they should be following are ISO 17021 and ISO 27006 and accreditation bodies are the organisations who supervise the activity. of certification bodies and we should always select an accredited certification body to have an assurance about the audit process and the credibility of the certificate that's going to be Be issued. \ No newline at end of file +I'm Graeme Parker, Certified instructor and I just wanted to tell you a little bit about my background. So as you might be able to pick up from the accent, I'm based in the UK specifically I live near a city called York in the northeast of England. A little bit of background about myself from a career point of view. So I've been in and around technology and specifically information security since around around about the year 2000. I started life in the technical side of IT, doing IT support, so desktop and server support. Later on I moved into networking, spent a few years in that space where I got a real interest in security through implementing things like intrusion detection systems. Systems, firewalls, etc. Then she moved into more of the management side of security and worked for a number of years for the National Health Service in the UK, implementing standards like What at the time was BS7799, so the forerunner to ISO 2701. 
Since then I've worked for a couple of very large IT outsources and providing services to customers, doing things like ISO implementations, PCI DSS, developing security architectures and policies. And since then basically I now essentially work as a consultant, so I have clients that I'm still helping. implement security standards and frameworks. I also spend a bit of time as an auditor conducting audits against a number of ISO standards and of course as a trainer with a doing a lot of work with PCB like these courses Um so I hope to bring some useful knowledge and experience in the uh courses I'm delivering. + +Welcome to this ISO 270001 Lead Auditor course. I just wanted to tell you a little bit about the training and its aims. So the aim of the lead auditor course is to give you a good introduction to the ISO 27001 standard, to give you an overview of how that works and the overview of a an information security management system but with a focus on actually auditing an existing management system. + +So throughout the course we'll look at key things like audit principles, procedures and processes. And then basically we'll take you through the steps of initiating an audit, right through to making audit conclusions, and also we'll take you through what happens after the audit. + +We'll look at this from an external perspective, so we'll also examine how certification bodies operate, and your role as a lead auditor within that. + +Topics of this lesson: +- Certification process +- Certification scheme +- Accreditation bodies +- Certification bodies + +Okay, so in this section we're going to examine the **certification process** for ISO standards. So specifically we'll look at the process itself. 
We look at something called the certification scheme and then we're going to look at the role of two very important organizations in this process, which are accreditation bodies and certification bodies, and we'll have a look at the difference with each and the purpose and the role that they play. + +So the first thing to take a look at here is this diagram that outlines the certification process. As I'll explain in a moment, this is the certification process that would be followed by what we call accredited certification bodies. So let's just have a look at this. + +![](CleanShot%202026-06-04%20at%2022.47.42.png) + +So let's imagine we have an organization that wants to be certified to ISO 27001. First of all, of course, before any audit, they're going to **implement their ISMS** – but not only implement it, the organization will need to check that its own ISMS is working effectively by implementing and conducting **internal audits**, and having the **management review** conducted as well. + +So let's imagine an organization has implemented its ISMS, it's had its internal audit and management review. At that point the organization will need to **choose** an organization called **a certification body**. We'll have a discussion on those in just a moment. Let's imagine the organization selected its certification body. + +We then have, for the very first time with an organization that is going for certification, the **initial audit**. So the organization will prepare for this (*note that 'audit preparation' is seen as part of the audit itself*). There is an option, but it is completely optional, to have what's known as a pre-audit: a certification body can do an initial review to see if the organization is ready for the actual audit. That's an entirely optional thing. + +The first part of an actual initial audit is what we call the **Stage 1 audit**. Typically about 30% of the overall audit time is spent at Stage 1. 
The purpose of stage one is to allow the certification body and the audit team to get familiar with the organization and to validate that the basics of the management system are in place. Such as the key documentation and some of the key processes that are required. + +So let's for now just assume that everything goes well at Stage 1, and we can move to Stage 2. There's usually a gap between Stage 1 and 2, typically about two to four weeks, to allow for preparation for Stage 2, the detailed audit. + +**Stage 2** is where the auditors are looking beyond the basics of the management system, looking for real evidence that the controls, for example, that are implemented are really working. Now it says in the diagram here on-site audit. That might vary depending on the nature of the organization, but typically it is certainly an in-depth audit. + +During this course we will get into both Stage 1 and 2, and the kind of activities we need to be performing as auditors. + +After the Stage 2 audit is done, depending on the recommendation made by the Lead Auditor, a couple of things could happen. One of those is if the audit uncovers what we call **non-conformities**. It might, depending on circumstances, be required to conduct something called a Follow-up audit. + +A **Follow-up audit** is where an organization is given the opportunity, for example, to address a non-conformity, and the auditor will essentially come back at some point in time and validate that the non-conformity has being addressed. Again, we'll get into the details of the process and when a follow-up is necessary and when it isn't, but that could happen in some cases. In some cases that won't be necessary at all. + +Let's imagine that the organization has implemented its management system, has had a successful Stage 1 and 2, then the auditor makes a recommendation for certification, and the Certification Body checks that the audit has been conducted correctly. 
After a quality review of the audit report, it is the certification body who will ultimately issue the certificate to the organization and certify their management system. + +And as we'll explain in more depth as we progress through the course, when an organization gets certified, they get certified for a period of **three years**, and every year in between there'll be what we call a **Surveillance audit**. The Certification Body will validate that the organization maintained its management system. + +During this course we'll look in depth at all these procedures, but for now I just want to give you that sort of high-level overview. + +So the question then becomes: who are the **key players in a certification audit**? You know, who is doing what? And actually this diagram here that lays out the certification scheme is a really useful one to understand the position. + +![](CleanShot%202026-06-04%20at%2023.09.06.png) + +So what I want to start off by talking about is the role of what we call a Conformity assessment body or Certification body. Now there are multiple types of certification bodies that do different things. So for example, PECB are what we would call a **Personal certification body**, they certify individuals. So when you take your PECB Lead Auditor exam, for example, and you pass that, it's PECB who will award you as an individual professional your certificate. But in this discussion, we're really focused on a different type of conformity assessment body, called **Management system certification bodies**. So a management system certification body is usually a profit-making organization. There are some that are not. And their job basically is to go out and conduct audits of management systems to ultimately certify organizations against various management systems standards. And there are many conformity assessment or management system certification bodies operating. + +So how do we know that the certificates that they're issuing are credible? 
How do we know that the certification body is trustworthy and professional? To answer that question, there is a standard that certification bodies can follow, called **ISO 17021**. This standard lays out various **rules about how certification bodies must operate**, to ensure that they're operating in a credible, trustworthy and professional manner. Those certification bodies can themselves be audited by a separate organization, called an **Accreditation body**. Around the world, there is usually one and one only accreditation body per country[^1], which is appointed by government, and their job is to supervise the activity of certification bodies. + +If you want to set up a management system certification body, to issue certificates that were valid, recognized, and trustworthy, I'd need to implement ISO 17021. If I want to issue ISO 27001 certificates, I'd also need to implement ISO 27006, which lays out how certification bodies who issue ISO 27001 certificates need to operate. Then we need to approach an accreditation body and ask them to audit us and accredit us. So the key thing here is certification bodies get accredited by accreditation bodies, certification bodies certify organizations management systems. + +It's important to note that if an organization chooses a certification body that is not accredited, then you could argue that the certification they're issuing is worth precisely zero. Whenever you're selecting a certification body, it's always important to ask them if they are accredited to issue ISO 27001 certificates – i. e., if they are accredited under ISO 17021 and ISO 27006. The second question is, who are they accredited by? Since in most countries there's only one accreditation body, you can check the website of the International Accreditation Forum, www.ieaf.nu and search by country. + +One important point to make about this is it's not a requirement for the certification body to be accredited in every single country in which it operates. 
That's why the IAF has 'multilateral recognition' of certificates signed by members. The accreditation body of Germany is DAX, and the accreditation body of the UK is UCAS, they both signed the IAF multilateral recognition agreement, so they recognize each others certificates. + +Be careful to check those things because unfortunately there are certification bodies operating who are not properly accredited and I've even seen cases where there are some certification bodies who claim to be accredited, but then they're accredited by organizations that are not members of the IAF. In any of those circumstances it's unfortunately a case that that certificate may not be recognized. + +So in summary then, what we've confirmed is there's a formal certification process that exists. A certification body that is accredited will follow the process that we presented at the start of the section. Certification bodies certify management systems and the standards they should be following are ISO 17021 and ISO 27006, and accreditation bodies are the organizations who supervise the activity of certification bodies and we should always select an accredited certification body to have an assurance about the audit process and the credibility of the certificate that's going to be be issued. + +[^1]: The US have three or four. diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S04.1-Fundamental-concepts-and-principles-of-information-security.md b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S04.1-Fundamental-concepts-and-principles-of-information-security.md index 7161ccf..db456ae 100644 --- a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S04.1-Fundamental-concepts-and-principles-of-information-security.md +++ b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S04.1-Fundamental-concepts-and-principles-of-information-security.md 
@@ -16,4 +16,6 @@ This session introduces core information security concepts from the ISO 27001 pe ## Transcription -So in this section we're going to look at something we've called the fundamental concepts and principles of information security. Now of course I appreciate that many people looking at this training may well have a security background already, maybe you've you've got a lot of experience or other certifications and so forth. And the idea of this section isn't to sort of repeat what you may already know or to reteach the same thing. The idea is is to make sure that we're all speaking the same language and in particular from an ISO perspective. So the idea of this section is to introduce the sort of terminology and meanings, if you like, that uh ISO 27001 contains so that as we go forward When we start talking about auditing a management system, we can all understand the meaning of different terminology. So what we're going to look at in this section is the concept of information assets and information security according to ISO 20. The three tenants of security that ISO 27001 speaks about, which is confidentiality, integrity and availability. And we'll also look at the risk terminology, things like vulnerabilities, threats and consequences and how all these relate to the topic of risk. We'll also have a look at security controls because as you know the standard has annex A with multiple controls and we'll talk about how those controls can be classified and thought of. And we'll also examine the topics of cybersecurity and information privacy because you'll have noticed in the title of the standard it does refer to both cybersecurity and privacy and information privacy. So what do those things mean and how do they fit into the ISO information security concept? So let's start with information and asset then because one thing that ISO 27001 says is that we're trying to protect our information assets. 
So we can get the official definition of these two words from ISO 9000, basically a quality management series of standards, and ISO 55000, which is the asset management series of standards. So I think most of us would accept hopefully that information is meaningful data, that is to say data that we can do something with. So if I've got a customer database. containing customer records, you know, names, addresses, order histories, etc. That has some meaning, some use and some purpose. And an asset, we we typically say an asset is something that has value Now when I say value, that might be a financial value, something you can sell an asset for, for example, but it can also mean value in terms of usefulness and service to the organization. And most people, I would imagine, if I asked them what an asset was, would probably think of something tangible, you know, a c a computer, a building, some equipment, etc. And they'd be correct But also assets can be intangible. So actually the people who work for your organization are assets and ideas and intellectual property and of course information And even if I can't sell information for a you know a dollar, euro uh fee, so to speak, it still has uh a value to the organisation, hence the term asset So ultimately an ISMS based on ISO 27001 is about identifying those assets, those pieces of information, those you know, uh data sets, etc. , working out how valuable they are, and then essentially protecting them accordingly Now when we think about information assets and we think about running an information security management system, there are some other terms that we just need to be familiar with. The concept of document specifications and records. Now of course it might sound a little bit odd to uh tell you what a document is, I'm sure many people can imagine that, but there is a general saying which is a document is the information and the medium upon which it's contained. 
So yes, you could be thinking about a traditional Microsoft Word document here, but equally a confluence or a wiki page with information that we follow would also, in ISO speak, be considered to be a document. And of course some of the documents that we create or use in an ISMS will state very clear requirements. You know, maybe I've got a document that states things like secure coding standards requirements. for example or a document that says how a network device should be configured. And we would call that in ISO terminology a specification. And when an organization runs an ISMS and follows the requirements laid out in some of these documents. then essentially they end up generating records. So let's say for example you're running an ISMS and you have a process for reporting information security incidents. And let's imagine somebody follows it and they report an incident through whatever reporting channel. Of course then there'd be a record, there'd be some evidence that that process has been used. If you had a specification about how backups should be done and those backups run, of course there'd be logs generated, those logs would be records because they would serve as evidence that that activity is taking place. And records are very important in an ISMS, not just because the server's an audit trail, which is important. uh and certainly as auditors we'll be looking at records but also the fact is that records can be in their own right sensitive and need a certain level of protection. So an ISMS will concern itself with protecting documents specifically. and records. So it probably makes sense at this point to answer the question, what is information security? But more importantly, what is information security according to ISO 27000? And we have the uh the definition here which says Information security is the preservation of confidentiality, integrity and availability of information. And I'll come to that. 
And explore that in a little bit more depth in just a moment. Now the other thing that we we we say or ISO says about this is that information security is about determining what information needs to be protected. how it should be protected and from what. Now that would imply when you read that that that means that when we set up an ISMS we'll need to identify the kind of information we have. Trying to protect. And we'd need to do some kind of study or research into the potential risks that that information faces. So in other words, when we implement an ISMS, if I had two organizations implementing an ISMS They may protect their information very differently depending on the type of information we're speaking about and the type of risks they face. So the standard is flexible enough so you tailor your controls as needed. Now the other thing that's important in the definition about information security is the fact that it covers information in all formats. Now this is interesting. A little bit later in the section we're going to talk about this concept called cybersecurity. And certainly what I've noticed over the last few years when you look at job descriptions and you know, what a lot of people talk about. You hear a lot about cyber. And cyber of course is focusing very much on the technology aspects, you know, protecting the technical systems that will store and process information. And of course that makes sense because the vast majority of information today is indeed processed electronically. But it's not all processed electronically. It is still possible to have information in paper format, in video format, in spoken word, etc. So information security concerns itself with protecting that information regardless of format. And maybe a very quick example I could give. I recall having a train journey where on that particular train there was a solicitor from a law firm having a conversation with a client. 
uh quite openly for the entire carriage on the train to hear and s in and discussing some quite sensitive topics. It was actually discussing a divorce case with a client uh and basically pretty much with the phone on loudspeaker uh to you know revealing uh people's names, addresses, dates of birth, salaries, you know, a lot of very sensitive information which Let's say I or somebody else in that carriage was a cyber criminal, for example, or a fraudster, we could have gathered plenty of information to conduct things like identity theft. and so on. The point of that story is to say that organization for all I know, I don't know them, but for all I know they might have extremely strong cybersecurity. They may have, you know, um robust networks, strong application security, etc. But they've obviously still got some weak links in their information security program. In this case maybe the awareness of some of the employees who work for them So information security will concern itself with all those things. And ultimately the last thing to say before we look at this confidentiality, integrity and availability bit is of course when we look think about information security what ISO says is we're always focusing on the business objectives There is a saying that information security should be an enabler, not a disabler. So in other words, we're not implementing security to stop the organisation operating and achieving what it needs to achieve. What we want is the organization to achieve. to achieve what it's aiming to achieve but in a secure manner essentially. So let's have a look at this confidentiality integrity and availability bit and I just want to run through those and again I realize people have been in security for quite some time should be already familiar with this but again let's just make sure we're on the same page Now the first thing is that ISO says that these are the three pillars of security, the three tenets of security. 
But I must stress that when you set up an ISMS, you're not limited to just thinking about these three. things. These are the minimum three things you would think about. So just for those who might be in other industries, for example, if you're in a regulated industry where you need to have strong audit trails of activity and you're concerned about accountability, for example. There's no reason why we cannot implement controls and manage that through an ISMS. If you're an organization that's producing products or services and you're concerned about you know counterfeiting or piracy and risks like that. Um your controls to ensure authenticity, your digital rights management. authenticity management, etc. , can be considered. And similarly, if you're in the business of doing transactions and you don't want people to be able to deny activities, so you're concerned about non-repudiation those things can be considered. So my point is just because they're not explicitly called out by ISO doesn't mean that they don't matter or can't be thought about. But let's focus on the first three, the confidentiality, integrity and ability So what I typically tell people is imagine if you went outside and stopped somebody in the street who doesn't really know much about information security. Somebody who's not really in that space, and I asked them what is information security, probably I imagine the answer I would get back would be something like stopping unauthorized access to data or you know, um only allowing people access who should have access, something like that. I imagine the vast majority of people would probably focus on confidentiality, says the most obvious one. So indeed confidentiality is is exactly that, about limiting access to information to only those people who need it, about having control over information and and who can access it. 
And of course organisations can achieve that in many ways by implementing robust authentication for example, establishing a clear data access policy, having proper access control, perhaps using things like encryption or data masking, all of these are confidentiality techniques. But of course, whilst confidentiality is important, if we're building the argument that information is an asset because we use it to make business decisions, to respond to uh uh various problems and challenges, then we surely want some confidence that the information is actually trustworthy, up to date, accurate, and so forth. And that's where we concern ourselves with integrity. So integrity is about implementing controls that reduce the risk of unauthorized changes to data, data corruption. helps us ensure minimum data quality so that when we do come to rely on a system or the information it contains we can have a confidence within it. And whilst we were talking about confidentiality a moment ago, confidentiality is all well and good and we could achieve it by locking down all kinds of things, but it's not much use if Those people in an organization who need access can't gain access. So there's a balance and that's where we look at availability. So availability and the principle of it is about making sure information and systems are available as required when required by the right audience and of course some organizations will have very important um commitments on this you know maybe you have a commitment as an organization to ensure certain systems are available for a certain amount of time. So this is all about focusing on things like system resilience, ensuring that there's Where necessary, there's failover in place, so that we have disaster recovery and business continuity plans in place. Now whilst ISO says we should uh focus on those three things I think it's important to point out one point. It doesn't tell us which one of those is more important. 
This depends on the context of your organization and looking at risk. And a couple of very quick examples I can give on two two totally different industries. So of course I mentioned in my introduction that I spent some time working with the health service in the UK. So in that context Obviously confidentiality was very high on our radar, you know, respecting the patient's right to privacy, protecting very sensitive medical records. was right up there. But equally integrity was. You know, I always say to people, imagine a doctor treating a patient with inaccurate medical records or data that's been corrupted. You know, the consequence could be extremely significant. Separately, I did some work for an electricity distributor, so think of it like a national grid organization. And on that project we were doing an industrial control system security project. So what we were interested in was protecting essentially computer systems that controlled electricity substations on the on the uh power grid. Now for that there wasn't really a lot of confidential information. you know there's no patient records or customer data. Maybe the designs of the system were probably the confidential information we wanted to protect. Our focus was very much on system integrity, controls to prevent or reduce the risk of people tampering with those systems And of course availability. You know, if somebody could do a denial of service attack and bring one of those systems down, they could cause significant disruption in the country that we're speaking about. So that project was much more focused on availability. My point being, n neither of them are right or wrong. Both of them are perfectly compatible under ISO twenty seven thousand and one and it's all about focusing in the right areas and looking at the organisation priorities. 
Just speaking of availability, um this diagram here just tries to pin together the relationship between information availability versus confidentiality and integrity. So of course we have on the side here it says information security. So information security is supported by uh data confidentiality controls and integrity. If we think about availability, what we should say is availability isn't just about a system being up and running. It's about other things as well. A system may be up and running, but is it reliable? In other words, if I go to use the system, you know, is it still going to function correctly And timeliness and performance are all part of that. You know, let's say I'm um I'm an online customer going to a website, uh that website might well be there, but if I can't make, for example, a purchase because because of performance issues, then I still wouldn't argue that the system is available. And there are multiple things that support system availability. So the there are those things that prevent systems going offline in the first place, such as housing those systems in an environment with adequate physical security, your professional data center with fire suppression and um you know air conditioning and uh monitoring and all of those things. Having effective security policies in place which reduce the risk of actions being taken that could bring systems offline Designing systems in such a way that they're what we call redundant. So let's imagine we have a a hardware failure, that we don't just lose the system because of one hardware failure, that another piece of hardware Where um that kicks in. So even with networking, you can do that with firewalls, you know, you can have failover firewalls, for example. Uh making sure there's adequate monitoring. So these are all preventative things, hopefully to stop the loss of availability when things go wrong. 
And then of course in worst case scenarios, having adequate business continuity plans which lay out how we would recover. if something significant happened in terms of interruption and also thinking about backups and having adequate backups in place so we could recover from a trusted uh backup. Now one thing to say about all of the things I've mentioned, because I've mentioned them at a very high level, when we look at ISO 2701, uh how rigorous we need to be in each of these areas comes back to your risk assessment. So for example, ISO 27001 is not sitting. For every piece of hardware you must have an equal and uh uh opposite duplicate for example or that you must have two power feeds into your data centre etc you might determine that your availability needs are so high that that makes absolute sense and you need to invest in those controls. In other environments where the availability requirement may be less, then you can make different decisions. So ISO is not dictating here, but what it is saying is these are the areas to think about when it comes to availability So ultimately, yes, yes we're about protecting confidentiality and integrity, but we also want to make sure we have information systems we can trust and have a confidence in and have a confidence. That they'll be there when we need to use them. \ No newline at end of file +So in this section we're going to look at something we've called the fundamental concepts and principles of information security. + +Now of course I appreciate that many people looking at this training may well have a security background already, maybe you've you've got a lot of experience or other certifications and so forth. And the idea of this section isn't to sort of repeat what you may already know or to reteach the same thing. The idea is is to make sure that we're all speaking the same language and in particular from an ISO perspective. 
So the idea of this section is to introduce the sort of terminology and meanings, if you like, that uh ISO 27001 contains so that as we go forward When we start talking about auditing a management system, we can all understand the meaning of different terminology. So what we're going to look at in this section is the concept of information assets and information security according to ISO 20. The three tenants of security that ISO 27001 speaks about, which is confidentiality, integrity and availability. And we'll also look at the risk terminology, things like vulnerabilities, threats and consequences and how all these relate to the topic of risk. We'll also have a look at security controls because as you know the standard has annex A with multiple controls and we'll talk about how those controls can be classified and thought of. And we'll also examine the topics of cybersecurity and information privacy because you'll have noticed in the title of the standard it does refer to both cybersecurity and privacy and information privacy. So what do those things mean and how do they fit into the ISO information security concept? So let's start with information and asset then because one thing that ISO 27001 says is that we're trying to protect our information assets. So we can get the official definition of these two words from ISO 9000, basically a quality management series of standards, and ISO 55000, which is the asset management series of standards. So I think most of us would accept hopefully that information is meaningful data, that is to say data that we can do something with. So if I've got a customer database. containing customer records, you know, names, addresses, order histories, etc. That has some meaning, some use and some purpose. 
And an asset, we we typically say an asset is something that has value Now when I say value, that might be a financial value, something you can sell an asset for, for example, but it can also mean value in terms of usefulness and service to the organization. And most people, I would imagine, if I asked them what an asset was, would probably think of something tangible, you know, a c a computer, a building, some equipment, etc. And they'd be correct But also assets can be intangible. So actually the people who work for your organization are assets and ideas and intellectual property and of course information And even if I can't sell information for a you know a dollar, euro uh fee, so to speak, it still has uh a value to the organisation, hence the term asset So ultimately an ISMS based on ISO 27001 is about identifying those assets, those pieces of information, those you know, uh data sets, etc. , working out how valuable they are, and then essentially protecting them accordingly Now when we think about information assets and we think about running an information security management system, there are some other terms that we just need to be familiar with. The concept of document specifications and records. Now of course it might sound a little bit odd to uh tell you what a document is, I'm sure many people can imagine that, but there is a general saying which is a document is the information and the medium upon which it's contained. So yes, you could be thinking about a traditional Microsoft Word document here, but equally a confluence or a wiki page with information that we follow would also, in ISO speak, be considered to be a document. And of course some of the documents that we create or use in an ISMS will state very clear requirements. You know, maybe I've got a document that states things like secure coding standards requirements. for example or a document that says how a network device should be configured. 
And we would call that in ISO terminology a specification. And when an organization runs an ISMS and follows the requirements laid out in some of these documents. then essentially they end up generating records. So let's say for example you're running an ISMS and you have a process for reporting information security incidents. And let's imagine somebody follows it and they report an incident through whatever reporting channel. Of course then there'd be a record, there'd be some evidence that that process has been used. If you had a specification about how backups should be done and those backups run, of course there'd be logs generated, those logs would be records because they would serve as evidence that that activity is taking place. And records are very important in an ISMS, not just because the server's an audit trail, which is important. uh and certainly as auditors we'll be looking at records but also the fact is that records can be in their own right sensitive and need a certain level of protection. So an ISMS will concern itself with protecting documents specifically. and records. So it probably makes sense at this point to answer the question, what is information security? But more importantly, what is information security according to ISO 27000? And we have the uh the definition here which says Information security is the preservation of confidentiality, integrity and availability of information. And I'll come to that. And explore that in a little bit more depth in just a moment. Now the other thing that we we we say or ISO says about this is that information security is about determining what information needs to be protected. how it should be protected and from what. Now that would imply when you read that that that means that when we set up an ISMS we'll need to identify the kind of information we have. Trying to protect. And we'd need to do some kind of study or research into the potential risks that that information faces. 
So in other words, when we implement an ISMS, if I had two organizations implementing an ISMS They may protect their information very differently depending on the type of information we're speaking about and the type of risks they face. So the standard is flexible enough so you tailor your controls as needed. Now the other thing that's important in the definition about information security is the fact that it covers information in all formats. Now this is interesting. A little bit later in the section we're going to talk about this concept called cybersecurity. And certainly what I've noticed over the last few years when you look at job descriptions and you know, what a lot of people talk about. You hear a lot about cyber. And cyber of course is focusing very much on the technology aspects, you know, protecting the technical systems that will store and process information. And of course that makes sense because the vast majority of information today is indeed processed electronically. But it's not all processed electronically. It is still possible to have information in paper format, in video format, in spoken word, etc. So information security concerns itself with protecting that information regardless of format. And maybe a very quick example I could give. I recall having a train journey where on that particular train there was a solicitor from a law firm having a conversation with a client. uh quite openly for the entire carriage on the train to hear and s in and discussing some quite sensitive topics. It was actually discussing a divorce case with a client uh and basically pretty much with the phone on loudspeaker uh to you know revealing uh people's names, addresses, dates of birth, salaries, you know, a lot of very sensitive information which Let's say I or somebody else in that carriage was a cyber criminal, for example, or a fraudster, we could have gathered plenty of information to conduct things like identity theft. and so on. 
The point of that story is to say that organization for all I know, I don't know them, but for all I know they might have extremely strong cybersecurity. They may have, you know, um robust networks, strong application security, etc. But they've obviously still got some weak links in their information security program. In this case maybe the awareness of some of the employees who work for them So information security will concern itself with all those things. And ultimately the last thing to say before we look at this confidentiality, integrity and availability bit is of course when we look think about information security what ISO says is we're always focusing on the business objectives There is a saying that information security should be an enabler, not a disabler. So in other words, we're not implementing security to stop the organisation operating and achieving what it needs to achieve. What we want is the organization to achieve. to achieve what it's aiming to achieve but in a secure manner essentially. So let's have a look at this confidentiality integrity and availability bit and I just want to run through those and again I realize people have been in security for quite some time should be already familiar with this but again let's just make sure we're on the same page Now the first thing is that ISO says that these are the three pillars of security, the three tenets of security. But I must stress that when you set up an ISMS, you're not limited to just thinking about these three. things. These are the minimum three things you would think about. So just for those who might be in other industries, for example, if you're in a regulated industry where you need to have strong audit trails of activity and you're concerned about accountability, for example. There's no reason why we cannot implement controls and manage that through an ISMS. 
If you're an organization that's producing products or services and you're concerned about you know counterfeiting or piracy and risks like that. Um your controls to ensure authenticity, your digital rights management. authenticity management, etc. , can be considered. And similarly, if you're in the business of doing transactions and you don't want people to be able to deny activities, so you're concerned about non-repudiation those things can be considered. So my point is just because they're not explicitly called out by ISO doesn't mean that they don't matter or can't be thought about. But let's focus on the first three, the confidentiality, integrity and ability So what I typically tell people is imagine if you went outside and stopped somebody in the street who doesn't really know much about information security. Somebody who's not really in that space, and I asked them what is information security, probably I imagine the answer I would get back would be something like stopping unauthorized access to data or you know, um only allowing people access who should have access, something like that. I imagine the vast majority of people would probably focus on confidentiality, says the most obvious one. So indeed confidentiality is is exactly that, about limiting access to information to only those people who need it, about having control over information and and who can access it. And of course organisations can achieve that in many ways by implementing robust authentication for example, establishing a clear data access policy, having proper access control, perhaps using things like encryption or data masking, all of these are confidentiality techniques. 
But of course, whilst confidentiality is important, if we're building the argument that information is an asset because we use it to make business decisions, to respond to uh uh various problems and challenges, then we surely want some confidence that the information is actually trustworthy, up to date, accurate, and so forth. And that's where we concern ourselves with integrity. So integrity is about implementing controls that reduce the risk of unauthorized changes to data, data corruption. helps us ensure minimum data quality so that when we do come to rely on a system or the information it contains we can have a confidence within it. And whilst we were talking about confidentiality a moment ago, confidentiality is all well and good and we could achieve it by locking down all kinds of things, but it's not much use if Those people in an organization who need access can't gain access. So there's a balance and that's where we look at availability. So availability and the principle of it is about making sure information and systems are available as required when required by the right audience and of course some organizations will have very important um commitments on this you know maybe you have a commitment as an organization to ensure certain systems are available for a certain amount of time. So this is all about focusing on things like system resilience, ensuring that there's Where necessary, there's failover in place, so that we have disaster recovery and business continuity plans in place. Now whilst ISO says we should uh focus on those three things I think it's important to point out one point. It doesn't tell us which one of those is more important. This depends on the context of your organization and looking at risk. And a couple of very quick examples I can give on two two totally different industries. So of course I mentioned in my introduction that I spent some time working with the health service in the UK. 
So in that context Obviously confidentiality was very high on our radar, you know, respecting the patient's right to privacy, protecting very sensitive medical records. was right up there. But equally integrity was. You know, I always say to people, imagine a doctor treating a patient with inaccurate medical records or data that's been corrupted. You know, the consequence could be extremely significant. Separately, I did some work for an electricity distributor, so think of it like a national grid organization. And on that project we were doing an industrial control system security project. So what we were interested in was protecting essentially computer systems that controlled electricity substations on the on the uh power grid. Now for that there wasn't really a lot of confidential information. you know there's no patient records or customer data. Maybe the designs of the system were probably the confidential information we wanted to protect. Our focus was very much on system integrity, controls to prevent or reduce the risk of people tampering with those systems And of course availability. You know, if somebody could do a denial of service attack and bring one of those systems down, they could cause significant disruption in the country that we're speaking about. So that project was much more focused on availability. My point being, n neither of them are right or wrong. Both of them are perfectly compatible under ISO twenty seven thousand and one and it's all about focusing in the right areas and looking at the organisation priorities. Just speaking of availability, um this diagram here just tries to pin together the relationship between information availability versus confidentiality and integrity. So of course we have on the side here it says information security. So information security is supported by uh data confidentiality controls and integrity. 
If we think about availability, what we should say is availability isn't just about a system being up and running. It's about other things as well. A system may be up and running, but is it reliable? In other words, if I go to use the system, you know, is it still going to function correctly And timeliness and performance are all part of that. You know, let's say I'm um I'm an online customer going to a website, uh that website might well be there, but if I can't make, for example, a purchase because because of performance issues, then I still wouldn't argue that the system is available. And there are multiple things that support system availability. So the there are those things that prevent systems going offline in the first place, such as housing those systems in an environment with adequate physical security, your professional data center with fire suppression and um you know air conditioning and uh monitoring and all of those things. Having effective security policies in place which reduce the risk of actions being taken that could bring systems offline Designing systems in such a way that they're what we call redundant. So let's imagine we have a a hardware failure, that we don't just lose the system because of one hardware failure, that another piece of hardware Where um that kicks in. So even with networking, you can do that with firewalls, you know, you can have failover firewalls, for example. Uh making sure there's adequate monitoring. So these are all preventative things, hopefully to stop the loss of availability when things go wrong. And then of course in worst case scenarios, having adequate business continuity plans which lay out how we would recover. if something significant happened in terms of interruption and also thinking about backups and having adequate backups in place so we could recover from a trusted uh backup. 
Now one thing to say about all of the things I've mentioned, because I've mentioned them at a very high level, when we look at ISO 2701, uh how rigorous we need to be in each of these areas comes back to your risk assessment. So for example, ISO 27001 is not sitting. For every piece of hardware you must have an equal and uh uh opposite duplicate for example or that you must have two power feeds into your data centre etc you might determine that your availability needs are so high that that makes absolute sense and you need to invest in those controls. In other environments where the availability requirement may be less, then you can make different decisions. So ISO is not dictating here, but what it is saying is these are the areas to think about when it comes to availability So ultimately, yes, yes we're about protecting confidentiality and integrity, but we also want to make sure we have information systems we can trust and have a confidence in and have a confidence. That they'll be there when we need to use them. \ No newline at end of file
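Review bot: Several speech-to-text errors in this hunk corrupt standard identifiers and security terms and should be corrected before this transcription is used as reference material: "ISO 20" in the sentence "information security according to ISO 20" is a truncated reference (the definition quoted later in the hunk is attributed to ISO 27000), "ISO 2701" near the end of the hunk should read "ISO 27001", and "ISO twenty seven thousand and one" should be normalised to the same numeric form used elsewhere in the file. Likewise "three tenants of security" should be "three tenets", "confidentiality, integrity and ability" should be "availability", "not just because the server's an audit trail" should be "not just because they serve as an audit trail", and "ISO 27001 is not sitting. For every piece of hardware" should read "ISO 27001 is not saying that for every piece of hardware". The hunk also introduces a file with no trailing newline (see the "\ No newline at end of file" marker); add one so later diffs against this file stay clean.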