0:05 [Music]
0:07 let's see some more information about iso
0:11 27002 i have explained what this
0:14 standard is namely a guidance standard
0:17 designed to be used by companies by
0:20 organizations of all types and sizes as
0:22 a reference for determining and for
0:24 implementing information security cyber
0:28 security and privacy controls
0:30 this is not the first edition of the
0:32 standard it is the third one the first
0:35 edition of iso 27002 was published in 2005
0:38 then the standard was
0:41 revised and the new edition came out in 2013.
0:46 today as i'm creating this online course
0:48 the third edition of the standard has
0:50 not been published yet i am actually
0:52 using the final draft of the
0:54 international standard but it is
0:58 expected that in the first part of 2022
1:00 we will have the new edition of iso
1:03 27002 published
1:05 if you are familiar with the previous
1:07 edition of the standard the one from 2013
1:11 then you will see that there are some
1:14 changes some new controls have been
1:16 introduced some
1:19 of the controls in the previous edition
1:21 have been merged some of them have been
1:24 eliminated instead of having
1:28 114 security controls divided into 14
1:31 categories this is what we had in the
1:34 2013 edition of the standard now we only
1:38 have 93 controls divided into four categories
1:43 this process of revising standards
1:45 periodically is a normal one it is
1:48 intended to ensure that the standards
1:50 remain up to date and that they follow
1:54 the latest developments
1:56 is the purpose of this standard as i
1:58 said it can be used in the context of an
2:00 information security management system
2:03 according to iso 27001
2:06 it can also be used by an organization
2:08 that is not necessarily looking to
2:12 implement an isms but only wants to
2:15 apply some information security controls
2:16 based on
2:18 internationally recognized best
2:21 practices and also this standard can serve
2:24 as a starting point for a company that
2:27 wants to develop its own information
2:33 about the structure of iso 27002
2:34 we have
2:36 four categories of controls
2:39 organizational controls there are 37 of
2:43 them people controls 8 physical controls 14 and
2:49 technological controls 34. a total of 93
2:52 controls as i said those categories are
3:00 each security control is associated with
3:03 a number of attributes as you can see in
3:04 this table
3:07 by type a control can be preventive
3:10 meaning that the control acts before a
3:13 threat occurs it can be a detective control
3:17 that acts when a threat occurs or it can
3:20 be a corrective control that acts after
3:22 a threat occurs
3:25 security control can be only preventive
3:28 or detective or corrective or it can
3:31 have at the same time multiple
3:34 attributes associated with its
3:36 type to give you an example
3:38 we have a control that refers to the
3:41 disciplinary process that should exist
3:44 and that should be applied in case an
3:46 employee commits a violation of security policies
3:50 this is of course a corrective
3:53 control but it is at the same time a
3:55 preventive control because the
3:57 disciplinary process should act as a
4:00 deterrent to prevent personnel from
4:03 violating the company's policies and procedures
4:07 the next category of attributes
4:09 information security properties each
4:12 control is intended to preserve one or
4:14 more characteristics of
4:16 information security meaning
4:18 confidentiality integrity and availability
4:22 cybersecurity concepts is another
4:25 category where we have five attributes
4:28 identify protect detect respond and recover
4:33 operational capabilities attributes are
4:36 more 15 exactly governance asset
4:39 management information protection human
4:41 resource security physical security
4:44 system and network security application
4:47 security secure configuration
4:49 identity and access management threat
4:52 and vulnerability management continuity
4:54 supplier relationship security legal and
4:57 compliance information security event
5:00 management and information security
5:02 assurance and finally
5:05 the last category of attributes security
5:09 domains will categorize controls from
5:11 the perspective of information security
5:14 fields expertise services and products
5:16 and the attributes here are governance
5:19 and ecosystem protection defense and
5:21 resilience so
5:24 for each of the 93 controls when i will be
5:26 presenting a control i will also give
5:28 you the attributes
5:30 we have a table at the end of the
5:32 standard table a1
5:35 this is a matrix of controls and
5:37 attribute values you have there all the
5:40 controls in iso 27002
5:42 and the associated attributes for each
5:43 one of them
5:46 the table i have attached as a
5:48 supplementary resource to this video so
5:50 you can download it
5:52 the idea with those attributes is that
5:56 you can filter the controls based on the
5:58 attributes for example you can filter to see
6:01 which security controls are aimed to
6:04 preserve the integrity of information or
6:07 which controls are let's say preventive controls
6:13 it should be noted that not all controls
6:16 apply to all organizations there are
6:19 companies with no software development
6:21 for example so the controls that refer
6:24 to software development do not apply in
6:25 their case
6:27 other companies do not use cryptography
6:30 they do not generate cryptographic keys
6:33 so the respective controls do not apply
6:35 at the same time
6:38 it is perfectly public acceptable for an
6:41 organization uh to develop and to apply
6:44 supplementary controls uh to those in
6:47 the standard if the company considers
6:50 that the ones in iso 27002 are not
6:53 sufficient for its needs good
6:56 so i think this is enough with the
7:00 introductive part from the next video we
7:02 will begin discussing the security
7:04 controls in iso 27002
7:07 and i will follow the structure of the
7:09 standard meaning that we will begin with
7:11 the organizational controls this is the
7:12 first theme
7:16 we have 37 controls in this category and
7:19 the first of them is called policies for