ISO Flashcards
ISO family
IOS faimly 2 27007-onwards
IOS 27001 family 3 27015-onwards
ISO 27001 family 4 27023
IOS family5
IOS family 6
PIM controls
Interested parties
Asset 8
example compliance policy
A18.2.3 Tech Complinace Review
A18.2.2 Compliance with Sec & Standards
A18.2.1 Independent Review of info Sec
A.18.1.4 Privacy & Protect of personally ID info
A18.1.3 Protection of Records
A.18.1.2 Intellectual Property rights
A.18 Compliance (2)
A.18 Compliance
Key in InfoSec Continuinty
A17.1.3 Verify review & Evaluate INfo Sec Continuity
PDCA
Threat, Risk , Vulnerability
Sec Measures
Incident cycle
Incident cycle T,R,V
C,i,A & Correctness
owner of asset
worm, Spyware
ISMS CSF
ISMS CSF 3.6 reflect
wheel
Annex A IS Ctrl Cat
Project Progression
A18 Compliance
A18 Compliance breakdown
A18.2
ISMS
A.12 Ops Sec
A.12 Ops Sec p2
A12.2. Ops Sec
A12.4 Ops Sec
A12.5,6,7 Ops Sec
A13 Comms Sec
A13.2 Comms Sec
A14 Sys Acquisition Dev & Maintence
A14.2 Sys Acq ,dev, Maintence
A14.2. X Sys Acq, Dev, Main
A.15 Supplier Relationships
A16 IS inc Mgmt
A16.1 IS Inc Mgmt
A16. IS Inc mgmt Lifecycle
A17 IS Aspect of BC mgmt
A10 Cyprto
A11 Physical & Env Sec
A11.1 Phy & Env Sec
A11.2.3- Phy Env Sec
A8 Asset Mgmt
A.8.1.2- Asset Mgmt
A.8.2 Asset Mgmt
A.8.3 Asset Mgmt
ISC Access Ctrl A9
A.9 Access Ctrl
A.9 Access Ctrl
A.9.4 Access Ctrl
A.94..4 & 5. Access Ctrl
A.& HR Sec
A7.1 HR Sec
A7.2 HR Sec
A7.3 HR Sec
HR Sec A7 example
A.& HR Answer
8.1 Ops
8.1 Ops outsource
8.1 Ops
Supply Chain Rish Mgmt
Id supply Chain
ID supply Chain
Common failing in Deployment
Ops steps for Effective Deployment
risk Assessment 8.2 & risk treatment
Annex A ref cntrl Obj & contrl
A.6 Org of IS
A6.1.4&5 Org of IS
A6.2. Org of IS
ISC Org of IS
6.1 Planning
IS Obj 6.2
IS Obj 6.2 part 2
measuring effectiveness
ISMS obj & Measurement
Link Sec to Bus Obj
Risk Treatment
Risk Assessement Ex- Impact Scale
Clause 6 Planning 6.1
Risk Decision
Options for Risk Decision
Risk Treatment - Risk Acceptance Criteria
ctrl
ex ctrl PPP
Risk & countermeasure- Likeihood impact
ISMS Risk Treatmemt
Compare ctrl to annex A
SOA detail security design
SOA Ex
SOA Manual- Procedure - Forms -records
ctrl listing handout
Risk Mgmt spreadsheet
Risk Assessment tool
Risk Mgmt Summary
Risk Mgmt Summary
Cont Improvement
clause 6.2 Planning
6.1.2 assess IS risk
IS risk Ass 6.1.2
Conduct Risk Ass 2 appraoch
Detail of Risk mgmt- High level- Detais
ISO27005 Risk Mgmt
Risk Assessmet - ID risk
Risk Scenarios- componets
NIST Risk Mgmt framework
Info Assurance Standard
Octava
Asset-based risk mgmt
Asset-based risk - treatment
Risk Asset ex
Risk Assessment Ex Y
Risk Assessment Ex Y
determining impact Value
Risk Criteria
stage 1 intent audit
stage 2 implementation Audit
Audit Obj
if NC found
most common problem at Audit - Risk Mgmt
Most common Problem at Audit- Misc
ISMS should not stop evolving in prep for Audit
Clause 9- Performance Eval
perofrmance eval 9 - orgs and focus
data collection tech
Mgmt Process - Maturity framework
performance eval- understanding and acceptance
performance eval- reporting on Polcy Deployment
perforamance eval- reporting on polciy deployment
clause 9- performance Eval 9.1,2,3
IS Standard- auditing apps
Monitoring and mgmt internal audit 1st party
auditing mgmt Sys Obj
monitoring & mgmt - conducting interal Audits
performance eval- After internal Audit
mgmt review 9.3
mgmt review 9.3 part 2
clause 4 - context
clause 4.1
4.2 interesting parties
e.g interested party
4.3 determine scope
scope
trust boundaries on the cloud
context & leadership
clause 5 - leadership
clause 5 - leadership
selling IS & ISO 27001
selling IS & ISO part 2
5.1 Leadership
5.1 Leadership part 2
- Policy
ISC IS Policy A5
ISC IS Polices A5 eg
IS Policies A5 - Obj
5.3 Roles and Responsibilities
Info Mgmt
confidentiality
Integrity
Integrity
available measure eg.
Parkerian hexad
threat & threat agent
human threats
non human threats
Risk
threat & risk
vulneraability
Exposure
threat & threat agent
human threats 2
Risk analysis
risk strategies
countermeasures
categories of countermeasures
countermeasure - prevention
countermeasure - reduction
countermeasure- detection
countermeasure - repression
countermeasure- acceptance
due care
sec measures - chart
ISMS PDCA
ISMS framework
sec policy
sec policy contents
obj & the content of sec org
ISMS framework domains
IS roles
obj chart of Sec org
logical access ctrl
user responsibilities
crytography
symmetrical system
asymmetrical system
PKI
1 way encrypt
how to report inc
sec inc eg.
incident cycle
Escalation - Fun - hierarchical
ISO 27001 sec Processes
Importance of Measures
structing measures
NIST ctrl types
relationship between risk and measure
Obj of classification
effectsa of classfication
Phy risk
phy sec measure
phy rings
phy protection rings
the building
working space
phy obj
tech measures
ops ctrl
change measure
technical risk
phishing
spam
measuring against malware
virus- worm - trojan, hoax
spyware botnet
access mgmt principles
IAA concepts
BCM
DRP
redundancy options
org measures
dangers & risks
compliance
compliance eg
compliance eg
ISO 27001 cert
mgmt commitment
mgmt commitment 2
clause 7 -support
resoures 7.1
competence 7.2
awareness 7.3
project resources- e learning
competence, awareness and comms
competence 7.2 part 2
awareness 7.3
comms 7.4
comms -typical concerns
is info sec for u ?
awareness & comms
awareness & comms
clause 6 planning
actions to addrs risk & Opps general 6.1.1
action to addres risk 6.1.1
implementation approach
implementation approach project
implementation approach part 3
implement BSC
Implement BSC part 2
risk to ms achieving its obj
mgmt sys framework - docs
creating an ISMS
docs required
doc required - stakeholders
mgmt sys docs
mgmg sys docs
Mgmg sys Docs policy-> records
integrating mgmt sys req
tailoring to the org
mgmt sys format
mgmt sys format
doc info requirements
process roles
drafting docs
mgmt sys docs -publication
mgmt sys docs summary
mgmt sys framework - Improve
clause 10 - improvement
continual improvement
cont improve 2
CSI method
what is improvement
improve actions
comms graph
project framework
process approach Cobit
process approach cobit 5 model
alternative process model
interested parties- baseline
interested parties- main drivers
proj method IS stance
proj progression
proj review- key milestones
proj who des what?
implementation
A mgmt sys
ISMS =
Impplenting sec ctrl
in, Confidentiality
integrity- Available-
threat
risk assessment - term
27001 areas
chart
breakdown area
risk assessment chart
A15 Supplier relationship
standards
family
PID
selling IS to Sr mgmt
supplier assurance
org needs part 1
org needs part 2
solution
standard & scheme
benefits
summary- intitiation
structure of standard
clause 4-10
annex A ref ctrl
shall
shall be ..
est scope
guidance for scope
AWS Annex eg.
risk assessment
risk assessment
mandatory docs
mandatory recs 2
SOA sample spreadsheet
map of cert
map of cert 2
the audit
right to appeal
non- conformity
minor non- conformity
opportunity for improvement
noteworthy effort
observations
stage 1 audit
stage audit 2
A17.1.2 Implement IS cont.
A17.1.1 Plan IS cont.
A17 IS Aspect of BC Mgmt
Inc mgmt Policy eg.
A16.1.7 collect evidance
A16.1.6 Learning from IS Inc
A16.1.6 Learning from IS inc 2
A16.1.5 response to IS Inc
eg of IS mgmt Policy
A16.1.4 Assessment of Decision of IS events
A16.1.3 reporting IS weakness
A16.1.2 reporting IS events
A16.1.1 Responsibility & procedures
A16 IS inc mgmt
A16 IS inc Mgmt
A15.2.2 Mgmt Changes to Suppliers
A15.1.3 I &CT Suppliers
A15.1.2 Addrs sec with supplier
Eg of supplier relationship policy
A15.1.1 IS policy for suppleir relationships
A15.1.1 IS Policy for Supplier
A14.3.1 Protection of test data
A14.2.9 Sys acceptance testing
A14.2.8 Sys sec testing
A14.2.7 Outsource Dev
A14.26 secure Dev Env
A14.2.5 Sec Sys eng principles
A14.2.4 Restriction on changes to Software
A14.2.4 Tech review of Apps after Operation platform changes
A14.2.2 Sys Change Ctrl procedures 2
A14.2.2 Sys change ctrl procedures
A142.1 Secure dev policy
A141.3 protecting app service Trans
A14.1.2 Securing apps services on Public network
A14.1. IS req Analysis & specs
A14 Sys Acquisition Dev
A14.2. X Sys Acqisition
map of cert survilance
frequency of surveilance audits
surveilance audit sample
map of cert- re- cert
recert of audit plan
tool spectrum
file share
template & toolkits
DMS
risk mgmt & governance sys
3rd party support
A5.1
6.1 Internal org
6.2
7.1
7.2
7.3
8.1
8.2
8.3
9.1
9.2 user access mgmt
9.3
9.4
10.1 crypto
11.1 secure area
12
13 NW sec Mgmt
- Sec req of IS
15.1 IS in supplier
16.1 Mgm IS inc
17 IS cont
A14. sYs Acq
A13.2.4 Confidentiality or NDA
A13.2.2 Agreement of I transfer
A13.2.1 Info Transfer policy
A13.1.3 Segregation of Network
A13.1.2 Sec of Network Services
A13.1.1 Nw ctrl
A.13 Comms Sec 2
A13 Comm sec
Risk Treatment Plan
gap analysis
draft of SOA
Risk Ass 2 docs
residual Risk
27005 constraints
approach
CIA
CIA
tech Vulnerablities
18.1
Asset based risk ass
implement ISMS answers
answer
comparisiosn event- assets
iS
ansers
vul
threat CIA
asset owners
8.2
risk asse
key of ISMS
training team
sys & In Asset Owners
tech/fun personnel
IT Sec practitioners
Info Sec officer
Bus & Fun mger
bus mgmr
risk Owners
Sr exec Mgr
CIO
risk ass process
risk treatment
risk mgmrt ATV
A13 Comms Sec
A12.7.1 IS Audit Ctrl
A12.7 Restriction of Software
A12.6.1 Mgmt of Tech vul
A12.5.1 Install of SW on OS
A12.4.4 Clock sync
eg of Admin of Ops & log policy
eg of Protection of log In Policy
A12.4.2 Protection of Log INfo
event of logging eg ploicy
A12.4.1 Event logging
eg backup policy
A12.31 Info Backup
eg of ctrl against Malware policy
A12.2.1 ctrl against malware
A12.2.1 ctrl magainst malware
eg of polcy of seperation of Env
A121.4 seperation of Dev,testing
A11. Phy & env
Cap mgmg Polc Eg
A12.1.3 cap mgmt
A12.1.2 Ch mmgtr
eg of Doc operat mgmt proc
A12.1.1 Doc op proc
eg of Doc op mgmt procedure
A12 Op sec
A12 Ops sec
A12 Ops sec
A12 Ops sec
A11.2.9 clean desk
A11.2.8 Unattend user equipment
1.2.7 secure disposal of devices
A11.2.6 sec of devices and asset off prem
IS sec manual
5.3.
IS policy
A sec breach
addressing risk and opport 6.1.1
5 steps for risk mgm process 6.1
risk treatment plan
writing the risk meth
A11.2.5 removal of assets
