Видео

Yes - on the plan :) they take up a bit of time but I am nearly there. Thank you for the feedback. I hope to do more this week! Keep watching. 🙏

@@StuartBarker Thanks for the response. Sure. Waiting for the videos.

thank you :)

That is great - the main toolkit is currently on offer and worth a look. Thank you. 🙏

Every calendar year between external audit cycles. I have seen where people do once per 3 year cycle and get an observation, minor or major non conformity. I appreciate this doesnt seem consistent but it is auditor dependant. The best practice approach would be once per calendar year minimum but I have a video on audit planning that explains in more detail - this link should take you direct to the relevant section - ruclips.net/video/hz_hPt4DZvw/видео.html

Sorry the relevant section is 4 minutes and 9 seconds.

@@StuartBarker Yes, I agree that the internal audit program should be implemented regularly between external CAB audits. Perhaps I should have put my question more clearly - would you suggest that the entire ISMS (processes and controls) are to be audited every year, or a sampled approach is taken over the 3-year certification cycle on the basis of process criticality or risk exposure?

@dbellconsulting - the video that I link goes into the nuances of it but ISO 27001 is a risk based system so the audit program is based on risk. A good starting point is to audit the entire ISMS every year as I have seen that the ISMS itself often gets overlooked and I have seen auditors raise that as a non conformity. Start on the basis of once a year for the entire ISMS and with the knowledge that certain parts of the ISMS may require auditing more than once in that one year cycle. The video on audit planning sets out the exact way I would go about it and the variations / exceptions and considerations to take. For me, once per year would be the minimum to ensure an effective management system - if I was talking broad brush. If it is right for you to do a sampled approached over the 3 year certification cycle based on your risk and you are comfortable you can justify the approach then that should be fine but I would treat this more as an exception than the rule. 🙏

yes. It is one way to do it and the way I do it. 🙏

@ thank you so much

Working through them and it coming soon but you can jump on a free weekly clinic to ask me questions and run through. Website menu / learn / iso 27001 clinic - to book

This was included in the 2022 update to the template and is in the latest toolkit to make it explicit. I even pre fill it with examples. The previous assumption was people would know how the ISMS meets requirements but you cannot assume anything so I updated it to make it more explicit. Thanks for watching and good spot that many would not. Latest template and toolkit = it is included.

@@StuartBarker thank you. I must be working from the old version. You've reminded me to look at the updates. thank you. Your product is great. I'm getting through it!

@jack_b_za6415 You can jump on a free weekly clinic or grab a 1 to 1 as hard to answer in small comments but I would expect that you have a register of all your clients, what software they have purchased, the licenses that go with that. THEY will have a requirement under the intellectual property control to evidence licensing and software and if they rely on you they will expect that you can evidence it. Which alludes to what this control is about. Do you know, in total, what you have in place for your ISO 27001 scope ( I narrow it here but really you would want to know EVERYTHING you have ). The control wants what YOU have but it clearly makes sense, based on what you tell me and the requirements your clients have that you have this for clients and what you sell also. Hope makes sense - jump on a clinic or call to chat through if you need more.

Thank you and good luck with the exam. Let me know how you found it. 🙏

5.29 - hightable.io/iso-27001-annex-a-5-29-information-security-during-disruption/ 5.30 - hightable.io/iso-27001-annex-a-5-30-ict-readiness-for-business-continuity/ 5.29 - what are your information security requirements during a disruption and how do they differ from production 5.30 - what ICT disaster recovery do you have in place

@lecompt - A person can hold more than one role. This video is the explanation and help - > ruclips.net/video/_CP7vr-8MYk/видео.html

Appreciate the feedback. It is taken directly from a Teams recording of a real life session so yeah, not great but the content hopefully is on point. Appreciate the feedback though - check out the other actual training and implementation videos that are in 4k with dolby surround. 🙏

@@StuartBarker thank you The content is good. But i haven't Completed all the parts yet

I appreciate that. Thank you. Makes doing them worth while if they are helping people. 🙏

I think you are probably correct. I get caught up in the moment but hopefully it helped. You certainly know your onions! :) 🙏

Hey, happy to help! thanks for the feedback 🙏

I watched George Clooney back in the day in Batman. It did not make me Batman nor sadly George Clooney but inside, you know, and I know, I really am Batman. So maybe ....

Of course: hightable.io/how-to-write-deploy-and-implement-iso-27001-policies/

@paul4561 - you can book a free 1 to 1 with me on hightable.io - I have previously built and sold a company doing this although now I give knowledge away for free. Also this video is from a consultant coaching programme I do - ruclips.net/video/HojVRKC6FPU/видео.html - it is doable.

@@StuartBarker Thank you, must get chatting to you :)

Linkin with me and I can share with you... 👍

@@StuartBarker Thank you so much. How can I contact you? email, LinkedIn chat, or other ways?

Depends what kind of job you want there Florida Investor ! I would say it is information that you would pay someone to train you on and is based on 30+ years experience but only you can judge its value. As for landing a job ... I wanted to be a stripper but I don't think it's going to help me with that... I guess it all about context 🙏

Yes Ryan. This is part of the overall puzzle. This policy meets the requirements for having a cloud services policy and the requirements for cloud providers but remember that the standard is made up of many policies and Annex A controls that address specifics such as access control, network security, physical security, anti malware and much much more. The points you raise are addressed, but not here. Which out of context may seem strange but we are creating building blocks to create a house. What ever house you need and want. You can join the Q and A or drop me a 1 to 1 and I can cover for you in more detail than the comments allow. 🙏

One of many additional videos that support this area that will add some context to this 'how to' video - ruclips.net/video/pD9xeH-NlM8/видео.html

Your / You're welcome ☺️

@@StuartBarker Hahaha, so fair man, so fair.

Thank you - I cover what you need in the blog that goes with the video - it is here for reference - hightable.io/iso-27001-annex-a-5-7-threat-intelligence/ 🙏

Thank you! 🙏

Read this blog - hightable.io/iso-27001-when-you-have-no-office/ - but substitute dev ops for physical security. It is the same approach for you. Let me know if that not answer or you have questions but I think it will give you what you need 🙏

@@StuartBarker This helps. Thank you again for your help.

@@StuartBarker That was helpful. Thank you.

You can find it here: hightable.io/product/iso-27001-annex-a-5-2-information-security-roles-and-responsibilities-template/. 🙏🙏🙏🙏