
About the three concepts: information security, cybersecurity and privacy. The CIA triad (Confidentiality, Integrity, Availability).
About the standards in the ISO/IEC 27000 series of standards. Which are the most popular standards in this family and what is their purpose.
Standards on information security you can find here: https://www.iso.org/committee/45306/x/catalogue/p/1/u/0/w/0/d/0
What is a management system and what is an ISMS (Information Security Management System). What does an ISMS consist of. What is the purpose of ISO/IEC 27001 and ISO/IEC 27002.
A short history of ISO/IEC 27002. The structure of the standard. The four categories of controls (or themes): Organizational controls, People controls, Physical controls and Technological controls. About the attributes associated with each control in the standard.
About the need to establish an information security policy supported by topic-specific policies that address specific aspects.
About the structure (or individuals) tasked to coordinate information security management in an organization.
About the need to segregate (or to separate) conflicting duties and areas of responsibility (with examples).
About the support of the top management for the ISMS and the need to require everyone in the organization to follow the information security policy and topic-specific policies.
About the need for the organization to maintain contact with relevant authorities.
About the need and the benefits of maintaining contacts with interest groups, information security forums and professional associations.
About collecting and analyzing information about security threats, in order to produce threat intelligence.
About the need to integrate information security into all projects, regardless of their specifics or size.
About how to develop and maintain an inventory of information and associated assets.
About the need to identify, document and implement rules for the acceptable use of information and assets.
About the process of returning assets belonging to the organization when the employment or contract is terminated or changed.
About the classification of information. Different information classification schemes. The recommendation for a topic-specific policy on information classification.
About the labelling of information in accordance with its classification.
About the rules for transferring information with external parties, using electronic means, physical media and the verbal transfer of information.
About the recommendation to define rules and a topic-specific policy on access control. Details about different access control methodologies.
About the solutions to ensure that individuals and systems that access information and associated assets are identified and access rights are assigned appropriately.
About the need to control the allocation and management of authentication information. User awareness on the appropriate handling of authentication information.
About provisioning, reviewing, modifying and removing access rights to information and associated assets.
About managing the information security risks associated with the use of suppliers' products and services.
About the need to agree with each supplier on the relevant information security requirements, depending on the type of relationship.
About the need to have processes and procedures to address information security risks associated with the ICT supply chain.
About the need to monitor, review, evaluate and manage changes in supplier information security practices and the delivery of services to the organization.
About the need to establish processes to address information security when acquiring, using or exiting from cloud services.
About the processes to manage information security incidents. The difference between security events and incidents.
About the need to assess information security events to decide whether or not they represent incidents.
About the response that the organization should provide to information security incidents.
About the need to use the information collected while managing security incidents for education purposes.
About the need to have procedures for the identification, collection, acquisition and preservation of information that may be used as evidence in the investigation of information security incidents.
About the need to have arrangements in place to maintain an adequate level of information security in case of a major incident.
About planning, maintaining and testing the ICT readiness based on the organization's business continuity objectives.
About the identification of legal, regulatory and contractual requirements relevant for information security and the approach of the organization to ensure compliance.
About the need to have procedures and rules to protect intellectual property rights.
About the rules to protect records from loss, destruction, falsification, unauthorized access and release.
About the need to comply with the requirements for privacy and the protection of personally identifiable information.
About the need to arrange independent reviews of the organization's approach to manage information security.
About the process to review conformance with the information security policy and topic-specific policies.
About the need to document and implement procedures for operating information processing facilities.
A brief recapitulation of the organizational controls in ISO/IEC 27002.
About the background checks that the organization should perform on all candidates for employment, before they join the organization.
About information security responsibilities that should be included in the terms and conditions for employment.
About the need for the organization to ensure that its personnel receive adequate training and awareness on information security.
About the process that should be applied in case personnel do not comply with information security requirements.
About the responsibilities and duties that refer to information security and that remain valid after the employment is terminated or changed.
About the need for the personnel to sign confidentiality or non-disclosure agreements.
About the conditions and the risks associated with working from premises outside the control of the organization.
About the need for personnel to report immediately any observed or suspected information security events.
A recapitulation of the controls that refer to the persons working for, or on behalf of, the organization.
About defining and using security perimeters to protect areas where sensitive information and assets are located.
About protecting secure areas with entry controls.
About the security measures to protect offices, rooms and facilities.
About the need to monitor premises continuously to detect unauthorized physical access.
About the controls intended to protect against natural disasters and against intentional and unintentional physical threats to infrastructure.
About secure areas and the controls for working in secure areas.
About the rules that should be enforced to ensure clear desks and clear screens.
About siting and protecting equipment.
About the security measures that should be implemented to protect assets taken outside the organization's premises.
About the measures intended to manage storage media throughout its life cycle.
About protecting processing facilities from power failures and other disruptions.
About protecting power and telecommunication cables from interception, interference and damage.
About the measures to ensure that equipment is maintained correctly.
About the security measures needed when equipment is disposed of or used for other purposes in the organization.
A recapitulation of the security controls that refer to physical objects.
Guidelines for using endpoint devices. User awareness. Guidelines for using personal devices for work purposes (BYOD - Bring Your Own Device).
About restricting and managing the allocation and use of privileged access rights.
Guidelines for restricting the access to information and associated assets.
About the need to properly manage read and write access to source code and development tools.
Guidelines for the log-on procedures and technologies.
About the monitoring of resources and the prediction of future needs to ensure sufficient availability.
Guidelines for protecting against malware, including the awareness of users on the risks involved.
About the need to obtain information about technical vulnerabilities and to review it in a timely manner.
About the need to establish configurations (including security configurations) to ensure that software, hardware, services and networks are in a consistent state and that any unauthorized or incorrect changes are prevented.
Guidelines on protecting information from unnecessary exposure through deletion.
Guidelines on protecting sensitive data (including PII) with masking techniques. About pseudonymization and anonymization.
Guidelines on what to consider for data leakage prevention solutions.
About taking, protecting and testing regularly backup copies of information, software and systems.
Guidelines on how to ensure sufficient redundancy for information processing facilities to meet availability needs.
Guidelines on producing, protecting, storing and analyzing logs that record activities, exceptions, faults and other relevant events.
Guidelines on how the organization should monitor systems, networks and applications for anomalous behavior and take appropriate actions to address security incidents.
About the need to synchronize the clocks of information processing systems. Reasons and solutions.
About restricting and controlling the use of utility programs that can override system and application controls.
Guidelines on the procedures and measures to manage the installation of software on operational systems.
Generic guidelines to consider in order to protect networks, network devices, and the information in systems and applications.
About the need to establish security mechanisms, service levels and service requirements for network services provided to the organization by third parties.
Guidelines to consider for improved performance and security by splitting networks into separate domains.
Guidelines on managing the exposure to malicious content associated with the access of personnel to external websites.
Guidelines on using cryptography and on the management of cryptographic keys.
Guidelines on the rules to be considered for the secure development of software and systems.
Guidelines for specifying information security requirements when the organization develops or acquires applications.
About the need to develop and to apply security engineering principles to all system development activities.
Guidelines on establishing and applying principles for secure coding in software development.
Guidelines on defining and implementing security testing processes in the development life cycle.
About aspects to consider when the organization decides to outsource system development.
About the need to ensure a separation between development, testing and production environments. Reasons, solutions and exceptions.
Generic information about managing changes to information systems and information processing facilities, so that information security is not negatively affected.
About the need to protect the information used for testing purposes.
Guidelines for protecting operational systems during audits and other assurance activities that the organization intends to perform.
A recapitulation of the technological controls in ISO/IEC 27002.
About the certification of organizations and individuals in the field of information security management.
A presentation of my other courses on information security management, as well as the content available at rigcert.education.
This course details the information security controls in ISO/IEC 27002:2022.
It is intended to provide an overview of the 93 controls required for an ISMS (Information Security Management System).
The structure of the course includes an introductory section with a presentation of the ISO/IEC 27000 family of international standards and the position and purpose of ISO/IEC 27002. The introductory section provides definitions for concepts like information security, cybersecurity and privacy, and explains what an ISMS is and what it should consist of.
The second section of the course details the 37 Organizational controls in ISO/IEC 27002, including: roles and responsibilities, segregation of duties, threat intelligence, information security in project management, information classification and labelling, access control, information transfer, supplier relationships from an information security perspective, ICT continuity, privacy and protection of PII, and documented operating procedures as part of an ISMS.
Section three is about security controls that refer to the individuals working for or on behalf of the organization (People controls). It covers aspects like screening, terms and conditions of employment, training and awareness, disciplinary process or remote working.
The next section includes controls that address physical security (Physical controls) including: secure areas, entry controls, clear desk and clear screen, storage media, supporting utilities or the secure re-use and disposal of equipment.
Section number four covers Technological controls that refer to aspects like: the use of endpoint devices, data masking, information deletion, backup, cryptography, logging, network security, secure development, secure coding, the protection of test information, web filtering, secure authentication, access to source code and the use of privileged utility programs.
The final section of the course provides information on the certification to ISO/IEC 27001 and ISO/IEC 27002 for both organizations and individuals.
This course includes a promotion