About the need to establish an information security policy supported by topic-specific policies that address specific aspects.

About the structure (or individuals) tasked to coordinate information security management in an organization.

About the need to segregate (or to separate) conflicting duties and areas of responsibility (with examples).

About the support of the top management for the ISMS and the need to require everyone in the organization to follow the information security policy and topic-specific policies.

About the need for the organization to maintain contact with relevant authorities.

About the need and the benefits of maintaining contacts with interest groups, information security forums and professional associations.

About collecting and analyzing information about security threats, in order to produce threat intelligence.

About the need to integrate information security into all projects, regardless of their specific or size.

About how to develop and maintain an inventory of information and associated assets.

About the need to identify, document and implement rules for the acceptable use of information and assets.

About the process of returning assets belonging to the organization when the employment or contract is terminated or changed.

About the classification of information. Different information classification schemes. The recommendation for a topic-specific policy on information classification.

About the labelling of information in accordance with its classification.

About the rules for transferring information with external parties, using electronic means, physical media and the verbal transfer of information.

About the recommendation to define rules and a topic-specific policy on access control. Details about different access control methodologies.

About the solutions to ensure that individuals and systems who access information and associated assets are identified and access rights are assigned appropriately.

About the need to control the allocation and management of authentication information. User awareness on the appropriate handling of authentication information.

About provisioning, reviewing, modifying and removing access rights to information and associated assets.

About managing the information security risks associated with the use of suppliers' products and services.

About the need to agree with each supplier the relevant information security requirements depending on the type of relationship.

About the need to have processes and procedures to address information security risks associated with the ICT supply chain.

About the need to monitor, review, evaluate and manage changes in supplier information security practices and the delivery of services to the organization.

About the need to establish processes to address information security when acquiring, using or exiting from cloud services.

About the processes to manage information security incidents. The difference between security events and incidents.

About the need to assess information security events to decide if they represents incidents or not.

About the response that the organization should provide to information security incidents.

About the need to use the information collected while managing security incidents for education purposes.

About the need to have procedures for the identification, collection, acquisition and preservation of information that may be used as evidence in the investigation of information security incidents.

About the need to have arrangements in place to maintain an adequate level of information security in case of major incident.

About planning, maintaining and testing the ICT readiness based on the organization's business continuity objectives.

About the identification of legal, regulatory and contractual requirements relevant for information security and the approach of the organization to ensure compliance.

About the need to have procedures and rules to protect intellectual property rights.

About the rules to protect records from loss, destruction, falsification, unauthorized access and release.

About the need to comply to the requirements for privacy and the protection of personally identifiable information.

About the need to arrange independent reviews of the organization's approach to manage information security.

About the process to review conformance with the information security policy and topic-specific policies.

About the need to document and implement procedures for operating information processing facilities.

A brief recapitulation of the organizational controls in ISO/IEC 27002.

About the background checks that the organization should perform on all candidates for employment, before they join the organization.

About information security responsibilities that should be included in the terms and conditions for employment.

About the need for the organization to ensure that its personnel receive adequate training and awareness on information security.

About the process that should be applied in case personnel do not comply with information security requirements.

About the responsibilities and duties that refer to information security and that remain valid after the employment is terminated or changed.

About the need for the personnel to sign confidentiality or non-disclosure agreements.

About the conditions and the risks associated with working from premises outside the control of the organization.

About the need for personnel to report immediately any observed or suspected information security events.

A recapitulation of the controls that refer to the persons working for, or on behalf, of the organization.

About defining and using security perimeters to protect areas where sensitive information and assets are located.

About protecting secure areas with entry controls.

About the security measures to protect offices, rooms and facilities.

About the need to monitor premises continuously to detect unauthorized physical access. 

About the controls intended to protect against natural disasters, intentional and unintentional physical threats to infrastructure.

About secure areas and the controls for working in secure areas.

About the rules that should be enforced to ensure clear desks and clear screens.

About siting and protecting equipment.

About the security measures that should be implemented to protect assets taken outside the organization's assets.

About the measures intended to manage storage media throughout its life cycle.

About protecting processing facilities from power failures and other disruptions.

About protecting power and telecommunication cables from interception, interference and damage.

About the measure to ensure that equipment is maintained correctly.

About the security measures needed when equipment is disposed of or used for other purposes in the organization.

A recapitulation of the security controls that refer to physical objects.

Guidelines for using endpoint devices. User awareness. Guidelines for using personal devices for work purposes (BYOD - Bring Your Own Device).

About restricting and managing the allocation and use of privileged access rights.

Guidelines for restricting the access to information and associated assets.

About the need to manage properly read and write access to source code and development tools.

Guidelines for the log-on procedures and technologies.

About the monitoring of resources and the predicting future needs to ensure sufficient availability.

Guidelines for protecting against malware, including the awareness of users on the risks involved.

About the need to obtain and to review in time information about technical vulnerabilities.

About the need to establish configurations (including configurations) to ensure that software, hardware, services and networks are in a consistent state and any unauthorized or incorrect changes are prevented.

Guidelines on protecting information from unnecessary exposure with deletion.

Guidelines on protecting sensitive data (including PII) with masking techniques. About pseudonymization and anonymization.

Guidelines for what to consider for data leakage prevention solutions.

About taking, protecting and testing regularly backup copies of information, software and systems.

Guidelines on how to ensure sufficient redundancy for information processing facilities to meet availability needs.

Guidelines on producing, protecting, storing and analyzing logs that record activities, exceptions, faults and other relevant events.

Guidelines on how the organization should monitor systems, networks and applications for anomalous behavior and take appropriate actions to address security incidents.

About the need to synchronize the clocks of information processing systems. Reasons and solutions.

About restricting and controlling the use of utility programs that can override system and application controls.

Guidelines on the procedures and measures to manage the installation of software on operational systems.

Generic guidelines to consider in order to protect networks and network devices and information in systems and applications.

About the need to establish security mechanisms, service levels and service requirements for network services provided to the organization by third parties.

Guidelines to consider for improved performance and security by splitting networks into separate domains.

Guidelines on managing the exposure to malicious content associated with the access of personnel to external websites.

Guidelines on using cryptography and on the management of cryptographic keys.

Guidelines on the rules to be considered for the secure development of software and systems.

Guidelines for specifying information security requirements when the organization develops or if it acquires applications.

About the need to develop and to apply security engineering principles to all system development activities.

Guidelines on establishing and applying principles for secure coding in software development.

Guidelines on defining and implementing security testing processes in the development life cycle.

About aspects to consider when the organization decides to outsource system development.

About the need to ensure a separation between development, testing and production environments. Reasons, solutions and exceptions.

Generic information about managing changes to information systems and information processing facilities, so that information security is not negatively affected.

About the need to protect the information used for testing purposes.

Guidelines for protecting operational systems during audits and other assurance activities that the organization intends to perform.

A recapitulation of the technological controls in ISO/IEC 27002.

About the certification of organizations and individuals in the field of information security management.

A presentation of my other courses on information security management as well as the content available at rigcert.education