All Episodes
Displaying 1 - 20 of 71 in total
Episode 1 — Orientation & Outcomes
ISO 27001 certification begins with understanding the broader ISO 27000 family of standards that form the foundation for information security management. ISO 27000 pro...
Episode 2 — ISMS & PDCA in Practice
The ISMS is more than documentation; it is a governance framework built on the Plan-Do-Check-Act (PDCA) cycle that embeds continual improvement into security operation...
Episode 3 — What Changed
The 2022 revision of ISO 27001 and 27002 modernized the framework to reflect today’s digital threat landscape. The control set was condensed from 114 to 93 by merging ...
Episode 4 — 27002 Attributes & the SoA
ISO 27002:2022 introduced a new attribute model to help organizations slice and categorize controls in multiple ways. Each control now includes attributes such as cont...
Episode 5 — Clause 4.1 + 4.2
Clause 4.1 requires understanding the organization’s context—internal and external factors that influence the ISMS’s purpose and outcomes. Clause 4.2 extends this by m...
Episode 6 — Clause 4.3 — Determining ISMS scope
Clause 4.3 defines one of the most critical early deliverables in ISO 27001 implementation: the formal ISMS scope. The scope establishes the boundaries within which co...
Episode 7 — Clause 4.4 — ISMS processes and interactions
Clause 4.4 elevates the ISMS from documentation to a functioning management system by requiring defined processes and their interactions. For exam candidates, this mea...
Episode 8 — Clause 5.1 + 5.2 — Leadership & policy evidence
Clause 5.1 requires top management to demonstrate leadership and commitment to the ISMS, while Clause 5.2 mandates an information security policy aligned to strategic ...
Episode 9 — Clause 5.3 — Roles, responsibilities, authorities
Clause 5.3 ensures that roles, responsibilities, and authorities for the ISMS are clearly defined and communicated. Effective implementation depends on assigning owner...
Episode 10 — Clause 6.1 — Actions to address risks & opportunities
Clause 6.1 introduces ISO 27001’s risk-based thinking by requiring organizations to plan actions to address both risks and opportunities. This clause bridges governanc...
Episode 11 — Clause 6.1.2 — Risk assessment methodology
Clause 6.1.2 requires the organization to define and apply a consistent methodology for information security risk assessment. This methodology must specify how risks a...
Episode 12 — Clause 6.1.3 — Risk treatment planning
Clause 6.1.3 outlines the requirements for developing and maintaining a risk treatment plan, which defines how identified risks will be managed. Organizations must dec...
Episode 13 — Clause 6.2 — Objectives & planning to achieve them
Clause 6.2 focuses on establishing measurable information security objectives consistent with the organization’s policy, risks, and opportunities. These objectives ope...
Episode 14 — Clause 6.3 — Planning of changes
Clause 6.3 requires organizations to plan ISMS-related changes systematically to avoid unintended consequences. Changes may involve personnel, processes, systems, or p...
Episode 15 — Clause 7.1 + 7.2 — Resources; Competence
Clauses 7.1 and 7.2 emphasize the human and material foundation of the ISMS—adequate resources and competent personnel. Clause 7.1 ensures that sufficient financial, t...
Episode 16 — Clause 7.3 + 7.4 — Awareness; Communication
Clause 7.3 requires organizations to ensure that people doing work under their control are aware of the information security policy, their contribution to ISMS effecti...
Episode 17 — Clause 7.5 — Documented information
Clause 7.5 sets requirements for creating, updating, and controlling documented information necessary for the ISMS. The standard distinguishes between documents (livin...
Episode 18 — Clause 8.1 — Operational planning and control
Clause 8.1 translates strategy into execution by requiring the organization to plan, implement, and control the processes needed to meet ISMS requirements, including c...
Episode 19 — Clause 8.2 + 8.3 — Risk assessment & treatment in operations
Clauses 8.2 and 8.3 require conducting risk assessments at planned intervals and implementing risk treatment plans—bringing the methodology from Clause 6.1.2 and the p...
Episode 20 — Clause 9.1 — Monitoring, measurement, analysis & evaluation
Clause 9.1 requires organizations to determine what needs to be monitored and measured, the methods, the timing, the responsibility, and how results are analyzed and e...