All Episodes
Displaying 21 - 40 of 71 in total
Episode 21 — Clause 9.2 — Internal audit
Clause 9.2 establishes the internal audit as a formal, independent check on ISMS conformity and effectiveness. For the exam, remember that audits must be planned, impl...
Episode 22 — Clause 9.3 + 10 — Management review; Nonconformity; Continual improvement
Clause 9.3 requires top management to conduct reviews at planned intervals to ensure the ISMS remains suitable, adequate, and effective. For exam purposes, recognize t...
Episode 23 — A.5.1–5.2 — Policies for InfoSec; Roles & responsibilities
A.5.1 requires establishing a set of information security policies that provide direction and support consistent with business objectives and relevant laws and regulat...
Episode 24 — A.5.3–5.4 — Segregation of duties; Management responsibilities
A.5.3 addresses segregation of duties (SoD), a foundational control that reduces fraud and error by distributing tasks and authorities among different people. For the ...
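As an added illustration of the A.5.3 control (not code from the episode or from ISO), the check below flags toxic role combinations over a set of user-to-role assignments, resolving roles inherited through groups so that an indirect grant does not slip past the rule. The conflict pairs, group definitions and users are all constructed for the example.

```python
"""Segregation-of-duties (SoD) conflict check over role assignments.

Added example for A.5.3; the conflict pairs, group-to-role mappings and
user records below are constructed, not taken from any real directory.
"""
from itertools import combinations

# Constructed "toxic combinations": holding both roles in a pair lets one
# person both initiate and approve (or change and verify) the same action.
SOD_CONFLICTS = {
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"code_commit", "prod_deploy"}),
    frozenset({"user_admin", "audit_log_admin"}),
}

# Constructed group memberships that grant roles indirectly.
GROUP_ROLES = {
    "finance_ops": {"vendor_create", "invoice_entry"},
    "platform": {"code_commit", "prod_deploy"},
}

# Constructed user records: direct roles plus group memberships.
USERS = {
    "alice": {"roles": {"payment_approve"}, "groups": {"finance_ops"}},
    "bob":   {"roles": {"code_commit"}, "groups": set()},
    "carol": {"roles": {"user_admin", "audit_log_admin"}, "groups": set()},
    "dave":  {"roles": set(), "groups": {"platform"}},
}


def effective_roles(user: dict) -> set[str]:
    """Direct roles plus every role inherited via group membership."""
    roles = set(user["roles"])
    for group in user["groups"]:
        roles |= GROUP_ROLES.get(group, set())
    return roles


def sod_violations(users: dict = USERS) -> dict[str, list[tuple[str, str]]]:
    """Return {user: [(role_a, role_b), ...]} for each conflicting pair held.

    Pairs are emitted in sorted order so results are stable for reporting.
    """
    findings: dict[str, list[tuple[str, str]]] = {}
    for name, user in users.items():
        held = effective_roles(user)
        hits = [
            pair
            for pair in combinations(sorted(held), 2)
            if frozenset(pair) in SOD_CONFLICTS
        ]
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    for user, pairs in sod_violations().items():
        for role_a, role_b in pairs:
            print(f"SoD violation: {user} holds both {role_a} and {role_b}")
```

Note that alice and dave are only in violation through a group grant; a check that looked at directly assigned roles alone would report only carol.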
Episode 25 — A.5.5–5.6 — Contact with authorities; Special interest groups
A.5.5 requires organizations to establish and maintain appropriate contact with relevant authorities, such as regulators, law enforcement, and national or sector Compu...
Episode 26 — A.5.7–5.8 — Threat intelligence; Security in project management
A.5.7 introduces threat intelligence as a structured capability to collect, analyze, and share information about adversaries, techniques, vulnerabilities, and emerging...
Episode 27 — A.5.9–5.10 — Asset inventory; Acceptable use
A.5.9 requires an accurate, current inventory of information and other associated assets, including hardware, software, data sets, cloud resources, identities, and ser...
Episode 28 — A.5.11–5.12 — Return of assets; Classification of information
A.5.11 mandates that employees, contractors, and third parties return all organizational assets upon termination or change of role. For the exam, highlight that “asset...
Episode 29 — A.5.13–5.14 — Labelling of information; Information transfer
A.5.13 builds on classification by requiring that information be labelled according to handling requirements. For the exam, understand that labels may be visual (docum...
Episode 30 — A.5.15–5.16 — Access control; Identity management
A.5.15 requires that access to information and other associated assets be limited to authorized users, processes, or devices, in accordance with business and security ...
Episode 31 — A.5.17–5.18 — Authentication information; Access rights
A.5.17 requires organizations to protect authentication information throughout its lifecycle, emphasizing creation, issuance, use, storage, and revocation. For exam pu...
Episode 32 — A.5.19–5.20 — Supplier relationships; Supplier agreements
A.5.19 establishes that supplier relationships must be governed to protect the organization’s information and services. For the exam, focus on risk-based segmentation ...
Episode 33 — A.5.21–5.22 — ICT supply chain; Monitoring/review of supplier services
A.5.21 extends supplier governance to the broader ICT supply chain, recognizing that products and services depend on multiple tiers of vendors, firmware, open-source c...
Episode 34 — A.5.23–5.24 — Use of cloud services; Incident management planning and preparation
A.5.23 focuses on governing the use of cloud services so that risk treatment is consistent with enterprise policy and legal obligations. For the exam, explain that gov...
Episode 35 — A.5.25–5.26 — Event assessment/decision; Incident response
A.5.25 establishes a disciplined mechanism to assess events and decide whether they constitute information security incidents, preventing alert fatigue and ensuring co...
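To make the event-versus-incident decision concrete, here is an added example (not code from the episode) that runs a small triage rule set over constructed event records: a confirmed malware detection is declared an incident outright, a burst of failed logins followed by a success from the same source is correlated into an incident, a single typo-then-success is closed as an event, and priority is derived from a constructed asset criticality table. The thresholds, window, asset list and events are all assumptions made for the example.

```python
"""Event assessment and incident decision over constructed events (A.5.25).

Added example; the events, thresholds and asset criticality values are
constructed for illustration and do not come from any real system.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed asset criticality (3 = highest).
ASSET_CRITICALITY = {"payroll-db": 3, "vpn-gw": 2, "wiki": 1}

FAIL_THRESHOLD = 5   # failed logins that, followed by success, look like brute force
WINDOW = 300         # seconds in which those failures must precede the success


@dataclass
class Event:
    ts: int      # seconds since epoch (constructed)
    src: str
    asset: str
    kind: str    # "auth_fail", "auth_ok", "malware_detected", "port_scan"


# Constructed sample events.
EVENTS = [
    Event(1000, "10.0.0.5", "vpn-gw", "auth_fail"),
    Event(1005, "10.0.0.5", "vpn-gw", "auth_fail"),
    Event(1010, "10.0.0.5", "vpn-gw", "auth_fail"),
    Event(1015, "10.0.0.5", "vpn-gw", "auth_fail"),
    Event(1020, "10.0.0.5", "vpn-gw", "auth_fail"),
    Event(1030, "10.0.0.5", "vpn-gw", "auth_ok"),
    Event(2000, "10.0.0.9", "wiki", "auth_fail"),
    Event(2001, "10.0.0.9", "wiki", "auth_ok"),
    Event(3000, "10.0.0.7", "payroll-db", "malware_detected"),
    Event(4000, "203.0.113.4", "wiki", "port_scan"),
]


def _decide(decision: str, asset: str, reason: str, ts: int) -> dict:
    """Build a decision record; priority is set only for incidents."""
    crit = ASSET_CRITICALITY.get(asset, 1)
    priority = {3: "P1", 2: "P2"}.get(crit, "P3") if decision == "incident" else None
    return {"ts": ts, "decision": decision, "asset": asset,
            "priority": priority, "reason": reason}


def assess(events: list[Event]) -> list[dict]:
    """Classify each event (or correlated group) as 'incident' or 'event'."""
    decisions = []
    auth = defaultdict(list)  # (src, asset) -> auth events, for correlation
    for e in events:
        if e.kind in ("auth_fail", "auth_ok"):
            auth[(e.src, e.asset)].append(e)
        elif e.kind == "malware_detected":
            decisions.append(_decide("incident", e.asset, "confirmed malware on host", e.ts))
        elif e.kind == "port_scan":
            decisions.append(_decide("event", e.asset, "external scan, no access gained", e.ts))

    # A success is judged by how many failures preceded it inside WINDOW.
    for (src, asset), evs in auth.items():
        evs.sort(key=lambda x: x.ts)
        for i, e in enumerate(evs):
            if e.kind != "auth_ok":
                continue
            fails = [f for f in evs[:i] if f.kind == "auth_fail" and e.ts - f.ts <= WINDOW]
            verdict = "incident" if len(fails) >= FAIL_THRESHOLD else "event"
            decisions.append(_decide(verdict, asset,
                                     f"{len(fails)} failures then success from {src}", e.ts))
    return sorted(decisions, key=lambda d: d["ts"])


if __name__ == "__main__":
    for d in assess(EVENTS):
        tag = f"{d['decision'].upper()} {d['priority'] or ''}".strip()
        print(f"{d['ts']} {tag:10} {d['asset']:10} {d['reason']}")
```

The point of the correlation step is the one the control makes: the same raw signal (a successful login) is an incident in one context and routine noise in another, and the decision rule, not the alert volume, should determine which.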
Episode 36 — A.5.27–5.28 — Learning from incidents; Collection of evidence
A.5.27 requires organizations to institutionalize learning from incidents, transforming individual events into durable improvements. For the exam, emphasize that “lear...
Episode 37 — A.5.29–5.30 — Security during disruption; ICT readiness for business continuity
A.5.29 focuses on maintaining information security when normal operations are disrupted, such as during disasters, severe outages, or crisis events. For the exam, reme...
Episode 38 — A.5.31–5.32 — Legal/regulatory/contractual; Intellectual property rights
A.5.31 requires organizations to identify and comply with all applicable legal, regulatory, and contractual requirements related to information security. For the exam,...
Episode 39 — A.5.33–5.34 — Protection of records; Privacy & PII protection
A.5.33 mandates that records—authoritative evidence of activities performed—are protected so they remain authentic, reliable, and usable for as long as needed. For the...
Episode 40 — A.5.35–5.36 — Independent review; Compliance with policies/rules/standards
A.5.35 requires independent reviews of information security to verify that management arrangements and controls remain suitable and effective. “Independent” means obje...