All Episodes
Displaying 41 - 60 of 71 in total
Episode 41 — A.5.37 — Documented operating procedures
A.5.37 requires organizations to establish, document, and maintain operating procedures that guide consistent, controlled execution of security-relevant tasks. For the...
Episode 42 — A.5 Integration Capstone — Pitfalls, auditor patterns, mappings
This capstone episode synthesizes Annex A.5’s governance and organizational controls, highlighting how misalignments commonly appear in audits and how to map requireme...
Episode 43 — A.6.1–6.2 — Screening; Terms & conditions of employment
A.6.1 requires appropriate background screening of candidates, contractors, and third-party users in accordance with relevant laws, regulations, and ethics, proportion...
Episode 44 — A.6.3–6.4 — Awareness, education & training; Disciplinary process
A.6.3 establishes the obligation to provide awareness, education, and training so that all personnel understand security policies, their responsibilities, and how to a...
Episode 45 — A.6.5–6.6 — Responsibilities after termination/change; NDAs
A.6.5 ensures that information security responsibilities remain clear when employment terminates or roles change. For the exam, emphasize time-bound deprovisioning of ...
Episode 46 — A.6.7–6.8 — Remote working; Event reporting
A.6.7 establishes requirements for managing security in remote working arrangements, recognizing that homes, hotels, and public locations introduce different risks tha...
Episode 47 — A.7.1–7.2 — Perimeters; Physical entry
A.7.1 requires defining physical security perimeters that protect areas containing critical information assets and supporting infrastructure. For the exam, note the la...
Episode 48 — A.7.3–7.4 — Securing offices/rooms/facilities; Physical security monitoring
A.7.3 requires implementing protective measures for offices, rooms, and facilities proportionate to the assets they house. For the exam, emphasize practical safeguards...
Episode 49 — A.7.5–7.6 — Environmental threats; Working in secure areas
A.7.5 addresses protection against environmental threats—natural, accidental, or man-made—that could disrupt facilities or damage information assets. For the exam, foc...
Episode 50 — A.7.7–7.8 — Clear desk/screen; Equipment siting & protection
A.7.7 codifies clear desk and clear screen practices so that sensitive information is not exposed to casual observation or theft. For the exam, remember that this appl...
Episode 51 — A.7.9–7.10 — Off-premises assets; Storage media
A.7.9 requires controls for assets used off-premises, recognizing that laptops, tablets, phones, developer kits, and even lab equipment are exposed to theft, loss, and...
Episode 52 — A.7.11–7.12 — Supporting utilities; Cabling security
A.7.11 addresses supporting utilities—power, water, HVAC, and communications—whose failure can render even perfectly secured systems unavailable or damaged. For the ex...
Episode 53 — A.7.13–7.14 — Equipment maintenance; Secure disposal/re-use
A.7.13 mandates that equipment be maintained correctly to ensure availability, integrity, and safety, with maintenance scheduled, authorized, and recorded. For exam pr...
Episode 54 — A.8.1–8.2 — User endpoint devices; Privileged access rights
A.8.1 consolidates expectations for user endpoint devices by requiring managed configurations, protection mechanisms, and governance proportional to data sensitivity a...
Episode 55 — A.8.3–8.4 — Information access restriction; Access to source code
A.8.3 requires restricting access to information and associated assets according to business need, classification, and risk. For the exam, connect policy to mechanism:...
Episode 56 — A.8.5–8.6 — Secure authentication; Capacity management
A.8.5 requires secure authentication mechanisms that match the sensitivity of systems and data, making this control central to exam questions about assurance levels, f...
Episode 57 — A.8.7–8.8 — Anti-malware; Technical vulnerability management
A.8.7 mandates protection against malware across endpoints, servers, email, and web gateways, recognizing that modern threats blend commodity payloads with living-off-...
Episode 58 — A.8.9–8.10 — Configuration management; Information deletion
A.8.9 requires establishing secure configuration baselines and maintaining them through change discipline, making it a frequent exam target for questions about drift c...
Episode 59 — A.8.11–8.12 — Data masking; Data leakage prevention
A.8.11 formalizes data masking so that sensitive fields are obfuscated or tokenized in contexts where full values are not required, such as analytics, testing, support...
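The blurb above distinguishes obfuscation (irreversible, for test or support views) from tokenization (a consistent pseudonym that still allows joins in analytics). The following is an added example, not material from the episode or from ISO 27001 itself: a small Python masking pipeline in which each field is handled by an explicit policy, unlisted fields are dropped by default, and tokens are keyed HMACs bound to the field name so the same value in two columns does not yield a linkable token. The key, field names and sample records are constructed for the demonstration.

```python
"""Added example: field-level data masking and keyed tokenization.

Constructed to illustrate the A.8.11 distinction between irreversible
masking and deterministic (keyed) tokenization; not from the original page.
"""
import hashlib
import hmac
import re

# Assumption: in practice this key lives in a KMS/HSM and is rotated;
# a constructed constant is used here so the example runs offline.
TOKEN_KEY = b"constructed-demo-key-not-for-production"


def mask_pan(pan: str) -> str:
    """Irreversibly mask a card number, keeping only the last four digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(addr: str) -> str:
    """Keep the first character and the domain; destroy the rest of the local part."""
    local, _, domain = addr.partition("@")
    if not local or not domain:
        raise ValueError("not an email address")
    return local[0] + "***@" + domain


def tokenize(value: str, field: str, key: bytes = TOKEN_KEY) -> str:
    """Deterministic pseudonym: same (field, value) -> same token.

    Binding the field name into the MAC input means an email that also
    appears in a free-text column gets a different token, so columns
    cannot be cross-linked by token alone. Without the key, tokens are
    not reversible and not re-derivable.
    """
    msg = field.encode() + b"\x00" + value.strip().lower().encode()
    mac = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"tok_{field}_{mac[:16]}"


# Constructed policy: every field that may leave production is listed
# explicitly; anything absent is dropped (default deny).
MASK_POLICY = {
    "pan": "mask_pan",
    "email": "tokenize",
    "customer_id": "keep",
    "amount": "keep",
}

_ACTIONS = {"mask_pan": mask_pan, "mask_email": mask_email}


def mask_record(rec: dict, policy: dict = MASK_POLICY) -> dict:
    """Apply the policy to one record; unknown actions fail closed."""
    out = {}
    for field, action in policy.items():
        if field not in rec:
            continue
        value = rec[field]
        if action == "keep":
            out[field] = value
        elif action == "tokenize":
            out[field] = tokenize(str(value), field)
        elif action in _ACTIONS:
            out[field] = _ACTIONS[action](str(value))
        else:
            raise ValueError(f"unknown masking action {action!r} for {field!r}")
    return out


# Constructed sample export row, as it might be handed to a test environment.
SAMPLE = {
    "customer_id": 1042,
    "name": "Alice Example",            # not in policy -> dropped
    "email": "Alice@example.com",
    "pan": "4111 1111 1111 1111",
    "amount": 129.95,
}


def demo() -> dict:
    return mask_record(SAMPLE)


if __name__ == "__main__":
    print(demo())
```

Two properties are worth checking in a real pipeline beyond what the code shows: that the token key is never exported alongside the masked data set, and that the default-deny behaviour is tested so a newly added production column does not silently flow into test data.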
Episode 60 — A.8.13–8.14 — Information backup; Redundancy of processing facilities
A.8.13 requires organizations to back up information, software, and system images at intervals aligned to business needs, with protection, testing, and documentation s...