Understanding ISO 27001 Audit and Implementation
Scoping and Context
- Define the audit scope based on business processes and organizational structure.
- Identify primary departments in scope (e.g., product development, QA, production management).
- Identify interfacing teams (HR, IT, security, legal, finance) and external dependencies (e.g., cloud providers).
- Establish scope boundaries before detailed gap assessment and risk evaluation.
Gap Assessment
- Evaluate current compliance against ISO 27001 requirements.
- Identify gaps needing remediation.
- Performed after scoping and understanding organizational context.
Risk Assessment and Controls
- Perform comprehensive risk assessments covering confidentiality, integrity, and availability.
- Use multiple frameworks (ISO 31000, NIST, SOC 2, PCI DSS) as applicable.
- Determine which Annex A controls apply based on risk assessment outcomes.
- Develop Statement of Applicability (SOA) documenting applicable controls with justifications.
Internal Audit and Management Review
- Conduct internal audits to verify process adherence and control implementation.
- Hold management review meetings to assess readiness before external audits.
- Essential to complete internal audit and gap remediation prior to stage one external audit.
Business Continuity (BCP) and Disaster Recovery (DR)
Relationship with Risk Assessment
- Risk assessment addresses threats to confidentiality, integrity, and availability.
- Outputs support Business Impact Analysis (BIA) for BCP by identifying critical assets.
Business Impact Analysis (BIA)
- Identifies critical processes and impact of asset or system failure on business operations.
- Determines Recovery Time Objective (RTO) and Recovery Point Objective (RPO) to guide resilience measures.
- Stakeholders define acceptable downtime and data loss for their assets.
- Single, organization-wide methodology recommended for consistency.
Implementing BCP and DR
- Ensure resilience with backup systems and failover (mirrored instances, secondary systems).
- Recovery processes tailored based on criticality; more stringent RTO and RPO imply higher costs and complexity.
Managing Controls Applicability and Evidence
Mandatory vs Non-Mandatory Controls
- ISO 27001 Clauses 4 to 10 are mandatory across all organizations.
- Annex A controls are selected based on risk assessment and relevance.
- Controls from other standards may also supplement ISO controls.
Evidence Requirements
- Policies govern what needs to be done.
- Procedures provide step-by-step process execution.
- Lack of documented procedures is a non-compliance finding, even if policies exist.
Use of Gap Assessment in Applicability Determination
- Gap assessment focuses on compliance status, not applicability decisions directly.
- Practitioner expertise essential to validate stakeholder claims about control applicability.
Common Challenges in ISO 27001 Implementation
- Obtaining stakeholder buy-in and cooperation.
- Securing top management support.
- Overcoming lack of security awareness across teams.
Certification Preparation Tips
- Complete scoping, gap assessment, risk assessment, internal audit, and remediation before external audits.
- Stage one external audit primarily reviews documentation.
- Stage two audits evaluate implementation effectiveness.
- Early and thorough internal audits reduce surprises in certification audits.
Additional Insights
Unified Control Framework (UCF)
- Mapping overlapping controls across ISO, PCI DSS, SOC 2 to streamline compliance.
Training and Certification Bodies
- Lead auditor and lead implementer certifications are distinct but both valuable.
- Recommended examination bodies include CQI IRCA and Exemplar Global, with cost considerations.
Asset Inventory Requirements
- Mandatory documentation of all critical assets, including hardware, software, and data.
External Service Providers and Shared Responsibilities
- Leverage third-party certifications (e.g., data centers) and understand shared control responsibilities.
This guide consolidates practical knowledge useful for GRC professionals, auditors, and implementers preparing for ISO 27001 certification and managing organizational risk and continuity planning.
is not related to GRC. Mhm, so that is why I'm asking: what might they ask in interviews?
See, the questions they would ask depend firstly on the job role. Even in GRC there are multiple job roles: there are roles specific only to implementation, roles specific only to doing risk assessments, and roles specific only to auditing, because if you ask me, when you go to very big organizations they have a dedicated risk vertical whose job is only to perform risk assessments, and then there is a separate vertical or team who only does internal audits. So it completely depends on the job role. However, for GRC as a whole, the expectation is that you should have a basic understanding of the GRC domain; that is, you should have an understanding of various standards, especially ISO 27001, then also the SOC 2 framework, PCI DSS, NIST, and then multiple other risk management frameworks, ISO 31000 and similar risk management frameworks. These are the minimum prerequisites that any GRC role will demand. So they can ask you a wide range of questions, starting from how you decide on a scope, or what parameters you consider for any ISO certification, then how you actually perform a risk assessment. They might ask about a specific topic within risk assessment, like: explain what risk treatment is, what a residual risk is, what risk appetite is. So it can be a wide range of questions.
Okay, yeah, thank you.
No issues. Yes V, please go ahead.
Yeah, hi Nan, like I was
studying this business continuity risk assessment, and as we studied in the course also, I was having this doubt: are both risk assessments the same, or is there any change of perspective or any kind of methodology change which we need to consider?
No, the risk assessment on the whole is the same; there is no specific risk assessment done for your BIA. The risk assessment that you do for infosec should be so comprehensive that it covers all three of the triad: confidentiality, integrity, and availability. So this risk assessment is used as an input for your BIA, because in the risk assessment we'll be understanding what the impact is, what the actual threat is, what the actual vulnerability is, and if at all this risk is bound to happen, what the impact to my information and information systems will be. We'll also know what controls are in place. So this will be an input to our business impact analysis; there's no separate risk assessment that we do.
Okay, so the main crux remains the same, but in the case of business continuity we only focus on the business continuity aspect, right?
Correct, absolutely. So business impact analysis, as the name says, is where we try to understand what the impact to my business is going to be if a particular system or a process is not available. A simple example could be a production server. If that production server is not running, if it is not working or you are unable to access it, what will my impact be? It can be due to any number of reasons: someone hacked into it, somebody changed your password, or there is some physical damage to the server. There might be a number of reasons, but at the end of the day, what is the impact that I'm going to have if that asset is down? That is the whole objective of business impact analysis. Then after that we'll understand: okay, now the asset is down, how soon do we have to recover this asset? What is the minimum time frame within which I need to recover that asset, restore the asset back? That means here we are calculating RTO, which is nothing but recovery time objective, which will help us decide what the maximum amount of downtime is that we are okay to agree upon. Along with this we should also calculate something called RPO, recovery point objective. See, just restoring the system is not enough; we should also restore all of its configurations, all of its functionality, all of its backend data. So how much of this data we want to restore is decided by RPO; again, how much data loss is okay for us is what we decide based on RPO. So the more stringent your RTO and RPO, the more complex and more costly your controls are going to be.
Okay. And when we are calculating impact or calculating likelihood, the criteria by which we decide that this is acceptable, this is not acceptable, or this is minor, major or catastrophic: who decides this, or how do we come to that conclusion?
Are you talking about the impact?
Yeah, impact.
So this business impact analysis is done with the stakeholders. Say you are the owner of the production server and I am doing the business impact analysis. I come to you, I sit with you, and I explain to you what the objective of the activity is. Then I will ask you, because you are the owner, you are the best person within the organization: if the asset is down due to XYZ reasons, what will be the impact to your process, what will be the impact to the organization? Then it is the business owner only who will be deciding what the maximum downtime is that he is okay to agree to, or what amount of data they are okay to lose. So it's all decided with the business owner. However, just like how we develop a risk assessment methodology, we'll also develop a business impact assessment methodology where we clearly categorize: if the impact is so and so, that is, 10 processes are affected, we have an impact of 10,000 rupees, we have 50 customers affected, six systems are affected due to this, then you can clearly mention that and say this constitutes a low impact for me; so and so downtime, so and so customers affected, so and so monetary loss is going to be a medium impact or a high impact. That we need to decide as part of the methodology, so that everybody follows one single methodology within the organization.
Okay. And in the case of ISMS we mostly follow asset-based risk assessment, so here is there any methodology which is preferred, or is whichever one okay? How will we decide this methodology in business continuity?
So there is no asset-based or something as part of business impact analysis. Here your assets are only going to get compromised; if your assets are compromised, then your associated processes will start getting compromised. So how we usually do a business impact analysis is: first we will try to identify what the critical processes within the organization or the teams are. You'll have an IT team, you'll have an engineering team, you'll have a DevOps team. Then we sit with them and understand what the various processes are that those team members have. Then for that process we'll understand what assets are involved within a particular process. For example, for development as a process, there might be a development server, there might be a test server, there would be your source code analysis tools, there will be a CI/CD pipeline, there will be your GitHub repo. So there will be multiple assets, and we'll pick up each and every asset and discuss with the stakeholder, asking: what if your development server is down, what will be the impact to the organization? If the GitHub repository is down and not accessible, what is going to be the impact? Like that, we will sit and do a business impact analysis with the stakeholders.
Okay, thanks.
No issues, good. Next, whoever has a question, you can get started. Okay, I see there is one message in
the chat from B: could you please elaborate on ISO implementation from start to end, what needs to be done and how?
Okay, so it is not only specific to ISO; this is a generic methodology or a generic timeline for any audit. The first and foremost activity is to decide on the scope of the audit. It can be an internal audit, it can be an external audit, it can even be a gap assessment; for any kind of audit or assessment, first we have to decide on the scope. And how does this scope come into the picture? Usually it is the top management of the organization that is going to decide on the scope, because ISO is not a mandatory certification; the majority of organizations choose ISO or any other certification in order to expand their business. So the processes or the functions that are giving business to the organization will be decided as the scope. For example, if you are a product organization, your products will be in scope, and thereby the teams that are developing these products will automatically fall in the scope. Once you decide this main scope, then we need to identify the interfaces or the dependencies. Interfaces are those departments that help the main in-scope departments to function properly. Say we have a product development team or an engineering team as the main in-scope department; in order for this team to carry out their day-to-day operations we'll have multiple interfacing departments, starting from your HR team, then your physical security team, then your IT team, the DevOps team who manages the infra, then the legal team, your infosec team, the GRC and compliance team, then the finance team. Like this there are multiple dependencies, so we have to sit and understand what these interfacing departments are. And there could also be a dependency: say your entire infra is hosted on cloud, so this entire cloud environment will be your dependency; that is, your cloud service provider is your biggest dependency because your entire infra is hosted there. Or what if applications are developed in house but your production environment is on cloud? That's again a dependency for you. Like this we have to identify the main in-scope departments, your interfaces and dependencies, and that will collectively form our scope.
Once we do the scoping, we do something called a gap assessment. A gap assessment is very simple: it is a process for us to understand where exactly we are standing as on date against the requirements of the standard, what our current posture or current level is when it comes to the best practices that the standard is asking us to follow. So you do a gap assessment, you get to know what is going well, what needs to be improved, what needs to be completely changed, then you take actions against each of those gaps and start remediating them. Then you also perform something called a risk assessment in order to identify the risks of compromise of confidentiality, integrity and availability of the information. Once you do that, once all the risks are treated and all the gaps are closed, we go for an internal audit. Then in ISO specifically we also need to do a management review meeting, and once we do all this we are good to go for the external audit. So this is how a typical life cycle of an audit looks.
Hi Nan. So I would like to
know, I mean, you just mentioned that we need to have the scoping document, we need to complete the scoping first. So if I can add to this: scoping, plus the context of the organization, and then the ISMS objectives. I think prior to the gap assessment we should have these documents, so that the output of these can assert the gap assessment and with processes. So correct me if I'm wrong.
So your context of the organization: what do you mean by context of the organization?
Basically the context, I mean, in the scoping document what do we do? We set the boundaries, what all the functions and the departments are that we are going to cover as per the ISMS planning. So that's all, I mean, the context of the organization, maybe the internal parties, the external parties involved, their issues, whatever risks the external parties are having, the internal parties; that is ISO Clause 4.1, 4.2, issue management and needs and expectations.
Exactly. Before that: that is the theoretical way that the standard is telling, but in real life that will not work. In real life, setting the context of the organization or understanding the context of the organization is nothing but understanding the processes of the organization. So if at all you want to either implement or audit, you need to have a certain basic understanding of the organization and its processes, in terms of, firstly, what exactly the organization is doing: is it providing services, is it selling products? Any organization will do either of them. What are the geographical locations that the organization is catering to, what are the geographical locations that the organization is actually present in, who are the customers of the organization? This basic understanding we should have before we even go further. And in reality we don't first understand the issues, the needs and expectations and then do the scoping; no, that will be practically impossible in real life. First we establish the scope, and then, once you set up the boundary, within that boundary you start identifying the issues, you start identifying the interested parties, what their needs are, what their expectations are, and you perform the risk assessment. So that's how you do it.
Okay, my second question is: I
have a customer, and they are having the external audit scheduled in the month of November. So they have set up the stage one audit in November and they have taken three months of time to go with the external audit, the stage two, in the month of, I would say, January for example. So in November, stage one.
Yeah.
So I'm the external body, I mean, I'm taking care of their internal audit, and overall I'm preparing them so that they can face the external audit and get the certification. So do I need to complete all the phases of the audit, including the implementation phase, the auditing phase, I mean performing a gap assessment (the gap assessment is a part of the implementation), and then performing the internal audit, finding all the gaps, releasing a report highlighting all the gaps, and then remediating all the gaps, all the observations?
So are you asking whether, before you go for an external audit, you need to finish all these aspects? Is that what you are asking?
Because they don't...
Sorry, Pra, your voice is breaking. What I'm trying to understand is: are you asking me whether you as an organization need to complete the scoping, gap assessment, risk assessment, internal audit, everything, before going for the external audit? What was your question?
Yeah, before going for the stage one audit, do I need to complete the internal audit? Because performing an internal audit takes more time, taking the evidences takes more time and there are many challenges to get all those evidences. So what I can do, correct me if I'm wrong, is go with the stage one audit and get the client ready with all of Clauses 4 to 8, and then for 9 to 10 we have enough time for the internal audit. So is it okay if we go like this?
You can't do that. Stage one audit and stage two audit, both the audits are part of your external audits, right? So what is the ultimate objective...
Sorry, sorry, I mean the auditor has given us more time, to the client, to perform the stage two audit. So there is no ... of that time.
What I'm trying to say is: your stage one audit and stage two audit, the audit will be split into two stages only during your initial certification of ISO 27001. In the stage one audit all that the auditors will be doing is document review. So you'll have to present to the auditors all the documentation that you have: all the mandatory documents, policies, procedures, your registers, everything you need to present. If you are telling that you are not performing the internal audit...
Exactly, right.
In that case you'll not be able to share your internal audit report, you'll not be able to share your CAPA sheet, the corrective action register. So that is a gap from your stage one audit. Usually the auditors would not allow that.
So if I... why? Because...
Okay, only in the internal audit will we get to know whether the processes are actually being followed as per the policy, as per the procedures, as per the requirements of the standard or not. So you as an organization will get a confirmation or confidence that your processes are fine only if you face an internal audit. Without that, going into the external audit would not be a wise decision, and usually auditors will also not allow it.
Mhm, mhm.
Because say, okay, they allow you: in stage one you finished, you submitted all the documents except your internal audit report and your corrective action register. Okay, now you say stage one is there, stage two will also be there, you'll do a normal internal audit, not a thorough audit. Now what if there are very, very big gaps in your external stage two audit? It's going to be a nightmare.
Exactly.
So usually auditors will not allow a stage one audit without your internal audit being performed.
Okay, got it, thanks a lot. Thanks.
No issues.
Yes, next question please.
Hi Vish, are you here?
Yes, hi Vishnu.
Hi Nan. So once we have defined the in-scope, you said something about the interfaces and dependencies; can you state an example for that in the case of a product company?
So for a product company, say you have product ABC. The team who is developing the product will be the main scope, then your QA team will be the main scope.
Mhm, yeah.
These two could be the usual scope, again depending on the naming conventions of the organization; I'm keeping it very simple, one team is developing, one team is testing.
Okay, yes.
And you can also have your team who is pushing the code and managing the production; that will also be a main scope department. These three, and we can consider that as your team C, you can name it whatever internally. Now for these three teams to perform there needs to be some dependency, there need to be some departments who help them to carry out their day-to-day process. For example, your IT or the DevOps team are the ones who will handle the infra on which your applications are hosted, on which your code is developed, etc. So this will be one interfacing department. Your HR will be interfacing, physical security or admin will be an interfacing department, our own team in compliance or GRC is also an interfacing department, legal, finance; all these would be your interfacing departments. So interfacing departments are those that help the main in-scope departments carry out their day-to-day operations.
No issues, thank you.
You're welcome. Yes guys, next question.
Hi, Prati here. One more question I have, related to the Annexure controls. So in the
2022 version, correct, there are 93 controls in that.
Mhm.
These 93 controls are not the mandatory controls, correct?
Correct. The controls which are mentioned in the clauses... clauses are not your controls.
Yeah, these are the clauses I'm talking about; these are the mandatory documents, I would say.
Correct.
Okay, so I'm just confirming if I'm wrong.
If you're confirming, okay, let me explain. So yeah, as you rightly mentioned, the Clauses starting from 4 till 10 are mandatory. Clauses 0, 1, 2 and 3 are only non-operational clauses, because these clauses talk more about the standard itself: they explain the applicability of the standard, they explain what ISMS is, they explain the terms and definitions and references. Those are all just for our understanding purposes. The actual clauses start from 4 till 10; these seven, these eight clauses are arranged in a PDCA cycle, the plan-do-check-act model. Now when it comes to Annex A, as you rightly mentioned, there are 93 controls arranged in four different domains, and absolutely right, not all 93 controls are mandatory. So how do we decide whether a control is mandatory or not? By doing a risk assessment. When you do a risk assessment, you identify a particular risk; in order to mitigate or treat a particular risk you need to implement a control, and that control is what you pick from Annexure A. It is not mandatory that you have to take controls from Annexure A only; you can take controls from NIST, you can take controls from SOC 2, you can take controls from PCI DSS or any other standard, ISO is not objecting. But at the end of the day we need to develop something called the SoA, statement of applicability. This document will have the list of all the controls that are applicable to the organization along with the status of why exactly the control is applicable or not applicable, the reason basically, and what the current implementation status is: whether it is implemented, it is planned, it is not planned at all, and so on. So in the SoA you will mention what controls are applicable and what controls are not applicable to you as an organization.
Okay, with the justification?
Yes, absolutely, justification should be provided.
Okay. So suppose I'm asking the stakeholder, I need this evidence relevant to this control, and they are saying we do have a policy in place but we do not have any process document, any procedure document in place. So do I need to pass that control, or do I ask them to...
Yeah, because your policy is a governing document which states what needs to be done for a particular operation or a particular process. Your SOP or the procedure is the document that will have step-by-step guidelines as to how exactly the process is executed. So even if you do not have a policy or a procedure, both will become a finding.
Okay, got it.
So you need to raise that as a minor non-compliance and give a timeline to the stakeholders to develop the SOP, and we need to ensure that the process is in line with the SOP and the SOP is in line with the process; again, there should be no gap in that.
Okay, got it, thanks.
Excuse me, can you repeat once again? Clauses 4 to 10 are
mandatory, and then for the other clauses we need to pick up any clauses?
No, no, no. Your Clauses 4 to 10 of the ISO standard are mandatory; your Annexure controls are not mandatory. Which controls are needed and which are not needed you will get to know only after doing a thorough risk assessment. But at the same time we can't say that, okay, access control is not applicable to me; no, that's going to be a major non-compliance, because for every organization access control will be applicable irrespective of the process that they are following. So we have to do a thorough risk assessment and we need to check which controls are applicable to us and which controls are not applicable to us, and then select the controls and document them in the document called the statement of applicability, or SoA.
Okay. Can I give you one example of a non-mandatory control?
Oh yes, whatever it is.
So for example, say your scope is only a certain service that you are providing, say customer service. In this case there are no development activities in place; it's a mere call center that you are running. So there are no development activities, so your entire set of SDLC controls will not come into the picture; all those secure development life cycle controls will be not applicable. And say there is a dedicated control for cloud security: if all of your infra is hosted on-prem and there is no cloud environment, then again the cloud security control will be not applicable, because you do not have a process around it.
So that we need to consider only after the risk assessment?
Yes, yes, after the risk assessment we need to consider which controls are applicable for us, then we need to do the SoA.
Correct.
Absolutely, the SoA. Then after the SoA you have to start implementing the controls.
Okay. SoA full form: statement of applicability.
Okay.
This has to be finally approved by both people? Both people are...
So that again depends on your infosec governance. You can have an infosec steering committee, you can get approval from the CISO. Based on the infosec governance that you have in the organization, the approval can be taken.
Okay, thank you, thank you very much.
No issues.
Nan, one more question, which is
related to asset inventory. So asset inventory is a mandatory document, correct?
Yes, absolutely.
In the asset inventory, the control says you should have an asset inventory in place which should include all the end user devices plus software or hardware devices, all the things. So do we need to focus on the critical end user devices or the software, or on all the assets?
Yeah, all the assets in scope. It can be a laptop, it can be a server, a database, it can be your mobile phones if at all your organization is allowing removable media, your policies, procedures, any physical records, any type of asset that can be compromised on CIA, confidentiality, integrity, availability.
If the customer says, Prati, we do have a long list which we need to mention in that tracker, so is it okay if we provide you the high or critical list here, what will I do in that case? Do I need the other assets... I mean, they are not addressed, right?
What is the objective of documenting an asset inventory? So that you as an organization clearly have a picture as to what your assets are, who is managing these assets, who the owner of these assets is, what the valuation of the asset is in terms of CIA, how sensitive or critical this asset is. So if you are not documenting it as part of your inventory, then how will you track that asset?
Okay, yes.
Irrespective of the criticality, you have to document it as part of the asset inventory.
Okay. But my second question is related to the gap assessment. You just mentioned that we need to perform a risk assessment, and with the help of that risk assessment we can go for the statement of applicability documentation part and analyze which controls are applicable and not applicable, with the required justification, correct? So instead of this, can we do it the other way to find out the applicable controls, like we perform the gap assessment, and there we take the remark; we'll be sitting with the customers and asking if this control is relevant to your organization or not. I mean, we will be going with all the...
No, that is not the objective of a gap assessment. A gap assessment you do to understand where you are currently standing. See, the end goal is ISO compliance, that means you need to follow all the requirements stated by the ISO standard. Now if you want to reach there, you first have to know where you are currently standing.
Mhm.
That is why we do a gap assessment. The name itself is: what are the gaps in a process or in your organization? So you do an assessment, or you do an audit; if you are getting confused, it is nothing but another assessment or an evaluation that you do to understand which controls are compliant, which clauses are compliant and which are non-compliant, what we need to develop newly, what we need to modify, what changes we need to bring about. That is why you do a gap assessment.
But the gap assessment sheet which I have seen most of the time is having questions related to all the clauses and related to all the controls.
Yes.
So the customer is just fulfilling, I mean, take it like this: if they are having this comprehensive gap assessment document...
See, at the end of the day you are hired as a GRC professional. We are the subject matter experts who know what needs to be done, what we are supposed to do and what we are not supposed to do. So we should be the ones who are asking the questions live, understanding their process and telling whether it is a gap or not against the requirements specified in the standard.
Okay, so at that point of time, if the customer says that this control is not applicable, for example, so
you need to understand you need to ask them justification why it is not applicable why do you think it is not
applicable okay they are they are giving the justification that this is why um this is this control is not applicable
some justification they have given me so this will benefit uh to prepare the statement of applicability correct but
again you we have to analyze whether it is right or wrong so you are sitting with the development team okay and they
are telling source code repository or access to source code control is not applicable to me because I don't want to
implement access to the source code I am okay to give access to anybody in the organization what do you think is it an
applicable control not applicable control I am a Spock okay you are doing an assessment of software
development right I tell that I don't want to implement access to my source code I am okay to give access to anybody
in the organization so please make Access Control not applicable to us are you okay with this no no huh so we need
to also assess whatever inputs that the stakeholders are giving because they don't know they don't know ISO they
don't know infosec they don't know anything they are not subject matter experts so we need to pitch in our
opinion we need to provide our recommendation and tell them what is right what is
wrong okay about that thanks a lot thanks no issues yes guys next
question. Hey Nanjan, hi, good evening. Thanks for covering a lot. Just one little question. It has a lot of information, you know, everyone has their own view, but I want your expertise.

Sure.

What are the common challenges an organization generally faces when they start preparing for an ISO audit?

You mean to say in the external audit, or during the entire implementation phase?

During the entire implementation phase, when the companies start and they want...

One main, major challenge which is common across all the organizations is buy-in, or cooperation, from the stakeholders, because everybody even till date thinks that whatever we do as part of GRC is only an overhead for them. We will tell them to have proper access controls, implement MFA, ensure all the patches are getting deployed, ensure there is a change request for all the changes that they make. We tell them to do all these things, and even till date, even after so many breaches, and now that people are aware of the importance of infosec, the common challenge is still stakeholder buy-in. That means you will not get cooperation; at the end of the day the GRC team members are the ones running behind each and every team member, asking them to implement things, asking them for evidence, telling them to follow certain things. So that is still there.

The second common problem or challenge could be in terms of support from the top management. If at all there is no support from top management, forget your implementation, because implementing any control again comes with a cost: it needs time, then you need stakeholder support and other team members' support, and only your top management can help you get all these things. If at all your top management is not supportive, then we will not be able to do anything.

And the third very important, common issue is awareness. Still people don't know what information security is; they simply think that it is an overhead. They will be like, "Okay, you guys are coming, the GRC team is coming, they are giving us more work." So that awareness is still not there. These are the three common challenges that are present in any organization across the globe.

Absolutely right. Yeah, thank you.

No issues. Yes, Prakhar, I see you've raised
your hand, please go ahead.

Hello, sorry. Yes, I have a question. I just want to understand: if you want to audit an ODC, which is an offshore delivery center, what can be the clauses or controls that are applicable from an ISO 27001 standpoint, majorly?

Again, my question to you: what is the scope? When you say ODC center, I don't have proper context here. What does this ODC center do?

A secured center.

What does secured center mean? What kind of processes are happening in this center?

Support, basically; the support operations take place there.

Are you telling me it is a customer support call center?

Support in terms of application support, I would say. An internal support team sits there.

Okay, so you want to... yeah, please continue.

It's a secured area wherein we need to assess the access: who is coming in, who is going out, the entire area itself.

Okay. So if at all it is a support team, then I'm telling you what would not be applicable, that is for sure: your secure development will not be applicable. Then, if at all all the assets and all the servers of that team are on-prem (I'm considering the scope of only this team, not any other scope), if there is nothing on cloud, then cloud security will not be applicable. Like this we need to start and analyze. See, your access controls will be applicable, asset management will be applicable, incident management will be applicable, change management is applicable, patch management is applicable. So the majority of the controls will still be applicable; there are only specific controls that are process dependent which are not applicable. And irrespective of the team that you are getting certified, your clauses from 4 till 10 will be applicable, mandatory. All the clauses from 4 till 10 are mandatory. I'm not even telling you it is applicable, I'm telling you it is mandatory; that means everybody has to follow that.

Okay, yes, got it. And suppose they ask to audit in terms of ISO and PCI DSS and SOX, so should we have to pick up the common controls of all these, unify the controls, or how should it be?

Okay, so for you as a GRC team, again you'll have to do the audit so that you get to know what the current posture is. Then you can develop something called a UCF, a unified control framework, because see, access management is present in ISO, in SOC, in PCI also; incident management is also there. However, the difference is your ISO does not mandate, when it comes to access, how often your access reviews have to be done or what the minimum length of a password is. However, PCI DSS mandates it. So if you want to achieve compliance with PCI, you have to ensure you have at least 14 characters of password. So in your UCF you are now picking password length as a control from three standards and making it one control, so if at all you have a 14 character password you are compliant with all three standards. Like that you can develop a UCF. This will help you, and the stakeholders also; they also know, "Okay, if I follow these 15 points I am compliant," and they will be relieved, and your job will also become easier.

Okay. And should we have to mention that in a column or something, which controls these are?

You can mention, yes. You can give a reference: password length 14 characters, and you can give the ISO control number A.so-and-so, SOC control principle so-and-so, PCI control 8.7.something like that. You can give a reference.

Okay, got it. Yeah, thank you.

No
issues. Cool, next.

Hi Nanjan, I asked one question.

Yes, Narim, please go ahead.

Actually, I just want to understand: will the auditor and implementer both have separate exams, or is it the same exam? And what is the examination body?

Okay, so you are asking about ISO 27001 lead implementer and lead auditor?

Yes, yes.

Lead implementer and lead auditor are two different exams. However, the industry expects GRC professionals to have practical implementation and auditing knowledge and lead auditor certification; lead implementer certification is not commonly asked for, so it is not a mandatory requirement. So I would personally suggest simply not spending money on both lead implementer and lead auditor; instead you can focus on the lead auditor certification. But there is no compromise on the skill set: both implementation and auditing skill sets are mandatory.

Okay, thanks. And what is the examination body we are going to write with?

So there are two examination bodies, CQI IRCA and Exemplar Global. These are the two certification bodies. CQI is very expensive; Exemplar Global is on an affordable note. That is why we have partnered with Exemplar Global, so for all of my students I personally recommend Exemplar Global only. Until and unless it is a mandatory requirement, I don't suggest anybody shell out 40,000 to 45,000 for lead auditor certification where you can finish that in less than 12 to 13,000 with Exemplar Global. That's why I personally recommend all of my students for Exemplar Global only.

Okay, thank you.

No
issues. Hello. Okay, one at a time. Okay, Bindu, go ahead.

Okay, I have one doubt regarding BCP and DR. Could you provide some examples of how to ensure BCP and DR in various areas of an organization? Especially, I am interested in understanding best practices for implementing BCP and DR across the different functionalities.

Okay. Firstly you need to understand the basic difference between what business continuity is and what disaster recovery is. Business continuity is nothing but ensuring your processes are still continuing in the event of a disaster or an incident; irrespective of what is happening, we want to ensure that the minimum set of processes continues to run. Then disaster recovery is nothing but: in case of a disaster, or in case of a huge data breach or an incident, you will not be able to run with the full-fledged infra, because multiple assets might be down due to the incident or something. So disaster recovery, as the name suggests, is recovering back from a disaster, ensuring you are going back to the previous normal working condition. That is disaster recovery. Both BCP and DR are a major part of your availability principle.

For ensuring you have a proper BCP/DR process in place, we have to ensure that our assets or infrastructure and processes are resilient; that is, even if one of my systems is down, I need to have the capability that there are secondary systems running, so that even if my primary system is down my process is not affected, because I still have the other two systems. But how do you actually decide whether you actually need a secondary live system, or whether it is okay if you can work with only the primary system? How do we know that? The very backbone of your BCP/DR is business impact analysis, as I was explaining. So we need to sit with the stakeholders and understand what the impact to me as an organization will be if at all a particular asset is not working, if at all it is down. According to the impact, then we'll ask them, "Okay, consider an asset is down; what is the maximum amount of downtime that you are okay to withstand?" That is nothing but your RTO. So if at all the stakeholder states, "Okay, I'm okay with a downtime of only 1 hour," then we will decide the RTO to be at least 45 to 50 minutes, so we still have a 10 minute grace period, and we have to ensure that our infrastructure is so resilient that if at all the asset is down, within 45 to 50 minutes it is up and back running. Then we also ask them, "Okay, the asset is down; what is the amount of data that you are ready to lose?" They are telling, "Okay, data is not that important; I can have a data loss of up to one week." So from this you got the RPO as one week. Now this is how you decide your backups for that particular asset: you take a weekly backup, because the stakeholder only agreed that he is okay to lose data of one week. That is how you decide your RTO and RPO.

I always give two examples. One is your net banking application: you're doing a BCP/DR for a bank, your net banking or mobile banking application is one, then the internal HRMS portal is the other application. So first you sit with the net banking application team and you ask them, "Okay, I'm doing a BIA; what is the RTO, or what is the amount of downtime that you are okay to agree to?" There they will tell you zero seconds: "I don't want my application to be down even for a single second." So here the RTO is 0 minutes; that means irrespective of what is happening we have to ensure that the application is still running. So what we can do: we can have a multiple mirrored configuration, where we have to ensure all of the instances are working together, so even if one instance is down we still have another instance which will be able to cater to the traffic. Then RPO, again we will ask them, and they'll tell, "Okay, no, again I don't want to lose even a single second of data." Again you have multiple databases with a mirrored configuration, all running at the same time with parallel sync of data, so even if one database is down we have other databases to back it up. When it comes to the HRMS application, they will tell you, "Okay, it is not very critical, it is attendance and other leave tracking; I am okay to have a downtime of one week." So here we need not have any secondary instance for this; you can have only one instance, and you can have a backup based on the data loss that they are agreeing to. Accordingly, as soon as you get to know the asset is down or the application is down, you can start your DR process and you can recover the asset based on the time frame that is set. So the more stringent your RTO and RPO, the more aggressive your controls need to be.

Okay, thank you so much.

No issues, no issues. Kusharas, please go ahead.

Hi Nanjan, actually I needed help
regarding this: I have got the job responsibility of implementing business continuity in my organization. My organization has support functions like HR, IT and other fields, and there are revenue generators, right? So I would like to understand how we do the business impact analysis of the non-revenue generators, because for revenue generators you can still work on it, but how do you do business impact analysis and business continuity for non-revenue generators who are just supporting the main revenue generator or the bigger team in any kind of backend support, but not leading from the front end to get revenue? How can we do the business impact analysis, or maybe the business continuity, for those functions?

They might not be the direct revenue generators, but as you mentioned, they are the backend support team.

Yes, yes.

If at all these teams are not available, definitely your revenue generation teams will get affected, right?

Yes.

Again, the same logic. This backend support team can be anything; say they have a ticketing tool, for example Jira or ServiceNow, I'm just giving an example. So you'll have to sit with them and understand what their actual process is. Firstly understand how they are giving support to the other departments, what the dependency of other teams on these support teams or non-revenue generation teams is, what applications these teams are using, what assets are present with this team, and you have to again do a business impact analysis. Here the impact will basically be concentrated on the revenue generation teams. Say, as I mentioned, they might have a ticketing tool like Jira.

Yes.

So for example, if Jira is down, you have to understand what the impact to the other teams will be. If at all their Jira is not working, definitely they'll not be able to get any requests, they'll not be able to respond to any requests, they'll not be able to close any requests; that means it's a direct impact to the revenue generation teams. That's how we have to map it.

Okay, so one more thing: if we have one set of questions to understand whatever, in that case do we need to maintain two separate forms for conducting business impact analysis, like one for the support...

The objective is the same, a simple objective: if your asset, application or process is down, what is the impact? That's all.

Got it. And if a certain thing is not applicable, they can just mention it as not applicable, but we should go through one form and one process across the...

Absolutely, one methodology to be followed across the organization; there are no two methodologies. That is why the impact also: not every impact is high, not every impact is low, we have to develop that matrix. So if at all 10 customers are affected, 10,000 rupees is getting lost, if I have a so-and-so legal implication, etc., you can have multiple parameters; if all of this is happening it becomes a low impact. Say if 50 customers are getting affected, one lakh rupees of financial impact, that is a high impact for me. So you can develop these metrics to understand the impact, or to categorize the impact, but at the end of the day it is the RTO and the RPO that are very, very important for us.

Got it, thank you so much.

No issues. Joshua, I see that you have raised your hand, please go ahead.

Yeah,
right, thank you for this session. I just want to bring up, like, what's the difference: we see a lot of ISO 27001 lead auditor courses, as you mentioned, from Exemplar and from CQI, and we also see a lot of courses on Udemy and a lot of online courses. So how far are they valid, also from a career perspective? Which is more valid, or is there anything we have to consider on that?

See, irrespective of the course, the main objective should be to develop the skill set that the industry is asking for. So what is the industry asking? Three things. First is practical understanding of implementing and auditing the ISO 27001 standard requirements. Secondly, the ability to perform risk assessment. Thirdly, your lead auditor certification. And to be frank, none of the courses that are available outside in the market are capable enough of, or are catering to, this, because at the end of the day all of them are only focusing on getting you guys a certificate, that's all, that is the lead auditor certificate. The trainer also is not from a GRC background; they'll teach whatever they have as part of their course content. They'll have classes from morning 10 a.m. to evening 6 p.m., 5 days you have the class, the sixth day you'll write the exam, and nobody will understand anything; it will be very, very theoretical only. I have some of my students also here. That is why we, from Ministry of Security, started this ISO training, practical training only, so as to ensure that we are helping the students with the practical skill set that the industry is asking for. I am the trainer who will be teaching ISO, so I take this practical implementation and auditing training of ISO. I explain with the help of real life examples and real life implementation documents: I first simplify the requirement, explain what the standard is asking us to do, and I'll not stop there; I'll also showcase real life implementation documents and explain what we are actually doing in real life in order to achieve compliance. That's where you develop practical understanding.

Nanjan, when are you starting this?

My next batch is starting from the 28th of September.

Oh, and what will the timings usually be?

The classes will be only on weekends, Saturday and Sunday, morning 10:00 a.m. to 1:00 p.m. IST, so we'll have in total 36 hours of live online classes on Zoom.

Yeah, so can you just share the link to register?

Sure, definitely, let me ping you the link.

If you can send the same link to me also.

I'll drop it in the chat so that you guys can fill the form.

Right, give me a moment. I need to refer someone, that's why.

Sure, definitely, I will share the link here. Just give me a moment, I'm searching for that link.

Thank you.

Just give me a moment. Yeah, so I have dropped the registration link in the chat, so all of you can use this link and show your interest, and probably Kushy from my team will reach out to you all.

I am looking for CISA, sorry, I am looking for CISA training.

CISA training also we provide; you can fill the same form.

Same form?

Yes, you can fill the same form, she will help you.

Okay, okay, thank you.

No issues. Yes, Bav.

Yeah, do we need any minimum professional experience in cyber security to pursue the certification?

No, there's no minimum experience needed for LA or LI.

Like any other domain, like some are from... or like...

Not needed for lead auditor, lead implementer, not needed. Even for my training it is not needed, because I will start everything from scratch, basics only. I will
teach.

Oh, thank you.

Nanjan, 42001 also you're starting?

Yes, we recently started a batch; we have also started 42001.

Can we get into that, or has the syllabus already been covered?

The recent batch has already started, but we are launching a new batch soon, so again you can fill the same form and we'll definitely reach out to you. And if at all you guys don't want to fill any form, I will share the direct WhatsApp chat link for me; you guys can directly DM me and I'll help you with any of your queries. Let me share my WhatsApp link, so you can just click on this link and you'll be able to chat with me. Whatever queries you might have, it need not be only for training; even if you have any query in terms of your career, or if you are stuck in any audit, or if you want any guidance or mentoring, anything, I'm always open to help infosec professionals. You can always reach out to me on the WhatsApp number that I've shared. Any other questions, guys? I know we have gone 10 minutes over, but I'm still okay to take questions. If at all you guys have any questions, please ask
me.

Nanjan, just one question.

Sure.

Do we have multi-factor authentication related controls there in Annex A?

Secure authentication is the control.

Okay. And if I would like to collect some data center related controls, where can I see those controls? I can see some of them which are there in the physical controls.

I'll get the answer from you only. So it is an on-prem data center, right?

Correct.

So now can you tell me what all will be applicable, what processes will be applicable? Start naming.

I do not have any idea, because I have tested only the environmental related controls there in the data center.

Very simple, you need not worry much. See, in a data center you have assets; you have to manage them end to end, so asset management is applicable, correct? Assets you need to access again, so access management will be applicable. You'll be deploying patches, so patch management is applicable. Your data center will have servers, databases and network devices, so you'll have to harden them, so secure configuration will be applicable. Your password policies will be applicable. You can't leave your servers as is; you have to deploy one or the other malware solution, so the anti-malware control will be applicable. Again, it is a data center, very critical, so we have to have a proper BCP/DR in place; business continuity is applicable. Then we should also be prepared to handle any kind of incident: what if there is a malware attack or a DoS attack? So your entire incident management is applicable. Physical security is obviously applicable. Then you would be storing sensitive data in the database, so encryption is applicable. Your data center has to talk to, I mean, users should be able to connect to the data center assets, so network security is applicable. Very simple. You just understand what the data center is, what the functionality of a particular process or team is. See, I did not do anything; I just did a basic run-through and from this I got more than 15 domains of controls. Very simple. And in your data center there'll be multiple vendors, so your vendor management is applicable there, vendor risk management. GRC is very, very simple.

Okay. So suppose the data center is having their own audit performed and they are having an audit report. Do we need to rely on that report, or do we need to test the data center related controls again as per ISO 27001?

You are asking about a managed data center, right? For example Netmagic or NTT data centers, those kinds of data centers?

Yes.

So once again we need to understand what the shared responsibility is: what the data center is responsible to do, and what we as an organization are responsible to do. Definitely your physical security is the complete responsibility of your data center only, so end to end physical security controls are managed by them. But there are data centers, like Netmagic and NTT, where apart from providing just the cage, they will also manage the assets: they will provide their own servers, they will ensure the patching, they will ensure that your incidents are taken care of, they will ensure the changes; they are doing everything, and they will have the admin privileges. So once again it completely depends on the shared responsibility, what the data center is responsible to do and what we as an organization are responsible to do. Accordingly, the controls that are applicable to us we need to implement; for the rest of the controls that the data center is responsible for, we can make use of their ISO, their SOC, their PCI certificates, and we'll get confidence that all of that is proper, because they don't allow us to audit. They'll have thousands of customers; if they start allowing everyone to audit, every minute there'll be hundreds of requests to them. That's why we have to rely on their existing certifications.
Okay, one more doubt.

Okay, yes.

Before the audit, the external audit team will come; our internal audit team has to submit their findings, isn't it? Whether they conducted the internal audit or not, they need to submit the report to the external audit; only then will they start it, isn't it? Or what is it?

Can you please repeat?

Tomorrow they are going to come for findings, for observations. Before they start, they will ask, they will talk to the internal audit team, whether they have done the internal audit or not; based on that they will start the external audit.

Yes, absolutely. Without internal audit confirmation they won't even start the audit. The internal audit should be completed.

Yes, okay, fine, thank you.

No issues.

Nanjan, there are two controls which have been excluded from the current version; I have read it somewhere but I don't remember those controls.

There are controls that have been deleted and that have been merged also, yes, but that does not mean that there is a lack of controls here in Annex A now. Nope, all the controls that were present earlier are still present in one or the other form in the existing 93 controls. Majorly what they have done is they have clubbed multiple controls into one single control.

Okay, so have they also changed the sequence of the clause numbers, till 10?

The sequence of the clause numbers is not changed. There are no major changes in the clauses; the major changes are in the Annex A controls only.

Okay, okay. Any other doubts, guys?

Nanjan, I have a query: what is TÜV SÜD?

They are basically lead auditor certificate providers; again, TÜV SÜD is another training company, but at the end of the day you'll be getting the certificate either from CQI IRCA or Exemplar Global only. So if at all you want the LA certificate, you have to ensure the training companies are affiliated to either of them. If they are telling you, "We give the certificate on our own," that is not globally valid; don't fall for the trap, it is not valid, you'll simply end up wasting money. It should be either Exemplar Global or CQI IRCA.

So Nanjan, on the 28th you're going to start your new batch?

Yes.

Is it for
internal auditor, or the implementer, I mean the lead auditor or the lead implementer?

Mine will cover both implementation as well as audit. As I mentioned, I mainly focus on developing the practical understanding. If you have the practical understanding of a particular control, you can use it for both implementation and audit. So if you know what the standard is asking us to do for a particular requirement, and what we are doing in real life, what we are supposed to do, this knowledge you can use for implementation, if at all you have been given a responsibility to implement, so that you can convey the same to the stakeholders and get things implemented. The same knowledge you can use to audit the existing implemented controls.

Okay, so you also provide the certification?

Yes, from Ministry of Security we do provide a certificate for this GRC course, and we also help you with the lead auditor certification.

Great.

We definitely do that.

Okay. And one more question that has just come to my mind: suppose there is a new customer, I mean I've been assigned a new customer, and the new customer is aiming for ISO 27001 certification. What will be the duration I can ask from them? I mean, "this much time I would need to complete your overall process," starting to the end. Is it 6 months I need to take from them?

For the lead exam, is it?

No, not for the exam; for preparing them to get the implementation done.

Okay, I'll tell you. See, scoping we will do in less than one week; the gap assessment we'll do in less than one week, or at max two weeks; the risk assessment also will be completed. Now starts the actual part of implementing the controls and treating the risk. This completely depends on how supportive your internal stakeholders are and how you are getting proper support from your top management. In the entire life cycle, or entire journey, of ISO, the major chunk of time goes into the implementation only. Once you implement, again you start the audit; in less than one week the audit is finished, then one week from that you'll have your external audit also. So our job is very much less time consuming compared to the actual implementation and closing the gaps. Typically in any organization approximately 5 to 6 months is needed; somewhere between 4 to 6 months is absolutely needed. But I am not telling you it is not possible to do it in one month; nope, definitely possible. I myself have completed the end to end implementation in less than 3 weeks for multiple organizations. As I informed, it completely depends on the internal stakeholders.

Even I have just completed it for one of my clients in two months.

Ah yeah, see, you already know it.

Yeah, one thing, I mean, what I'm thinking of: to perform a risk assessment there are many challenges. I mean, the customer is having their own risk assessment, technical risk they have...

Is it okay now?

Yeah, yeah, better. So the customer is having a risk assessment already in place; they have the asset based risk assessment, they have a service based risk assessment in place. So then, after that, do we still need to perform a risk assessment to get all the...

You already performed it; why do you have to perform it once again?

Not me, but they have not gone with all the controls...

See, at the end of the day the risk is dynamic. The threat landscape keeps on changing, your vulnerabilities keep on changing, so your entire risk register and risk treatment register is always dynamic. It is not like your policy or SOP that will remain constant for a
longer period of time nope so risk assessment and risk treatment registers and especially the risks in
the organization are very Dynamic so absolutely you'll have to do it
okay okay it thank you cool okay uh thank you so much guys
for uh taking part in this session S I hope uh it was an insightful session definitely it was uh very insightful for
me uh to answer all of your doubts so right as I mentioned if you if at all you have any doubts please reach out to
me on Whatsapp I've dropped my WhatsApp link right and you can also reach out to me on LinkedIn I'll always be available
right so thank you so much if at all you want any mentoring any training any guidance please reach out to us we'll
definitely help you thank you so much for being an active participants thank you for sharing a lot
of the good information I really appreciate right thank you so much Sanjay really means a lot thank you
thank you great thank you P thank you mdom thanks n thank you pratik thank you thank you guys have a nice day happy
weekend bye-bye
To define the ISO 27001 audit scope, start by identifying relevant business processes and organizational structures involved in information security, such as product development, QA, and production management. Include interfacing teams like HR, IT, security, legal, and finance, along with any external service providers such as cloud providers. Establish clear boundaries for what is included in the scope before conducting gap assessments or risk evaluations to ensure focused and effective audit preparation.
Conducting an ISO 27001 risk assessment involves evaluating risks related to the confidentiality, integrity, and availability of information assets. Use multiple frameworks like ISO 31000, NIST, SOC 2, or PCSS to identify threats and vulnerabilities. Based on the risk outcomes, determine applicable Annex A controls and document them in a Statement of Applicability (SOA) with justifications to guide control implementation and compliance.
BIA identifies critical business processes and evaluates the impact of potential asset or system failures on operations, helping define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). These metrics guide resilience measures and backup strategies within the Business Continuity Plan (BCP), ensuring downtime and data loss remain within acceptable limits defined by stakeholders. A consistent, organization-wide approach to BIA supports effective continuity planning aligned with ISO 27001 requirements.
ISO 27001 Clauses 4 to 10 contain mandatory requirements applicable to all organizations. In contrast, Annex A controls are selected based on the organization's risk assessment and relevance to its context, making them non-mandatory but essential for managing identified risks. Proper management involves documenting policies and procedures that cover these controls, with practitioner expertise needed to validate control applicability and ensure compliance during audits.
Internal audits verify that processes are followed and controls are effectively implemented, allowing organizations to identify and remediate gaps proactively. Management reviews assess overall readiness and resource allocation for certification. Completing these steps before external audits, especially the stage one audit focused on documentation, reduces surprises and increases the likelihood of successful certification by demonstrating maturity and continuous improvement.
Organizations must maintain comprehensive documentation, including not only policies that define what needs to be done but also detailed procedures that describe how processes are executed step-by-step. The absence of documented procedures, even when policies exist, is considered a non-compliance. Establishing and keeping these documents updated ensures clear evidence of control implementation and process adherence during audits.
Common challenges include securing stakeholder buy-in, obtaining top management support, and overcoming a general lack of security awareness across teams. Overcoming these requires effective communication that highlights the benefits of certification, leadership commitment to prioritize information security, and training programs to raise awareness and foster a security-centric culture within the organization.
This summary and transcript were automatically generated using AI with the Free YouTube Transcript Summary Tool by LunaNotes.