
Principle of Cyber Security
Shiva Goud Balamoni
Saint Leo University
Assignment no 4

Question 1

a) A series published by the ISO (International Organization for Standardization) and the IEC (International Electrotechnical Commission) describes how to implement information security best practices. This is done by introducing ISMS (Information Security Management System) requirements. An ISMS is a systematic approach to risk management, including measures to address the three pillars of data security: people, processes and technology.

This series consists of 46 individual standards, including ISO 27000, which outlines the family and also explains key terms and definitions. You don't have to fully understand all of the ISO standards to understand how the series works; some of them are not relevant to your organization, and there are just a few core standards to get used to.

ISO 27001
It is the core standard for the ISO 27000 series and includes the ISMS implementation requirements. It is important to remember that ISO/IEC 27001:2013 is the only standard in the series against which an organization can be audited and approved. It provides an overview of everything needed to achieve compliance, and this has been extended by each subsequent standard.

ISO 27002
This is a supplemental standard that provides an overview of data security management that organizations may find more valuable in their implementation. Organizations only need to implement the controls that they consider relevant, and which controls are relevant becomes apparent during the risk assessment. The controls are described in Appendix A of ISO 27001, which is basically a brief overview, but ISO 27002 provides a more comprehensive overview of how each control works, its purpose, and how to implement it.

ISO 27017 and ISO 27018
Introduced in 2015, these complementary ISO standards explain how businesses can protect sensitive information in the cloud. This has become especially important as businesses move much of their sensitive information to online servers. ISO 27017 is a code of practice for information security that provides additional information on how the Annex A controls apply to information stored in the cloud. ISO 27001 has the option to treat these as separate control sets: select the set of controls in Appendix A for "normal" data and the set of controls in ISO 27017 for the data in the cloud.


Term: Spring
Professor: Ray
Tags: Information Security, IEC, NIST Security Publications
