Framework - ISO 27001 (Cyber)
Episodes
Welcome to Framework - ISO 27001
14 Oct 2025
Contributed by Lukas
Dive into a fast, no-fluff overview of what this podcast delivers, who it’s for, and how each episode helps you level up with practical, real-world ...
Episode 70 — A.8.33–8.34 — Test information; Protecting systems during audit testing
14 Oct 2025
Contributed by Lukas
A.8.33 governs test information—data and artifacts used to verify functionality and security—so that confidentiality, integrity, and legality are ...
Episode 69 — A.8.31–8.32 — Separation of dev/test/prod; Change management
14 Oct 2025
Contributed by Lukas
A.8.31 enforces separation between development, test, and production to prevent inadvertent changes, data leakage, and unauthorized access. For the ex...
Episode 68 — A.8.29–8.30 — Security testing in development & acceptance; Outsourced development
14 Oct 2025
Contributed by Lukas
A.8.29 requires structured security testing throughout development and acceptance, proving that controls operate as intended before release. For the e...
Episode 67 — A.8.27–8.28 — Secure system architecture & engineering; Secure coding
14 Oct 2025
Contributed by Lukas
A.8.27 focuses on secure system architecture and engineering, requiring designs that partition trust, minimize attack surface, and enforce least privi...
Episode 66 — A.8.25–8.26 — Secure development lifecycle; Application security requirements
14 Oct 2025
Contributed by Lukas
A.8.25 requires a secure development lifecycle (SDLC) that embeds security from concept to retirement, not as a late-stage gate. For the exam, describ...
Episode 65 — A.8.23–8.24 — Web filtering; Use of cryptography
14 Oct 2025
Contributed by Lukas
A.8.23 establishes web filtering to manage risk from browsing and outbound HTTP/S traffic, acknowledging that the browser is a primary threat vector. ...
Episode 64 — A.8.21–8.22 — Security of network services; Segregation of networks
14 Oct 2025
Contributed by Lukas
A.8.21 requires that network services—whether internal or provided by third parties—be specified and secured to meet business and security require...
Episode 63 — A.8.19–8.20 — Software installation on operational systems; Network security
14 Oct 2025
Contributed by Lukas
A.8.19 restricts software installation on operational systems to prevent drift, reduce attack surface, and maintain license and support compliance. Fo...
Episode 62 — A.8.17–8.18 — Clock synchronization; Privileged utility programs
14 Oct 2025
Contributed by Lukas
A.8.17 mandates synchronized time across systems so that events recorded in different places can be reliably correlated. For the exam, stress why this...
Episode 61 — A.8.15–8.16 — Logging; Monitoring activities
14 Oct 2025
Contributed by Lukas
A.8.15 requires that logging be planned, consistent, and comprehensive enough to reconstruct significant actions affecting information security. For t...
Episode 60 — A.8.13–8.14 — Information backup; Redundancy of processing facilities
14 Oct 2025
Contributed by Lukas
A.8.13 requires organizations to back up information, software, and system images at intervals aligned to business needs, with protection, testing, an...
Episode 59 — A.8.11–8.12 — Data masking; Data leakage prevention
14 Oct 2025
Contributed by Lukas
A.8.11 formalizes data masking so that sensitive fields are obfuscated or tokenized in contexts where full values are not required, such as analytics,...
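A worked illustration of the masking and tokenization that A.8.11 describes, which also serves A.8.33 above (masked production extracts are a common source of test information). This is an added example, not code from the podcast or from the standard. It assumes a hypothetical record layout (fields pan, email, name, amount), a constructed sample data set, and an example HMAC key; the analytics consumer is assumed to need only the last four digits of the card number and a stable, non-reversible customer key for joins.

```python
"""Data masking and keyed tokenization (added example; hypothetical record layout)."""
import hashlib
import hmac

# Constructed sample records; not real cardholder data.
SAMPLE_RECORDS = [
    {"pan": "4111111111111111", "email": "Alice.Smith@Example.com",
     "name": "Alice Smith", "amount": 42.50},
    {"pan": "5500-0000-0000-0004", "email": "bob@example.org",
     "name": "Bob Jones", "amount": 19.99},
]

# Example key for the demonstration only; in practice this lives in a secret
# store with its own rotation and access controls.
EXAMPLE_KEY = b"example-key-not-for-production"


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Replace all but the last `keep_last` digits with '*'.

    Length and separators are preserved so downstream format validation still
    passes. Refuses inputs too short to leave anything hidden."""
    digit_count = sum(c.isdigit() for c in pan)
    if digit_count <= keep_last:
        raise ValueError("PAN too short to mask safely")
    to_mask = digit_count - keep_last  # digits still to be hidden
    out = []
    for c in pan:
        if c.isdigit() and to_mask > 0:
            out.append("*")
            to_mask -= 1
        else:
            out.append(c)
    return "".join(out)


def tokenize(value: str, key: bytes, context: str) -> str:
    """Deterministic keyed token (HMAC-SHA256, truncated to 128 bits).

    Equal inputs map to equal tokens, so analytics can join on the token,
    but the raw value cannot be recovered without the key (this is
    one-way tokenization, not a reversible vault). `context` namespaces the
    token so an email token never collides with a name token, and input is
    normalized so case/whitespace variants of one identity match."""
    normalized = value.strip().lower()
    mac = hmac.new(key, f"{context}:{normalized}".encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def mask_record(rec: dict, key: bytes) -> dict:
    """Build the analytics view of one record: no raw PAN, email or name."""
    return {
        "pan_masked": mask_pan(rec["pan"]),
        "customer_token": tokenize(rec["email"], key, "email"),
        "amount": rec["amount"],  # non-sensitive field passes through
    }


def mask_records(records: list, key: bytes) -> list:
    return [mask_record(r, key) for r in records]


def leaks_raw_values(masked_rows: list, raw_rows: list) -> bool:
    """Pre-release check: does any raw PAN (digits only) or email appear
    anywhere in the serialized masked output?"""
    blob = str(masked_rows)
    blob_digits = "".join(c for c in blob if c.isdigit())
    for r in raw_rows:
        raw_digits = "".join(c for c in r["pan"] if c.isdigit())
        if raw_digits in blob_digits or r["email"].lower() in blob.lower():
            return True
    return False


if __name__ == "__main__":
    masked = mask_records(SAMPLE_RECORDS, EXAMPLE_KEY)
    for row in masked:
        print(row)
    print("leak check:", "FAIL" if leaks_raw_values(masked, SAMPLE_RECORDS) else "ok")
```

The design choice worth noting: the HMAC token is deliberately one-way, which is what an analytics or test environment usually needs. Where a business process must later recover the original (refunds against a card, for example) a reversible tokenization vault is the right control, and the vault itself then becomes the asset to protect.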
Episode 58 — A.8.9–8.10 — Configuration management; Information deletion
14 Oct 2025
Contributed by Lukas
A.8.9 requires establishing secure configuration baselines and maintaining them through change discipline, making it a frequent exam target for questi...
Episode 57 — A.8.7–8.8 — Anti-malware; Technical vulnerability management
14 Oct 2025
Contributed by Lukas
A.8.7 mandates protection against malware across endpoints, servers, email, and web gateways, recognizing that modern threats blend commodity payloads...
Episode 56 — A.8.5–8.6 — Secure authentication; Capacity management
14 Oct 2025
Contributed by Lukas
A.8.5 requires secure authentication mechanisms that match the sensitivity of systems and data, making this control central to exam questions about as...
Episode 55 — A.8.3–8.4 — Information access restriction; Access to source code
14 Oct 2025
Contributed by Lukas
A.8.3 requires restricting access to information and associated assets according to business need, classification, and risk. For the exam, connect pol...
Episode 54 — A.8.1–8.2 — User endpoint devices; Privileged access rights
14 Oct 2025
Contributed by Lukas
A.8.1 consolidates expectations for user endpoint devices by requiring managed configurations, protection mechanisms, and governance proportional to d...
Episode 53 — A.7.13–7.14 — Equipment maintenance; Secure disposal/re-use
14 Oct 2025
Contributed by Lukas
A.7.13 mandates that equipment be maintained correctly to ensure availability, integrity, and safety, with maintenance scheduled, authorized, and reco...
Episode 52 — A.7.11–7.12 — Supporting utilities; Cabling security
14 Oct 2025
Contributed by Lukas
A.7.11 addresses supporting utilities—power, water, HVAC, and communications—whose failure can render even perfectly secured systems unavailable o...
Episode 51 — A.7.9–7.10 — Off-premises assets; Storage media
14 Oct 2025
Contributed by Lukas
A.7.9 requires controls for assets used off-premises, recognizing that laptops, tablets, phones, developer kits, and even lab equipment are exposed to...
Episode 50 — A.7.7–7.8 — Clear desk/screen; Equipment siting & protection
14 Oct 2025
Contributed by Lukas
A.7.7 codifies clear desk and clear screen practices so that sensitive information is not exposed to casual observation or theft. For the exam, rememb...
Episode 49 — A.7.5–7.6 — Environmental threats; Working in secure areas
14 Oct 2025
Contributed by Lukas
A.7.5 addresses protection against environmental threats—natural, accidental, or man-made—that could disrupt facilities or damage information asse...
Episode 48 — A.7.3–7.4 — Securing offices/rooms/facilities; Physical security monitoring
14 Oct 2025
Contributed by Lukas
A.7.3 requires implementing protective measures for offices, rooms, and facilities proportionate to the assets they house. For the exam, emphasize pra...
Episode 47 — A.7.1–7.2 — Perimeters; Physical entry
14 Oct 2025
Contributed by Lukas
A.7.1 requires defining physical security perimeters that protect areas containing critical information assets and supporting infrastructure. For the ...
Episode 46 — A.6.7–6.8 — Remote working; Event reporting
14 Oct 2025
Contributed by Lukas
A.6.7 establishes requirements for managing security in remote working arrangements, recognizing that homes, hotels, and public locations introduce di...
Episode 45 — A.6.5–6.6 — Responsibilities after termination/change; NDAs
14 Oct 2025
Contributed by Lukas
A.6.5 ensures that information security responsibilities remain clear when employment terminates or roles change. For the exam, emphasize time-bound d...
Episode 44 — A.6.3–6.4 — Awareness, education & training; Disciplinary process
14 Oct 2025
Contributed by Lukas
A.6.3 establishes the obligation to provide awareness, education, and training so that all personnel understand security policies, their responsibilit...
Episode 43 — A.6.1–6.2 — Screening; Terms & conditions of employment
14 Oct 2025
Contributed by Lukas
A.6.1 requires appropriate background screening of candidates, contractors, and third-party users in accordance with relevant laws, regulations, and e...
Episode 42 — A.5 Integration Capstone — Pitfalls, auditor patterns, mappings
14 Oct 2025
Contributed by Lukas
This capstone episode synthesizes Annex A.5’s governance and organizational controls, highlighting how misalignments commonly appear in audits and h...
Episode 41 — A.5.37 — Documented operating procedures
14 Oct 2025
Contributed by Lukas
A.5.37 requires organizations to establish, document, and maintain operating procedures that guide consistent, controlled execution of security-releva...
Episode 40 — A.5.35–5.36 — Independent review; Compliance with policies/rules/standards
14 Oct 2025
Contributed by Lukas
A.5.35 requires independent reviews of information security to verify that management arrangements and controls remain suitable and effective. “Inde...
Episode 39 — A.5.33–5.34 — Protection of records; Privacy & PII protection
14 Oct 2025
Contributed by Lukas
A.5.33 mandates that records—authoritative evidence of activities performed—are protected so they remain authentic, reliable, and usable for as lo...
Episode 38 — A.5.31–5.32 — Legal/regulatory/contractual; Intellectual property rights
14 Oct 2025
Contributed by Lukas
A.5.31 requires organizations to identify and comply with all applicable legal, regulatory, and contractual requirements related to information securi...
Episode 37 — A.5.29–5.30 — Security during disruption; ICT readiness for BC
14 Oct 2025
Contributed by Lukas
A.5.29 focuses on maintaining information security when normal operations are disrupted, such as during disasters, severe outages, or crisis events. F...
Episode 36 — A.5.27–5.28 — Learning from incidents; Collection of evidence
14 Oct 2025
Contributed by Lukas
A.5.27 requires organizations to institutionalize learning from incidents, transforming individual events into durable improvements. For the exam, emp...
Episode 35 — A.5.25–5.26 — Event assessment/decision; Incident response
14 Oct 2025
Contributed by Lukas
A.5.25 establishes a disciplined mechanism to assess events and decide whether they constitute information security incidents, preventing alert fatigu...
Episode 34 — A.5.23–5.24 — Use of cloud services; Incident mgmt planning & prep
14 Oct 2025
Contributed by Lukas
A.5.23 focuses on governing the use of cloud services so that risk treatment is consistent with enterprise policy and legal obligations. For the exam,...
Episode 33 — A.5.21–5.22 — ICT supply chain; Monitoring/review of supplier services
14 Oct 2025
Contributed by Lukas
A.5.21 extends supplier governance to the broader ICT supply chain, recognizing that products and services depend on multiple tiers of vendors, firmwa...
Episode 32 — A.5.19–5.20 — Supplier relationships; Supplier agreements
14 Oct 2025
Contributed by Lukas
A.5.19 establishes that supplier relationships must be governed to protect the organization’s information and services. For the exam, focus on risk-...
Episode 31 — A.5.17–5.18 — Authentication information; Access rights
14 Oct 2025
Contributed by Lukas
A.5.17 requires organizations to protect authentication information throughout its lifecycle, emphasizing creation, issuance, use, storage, and revoca...
Episode 30 — A.5.15–5.16 — Access control; Identity management
14 Oct 2025
Contributed by Lukas
A.5.15 requires that access to information and other associated assets be limited to authorized users, processes, or devices, in accordance with busin...
Episode 29 — A.5.13–5.14 — Labelling of information; Information transfer
14 Oct 2025
Contributed by Lukas
A.5.13 builds on classification by requiring that information be labelled according to handling requirements. For the exam, understand that labels may...
Episode 28 — A.5.11–5.12 — Return of assets; Classification of information
14 Oct 2025
Contributed by Lukas
A.5.11 mandates that employees, contractors, and third parties return all organizational assets upon termination or change of role. For the exam, high...
Episode 27 — A.5.9–5.10 — Asset inventory; Acceptable use
14 Oct 2025
Contributed by Lukas
A.5.9 requires an accurate, current inventory of information and other associated assets, including hardware, software, data sets, cloud resources, id...
Episode 26 — A.5.7–5.8 — Threat intelligence; Security in project management
14 Oct 2025
Contributed by Lukas
A.5.7 introduces threat intelligence as a structured capability to collect, analyze, and share information about adversaries, techniques, vulnerabilit...
Episode 25 — A.5.5–5.6 — Contact with authorities; Special interest groups
14 Oct 2025
Contributed by Lukas
A.5.5 requires organizations to establish and maintain appropriate contact with relevant authorities, such as regulators, law enforcement, and nationa...
Episode 24 — A.5.3–5.4 — Segregation of duties; Management responsibilities
14 Oct 2025
Contributed by Lukas
A.5.3 addresses segregation of duties (SoD), a foundational control that reduces fraud and error by distributing tasks and authorities among different...
Episode 23 — A.5.1–5.2 — Policies for InfoSec; Roles & responsibilities
14 Oct 2025
Contributed by Lukas
A.5.1 requires establishing a set of information security policies that provide direction and support consistent with business objectives and relevant...
Episode 22 — Clause 9.3 + 10 — Management review; Nonconformity; Continual improvement
14 Oct 2025
Contributed by Lukas
Clause 9.3 requires top management to conduct reviews at planned intervals to ensure the ISMS remains suitable, adequate, and effective. For exam purp...
Episode 21 — Clause 9.2 — Internal audit
14 Oct 2025
Contributed by Lukas
Clause 9.2 establishes the internal audit as a formal, independent check on ISMS conformity and effectiveness. For the exam, remember that audits must...
Episode 20 — Clause 9.1 — Monitoring, measurement, analysis & evaluation
14 Oct 2025
Contributed by Lukas
Clause 9.1 requires organizations to determine what needs to be monitored and measured, the methods, the timing, the responsibility, and how results a...
Episode 19 — Clause 8.2 + 8.3 — Risk assessment & treatment in operations
14 Oct 2025
Contributed by Lukas
Clauses 8.2 and 8.3 require conducting risk assessments at planned intervals and implementing risk treatment plans—bringing the methodology from Cla...
Episode 18 — Clause 8.1 — Operational planning and control
14 Oct 2025
Contributed by Lukas
Clause 8.1 translates strategy into execution by requiring the organization to plan, implement, and control the processes needed to meet ISMS requirem...
Episode 17 — Clause 7.5 — Documented information
14 Oct 2025
Contributed by Lukas
Clause 7.5 sets requirements for creating, updating, and controlling documented information necessary for the ISMS. The standard distinguishes between...
Episode 16 — Clause 7.3 + 7.4 — Awareness; Communication
14 Oct 2025
Contributed by Lukas
Clause 7.3 requires organizations to ensure that people doing work under their control are aware of the information security policy, their contributio...
Episode 15 — Clause 7.1 + 7.2 — Resources; Competence
14 Oct 2025
Contributed by Lukas
Clauses 7.1 and 7.2 emphasize the human and material foundation of the ISMS—adequate resources and competent personnel. Clause 7.1 ensures that suff...
Episode 14 — Clause 6.3 — Planning of changes
14 Oct 2025
Contributed by Lukas
Clause 6.3 requires organizations to plan ISMS-related changes systematically to avoid unintended consequences. Changes may involve personnel, process...
Episode 13 — Clause 6.2 — Objectives & planning to achieve them
14 Oct 2025
Contributed by Lukas
Clause 6.2 focuses on establishing measurable information security objectives consistent with the organization’s policy, risks, and opportunities. T...
Episode 12 — Clause 6.1.3 — Risk treatment planning
14 Oct 2025
Contributed by Lukas
Clause 6.1.3 outlines the requirements for developing and maintaining a risk treatment plan, which defines how identified risks will be managed. Organ...
Episode 11 — Clause 6.1.2 — Risk assessment methodology
14 Oct 2025
Contributed by Lukas
Clause 6.1.2 requires the organization to define and apply a consistent methodology for information security risk assessment. This methodology must sp...
Episode 10 — Clause 6.1 — Actions to address risks & opportunities
14 Oct 2025
Contributed by Lukas
Clause 6.1 introduces ISO 27001’s risk-based thinking by requiring organizations to plan actions to address both risks and opportunities. This claus...
Episode 9 — Clause 5.3 — Roles, responsibilities, authorities
14 Oct 2025
Contributed by Lukas
Clause 5.3 ensures that roles, responsibilities, and authorities for the ISMS are clearly defined and communicated. Effective implementation depends o...
Episode 8 — Clause 5.1 + 5.2 — Leadership & policy evidence
14 Oct 2025
Contributed by Lukas
Clause 5.1 requires top management to demonstrate leadership and commitment to the ISMS, while Clause 5.2 mandates an information security policy alig...
Episode 7 — Clause 4.4 — ISMS processes and interactions
14 Oct 2025
Contributed by Lukas
Clause 4.4 elevates the ISMS from documentation to a functioning management system by requiring defined processes and their interactions. For exam can...
Episode 6 — Clause 4.3 — Determining ISMS scope
14 Oct 2025
Contributed by Lukas
Clause 4.3 defines one of the most critical early deliverables in ISO 27001 implementation: the formal ISMS scope. The scope establishes the boundarie...
Episode 5 — Clause 4.1 + 4.2
14 Oct 2025
Contributed by Lukas
Clause 4.1 requires understanding the organization’s context—internal and external factors that influence the ISMS’s purpose and outcomes. Claus...
Episode 4 — 27002 Attributes & the SoA
14 Oct 2025
Contributed by Lukas
ISO 27002:2022 introduced a new attribute model to help organizations slice and categorize controls in multiple ways. Each control now includes attrib...
Episode 3 — What Changed
14 Oct 2025
Contributed by Lukas
The 2022 revision of ISO 27001 and 27002 modernized the framework to reflect today’s digital threat landscape. The control set was condensed from 11...
Episode 2 — ISMS & PDCA in Practice
14 Oct 2025
Contributed by Lukas
The ISMS is more than documentation; it is a governance framework built on the Plan-Do-Check-Act (PDCA) cycle that embeds continual improvement into s...
Episode 1 — Orientation & Outcomes
14 Oct 2025
Contributed by Lukas
ISO 27001 certification begins with understanding the broader ISO 27000 family of standards that form the foundation for information security manageme...