ISO/IEC 27001:2022 Foundation
I recently had a short gig at a local internet carrier where I got in touch with the topic of ISO/IEC 27001 - which is fundamentally relevant to the protection of information.
Briefly, the standard deals with the implementation, maintenance, and continuous improvement of an Information Security Management System, abbreviated to ISMS. This system ensures that standard measures (‘controls’) are implemented so that information is safe.
I never fully understood how Risks, Controls, Processes, and Policies worked together in a unified way and how they fit into the bigger picture. I did ITIL and Cobit5 Fundamentals years ago and gained a lot from that, but how it all connected into one comprehensive framework always eluded me. So, I recently decided to take a self-learner course with an included exam on the ISO/IEC 27001:2022 standard at CertiProf. In total, I put maybe 20 hours into it, but it was sufficient and worth it. It’s actually quite a small standard, the official ISO PDF is -even included with the entire control Annex A- below 30 pages in total. As i was honestly interested in the topic and not only the cert, additionally, I purchased a used book on the 27001:2013 version (which is basically identical to the 2022 one aside from major remodeling of Annex A).
Understanding how Confidentiality, Integrity, and Availability eventually define the controls, what the purpose of Annex A and its 4 groups of controls are, was very interesting. A Statement of Applicability (SoA) includes justifications for including or excluding all the standard controls. And of course, the risk identification, assessment, analysis, and actions to be taken - great course.
It’s a dry topic, but I really liked it. I passed the exam on Sunday with 95% and enjoyed learning about the topic. I can recommend a short journey into this norm for everyone interested in IT Governance.