Sieuwert Explains – Free Youtube Channel
| Sieuwert van Otterloo |
Security
We have started a Youtube channel called “SieuwertExplains” with short instruction videos on IT standards and compliance topics. It is intended as a free learning resource for people who want to improve their knowledge. The channel can be found here: https://www.youtube.com/@sieuwertexplains
The ISO 27001 series
On the channel we will make a series on ISO 27001. The planned episodes are described below:
- ISO 27001 introduction: What is it and why you might need it.
- ISO 27001: high level structure: context, risks and improvement.
- Implementing ISO 27001 A5: Organisational controls.
- Implementing ISO 27001 A6: People controls.
- Implementing ISO 27001 A7: Physical controls.
- Implementing ISO 27001 A8: Technological controls.
- Preparing for an ISO 27001 audit. This is based on our audit training course: ISO 27001 auditor training
ISO 27001 introduction: What is it and why you might need it
ISO 27001 structures information security around an Information Security Management System (ISMS) that combines risk management, continuous improvement, and a catalogue of security controls. Built on the CIA principles (confidentiality, integrity, availability), it helps organizations reduce the impact of cyber, data, and physical threats by linking context, risks, and controls.
Organizations typically establish an ISMS, implement controls, conduct internal audits, and seek external certification. ISO 27001 is relevant across security, privacy, development, DevOps, and management roles, and provides certification to demonstrate appropriate technical and organizational measures, including for GDPR compliance.
- Slides used: episode-01-what-is-iso-27001.pdf
- Article on ISMS structure and our certificate.
- Official copy of the ISO 27001 standard: https://www.iso.org/standard/27001
ISO 27001: high level structure: context, risks and improvement
The HLS (Chapters 4-10) defines the ISMS as the auditable core of ISO 27001. It starts with setting context and scope (Chapter 4), followed by management responsibility and support (Chapter 5). The ISMS is driven by risk management (Chapter 6), where risks are identified, treated, and formally linked to controls via the Statement of Applicability.
Chapters 7-8 cover ISMS support and operations, while Chapter 9 focuses on performance monitoring through KPIs, audits, and management reviews. Chapter 10 addresses continual improvement through corrective actions and learning from incidents. Overall, the HLS follows a Plan-Do-Check-Act cycle connecting context, risks, controls, evaluation, and improvement.
- Slides used: episode-02-iso-27001-harmonized-structure.pdf
- The Plan-Do-Check-Act (PDCA) cycle
- A summary of ISO 27001: A summary of ISO 27001 requirements for information security
- Applied risk management: A basic risk management method for information security
Implementing ISO 27001 A5: Organisational controls
The organisational controls in ISO 27001 focus on managing risks related to governance, processes, and responsibilities. They cover governance and policy structures (A5.1-A5.8), asset management and information handling (A5.9-A5.14), and identity and access management through role-based access control (A5.15-A5.18).
The controls also address supplier and cloud security (A5.19-A5.23), incident management as a cycle of detection, response, evidence collection and learning (A5.24-A5.28), business continuity and ICT readiness for recovery (A5.29-A5.30), and compliance with legal, regulatory and contractual requirements such as GDPR (A5.31-A5.37). Together, these controls ensure information security is governed, monitored, and continuously improved in daily operations.
- Slides used: episode-03-organizational-controls.pdf
- Main series article: ISO27002:2022 explained – Organizational controls
- A detailed supplier management article: Supplier management in ISO 27001
- A detailed business continuity article: ISO 27001 controls for security and business continuity
- A practical guide to the GDPR: 10 step guide for GDPR / Privacy compliance
Implementing ISO 27001 A6: People controls
People controls in ISO 27001 focus on the human side of information security. They aim to reduce risks caused by mistakes, lack of awareness, or malicious behavior by setting clear expectations throughout the employee lifecycle. This includes screening for sensitive roles, clear security responsibilities in contracts, regular security awareness and role-specific training, and fair disciplinary measures when rules are broken. The controls also address confidentiality after employees leave, secure remote working, and making sure staff know how to report security incidents. Together, people controls help build a security-aware culture where employees understand their role in protecting information and support the ISMS.
- Slides used: episode-04-people-controls.pdf
- Main series article: ISO27002:2022 explained – People controls
Implementing ISO 27001 A7: Physical controls
ISO 27001 physical controls are meant to protect facilities, equipment, and information against unauthorized access and environmental threats. They cover securing perimeters, entry points, offices, and sensitive areas, supported by monitoring measures such as alarms and cameras. The controls also address environmental risks, secure working practices, clear desk and screen rules, protection of assets and media (on- and off-premises), resilience of utilities and cabling, and the secure maintenance, disposal, and reuse of equipment.
- Slides used: episode-05-physical-controls.pdf
- Main series article: ISO27002:2022 explained – Physical controls
Implementing ISO 27001 A8: Technological controls
ISO 27001 technological controls protect information systems through secure configuration, access control, monitoring, and security-by-design. They cover endpoint and access security, system reliability and protection against technical threats (e.g. malware, vulnerabilities, backups, cryptography), and continuous logging and monitoring. The controls also embed security into networks and software development through secure network design, segregation, secure development lifecycles, application security, testing, and change management. This ensures systems are securely designed, operated, and maintained throughout their lifecycle.
- Slides used: episode-06-technological-controls.pdf
- Main series article: ISO27002:2022 explained – Technological controls
Preparing for an ISO 27001 audit
- This episode is based on our audit training course: ISO 27001 auditor training
Getting certified
If you have watched and studied all the “SieuwertExplains” videos on ISO 27001, you can obtain the “ISO 27001 foundation” certification. You do this by filling in this exam and paying a certification fee (€ 49 ex VAT). Once we receive the fee we will review your answers and send you the certificate via email. The certificate is issued via Accredible.
Further topics
We are considering making additional episodes on GDPR and privacy, the AI Act and other compliance topics.
Dr. Sieuwert van Otterloo is a court-certified IT expert with interests in agile, security, software research and IT contracts. He is also an ISO 27001 and NEN 7510 auditor and AI researcher.

