Jason Edwards
Framework - ISO 27001 (Cyber)
The ISO/IEC 27001 Framework is the internationally recognized standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). It provides a systematic approach to managing sensitive information through risk management, governance, and control implementation. At its core, ISO 27001 helps organizations protect the confidentiality, integrity, and availability of data—whether stored, processed, or transmitted—by aligning security practices with business objectives and regulatory requirements. The framework is built around a risk-bas...
Author
Jason Edwards
Category
Podcast website
Latest episode
Oct 14, 2025
Where to listen?
Podcasts in the app Replaio Radio Coming soonPodcasts are coming to the app soon. Install now and be the first to see a whole new take on podcasts
Episodes
Welcome to Framework - ISO 27001 14.10.2025 1:56
Dive into a fast, no-fluff overview of what this podcast delivers, who it’s for, and how each episode helps you level up with practical, real-world takeaways. In this trailer, you’ll hear the show’s promise, the format you can expect, and a sneak peek at the kinds of stories, tips, and expert insights coming your way. Hit follow to get new episodes as they drop and start listening smarter from day...
Episode 70 — A.8.33–8.34 — Test information; Protecting systems during audit testing 14.10.2025 13:19
A.8.33 governs test information—data and artifacts used to verify functionality and security—so that confidentiality, integrity, and legality are preserved. For the exam, distinguish data sources and handling: anonymized or synthetic data preferred over raw production; masking or tokenization when realism is required; and strict retention and segregation for test artifacts like logs, screenshots,...
Episode 69 — A.8.31–8.32 — Separation of dev/test/prod; Change management 14.10.2025 11:57
A.8.31 enforces separation between development, test, and production to prevent inadvertent changes, data leakage, and unauthorized access. For the exam, stress environment isolation, distinct identities and credentials, segregated networks, and differentiated data sets—production PII or secrets must not appear in dev/test without approved masking or synthetic generation. Tooling should prevent cr...
Episode 68 — A.8.29–8.30 — Security testing in development & acceptance; Outsourced development 14.10.2025 13:37
A.8.29 requires structured security testing throughout development and acceptance, proving that controls operate as intended before release. For the exam, differentiate testing modalities and purposes: unit and integration tests that encode security invariants; SAST for code weaknesses; DAST and IAST for runtime behavior; software composition analysis for dependencies; fuzzing and negative testing...
Episode 67 — A.8.27–8.28 — Secure system architecture & engineering; Secure coding 14.10.2025 14:56
A.8.27 focuses on secure system architecture and engineering, requiring designs that partition trust, minimize attack surface, and enforce least privilege at every layer. For the exam, emphasize architectural tactics—segmentation, brokered access, defense-in-depth, fail secure defaults, and explicit data flow controls—tied to assets, classifications, and availability objectives. Engineers must doc...
Episode 66 — A.8.25–8.26 — Secure development lifecycle; Application security requirements 14.10.2025 14:05
A.8.25 requires a secure development lifecycle (SDLC) that embeds security from concept to retirement, not as a late-stage gate. For the exam, describe SDLC phases with explicit security tasks: threat modeling during design; security requirements and acceptance criteria before coding; secure build pipelines with dependency hygiene; code reviews and static analysis during implementation; dynamic te...
Episode 65 — A.8.23–8.24 — Web filtering; Use of cryptography 14.10.2025 15:27
A.8.23 establishes web filtering to manage risk from browsing and outbound HTTP/S traffic, acknowledging that the browser is a primary threat vector. For the exam, emphasize policy-aligned controls that block known malicious domains, enforce safe browsing categories, and apply content inspection where lawful and appropriate to detect malware and data exfiltration. Modern approaches pair DNS-layer...
Episode 64 — A.8.21–8.22 — Security of network services; Segregation of networks 14.10.2025 13:06
A.8.21 requires that network services—whether internal or provided by third parties—be specified and secured to meet business and security requirements. For the exam, think beyond raw connectivity: services include routing, switching, DNS, DHCP, VPN, load balancing, DDoS protection, and content filtering. Contracts and internal SLAs should define availability, performance, logging, change processe...
Episode 63 — A.8.19–8.20 — Software installation on operational systems; Network security 14.10.2025 13:10
A.8.19 restricts software installation on operational systems to prevent drift, reduce attack surface, and maintain license and support compliance. For the exam, distinguish between development/test flexibility and production control: in operational environments, only authorized, vetted software from approved repositories may be installed, with changes governed by documented requests, peer review,...
Episode 62 — A.8.17–8.18 — Clock synchronization; Privileged utility programs 14.10.2025 21:59
A.8.17 mandates synchronized time across systems so that events recorded in different places can be reliably correlated. For the exam, stress why this matters: investigations, non-repudiation, and regulatory reporting all depend on consistent, traceable timestamps. Organizations typically standardize on secure time sources (e.g., authenticated NTP or cloud time services), designate stratum hierarc...
Episode 61 — A.8.15–8.16 — Logging; Monitoring activities 14.10.2025 13:25
A.8.15 requires that logging be planned, consistent, and comprehensive enough to reconstruct significant actions affecting information security. For the exam, connect logging scope to risk and classification: higher-value systems need richer telemetry—authentication results, admin actions, configuration changes, data access decisions, process creation, and network flows—captured with sufficient co...
Episode 60 — A.8.13–8.14 — Information backup; Redundancy of processing facilities 14.10.2025 14:52
A.8.13 requires organizations to back up information, software, and system images at intervals aligned to business needs, with protection, testing, and documentation sufficient to restore operations reliably. For the exam, emphasize policy-driven schedules by data class, immutable or versioned storage to resist ransomware, off-site or cross-region replication, and encryption with independent key m...
Episode 59 — A.8.11–8.12 — Data masking; Data leakage prevention 14.10.2025 14:07
A.8.11 formalizes data masking so that sensitive fields are obfuscated or tokenized in contexts where full values are not required, such as analytics, testing, support tooling, or user interfaces. For the exam, differentiate static masking (creating sanitized copies), dynamic masking (on-the-fly at query or API layers), and tokenization (reversible mapping through a controlled vault). The control...
Episode 58 — A.8.9–8.10 — Configuration management; Information deletion 14.10.2025 12:49
A.8.9 requires establishing secure configuration baselines and maintaining them through change discipline, making it a frequent exam target for questions about drift control and evidence. Candidates should explain baseline sources (vendor hardening guides, CIS benchmarks), enforcement methods (IaC templates, GPOs/MDM, golden images), and monitoring for deviation via configuration assessment tools....
Episode 57 — A.8.7–8.8 — Anti-malware; Technical vulnerability management 14.10.2025 13:21
A.8.7 mandates protection against malware across endpoints, servers, email, and web gateways, recognizing that modern threats blend commodity payloads with living-off-the-land techniques. For the exam, differentiate signature detection from behavioral and memory-based approaches, and tie control selection to asset criticality and operating contexts such as OT or isolated environments. Effective an...
Episode 56 — A.8.5–8.6 — Secure authentication; Capacity management 14.10.2025 13:50
A.8.5 requires secure authentication mechanisms that match the sensitivity of systems and data, making this control central to exam questions about assurance levels, factor strength, and attack resistance. Candidates should distinguish between multi-factor authentication methods (knowledge, possession, inherence), the protocols that carry them (FIDO2/WebAuthn, OTP, certificate-based), and lifecycl...
Episode 55 — A.8.3–8.4 — Information access restriction; Access to source code 14.10.2025 15:35
A.8.3 requires restricting access to information and associated assets according to business need, classification, and risk. For the exam, connect policy to mechanism: role- or attribute-based models, group-centric entitlements, conditional access, and content-aware controls that enforce least privilege across files, databases, APIs, and collaboration tools. Enforcement should be auditable—who acc...
Episode 54 — A.8.1–8.2 — User endpoint devices; Privileged access rights 14.10.2025 14:39
A.8.1 consolidates expectations for user endpoint devices by requiring managed configurations, protection mechanisms, and governance proportional to data sensitivity and threat. For the exam, emphasize standard builds, automated patching, EDR with behavioral detections, device encryption, application allow-listing where feasible, and hardened browser/email settings to resist phishing and drive-by...
Episode 53 — A.7.13–7.14 — Equipment maintenance; Secure disposal/re-use 14.10.2025 14:08
A.7.13 mandates that equipment be maintained correctly to ensure availability, integrity, and safety, with maintenance scheduled, authorized, and recorded. For exam preparation, distinguish preventive maintenance (vendor-recommended service intervals, firmware updates, filter replacements) from corrective maintenance after faults, and remember access controls for maintainers—identity verification,...
Episode 52 — A.7.11–7.12 — Supporting utilities; Cabling security 14.10.2025 14:26
A.7.11 addresses supporting utilities—power, water, HVAC, and communications—whose failure can render even perfectly secured systems unavailable or damaged. For the exam, focus on redundancy and monitoring: dual power feeds or phases where practical, uninterruptible power supplies sized to graceful shutdown or failover, generator capacity with fuel logistics, and environmental controls to maintain...
Episode 51 — A.7.9–7.10 — Off-premises assets; Storage media 14.10.2025 19:03
A.7.9 requires controls for assets used off-premises, recognizing that laptops, tablets, phones, developer kits, and even lab equipment are exposed to theft, loss, and uncontrolled networks when outside secure facilities. For the exam, emphasize baseline safeguards: full-disk encryption with centrally managed keys, strong authentication with MFA, hardened configurations, automatic screen lock, and...
Episode 50 — A.7.7–7.8 — Clear desk/screen; Equipment siting & protection 14.10.2025 11:38
A.7.7 codifies clear desk and clear screen practices so that sensitive information is not exposed to casual observation or theft. For the exam, remember that this applies to printed materials, removable media, whiteboards, unlocked sessions, and unattended devices. Policies should require locking screens when away, securing documents in drawers or cabinets, and using secure disposal for notes and...
Episode 49 — A.7.5–7.6 — Environmental threats; Working in secure areas 14.10.2025 13:52
A.7.5 addresses protection against environmental threats—natural, accidental, or man-made—that could disrupt facilities or damage information assets. For the exam, focus on risk-based safeguards such as fire detection and suppression appropriate to equipment, water leak detection, surge protection, redundant power paths, and climate control to maintain temperature and humidity within safe ranges....
Episode 48 — A.7.3–7.4 — Securing offices/rooms/facilities; Physical security monitoring 14.10.2025 13:33
A.7.3 requires implementing protective measures for offices, rooms, and facilities proportionate to the assets they house. For the exam, emphasize practical safeguards: controlled keys and badge zones, tamper-evident cabinets for network gear, secure window and door hardware, and policies that prevent unattended exposure of displays and documents. Sensitive areas must be clearly identified, with v...
Episode 47 — A.7.1–7.2 — Perimeters; Physical entry 14.10.2025 13:47
A.7.1 requires defining physical security perimeters that protect areas containing critical information assets and supporting infrastructure. For the exam, note the layered defense model: public zones, reception areas, controlled office space, and restricted rooms such as data centers or network closets. Each zone carries different controls—barriers, signage, surveillance, and entry validation—sca...
Similar podcasts
Replaio is not a podcast publisher; show names, artwork and audio belong to their authors and are distributed through public RSS feeds.