
ISO 27002:2022 Practical Guide - Information Security Controls

Learn by Doing: Practical guide
About the author
Noureddine Kanzari is a cybersecurity expert with an extensive background in IT risk management and cybersecurity instruction. His certifications include PECB Certified Trainer, DORA Senior Lead Manager, NIST Cybersecurity Consultant, Senior Lead Incident Manager, Senior Lead SOC 2 Analyst, Data Protection Officer (DPO), ISO 42001 Senior Lead Auditor, ISO 42001 Senior Lead Implementer, Senior Lead SCADA Security Manager, ISO 22301 Senior Lead Implementer, ISO 22301 Senior Lead Auditor, EBIOS Risk Manager, ISO 27005 Senior Lead Risk Manager, ISO 27001 Senior Lead Implementer, ISO 27001 Senior Lead Auditor, Cisco Certified Specialist in Security Core and Enterprise Core, NSE4 Network Security Professional, Palo Alto Instructor, DevOps Tools Engineer, LPIC-3 Enterprise Professional Security, LPIC-3 Enterprise Professional Virtualization & High Availability, LPIC-2, LPIC-1, SUSE Certified Linux Administration, and Certified Security Auditor in computer security.
Noureddine Kanzari's professional journey is characterized by a series of impactful roles and accomplishments. Throughout his career, he has held various pivotal positions, including:
• Chief Information Security Officer (CISO)
• Audit Team Leader
• Cybersecurity Instructor
• Technical Manager
• Training Manager
His extensive experience and leadership have contributed significantly to enhancing cybersecurity practices, risk management strategies, and organizational resilience.
Contents
1. ORGANIZATIONAL CONTROLS
1.1 Independent review of information security (5.35)
1.2 Practical Application of Clause 5.35: Case Study: "Tech Solutions"
1.3 Compliance with policies, rules and standards for information security (5.36)
1.4 Practical Application of Clause 5.36: Case Study: "Tech Solutions"
1.5 Documented operating procedures (5.37)
1.6 Practical Application of Clause 5.37: Case Study: "Tech Solutions"
1. ORGANIZATIONAL CONTROLS
1.1 Independent review of information security (5.35)
Control 5.35:
The organization’s approach to managing information security and its implementation including
people, processes and technologies should be reviewed independently at planned intervals, or
when significant changes occur.
Control attributes:
• Control type (when it acts): Preventive, Corrective
• Information security properties: Confidentiality, Integrity, Availability
• Cybersecurity concepts (which phase of cybersecurity it supports): Identify, Protect
• Operational capabilities (which operational area it belongs to): Information_security_assurance
• Security domains (which domain it relates to): Governance and Ecosystem
Control description:
• The organization needs to have a process where someone who isn’t directly involved in the day-to-day information security work looks at how the organization is protecting its data.
• The organization must regularly schedule these reviews (e.g., once a year or every six months).
• The goal is to check if the security measures (like policies or controls) are working, need improvement, or need changes.
Example: Imagine a small online store that saves customer data. Every year, they hire an external cybersecurity expert to check if their password policies, data encryption, and employee training are strong enough to keep customer information safe.
• The reviewer must be independent, meaning they don’t work in the department being reviewed, to avoid bias.
• They could be:
   o An internal auditor from another department.
   o An independent manager not involved in the security team.
   o An external company specializing in security reviews.
• The reviewer needs to have the right skills to understand information security.
Example: The online store hires a cybersecurity consultant who doesn’t work for them. This consultant knows a lot about data protection and isn’t influenced by the store’s employees, so they can give an honest opinion.
• The reviewer shouldn’t report to the same boss as the people whose work they’re reviewing. This ensures they can be honest without fear of pressure.
Example: If the IT manager is responsible for security, the reviewer shouldn’t be someone who reports to the IT manager. Instead, it could be someone from the finance department or an outside expert.
• After the review, the results are shared with the manager who requested the review and, if needed, with top management (like the CEO or board). The organization keeps records of these reviews (like a report or notes).
Example: The consultant writes a report saying the online store’s antivirus software is outdated. This report goes to the store’s manager and the owner, and they keep a copy of it.
• If the review finds problems (e.g., security policies aren’t followed, or the measures don’t meet goals), the organization must fix them.
Example: The consultant finds that employees aren’t locking their computers when they leave their desks, which is against the security policy. The manager then organizes training to remind everyone to lock their screens.
• In addition to regular reviews, the organization should do extra reviews when:
   o Laws or regulations change: For example, if a new data protection law (like GDPR) comes into effect, the organization checks if its security measures comply.
   o Significant incidents occur: If the online store gets hacked, they need a review to figure out what went wrong.
   o New or changed business: If the store starts selling internationally, they need to review security for handling more customer data.
   o New or changed products/services: If the store adds a mobile app, they review security for the app.
   o Major changes to security controls: If they switch to a new encryption system, a review ensures it’s working properly.
• Simple Example Scenario
Imagine you run a small bakery with a website where customers order cakes online. To follow ISO 27002’s independent review requirements:
   o Step 1: You decide to have a review every year to check if your website’s security (like protecting customer payment details) is good.
   o Step 2: You hire a local IT security expert who doesn’t work for your bakery. They know about cybersecurity and can check your website fairly.
   o Step 3: The expert checks your website and finds that your payment system is secure, but your employees share passwords, which is risky.
   o Step 4: The expert writes a report and shares it with you (the owner). You keep the report in your files.
   o Step 5: You fix the problem by creating a rule that every employee must have their own password and can’t share it.
   o Step 6: If a new law about online payments comes out, or if your website gets hacked, you call the expert back for an extra review.
Control evidence:
Checks to be performed:
• If independent audits are carried out
Evidence:
• Audit reports
1.2 Practical Application of Clause 5.35: Case Study: "Tech Solutions"
1.3 Compliance with policies, rules and standards for information security (5.36)
Control 5.36:
Compliance with the organization’s information security policy, topic-specific policies, rules and
standards should be regularly reviewed.
Control attributes:
• Control type (when it acts): Preventive
• Information security properties: Confidentiality, Integrity, Availability
• Cybersecurity concepts (which phase of cybersecurity it supports): Identify, Protect
• Operational capabilities (which operational area it belongs to): Information_security_assurance, Legal_and_compliance
• Security domains (which domain it relates to): Governance and Ecosystem
Control description:
• Managers or owners (of services, products, or data) need to regularly check if their team is following the organization’s security policies, rules, and legal requirements. This ensures everything stays secure.
Example: Imagine you run a small online store. Your security policy says all customer data must be encrypted. As the manager, you need to check if your website is actually encrypting customer information (like credit card details). You might:
   o Look at the website settings to confirm encryption is active (e.g., HTTPS is used).
   o Ask your IT team to show proof that encryption software is working.
   o Use a tool that automatically checks if encryption is applied correctly and sends you a report every month.
• If you find something isn’t following the security rules (non-compliance), you need to figure out why, decide how to fix it, take action, and check if the fix worked.
Example: Let’s say you discover that your online store’s customer data isn’t encrypted because a new employee turned off the encryption setting by mistake.
   a) Identify the cause: You investigate and find out the employee didn’t know the encryption rule.
   b) Evaluate corrective actions: You decide the fix involves turning encryption back on and training employees on security rules.
   c) Implement corrective actions: You turn encryption back on and hold a training session for all employees.
   d) Review the fix: A week later, you check the website again to confirm encryption is working and ask employees if they understand the rules now.
• Managers must keep records of what they checked, what problems they found, and what they did to fix them. They should share these records with independent reviewers (like auditors) when asked.
Example: For your online store, you write down:
   o The date you checked the encryption.
   o The problem you found (encryption was off).
   o What you did to fix it (turned it back on, trained staff).
   o The date you confirmed the fix worked.
• Fixes should happen quickly, especially if the problem is risky (e.g., could lead to a data breach). If the fix takes time, you should at least report progress during the next review.
Example: If the encryption issue in your store could let hackers steal customer data, you’d fix it immediately (e.g., within a day). If the fix is more complex, like upgrading your entire system, you might not finish by the next monthly review. In that case, you’d report, “We’ve started upgrading the system, and it’s 50% done,” during the review.
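The monthly encryption check and the non-compliance record described above, as an added example that is not part of the guide: a Python script that audits an nginx-style web server configuration for the "customer data must be encrypted" rule (a server block listening with TLS, no legacy SSL/TLS versions, and a redirect from port 80 rather than plain-HTTP service), and, when the check fails, keeps the record the control asks for: date checked, findings, cause, corrective action, the date it was implemented, and a verification step that only closes the record once the re-run check is clean. The configuration text, hostnames, dates and the one-day/thirty-day deadlines are constructed for the example; a live check of the running site would be a separate step.

```python
"""Added example (not from the guide): a compliance check for the rule "customer
data must be encrypted in transit" (control 5.36) and the record a manager keeps
when the check fails. Config text, hostnames and dates are constructed."""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

# Constructed nginx-style configurations: one serving plain HTTP only, one compliant.
CONFIG_NONCOMPLIANT = """
server {
    listen 80;
    location / { proxy_pass http://app:8080; }
}
"""
CONFIG_COMPLIANT = """
server {
    listen 80;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate /etc/nginx/certs/shop.pem;
}
"""
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def split_server_blocks(config: str) -> List[str]:
    """Return the body of each top-level server { ... } block, tracking nesting."""
    blocks, depth, start = [], 0, 0
    for m in re.finditer(r"[{}]", config):
        if m.group() == "{":
            if depth == 0:
                start = m.end()
            depth += 1
        else:
            depth -= 1
            if depth == 0:
                blocks.append(config[start:m.start()])
    return blocks

def check_encryption(config: str) -> List[str]:
    """Findings against the encryption rule; an empty list means compliant."""
    findings = []
    blocks = split_server_blocks(config)
    tls_blocks = [b for b in blocks if re.search(r"listen\s+[^;]*\bssl\b", b)]
    if not tls_blocks:
        findings.append("no server block listens with ssl: HTTPS is not enabled")
    for b in tls_blocks:
        protos = re.search(r"ssl_protocols\s+([^;]+);", b)
        if protos is None:
            findings.append("ssl_protocols not set explicitly")
        else:
            legacy = LEGACY_PROTOCOLS & set(protos.group(1).split())
            if legacy:
                findings.append("legacy protocols allowed: " + ", ".join(sorted(legacy)))
    for b in blocks:  # a plain-HTTP listener must redirect, not serve customer data
        if b not in tls_blocks and re.search(r"listen\s+80\b", b) \
                and not re.search(r"return\s+301\s+https://", b):
            findings.append("port 80 is served without a redirect to https")
    return findings

@dataclass
class NonComplianceRecord:
    """The manager's record: date checked, rule, findings, cause, fix, and the
    dates (ISO strings) the fix was implemented and confirmed to work."""
    checked_on: str
    rule: str
    findings: List[str]
    risk: str                 # "high" when the issue could lead to a data breach
    cause: str = ""
    corrective_action: str = ""
    implemented_on: str = ""
    verified_on: str = ""

    def deadline(self) -> date:
        # Constructed policy: high-risk fixes within a day, others by the next monthly review.
        days = 1 if self.risk == "high" else 30
        return date.fromisoformat(self.checked_on) + timedelta(days=days)

    def verify(self, fixed_config: str, on: str) -> bool:
        """Close the record only if re-running the check on the fixed config is clean."""
        if check_encryption(fixed_config):
            return False
        self.verified_on = on
        return True

    def status(self, today: str) -> str:
        if self.verified_on:
            return "closed"
        if self.implemented_on:
            return "implemented, awaiting verification"
        return "overdue" if date.fromisoformat(today) > self.deadline() else "open"

if __name__ == "__main__":
    rec = NonComplianceRecord("2025-05-01", "customer data encrypted in transit (HTTPS)",
                              check_encryption(CONFIG_NONCOMPLIANT), "high")
    print(rec.findings, rec.status("2025-05-03"))   # a high-risk fix was due in a day: overdue
    rec.cause, rec.implemented_on = "TLS server block removed by mistake", "2025-05-03"
    rec.corrective_action = "restore TLS block and redirect; train staff on the rule"
    print(rec.verify(CONFIG_COMPLIANT, "2025-05-08"), rec.status("2025-05-09"))
```

Reading the configuration rather than probing the live site keeps the check runnable in a pipeline and produces the same evidence each month; the `verify` step is what turns "we turned encryption back on" into a record an auditor can rely on, because the record cannot be closed while the check still fails.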
Control evidence:
Checks to be performed:
• If managers and owners of products, services or information identify how to verify that the information security requirements defined in the information security policy, specific policies, rules, standards and other applicable regulations are met
Evidence:
• Audit reports
1.4 Practical Application of Clause 5.36: Case Study: "Tech Solutions"
1.5 Documented operating procedures (5.37)
Control 5.37:
Operating procedures for information processing facilities should be documented and made available to personnel who need them.
Control attributes:
• Control type (when it acts): Preventive, Corrective
• Information security properties: Confidentiality, Integrity, Availability
• Cybersecurity concepts (which phase of cybersecurity it supports): Protect, Recover
• Operational capabilities (which operational area it belongs to): Information_security_assurance
• Security domains (which domain it relates to): Governance and Ecosystem, Defense
Control description:
• You should write down procedures for certain activities, especially in these cases:
   o When many people need to do the same task consistently
   Example: Imagine a company where multiple employees need to update the antivirus software on their computers. A documented procedure ensures everyone follows the same steps, like downloading the update from a trusted source and restarting the system, so no one skips a step or does it differently.
   o When the task is done rarely and might be forgotten
   Example: Suppose a company only updates its firewall settings once a year. A documented procedure acts like a checklist (e.g., "Step 1: Log into the firewall admin panel, Step 2: Check for firmware updates") so employees don’t forget how to do it correctly.
   o When the task is new and risky if done wrong
   Example: A company is setting up a new cloud server for the first time. A procedure outlines how to configure it securely (e.g., enabling encryption, setting strong passwords) to avoid mistakes that could expose sensitive data.
   o When handing over tasks to new staff
   Example: If an IT employee leaves and a new person takes over managing backups, a written procedure ensures the new employee knows exactly how to schedule backups, where to store them, and who to contact if something goes wrong.
• The procedures should cover these key points to make sure everything is clear and secure:
   o Responsible Individuals
   Specify who is in charge of doing the task or overseeing it.
   Example: “The IT Manager is responsible for approving software updates. Contact sarah@company.com if there’s an issue.”
   o Secure Installation and Configuration of Systems
   Explain how to set up systems (like servers or software) securely to avoid vulnerabilities.
   Example: For installing a new computer, the procedure might say, “Install Windows, enable the firewall, and set a password with at least 12 characters, including numbers and symbols.”
   o Processing and Handling of Information (Automated and Manual)
   Describe how to handle data, whether it’s processed by a computer or manually by people.
   Example: For handling customer data, the procedure might say, “All customer emails must be stored in the encrypted CRM system, and paper forms must be scanned and then shredded.”
   o Backup and Resilience
   Detail how to back up data and ensure systems can recover if something fails.
   Example: “Back up the company database every night at 2 AM to an external hard drive stored in a locked cabinet. Test the backup monthly to ensure it works.”
   o Scheduling Requirements and Interdependencies
   Explain when tasks should happen and how they connect to other systems.
   Example: “Run the payroll software update only after the accounting system is backed up, as the payroll system depends on accounting data.”
   o Instructions for Handling Errors or Exceptions
   Provide steps for what to do if something goes wrong, like a system crash or unauthorized access.
   Example: “If the antivirus software flags a file, quarantine it immediately and notify the IT team. Do not open utility programs without IT approval.”
   o Support and Escalation Contacts
   List who to contact for help, including external vendors if needed.
   Example: “For server issues, contact the IT helpdesk at 555-1234. If unresolved after 1 hour, escalate to the vendor support line at 555-5678.”
   o Storage Media Handling Instructions
   Explain how to safely use and store things like USB drives, external hard drives, or CDs.
   Example: “Label all USB drives with the department name and store them in a locked drawer when not in use. Encrypt all data before transferring to a USB.”
   o System Restart and Recovery Procedures
   Describe how to restart a system or recover it after a failure.
   Example: “If the server crashes, power it off, wait 5 minutes, then restart. If it doesn’t work, restore the system from the latest backup stored on the external drive.”
Control evidence:
Checks to be performed:
• If operational procedures (systems, applications, databases, network and security equipment and solutions, etc.) are documented
• Whether the documentation of operational operating procedures is kept up to date
• If the changes to operating procedures are approved by the relevant managers
• If the operational operating procedures are made available to anyone who needs them
• If these procedures are protected against unlawful alterations
Evidence:
• Operating procedures
• History of procedure updates
1.6 Practical Application of Clause 5.37: Case Study: "Tech Solutions"
Purpose
To ensure new computers are set up securely to protect company information and systems, following ISO 27002 guidelines.
Scope
This procedure applies to all employees setting up a new computer in the organization.
Responsible Individuals
• IT Administrator (Primary): John Smith, john.smith@company.com, 555-1234
• Backup Contact: IT Helpdesk, helpdesk@company.com, 555-5678
Procedure Steps
1. Secure Installation and Configuration
• Verify the computer is from an approved vendor and has not been tampered with.
• Install the latest version of the approved operating system (e.g., Windows 11 Pro).
• Enable the firewall during installation.
• Set a strong admin password (at least 12 characters, including letters, numbers, and symbols).
• Install only approved software listed in the company’s software inventory (e.g., antivirus, Microsoft Office).
• Disable unnecessary services (e.g., remote desktop) unless approved by the IT Administrator.
2. Processing and Handling of Information
• Configure the computer to save all company data to the encrypted network drive (\companyserver\data).
• Do not store sensitive data (e.g., customer information) on the local hard drive.
• For manual handling, print sensitive documents only on secure printers and shred them after use.
3. Backup and Resilience
• Set up automatic backups of critical files to the company’s cloud backup system every night at 1 AM.
• Test the backup restoration process within 7 days of setup to confirm it works.
• Ensure the computer has an uninterruptible power supply (UPS) to prevent data loss during power outages.
4. Scheduling Requirements
• Complete the setup within 2 business days of receiving the computer.
• Ensure the computer is connected to the company network before installing software that requires internet access (e.g., antivirus updates).
• Coordinate with the IT Administrator to avoid conflicts with other system updates.
5. Handling Errors or Exceptional Conditions
• If the installation fails (e.g., software won’t install), stop immediately and contact the IT Helpdesk.
• Do not use unauthorized utility programs (e.g., third-party repair tools) without IT approval.
• If the computer shows signs of malware (e.g., slow performance, pop-ups), disconnect it from the network and notify the IT Administrator.
6. Support and Escalation Contacts
• For setup issues, contact the IT Helpdesk at helpdesk@company.com or 555-5678.
• If unresolved after 1 hour, escalate to the external vendor support line (TechSupport Inc., 5559012).
• For urgent security issues, contact the IT Administrator immediately.
7. Storage Media Handling
• If using a USB drive to transfer setup files, ensure it is encrypted and labeled with “IT Department – Setup.”
• Store USB drives in the locked IT cabinet when not in use.
• Do not use personal USB drives for company setups.
8. System Restart and Recovery
• If the computer fails to boot, power it off, wait 2 minutes, and restart.
• If the issue persists, restore the system from the latest backup on the cloud server.
• Follow the restoration steps in the “Backup Recovery Guide” (available on the company intranet).
• Contact the IT Helpdesk if recovery fails.
Review and Updates
• This procedure is reviewed annually or when new risks are identified.
• Last updated: May 20, 2025, by John Smith.
Notes
• Always follow company security policies during setup.
• Report any deviations from this procedure to the IT Administrator immediately.
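A checker for the key points and the evidence items listed under control 5.37 (documented, kept up to date, changes approved by the relevant managers, protected against unlawful alteration), written as an added example that is not part of the guide and not a tool of "Tech Solutions": it takes a procedure captured as a Python dict in the shape of the setup procedure above, confirms that every required section is present and non-empty, that each responsible individual has a contact, that the last review falls within the review period, that every entry in the change history names an approver, and that a stored SHA-256 hash of the content still matches, so an edit made without going through re-approval is detected. The sample procedure, contacts, dates and the 365-day review period are constructed.

```python
"""Added example (not from the guide): checks for a documented operating
procedure under control 5.37. The sample procedure, contacts and dates are constructed."""
import hashlib
import json
from datetime import date, timedelta
from typing import Dict, List

# Sections every operating procedure should cover (the control's key points).
REQUIRED_SECTIONS = [
    "responsible_individuals", "secure_installation_and_configuration",
    "processing_and_handling_of_information", "backup_and_resilience",
    "scheduling_requirements", "handling_errors_or_exceptions",
    "support_and_escalation_contacts", "storage_media_handling",
    "system_restart_and_recovery",
]

def content_hash(doc: Dict) -> str:
    """SHA-256 over everything except the stored hash, serialized canonically
    (sorted keys) so that key order cannot change the digest."""
    body = {k: v for k, v in doc.items() if k != "integrity_sha256"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def approve_and_seal(doc: Dict) -> Dict:
    """Record the hash when a change is approved; audits compare against it."""
    doc["integrity_sha256"] = content_hash(doc)
    return doc

def audit_procedure(doc: Dict, today: str) -> List[str]:
    """Return findings; an empty list means the procedure passes the 5.37 checks."""
    findings = []
    sections = doc.get("sections", {})
    for name in REQUIRED_SECTIONS:
        if not sections.get(name):
            findings.append(f"missing or empty section: {name}")
    for person in sections.get("responsible_individuals", []):
        if not person.get("contact"):
            findings.append(f"responsible individual without contact: {person.get('role')}")
    last = date.fromisoformat(doc["last_reviewed"])
    if date.fromisoformat(today) - last > timedelta(days=doc["review_period_days"]):
        findings.append(f"not reviewed since {last}: review period exceeded")
    for entry in doc.get("history", []):
        if not entry.get("approved_by"):
            findings.append(f"change on {entry.get('date')} has no approver")
    if doc.get("integrity_sha256") != content_hash(doc):
        findings.append("content hash mismatch: altered since last approval")
    return findings

def sample_procedure() -> Dict:
    """Constructed procedure in the shape of the new-computer setup procedure."""
    return approve_and_seal({
        "title": "Secure setup of a new computer",
        "last_reviewed": "2025-05-20",
        "review_period_days": 365,
        "history": [{"date": "2025-05-20", "author": "it.admin@example.test",
                     "approved_by": "it.manager@example.test", "change": "annual review"}],
        "sections": {
            "responsible_individuals": [
                {"role": "IT Administrator (Primary)", "contact": "it.admin@example.test"},
                {"role": "Backup Contact", "contact": "helpdesk@example.test"}],
            "secure_installation_and_configuration": [
                "Install the approved operating system image",
                "Enable the host firewall during installation",
                "Set an admin password of at least 12 characters"],
            "processing_and_handling_of_information": ["Save company data only to the encrypted network drive"],
            "backup_and_resilience": ["Nightly backup; test a restore within 7 days of setup"],
            "scheduling_requirements": ["Complete setup within 2 business days"],
            "handling_errors_or_exceptions": ["If installation fails, stop and contact the helpdesk"],
            "support_and_escalation_contacts": ["Helpdesk first; escalate to the vendor after 1 hour"],
            "storage_media_handling": ["Only encrypted, labelled IT department USB drives"],
            "system_restart_and_recovery": ["Power off, wait 2 minutes, restart; else restore from backup"],
        },
    })

def tampered_procedure() -> Dict:
    """The same procedure after a step is edited without going through approval."""
    doc = sample_procedure()
    doc["sections"]["secure_installation_and_configuration"][1] = "Disable the host firewall"
    return doc

if __name__ == "__main__":
    print(audit_procedure(sample_procedure(), "2025-06-01"))    # no findings
    print(audit_procedure(tampered_procedure(), "2025-06-01"))  # hash mismatch
```

The hash only proves that the stored copy is the one that was approved; who may run `approve_and_seal` is an access-control decision on the intranet or document store, which is where the "protected against unlawful alterations" check is ultimately enforced.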