6.1 Internal Organization
ISO 27001 Annex : A.6 Organization of Information Security its object is to establish a management framework for initiating and controlling the implementation and functioning of information security within the organization.
6.1.1 Information Security Roles and Responsibilities
Control- All responsibilities related to information security should be well defined and assigned.
Implementation Guidance- Allocation of information security responsibilities should be carried out in compliance with information security policies (Refer A.5.1.1). Responsibilities for the security of individual assets and the implementation of specific information security procedures should be defined. Responsibilities for information security risk management activities and, in particular, for the acceptance of residual risks should be defined. When necessary, further guidance should be provided for specific sites and information processing facilities in order to supplement these responsibilities. Local responsibilities should be defined for the protection of assets and for the implementation of specific security processes. Individuals with assigned responsibility for information security can delegate security tasks to others. But they remain responsible and must decide whether any delegated tasks are conducted correctly or not
Related Product : ISO 27001 Lead Auditor Training And Certification ISMS
Areas for which individuals are responsible should be defined. In fact, the subsequent should take place:
1. Assets as well as the information security processes should be identified and well defined;
2. An individual candidate should be assigned for each asset and information security processes and details describing the responsibility should be documented;
3. Levels of authorization should be described and documented;
4. The appointed persons should be competent in this area and be given opportunities to keep up to date with their progress, in order to meet responsibilities in the information security area;
5. Coordination and monitoring should be identified and documented on information security aspects of supplier relations.
Other Information- Many organizations assign an information security officer to take ultimate responsibility for information security development and implementation, and to help access recognition. However, individual management will often remain responsible for the resourcing and implementation of the controls. It is common practice to appoint an owner for all assets which are then responsible for their regular security.
6.1.2 Segregation of Duties
Control- Conflicting tasks and areas of responsibility should be separated to reduce opportunities to change or misuse the assets of the organization without permission or unintended.
Implementation Guidance- No one shall be allowed without authorization or approval to access, modify or use the assets. This will distinguish the execution of an occurrence from its authorization. The probability of collusion in should be considered while designing the controls. Small organizations may find it impossible to accomplish division of tasks, but the principle should be enforced as far as is practicable and feasible. If segregation is challenging, other measures such as task reporting, audit trails and management supervision should be considered.
Other Information- Segregation of duties may be a method to reduce the risk of unintentional or intentional abuse of the assets of the organization.
6.1.3 Contact with Authorities
Control- It is necessary to maintain proper communications with the relevant authorities.
Implementation Guidance- Organizations should have processes in place that determine when and by whom officials (e.g. law enforcement, regulatory agencies, supervisory officials) should communicate and how information security violations detected will be recorded in a timely manner (e.g. if the law is alleged to have been violated).
Other Information- Internet-assaulted organizations may require authorities to take measures against the attack. Holding these connections may also be a necessity to support incident management or business continuity and contingency planning processes in information security. Contacts with regulatory bodies are also useful when anticipating and preparing potential changes in the laws or regulations that the organization needs to enforce. Contacts with other authorities include utilities, emergency services, suppliers of energy and safety , and protection such as fire departments, telecommunication (routing and availability) suppliers, and water (equipment cooling).
6.1.4 Contact with Interest groups
Control- Appropriate connections should be established with special interest organizations or other forums for professional security and professional associations.
Implementation Guidance
- Membership of community groups or forums should be considered as a way to:
1. Improve skills and keep up to date on appropriate safety details about the best practices;
2. Ensuring an up-to – date and complete understanding of information security;
3. Receive early warnings about threats and vulnerabilities, updates and patches;
4. Enable expert information security advice;
5. Share and exchange information on new technology, products, threats or vulnerabilities;
6. provide correct liaison points for events relevant to information security
Other Information- Information sharing agreements to enhance co-operation and coordination of security issues can indeed be developed. These agreements will define confidential information security requirements.
Also Read : ISO 27001 Annex : A.5 Information Security Policies
6.1.5 Information Security in Project Management
Control- Throughout project management, the confidentiality of information should be discussed irrespective of project type
Implementation Guidance- Information security should be incorporated with the project management method(s) of the organization to ensure the identification and response to threats in information security as part of a project. This is commonly applicable to any project irrespective of its purpose , e.g. a core business process project, IT, facilities management, and other supporting processes.
- The methods of project management should consider:
1. The goals of information security are part of the project’s priorities;
2. An early assessment of the information security risk in order to determine appropriate controls are carried out in the project;
3. Information security is part of all phases of the project methodology;
Information security issues will be discussed and reviewed on a regular basis in all programs. Responsibilities for information security should be specified and delegated to different roles as specified in project management methods.
At Infosavvy we help you get acquainted with every control belonging to the standard ISO 27002 and make you understand the various role and responsibilities required by the organization, keeping in mind the confidentiality of assets. we provide training for IRCA CQI ISO 27001:2013 Lead Auditor (LA) and ISO 27001 Lead Implementer (LI)) (training certified by TÜV SÜD) and also incorporate faculties that make learning easy and experiential for the participants so that they can excel in managing ISMS.
Questions related to this topic
- What is Annex A.6 Organization of Information Security ?
- What is Implementation Guidance for Information Security Roles and Responsibilities?
- What is Segregation of Duties?
- What are the benefits of ISO 27001 Annex : A.6 Organization of Information Security?
- What is Information Security in Project Management?
- Explain Annex A.6 Organization of Information Security?
- What are the controls of ISO 27001 Annex : A.6 Organization of Information Security?
ISO 27001 Requirements
Clause 4.3 Determining the scope of the information security management system
Clause 5.1 Leadership and commitment
Clause 5.2 Policy
Clause 5.3 Organizational roles, responsibilities and authorities
Clause 6.1 Actions to address risks and opportunities
Clause 6.1.2 Information security risk assessment process
Clause 6.1.3 Information security risk treatment
Clause 6.2 Information security objectives & planning
Clause 7.1 Resources
Clause 7.2 Competence
Clause 7.3 Awareness
Clause 7.4 Communication
Clause 7.5 Documented information Implementation Guideline
Clause 8.1 Operational planning & control
Clause 8.2 Information security risk assessment
Clause 8.3 Information security risk treatment
Clause 9.1 Performance evaluation Monitoring, measurement, analysis & evaluation
Clause 9.2 Internal audit
Clause 9.3 Management review
Clause 10.1 Non conformity and corrective action
Clause 10.2 Continual Improvement
ISO 27001 Annex A Controls
Annex A.5 Information Security Policies
Annex A.6.2 Mobile Devices and Teleworking
Annex A.7 Human Resource Security
Annex A.7.2 During Employment
Annex A.7.3 Termination and Change of Employment
Annex A.8 Asset Management
Annex A.8.1.3 Acceptable Use of Assets & A.8.1.4 Return of Assets
Annex A.8.2 Information Classification
Annex A.8.2.2 Labeling of Information & A.8.2.3 Handling of Assets
Annex A.8.3 Media Handling
Annex A.9 Access Control
Annex A.9.1.2 Access to Networks and Network Services
Annex A.9.2 User Access Management
Annex A.9.2.3 Management of Privileged Access Rights
Annex A.9.2.4 Management of Secret Authentication Information of Users
Annex A.9.2.5 Review of User Access Rights
Annex A.9.2.6 Removal or Adjustment of Access Rights
Annex A.9.3 User Responsibilities
Annex A.9.4 System and Application Access Control
Annex A.9.4.4 Use of Privileged Utility Programs
Annex A.9.4.5 Access Control to Program Source Code
Annex A.10 Cryptography
Annex A.11 Physical and Environmental Security
Annex A.11.2 Equipment
Annex A.11.1.3 Securing Offices, Rooms and Facilities
Annex A.11.1.4 Protecting Against External and Environmental Threats
Annex A.11.1.5 Working in Secure Areas
Annex A.11.1.6 Delivery and Loading Areas
Annex A.11.2.4 Equipment Maintenance
Annex A.11.2.5 Removal of Assets
Annex A.11.2.6 Security of Kit and Assets Off-Premises
Annex A.11.2.7 Secure Disposal or Re-use of Equipment
Annex A.11.2.8 Unattended User Equipment
Annex A.11.2.9 Clear Desk and Clear Screen Policy
Annex A.12 Operations Security
Annex A.12.2 Protection from Malware
Annex A.12.3 Backup
Annex A.12.4 Logging and Monitoring
Annex A.12.5 Control of Operational Software
Annex A.12.6 Technical Vulnerability Management
Annex A.12.7 Information Systems Audit Considerations
Annex A.13 Communications Security
Annex A.13.2 Information Transfer
Annex A.13.2.3 Electronic Messaging
Annex A.13.2.4 Confidentiality or Non-Disclosure Agreements
Annex 14 System Acquisition, Development and Maintenance
Annex A.14.1.2 Securing Application Services on Public Networks
Annex A.14.1.3 Protecting Application Services Transactions
Annex A.14.2 Security in Development and Support Processes
Annex A.14.2.3 Technical Review of Applications after Operating Platform Changes
Annex A.14.2.4 Restrictions on Changes to Software Packages
Annex A.14.2.5 Secure System Engineering Principles
Annex A.14.2.6 Secure Development Environment
Annex A.14.2.7 Outsourced Development
Annex A.14.2.8 System Security Testing
Annex A.14.2.9 System Acceptance Testing
Annex A.14.3 Test data
Annex A.15 Supplier Relationships
Annex A.15.1.2 Addressing Security Within Supplier Agreements
Annex A.15.1.3 Information and Communication Technology Supply Chain
Annex A.15.2 Supplier Service Delivery Management
Annex A.16 Information Security Incident Management
Annex A.16.1.2 Reporting Information Security Events
Annex A.16.1.3 Reporting Information Security Weaknesses
Annex A.16.1.4 Assessment of and Decision on Information Security Events
Annex A.16.1.5 Response to Information Security Incidents
Annex A.16.1.6 Learning from Information Security Incidents
Annex A.16.1.7 Collection of Evidence
Annex A.17 Information Security Aspects of Business Continuity Management
Annex A.17.1.3 Verify, Review and Evaluate Information Security Continuity
Annex A.18 Compliance
Annex A.18.1.3 Protection of Records
Annex A.18.1.4 Privacy and Protection of Personally Identifiable Information
Annex A.18.1.5 Regulation of Cryptographic Controls
Annex 18.2 Information Security Reviews
About ISO 27002
- ISO 27002 – INTRODUCTION
- ISO 27002 Information technology Security techniques Code of practice for information security controls
This Blog Article is posted by
Infosavvy, 5B 306 Riverside Greens, Panvel, Raigad 410206 Maharashtra, India
Contact us – www.infocerts.com