Category: ISO 27001:2022

ISO 27001:2022 clause 5.1 Leadership and Commitment

Top management shall demonstrate leadership and commitment with respect to the information security management system by:

  • ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization;
  • ensuring the integration of the information security management system requirements into the organization’s processes;
  • ensuring that the resources needed for the information security management system are available;
  • communicating the importance of effective information security management and of conforming to the information security management system requirements;
  • ensuring that the information security management system achieves its intended outcome ;
  • directing and supporting persons to contribute to the effectiveness of the information security management system;
  • promoting continual improvement; and
  • supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.

NOTE Reference to “business” in this document can be interpreted broadly to mean those activities that are core to the purposes of the organization’s existence.

Top management shall demonstrate leadership and commitment with respect to the information security management system

Demonstrating leadership and commitment from top management is crucial for the successful implementation and maintenance of an effective Information Security Management System (ISMS).This clause identifies specific aspects of the management system where top management are expected to demonstrate both leadership and commitment. These include but are not limited to:

  • Accountability for the effectiveness of the management system;
  • Ensuring the policy and objectives are established and are compatible with the context and strategic direction of the organisation;
  • Ensuring the integration of the management system are embedded into business processes;
  • Promoting the use of the process approach and risk-based thinking
  • Ensuring adequate resources are in place;
  • Ensuring the management system achieves its intended results;
  • Engaging, directing and supporting persons to contribute to the effectiveness of the management system

Here are some key ways in which top management can show leadership and commitment in this context:

  1. Policy Development: Top management must Create an Information Security Policy. Top management should take the lead in developing a comprehensive information security policy that aligns with the organization’s objectives. This policy should set the tone for the entire ISMS.
  2. Resource Allocation: Top management must allocate Adequate Resources. Ensure that sufficient resources, including budget, personnel, and technology, are allocated to implement and maintain the ISMS effectively.
  3. Communication: Top management must ensure communication of Objectives. Clearly communicate the importance of information security and the objectives of the ISMS to all employees. Regularly reinforce this message to ensure awareness and understanding throughout the organization.
  4. Leading by Example: Top management must ensure adherence to Policies. Top management should lead by example by adhering to the information security policies and procedures. This creates a culture of compliance throughout the organization.
  5. Training and Awareness: Top management must support Training Programs. It must provide support for ongoing training and awareness programs related to information security. This helps employees understand their roles and responsibilities in maintaining the security of information assets.
  6. Risk Management: Top management must ensure active Involvement in Risk Management. Top management should actively participate in risk assessments and risk management processes to ensure that the organization is identifying and addressing potential threats and vulnerabilities.
  7. Monitoring and Review: Top management must regular Review of ISMS. Conduct regular reviews and assessments of the ISMS to ensure its effectiveness. This includes reviewing security controls, incident reports, and the overall performance of the system.
  8. Continuous Improvement: Top management must promote Continuous Improvement. Encourage a culture of continuous improvement by fostering innovation and adapting the ISMS to changing threats and technologies.
  9. Compliance with Standards: Top management must ensure adherence to Standards. Ensure that the ISMS complies with relevant standards and regulations. This demonstrates a commitment to meeting legal and regulatory requirements.
  10. Incident Response: Top management must ensure effective Incident Response. Top management should be involved in the development and testing of incident response plans. In the event of a security incident, their leadership is crucial for a coordinated and effective response.
  11. Integration with Business Processes: Top management must integrate ISMS with Business Processes. Ensure that the ISMS is integrated into the organization’s overall business processes. This alignment helps in embedding security practices into everyday operations.

Demonstrating leadership and commitment at the highest levels of an organization is fundamental to creating a strong and resilient information security culture. It sets the tone for the entire organization and reinforces the importance of safeguarding information assets.

Top management must ensure that the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization.

Aligning the information security policy and objectives with the strategic direction of the organization is crucial for the overall success and effectiveness of the Information Security Management System (ISMS). Here’s why and how top management can ensure this alignment:

Why Alignment is Important:

  1. Support Organizational Goals: Aligning the information security policy with the strategic direction ensures that security measures support, rather than hinder, the achievement of organizational goals.
  2. Resource Allocation: It helps in the proper allocation of resources, ensuring that investments in information security contribute directly to the organization’s strategic priorities.
  3. Risk Management: Ensures that security measures are aligned with the organization’s risk appetite and that potential risks to the achievement of strategic objectives are adequately addressed.
  4. Cultural Integration: Integrating information security into the strategic direction helps to embed a security-conscious culture throughout the organization.

How Top Management Can Ensure Alignment:

  1. Active Involvement: Top management should actively participate in the development of the information security policy, ensuring that it reflects the organization’s strategic priorities.
  2. Regular Review: Periodically review the information security policy and objectives to ensure they remain aligned with the evolving strategic direction of the organization.
  3. Communication: Effectively communicate the importance of information security in achieving the organization’s strategic goals. This helps create awareness and buy-in across all levels of the organization.
  4. Integration with Business Processes: Integrate information security considerations into various business processes, ensuring that security becomes an integral part of day-to-day operations.
  5. Risk Assessment: Conduct regular risk assessments to identify and assess the impact of potential threats on the organization’s strategic objectives. Adjust the information security measures accordingly.
  6. Performance Metrics: Establish performance metrics and key performance indicators (KPIs) that are in line with both information security objectives and broader organizational goals.
  7. Training and Awareness: Provide training and awareness programs that emphasize the relationship between information security and the organization’s strategic success.
  8. Adaptability: Ensure that the information security policy and objectives are adaptable to changes in the business environment, technology landscape, and regulatory requirements.
  9. Leadership by Example: Top management should lead by example, demonstrating through their actions and decisions that information security is a fundamental aspect of the organization’s strategy.
  10. Continuous Improvement: Foster a culture of continuous improvement, where the information security policy is regularly reviewed and updated to address emerging threats and changes in the organizational landscape.

By integrating information security into the strategic planning and decision-making processes, top management ensures that the organization is well-positioned to address security challenges in a way that complements and enhances its overall strategic objectives.

f leadership are not actively involved e.g. don’t participate in management reviews or cannot demonstrate to the external auditor there is a leadership representative taking it seriously during an audit then the organisation will almost certainly fail. Auditors talk about the spirit of ISO 27001 coming from the top and if they don’t see that they will probably look much more deeply and skeptically during the audit.

As has been stated many times before information security management is a business critical philosophy and must be compatible with an organisations business objectives and processes for it to work in practice. Without leadership support, or a requirement to do 25 things before someone actually does the job they want to do, the ISO 27001 journey will struggle to get off the ground. Being able to demonstrate this leadership commitment is essential for clause 5.1, and that’s where a more serious information security management system comes into play that both evidences leadership commitment to investing in an ISMS and having the evidence they have been involved e.g. in management reviews and broader ISMS decision making as well as the required annual external audits for ISO 27001. If a statutory financial accountant saw all the financial accounting just being done with spreadsheets instead of a professional accounting application they might question its integrity and spend longer than if the work was done with any recognized solution. It is the same for information security management. Using the right tools and having the right people involved breeds confidence. Having those foundations in place makes this clause easy to demonstrate and compliance simply requires documented evidence as notes to reinforce that leadership and commitment is in place and addressing clause 5.1 

Top management must ensure of the integration of the information security management system requirements into the organization’s processes.

Integrating the Information Security Management System (ISMS) requirements into the organization’s processes is critical for the effective implementation and sustainability of information security practices. Top management plays a key role in ensuring this integration. Here are some key steps and considerations for top management to ensure the successful integration of ISMS requirements into organizational processes:

  1. Leadership and Advocacy: Top management must demonstrate Leadership. Top management should actively advocate for the integration of ISMS requirements and lead by example in incorporating security considerations into decision-making processes.
  2. Policy Alignment: Top management must align ISMS Policies with Organizational Processes.Ensure that the information security policies are aligned with the organization’s overall policies and objectives. This alignment sets the foundation for integration.
  3. Risk-Based Approach: Top management must implement a Risk-Based Approach. Integrate risk management practices into the organization’s processes, ensuring that security measures are commensurate with the identified risks.
  4. Communication: Top management must communicate Expectations. Clearly communicate to all levels of the organization the expectations regarding the integration of ISMS requirements. This includes emphasizing the importance of information security in daily operations.
  5. Training and Awareness: It must provide Training Programs. Offer training and awareness programs to employees to ensure they understand the ISMS requirements and how these relate to their specific roles and responsibilities.
  6. Process Mapping: It must map ISMS Requirements to Processes. Identify and map ISMS requirements to existing organizational processes. This helps in understanding where security controls need to be implemented.
  7. Embed Security Controls: It must embed Controls into Processes. Integrate security controls seamlessly into existing processes, making them a natural part of day-to-day operations. This minimizes disruptions and resistance to change.
  8. Performance Metrics: It must define Key Performance Indicators (KPIs). Establish performance metrics that measure the effectiveness of security controls integrated into processes. This helps in monitoring and continuous improvement.
  9. Incident Response Integration: It must integrate Incident Response Procedures. Ensure that incident response procedures are integrated into broader organizational incident management processes to facilitate a coordinated and effective response to security incidents.
  10. Regular Audits and Reviews: It must conduct Regular Audits. Implement regular audits and reviews to assess the effectiveness of ISMS integration into processes and identify areas for improvement.
  11. Collaboration with Departments: It must collaborate with Departments. Work closely with different departments to understand their specific needs and challenges, and tailor ISMS integration accordingly.
  12. Adaptability: It must adapt to Changes. Ensure that the ISMS and its requirements are adaptable to changes in technology, business processes, and the overall organizational environment.
  13. Compliance Monitoring: It must monitor Compliance. Regularly monitor and ensure compliance with ISMS requirements, addressing any deviations promptly.

By actively promoting and overseeing the integration of ISMS requirements into organizational processes, top management helps create a culture where information security is an integral and natural part of how the organization operates. This proactive approach enhances the effectiveness of the ISMS and strengthens the overall security posture of the organization.

Top management must ensuring that the resources needed for the information security management system are available.

Ensuring the availability of resources is a critical responsibility for top management in the successful implementation and maintenance of an effective Information Security Management System (ISMS). Here are key considerations and actions that top management should take to fulfill this responsibility:

  1. Resource Assessment: The organization must conduct a Resource Assessment. Identify and assess the resources required for the implementation and maintenance of the ISMS. This includes financial resources, human resources, technology, and any other necessary assets.
  2. Budget Allocation: Allocate Sufficient Budget. Ensure that an adequate budget is allocated to support the implementation and ongoing operation of the ISMS. This budget should cover training, technology infrastructure, security tools, and other related expenses.
  3. Staffing and Skills: Ensure Adequate Staffing. Assess the staffing needs for the ISMS and ensure that there are sufficient personnel with the necessary skills and expertise to carry out information security functions.
  4. Training and Awareness: Invest in Training Programs. Allocate resources for training programs to enhance the skills and awareness of employees regarding information security. This includes training for IT staff, as well as general awareness programs for all employees.
  5. Technology Infrastructure: Invest in Technology. Provide the necessary resources for acquiring and maintaining technological infrastructure that supports information security measures. This includes hardware, software, and security tools.
  6. Third-Party Support: Consider External Support. If needed, consider outsourcing certain aspects of information security or obtaining external expertise to supplement in-house capabilities. Allocate resources for engaging external support, if necessary.
  7. Regular Review: Periodic Resource Review. Regularly review the resource allocation to ensure that it remains sufficient and effective in addressing the evolving needs of the ISMS.
  8. Emergency Response: Allocate Resources for Incident Response. Ensure that resources are allocated specifically for incident response activities, including investigation, mitigation, and recovery efforts in the event of a security incident.
  9. Compliance Monitoring: Allocate Resources for Compliance. Allocate resources to monitor and ensure compliance with relevant regulatory requirements, standards, and internal policies.
  10. Communication and Buy-In: Communicate Resource Needs. Clearly communicate to top management and other relevant stakeholders the resource needs of the ISMS, emphasizing the importance of these resources for the organization’s overall security posture.
  11. Continuous Improvement: Support Continuous Improvement. Encourage a culture of continuous improvement, where resources are continually assessed and adjusted to address emerging threats and changing business environments.
  12. Flexibility and Adaptability: Be Flexible and Adaptive. Recognize that resource needs may change over time, and be prepared to adapt resource allocations based on evolving risks and organizational requirements.

By ensuring the availability of resources for the ISMS, top management sets the foundation for a robust and sustainable information security program. This proactive approach helps in maintaining a strong security posture and effectively mitigating risks to the organization’s information assets.

Top management must communicate the importance of effective information security management and of conforming to the information security management system requirements. Ensuring that the Information Security Management System (ISMS) achieves its intended outcome is a critical responsibility for top management. This involves overseeing the implementation, monitoring, and continuous improvement of the ISMS to effectively protect information assets. Here are key actions and considerations for top management in this regard:

  1. Define Clear Objectives: Set Clear ISMS Objectives. Clearly define the objectives of the ISMS, ensuring they align with the organization’s overall business goals and risk management strategies.
  2. Leadership and Commitment: Demonstrate Leadership. Continuously demonstrate leadership and commitment to information security. This includes visibly supporting the ISMS and its objectives.
  3. Allocate Adequate Resources: Ensure Resource Availability. Provide the necessary resources, including budget, personnel, and technology, to support the effective implementation and maintenance of the ISMS.
  4. Establish Key Performance Indicators (KPIs): Define Performance Metrics. Establish measurable Key Performance Indicators (KPIs) that reflect the effectiveness of the ISMS in achieving its intended outcomes. This may include metrics related to risk reduction, incident response, and compliance.
  5. Regular Performance Evaluation: Conduct Regular Reviews. Periodically review the performance of the ISMS against established KPIs. This allows top management to assess the system’s effectiveness and identify areas for improvement.
  6. Monitoring and Measurement: Implement Monitoring Mechanisms. Put in place mechanisms for ongoing monitoring and measurement of key aspects of the ISMS, such as the effectiveness of security controls and incident response capabilities.
  7. Risk Management: Monitor and Manage Risks: Stay actively involved in the risk management process. Regularly assess and reassess risks to information assets, ensuring that the ISMS adapts to changing threat landscapes.
  8. Regular Audits and Assessments: Conduct Audits and Assessments. Arrange for regular internal and external audits to assess the compliance and effectiveness of the ISMS. Use the findings to drive improvement initiatives.
  9. Review Security Incidents: Analyze Security Incidents. In the event of security incidents, conduct thorough reviews to understand the root causes, assess the effectiveness of incident response measures, and implement corrective actions.
  10. Continuous Improvement: Promote a Culture of Improvement. Foster a culture of continuous improvement within the organization. Encourage feedback and actively seek opportunities to enhance the ISMS.
  11. Document Lessons Learned: Document lessons learned from incidents, audits, and reviews. Apply these lessons to refine processes and enhance the resilience of the ISMS.
  12. Communication and Reporting: Regularly communicate the performance of the ISMS to relevant stakeholders, including executives, board members, and employees. Transparency is crucial for accountability.
  13. Adapt to Organizational Changes: Ensure that the ISMS is adaptable to organizational changes, such as mergers, acquisitions, or changes in business strategies.
  14. Legal and Regulatory Compliance: Stay informed about changes in legal and regulatory requirements. Ensure that the ISMS remains in compliance with relevant standards and regulations.
  15. Employee Awareness: Promote Employee Awareness. Continuously promote awareness among employees regarding their roles and responsibilities in supporting the ISMS objectives.

By actively overseeing these aspects, top management plays a pivotal role in ensuring that the ISMS achieves its intended outcome of safeguarding information assets and mitigating risks. This ongoing commitment contributes to a resilient and effective information security posture within the organization.

Top management must ensure that the information security management system achieves its intended outcome.

Ensuring that the Information Security Management System (ISMS) achieves its intended outcome is a critical responsibility for top management. This involves overseeing the implementation, monitoring, and continuous improvement of the ISMS to effectively protect information assets. Here are key actions and considerations for top management in this regard:

  1. Define Clear Objectives:
    • Set Clear ISMS Objectives: Clearly define the objectives of the ISMS, ensuring they align with the organization’s overall business goals and risk management strategies.
  2. Leadership and Commitment:
    • Demonstrate Leadership: Continuously demonstrate leadership and commitment to information security. This includes visibly supporting the ISMS and its objectives.
  3. Allocate Adequate Resources:
    • Ensure Resource Availability: Provide the necessary resources, including budget, personnel, and technology, to support the effective implementation and maintenance of the ISMS.
  4. Establish Key Performance Indicators (KPIs):
    • Define Performance Metrics: Establish measurable Key Performance Indicators (KPIs) that reflect the effectiveness of the ISMS in achieving its intended outcomes. This may include metrics related to risk reduction, incident response, and compliance.
  5. Regular Performance Evaluation:
    • Conduct Regular Reviews: Periodically review the performance of the ISMS against established KPIs. This allows top management to assess the system’s effectiveness and identify areas for improvement.
  6. Monitoring and Measurement:
    • Implement Monitoring Mechanisms: Put in place mechanisms for ongoing monitoring and measurement of key aspects of the ISMS, such as the effectiveness of security controls and incident response capabilities.
  7. Risk Management:
    • Monitor and Manage Risks: Stay actively involved in the risk management process. Regularly assess and reassess risks to information assets, ensuring that the ISMS adapts to changing threat landscapes.
  8. Regular Audits and Assessments:
    • Conduct Audits and Assessments: Arrange for regular internal and external audits to assess the compliance and effectiveness of the ISMS. Use the findings to drive improvement initiatives.
  9. Review Security Incidents:
    • Analyze Security Incidents: In the event of security incidents, conduct thorough reviews to understand the root causes, assess the effectiveness of incident response measures, and implement corrective actions.
  10. Continuous Improvement:
    • Promote a Culture of Improvement: Foster a culture of continuous improvement within the organization. Encourage feedback and actively seek opportunities to enhance the ISMS.
  11. Document Lessons Learned:
    • Document and Apply Lessons Learned: Document lessons learned from incidents, audits, and reviews. Apply these lessons to refine processes and enhance the resilience of the ISMS.
  12. Communication and Reporting:
    • Communicate ISMS Performance: Regularly communicate the performance of the ISMS to relevant stakeholders, including executives, board members, and employees. Transparency is crucial for accountability.
  13. Adapt to Organizational Changes:
    • Ensure Adaptability: Ensure that the ISMS is adaptable to organizational changes, such as mergers, acquisitions, or changes in business strategies.
  14. Legal and Regulatory Compliance:
    • Monitor Compliance: Stay informed about changes in legal and regulatory requirements. Ensure that the ISMS remains in compliance with relevant standards and regulations.
  15. Employee Awareness:
    • Promote Employee Awareness: Continuously promote awareness among employees regarding their roles and responsibilities in supporting the ISMS objectives.

By actively overseeing these aspects, top management plays a pivotal role in ensuring that the ISMS achieves its intended outcome of safeguarding information assets and mitigating risks. This ongoing commitment contributes to a resilient and effective information security posture within the organization.

Top management must directing and supporting persons to contribute to the effectiveness of the information security management system

Top management plays a crucial role in directing and supporting individuals throughout the organization to contribute effectively to the Information Security Management System (ISMS). Here are key actions and considerations for top management in this regard:

  1. Clear Communication:
    • Articulate Expectations: Clearly communicate the importance of information security and the role each individual plays in supporting the ISMS. Emphasize the organization’s commitment to security.
  2. Establishing a Security Culture:
    • Promote a Security Culture: Foster a culture where information security is considered everyone’s responsibility. This involves creating awareness and instilling a sense of ownership regarding security practices.
  3. Training and Education:
    • Provide Training Programs: Offer regular training programs to enhance the knowledge and skills of employees in information security best practices. This includes awareness training and role-specific security education.
  4. Role-specific Guidance:
    • Provide Role-specific Guidance: Clearly define and communicate the information security responsibilities associated with each role within the organization. Tailor guidance to the specific needs of different departments.
  5. Support for Compliance:
    • Ensure Compliance Support: Provide the necessary support and resources to help individuals understand and comply with information security policies, standards, and procedures.
  6. Resource Allocation:
    • Allocate Adequate Resources: Ensure that individuals have access to the resources and tools needed to fulfill their information security responsibilities. This includes technology, training, and support.
  7. Leadership by Example:
    • Demonstrate Leadership: Top management should lead by example in adhering to information security practices. This helps set the tone for the entire organization and reinforces the importance of security.
  8. Encourage Reporting:
    • Promote Reporting of Security Concerns: Establish channels for employees to report security incidents, concerns, or potential vulnerabilities without fear of reprisal. Encourage a culture of openness and reporting.
  9. Regular Communication:
    • Maintain Open Communication Channels: Keep communication channels open to address questions, concerns, and feedback related to information security. This includes regular updates and town hall meetings.
  10. Recognition and Incentives:
    • Recognize Contributions: Acknowledge and recognize individuals who actively contribute to the effectiveness of the ISMS. Consider incorporating information security achievements into employee recognition programs.
  11. Performance Appraisals:
    • Include Security in Performance Appraisals: Integrate information security performance metrics into individual performance appraisals to emphasize the importance of security responsibilities.
  12. Feedback Mechanisms:
    • Encourage Two-way Feedback: Establish mechanisms for individuals to provide feedback on information security processes, policies, and their effectiveness. Use this feedback for continuous improvement.
  13. Empowerment and Autonomy:
    • Empower Employees: Empower individuals to take ownership of information security in their respective roles. Provide autonomy within established security frameworks.
  14. Regular Audits and Reviews:
    • Participate in Audits and Reviews: Participate in audits and reviews of information security processes to ensure that individuals are following established procedures and that the ISMS is effective.
  15. Continual Improvement:
    • Encourage Continuous Improvement: Encourage a mindset of continuous improvement in information security practices. Individuals should be proactive in identifying and addressing potential security enhancements.

By actively directing and supporting individuals in contributing to the effectiveness of the ISMS, top management helps create a collaborative and security-conscious environment. This approach is essential for building a resilient information security culture within the organization.

Top management must promoting continual improvement.

Promoting continual improvement is a fundamental aspect of effective leadership in any management system, including the Information Security Management System (ISMS). Here are key actions and considerations for top management to promote continual improvement in the context of information security:

  1. Establish a Culture of Continuous Improvement:
    • Promote a Mindset: Foster a culture where continuous improvement is not just encouraged but expected. Emphasize that improvement is an ongoing process, not a one-time initiative.
  2. Set Clear Objectives:
    • Define Improvement Objectives: Clearly define improvement objectives within the ISMS. These objectives should align with the organization’s overall goals and address emerging threats and vulnerabilities.
  3. Performance Monitoring:
    • Regularly Monitor Performance: Implement mechanisms to monitor the performance of the ISMS, including key performance indicators (KPIs). Regularly review these metrics to identify areas for improvement.
  4. Feedback Mechanisms:
    • Encourage Feedback: Establish channels for employees to provide feedback on information security processes, policies, and potential areas for improvement. Encourage an open and constructive feedback culture.
  5. Risk Management and Lessons Learned:
    • Integrate Lessons Learned: Incorporate lessons learned from security incidents, audits, and reviews into the improvement process. Analyze root causes and use insights to enhance security measures.
  6. Regular Audits and Assessments:
    • Conduct Regular Audits: Conduct internal and external audits to assess the effectiveness of the ISMS. Use audit findings to identify weaknesses and opportunities for improvement.
  7. Benchmarking:
    • Benchmark Against Best Practices: Compare the organization’s information security practices against industry best practices and standards. Identify areas where the organization can align itself with or surpass established benchmarks.
  8. Employee Involvement:
    • Involve Employees: Actively involve employees in the improvement process. Encourage them to contribute ideas and suggestions for enhancing information security practices in their respective areas.
  9. Training and Skill Development:
    • Invest in Training Programs: Allocate resources for ongoing training programs to enhance the skills and knowledge of employees in information security. Ensure that employees are well-equipped to address evolving security challenges.
  10. Regular Reviews by Top Management:
    • Periodic Reviews: Conduct periodic reviews of the ISMS at the top management level. Assess the overall effectiveness of security measures and make strategic decisions for continual improvement.
  11. Adaptability to Changing Threat Landscape:
    • Stay Adaptive: Recognize that the threat landscape is dynamic. Ensure that the ISMS is adaptive and responsive to emerging threats. Update security measures as needed to address new risks.
  12. Document and Communicate Improvements:
    • Document Changes: Keep detailed records of improvements made to the ISMS. Communicate these changes to relevant stakeholders to ensure transparency and awareness.
  13. Celebrate Achievements:
    • Acknowledge Success: Acknowledge and celebrate achievements related to information security improvements. Recognizing success boosts morale and reinforces the importance of continual improvement.
  14. Management Review Meetings:
    • Conduct Management Review Meetings: Hold regular management review meetings to discuss the performance of the ISMS, review improvement initiatives, and make strategic decisions to enhance information security.
  15. Commitment to Resources:
    • Allocate Resources for Improvement: Ensure that adequate resources, including budget and personnel, are allocated to support improvement initiatives identified within the ISMS.

By actively promoting continual improvement, top management contributes to the agility and resilience of the organization’s information security posture. This proactive approach helps the organization stay ahead of evolving threats and challenges in the dynamic field of information security.

Top management must supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility

Supporting other relevant management roles in demonstrating leadership is crucial for the overall effectiveness of an organization’s Information Security Management System (ISMS). Top management’s support can empower other leaders to take ownership of information security within their specific areas of responsibility. Here are key actions and considerations for top management to support and promote leadership in various management roles:

  1. Clearly Communicate Expectations:
    • Articulate Information Security Expectations: Clearly communicate to other management roles the expectations regarding information security within their areas of responsibility. Emphasize the importance of their leadership in promoting a secure environment.
  2. Provide Training and Awareness:
    • Offer Specialized Training: Provide specialized training and awareness programs tailored to the roles and responsibilities of different management functions. This ensures that leaders understand their unique contributions to information security.
  3. Define Information Security Roles:
    • Clearly Define Roles and Responsibilities: Clearly define the information security roles and responsibilities of each management position. This includes specifying how they contribute to the overall success of the ISMS.
  4. Resource Allocation:
    • Ensure Adequate Resources: Support other management roles by ensuring they have the necessary resources, including budget, personnel, and technology, to fulfill their information security responsibilities effectively.
  5. Set Information Security Objectives:
    • Collaboratively Set Objectives: Collaborate with other management roles to set specific information security objectives that align with the overall business goals and the ISMS. Encourage leaders to integrate these objectives into their strategic plans.
  6. Integrate Information Security into Processes:
    • Assist in Process Integration: Work with other management roles to integrate information security considerations into their specific business processes. This helps embed security practices into daily operations.
  7. Performance Metrics:
    • Establish Performance Metrics: Collaboratively establish key performance indicators (KPIs) for information security that align with the responsibilities of different management roles. Use these metrics to measure and improve performance.
  8. Regular Reviews and Audits:
    • Participate in Reviews: Actively participate in regular reviews and audits of information security practices within each department or functional area. Provide support in addressing findings and implementing corrective actions.
  9. Promote a Security Culture:
    • Encourage Leadership in Security Culture: Encourage leaders to foster a security-conscious culture within their teams. Promote behaviors that prioritize information security and embed it in the organizational culture.
  10. Recognition and Rewards:
    • Acknowledge Achievements: Recognize and acknowledge the achievements of leaders who demonstrate strong leadership in information security. Consider incorporating security-related goals into performance evaluations and recognition programs.
  11. Encourage Communication Channels:
    • Facilitate Open Communication: Create channels for open communication between top management and other management roles regarding information security matters. Encourage the reporting of concerns and the sharing of best practices.
  12. Continuous Improvement Initiatives:
    • Support Improvement Initiatives: Support other management roles in identifying and implementing continuous improvement initiatives related to information security. Provide guidance and resources for enhancing security measures.
  13. Share Best Practices:
    • Facilitate Knowledge Sharing: Encourage the sharing of information security best practices among different management roles. Foster a collaborative environment where leaders can learn from each other.
  14. Lead by Example:
    • Demonstrate Leadership: Model strong leadership in information security by consistently adhering to security practices and demonstrating a commitment to the organization’s information security objectives.
  15. Regular Coordination Meetings:
    • Hold Coordination Meetings: Conduct regular coordination meetings with leaders from different departments to discuss information security updates, challenges, and strategic initiatives.

By actively supporting and empowering other management roles, top management contributes to a holistic and organization-wide approach to information security. This collaborative effort enhances the overall resilience and effectiveness of the ISMS.

Reference to “business” can be interpreted broadly to mean those activities that are core to the purposes of the organization’s existence.

According to ISO/IEC 27001, the term “business” refers to the activities that an organization undertakes to achieve its intended outcomes. These activities can include a wide range of functions, operations, processes, and services that contribute to the organization’s objectives. The standard recognizes that organizations vary widely in their nature, size, structure, and objectives, and, therefore, the interpretation of “business” is flexible. By interpreting “business” broadly, the ISMS standard acknowledges that the scope of information security management should cover all aspects of an organization’s operations that are essential to its existence and objectives. This includes, but is not limited to:

  1. Core Business Processes: The primary functions or operations that directly contribute to the organization’s products or services.
  2. Supporting Functions: Activities that support and enable the core business processes, such as human resources, finance, IT services, and administration.
  3. Strategic Initiatives: Projects or initiatives that are critical to the organization’s strategic goals and objectives.
  4. Stakeholder Interactions: Interactions with customers, partners, suppliers, and other stakeholders that are integral to the organization’s success.
  5. Legal and Regulatory Compliance: Activities related to compliance with laws, regulations, and contractual obligations that impact the organization’s operations.
  6. Risk Management: Processes for identifying, assessing, and managing risks that could affect the achievement of organizational objectives.

By taking a broad view of “business” in the context of the ISMS, organizations can ensure that their information security efforts are comprehensive and aligned with the entirety of their operations. This approach helps in identifying and mitigating risks across all aspects of the organization, contributing to a more robust and effective information security posture.

Documents required:

  1. Information Security Policy : A documented information that establishes the framework for the ISMS and sets out the organization’s approach to information security.
  2. Scope of the ISMS: A documented statement that defines the scope of the ISMS, outlining the boundaries and applicability of the system.
  3. Information Security Risk Assessment and Treatment Process: A documented procedure or set of documents that describe how the organization conducts risk assessments, assesses risks, and defines risk treatment plans.
  4. Statement of Applicability: A documented information that identifies the controls selected and applied, and the justification for their inclusion based on the risk assessment.
  5. Information Security Objectives: Documented information that specifies the organization’s information security objectives, including details on how they will be achieved.
  6. Roles, Responsibilities, and Authorities: Documents defining the roles, responsibilities, and authorities related to information security, including those of top management and other relevant roles.
  7. Communication Plan: A documented information that outlines the communication processes and responsibilities for internal and external communications related to the ISMS.
  8. Documentation Control Procedure: A documented procedure specifying how documents are approved, reviewed, updated, and made available.

Records required:

  1. Records of Management Reviews : Records of management reviews, including minutes of meetings, decisions, and actions related to the performance and effectiveness of the ISMS.
  2. Records of Training, Awareness, and Competence : Records demonstrating that employees are aware of their information security responsibilities and have received appropriate training.
  3. Records of Risk Assessments and Treatment Plans : Records of risk assessments, including the identification of risks, assessment of their impact and likelihood, and the development of treatment plans.
  4. Records of Security Incidents :Records documenting information security incidents, including their nature, impact, and corrective actions taken.
  5. Records of Corrective Actions :Records documenting corrective actions taken in response to incidents, non conformities, or the results of audits and reviews.
  6. Records of Monitoring and Measurement Results :Records of monitoring and measurement activities related to information security performance, including the results of internal audits and evaluations.
  7. Records of External Communications :Records of external communications related to information security, including communications with interested parties.

ISO 27001:2022 Clause 4.4 Information security management system


The organization shall establish, implement, maintain and continually improve an information security management system, including the processes needed and their interactions, in accordance with the requirements of this document.

Establishing an Information Security Management System (ISMS) involves a systematic and structured approach to ensure the confidentiality, integrity, and availability of an organization’s information assets. Below are the key steps to guide an organization in establishing an ISMS:

1. Leadership and Commitment:

  • Appoint a Management Representative: Designate an individual or team responsible for coordinating the development and implementation of the ISMS.
  • Top Management Commitment: Gain commitment from top management to support and actively participate in the establishment of the ISMS.

2. Define the Scope:

  • Identify Organizational Boundaries: Determine the organizational units, functions, and processes that will be included within the scope of the ISMS.
  • Consider External and Internal Context: Analyze external and internal issues, interested parties, and interfaces with other organizations to define the ISMS scope comprehensively.

3. Perform a Risk Assessment:

  • Identify Information Assets: Identify and classify information assets based on their value and importance to the organization.
  • Identify Threats and Vulnerabilities: Conduct a risk assessment to identify potential threats and vulnerabilities that could impact information assets.
  • Assess Risks: Assess the likelihood and impact of identified risks to prioritize and focus on significant risks.

4. Define Information Security Objectives:

  • Align with Business Objectives: Define information security objectives that align with the organization’s overall business objectives.
  • Establish Measurable Targets: Set measurable targets for achieving information security objectives. Ensure that targets are specific, measurable, achievable, relevant, and time-bound (SMART).

5. Implement Information Security Controls:

  • Select Controls: Identify and select appropriate information security controls based on the risk assessment and organizational objectives.
  • Documentation and Procedures: Develop documentation and procedures to implement the selected controls effectively.
  • Training and Awareness: Provide training and awareness programs to ensure that employees understand their roles and responsibilities in maintaining information security.

6. Documentation and Records:

  • ISMS Documentation: Develop documented information that outlines the ISMS scope, policies, procedures, and risk assessment outcomes.
  • Records Management: Establish a system for creating, maintaining, and retaining records related to information security.

7. Monitoring and Measurement:

  • Performance Monitoring: Implement processes to monitor and measure the performance of information security controls and the effectiveness of the ISMS.
  • Incident Response: Establish an incident response plan to address and mitigate the impact of security incidents.

8. Internal Audits:

  • Conduct Internal Audits: Periodically conduct internal audits to assess the compliance and effectiveness of the ISMS.
  • Corrective Actions: Implement corrective actions to address non-conformities identified during internal audits.

9. Management Review:

  • Regular Management Reviews: Hold regular management reviews to assess the performance of the ISMS, evaluate the results of internal audits, and identify opportunities for improvement.

10. Continual Improvement:

  • Learn from Incidents: Use lessons learned from security incidents, internal audits, and management reviews to drive continual improvement.
  • Update the ISMS: Periodically review and update the ISMS documentation to ensure its ongoing relevance and effectiveness.

11. Training and Communication:

  • Educate Employees: Conduct training sessions and awareness programs to educate employees about information security policies and practices.
  • Communication: Establish effective communication channels to keep stakeholders informed about the ISMS and its objectives.

Establishing an Information Security Management System (ISMS) involves the implementation of various processes, each contributing to the overall effectiveness of information security within the organization. The processes are often organized within the framework of the Plan-Do-Check-Act (PDCA) cycle. Below are key processes and their interactions needed for the establishment and operation of an ISMS:

1. Plan:

  • Establish the ISMS: Define the scope, policy, and objectives of the ISMS.
  • Conduct Risk Assessment:Identify and assess risks to information assets.
  • Define Controls: Select and implement controls to mitigate identified risks.
  • Develop Documentation: Create documented information such as policies, procedures, and risk assessment reports.
  • Training and Awareness: Provide training to employees to ensure they are aware of information security policies and procedures.

2. Do:

  • Implement Controls: Put in place the selected information security controls.
  • Documentation Management: Establish a system for managing and maintaining documentation related to the ISMS.
  • Training Implementation: Implement training programs to enhance the skills and awareness of employees.
  • Incident Response: Develop and implement an incident response plan to address and mitigate security incidents.
  • Communication: Establish effective communication channels for disseminating information related to the ISMS.

3. Check:

  • Monitor and Measure: Monitor and measure the performance of information security controls.
  • Internal Audits: Conduct internal audits to assess compliance and effectiveness.
  • Review Documentation: Regularly review and update documented information to reflect changes in the organization’s context.
  • Performance Evaluation: Evaluate the performance of the ISMS against established objectives and targets.

4. Act:

  • Management Review: Hold regular management reviews to assess the overall performance of the ISMS.
  • Corrective Actions: Implement corrective actions to address non-conformities and improve the ISMS.
  • Continuous Improvement: Identify opportunities for continual improvement and make necessary adjustments to enhance the ISMS.

Interactions:

  • Risk Management and Controls: The risk assessment process informs the selection and implementation of controls to mitigate identified risks.
  • Documentation and Training: Documented information guides training programs, ensuring that employees are aware of and understand relevant information security policies and procedures.
  • Incident Response and Communication: Effective communication channels are critical during incident response to ensure timely and accurate information dissemination.
  • Internal Audits and Corrective Actions: Findings from internal audits may lead to corrective actions, contributing to the continual improvement of the ISMS.
  • Management Review and Continuous Improvement: The management review process identifies areas for improvement, driving ongoing enhancements to the ISMS.
  • Monitoring and Performance Evaluation: Ongoing monitoring and performance evaluation provide data for management reviews and continuous improvement initiatives.

By integrating these processes within the PDCA cycle and ensuring their effective interactions, organizations can establish a robust and continually improving ISMS that meets the requirements of ISO/IEC 27001. The key is to maintain a cycle of planning, implementing, monitoring, and improving to adapt to changes in the organization’s context and evolving information security risks. secret to the success of maintaining your information security management system to meet clause 4.4 is having the commitment to information security from senior management, whilst also having the technology to make its administration and management a lot easier for everyone involved; information security officers, senior management, staff, suppliers and the auditors themselves. External auditors will want to see the spirit of ISO 27001 being demonstrated and that starts with the senior management and their commitment to the technology being used to coordinate, control and demonstrate everything else works as expected.

Implement Information security management system

Clause 4.4, focuses on the “Information Security Management System (ISMS) and its scope.” This clause outlines the requirements related to establishing and maintaining the scope of the ISMS. The specific documents and records required for this clause include:

Documents:

  1. ISMS Scope Statement: Document that defines the boundaries, applicability, and limitations of the ISMS.
  2. Scope Exclusions (if any): If certain aspects are excluded from the scope, document the reasons and justifications for these exclusions.
  3. External and Internal Issues Documentation: Records that detail the organization’s analysis of external and internal issues relevant to the ISMS.
  4. Interested Parties and Their Requirements: Documentation listing interested parties relevant to the ISMS and their associated requirements.

Records:

  1. Scope Documentation Review Records: Records of reviews conducted to ensure the continued suitability, adequacy, and effectiveness of the ISMS scope.
  2. Scope Changes Records: Records of any changes made to the ISMS scope and the reasons for those changes.
  3. Communication Records: Records of communications related to the establishment, review, and changes to the ISMS scope.
  4. Documented Information Control Records: Records demonstrating the control of documented information, ensuring its availability and protection.
  5. Record of Scope Exclusions Authorization: If exclusions are made from the ISMS scope, document the authorization process, including the reasons and approvals.
  6. Records of Analysis of External and Internal Issues: Records detailing the analysis of external and internal issues, including how they might affect the ISMS.
  7. Interested Parties and Requirements Analysis Records: Records outlining the analysis of interested parties and their relevant requirements.
  8. Management Review Records: Records of management reviews related to the ISMS scope, including decisions and actions.
  9. Results of Risk Assessment: Records of risk assessments conducted to identify potential threats and vulnerabilities relevant to the ISMS scope.
  10. Results of Legal and Regulatory Compliance Assessments: Records of assessments verifying compliance with legal and regulatory requirements relevant to the ISMS scope.

ISO 27001:2022 Clause 4.3 Determining the scope of the information security management system


The organization shall determine the boundaries and applicability of the information security
management system to establish its scope.
When determining this scope, the organization shall consider:
a] the external and internal issues referred to in 4.1;
h] the requirements referred to in 4.2;
c) interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations.
The scope shall be available as documented information.

The organization shall determine the boundaries and applicability of the information security
management system to establish its scope.

Determining the boundaries and applicability of the Information Security Management System (ISMS) is a crucial step in establishing its scope. The scope defines the extent and limits of the ISMS and outlines what information, assets, and processes are covered by the system. Here are key steps to determine the boundaries and applicability of the ISMS:

  1. Define Organizational Boundaries: Clearly identify and define the organizational units, departments, and locations that will be included in the scope of the ISMS. Consider the entire organization, including remote offices, subsidiaries, and third-party relationships.
  2. Identify Assets: Identify and catalog the information assets within the organizational boundaries. This includes data, systems, networks, applications, and any other assets that are critical to the organization’s information security.
  3. Consider Outsourced Processes: If the organization relies on third-party services or outsourced processes that involve information processing, include these in the scope. This could encompass cloud services, IT outsourcing, or other external providers.
  4. Define Information Security Objectives: Establish clear information security objectives and goals for the organization. These objectives will help determine what aspects of the organization’s operations need to be included in the scope of the ISMS.
  5. Consider Legal and Regulatory Requirements: Identify and understand the legal and regulatory requirements applicable to the organization. The scope of the ISMS should encompass areas that are subject to these requirements, ensuring compliance.
  6. Involve Relevant Stakeholders: Engage with key stakeholders, including management, employees, and external partners, to gather input on what areas should be covered by the ISMS. Consider their perspectives and concerns when defining the scope.
  7. Review Business Processes: Examine the organization’s business processes and workflows to determine where information is created, processed, transmitted, and stored. Include these processes in the scope of the ISMS.
  8. Assess Risk: Conduct a risk assessment to identify and analyze potential risks to the organization’s information assets. This assessment will help determine which areas are critical and should be within the scope of the ISMS.
  9. Consider Future Growth and Changes: Anticipate future changes, expansions, or contractions in the organization. Ensure that the scope of the ISMS is flexible enough to accommodate these changes and can adapt to evolving business needs.
  10. Document the Scope: Clearly document the scope of the ISMS, detailing the organizational boundaries, assets included, and the rationale for these decisions. This documentation is essential for communication and for maintaining clarity over time.
  11. Communicate the Scope: Clearly communicate the established scope to all relevant stakeholders, including employees, management, and external partners. Ensure that everyone is aware of what is covered by the ISMS and what is not.
  12. Regularly Review and Update: Establish a process for regularly reviewing and updating the scope of the ISMS. This ensures that changes in the organization’s environment are reflected in the scope, and the ISMS remains effective.

By following these steps, an organization can establish a well-defined and appropriately scoped ISMS that aligns with its business objectives, legal obligations, and information security goals. The clarity provided by a well-defined scope contributes to the effectiveness of the ISMS in protecting critical information assets.

How to set the scope of the ISMS

Setting the scope of the Information Security Management System (ISMS) is a critical step in ensuring that the organization’s information security efforts are focused and effective. The in-scope activity will be much more logical to consider once you have completed the work for 4.1 and 4.2. You’ll probably consider the organisation, subsidiaries, divisions, departments, products, services, physical locations, mobile workers, geographies, systems and processes for your scope as the information assurance and risk assessment work will be following those parts of your organisation that need to be protected. Remember to also think about what the powerful stakeholder interested parties will expect too. If you did look at leaving any part of the organisation out of scope, what would the impact be for those powerful interested parties? Would you also have to run multiple systems and end up confusing staff about what was in and out of scope in the way they worked? What parts of the business need to create, access or process the information assets you see as valuable? These would almost certainly need to be in scope if the pressures were driven externally by customers for satisfying their information assurance needs. For example, you might focus on your product development and delivery but would still have to look at the people, processes etc around it too. Also think about what you can and can’t control or influence. It could be minutes of effort to get this work done or might take considerably longer in a larger enterprise where it can be politically and practically challenging to determine a controllable scope. ISO certification bodies like UKAS are pushing more towards ‘whole organisation’ scope too and powerful customers will generally expect that as well. Here’s a step-by-step guide on how to set the scope of the ISMS:

  1. Define Organizational Boundaries: Clearly identify the organizational units, departments, and locations that will be included in the ISMS. This could include all business units, subsidiaries, remote offices, and any other entities that handle or have access to sensitive information.
  2. Identify Information Assets: Catalog and identify the information assets within the defined organizational boundaries. This includes data, systems, networks, applications, and any other assets that are critical to the organization’s operations.
  3. Consider External Relationships: Take into account external relationships and third-party connections that involve the processing or sharing of information. Include these relationships in the scope if they have a direct impact on the organization’s information security.
  4. Understand Legal and Regulatory Requirements: Identify and understand the legal and regulatory requirements applicable to the organization. Ensure that the scope of the ISMS encompasses areas subject to these requirements to achieve compliance.
  5. Define Information Security Objectives: Establish clear information security objectives for the organization. These objectives should align with the organization’s overall goals and help guide the determination of the scope.
  6. Conduct a Risk Assessment: Perform a thorough risk assessment to identify and analyze potential risks to the organization’s information assets. Assess the criticality of different assets and processes to help prioritize them in the ISMS scope.
  7. Involve Key Stakeholders: Engage with relevant stakeholders, including senior management, department heads, IT staff, legal, and compliance teams. Gather input on what aspects of the organization’s operations should be included in the ISMS scope.
  8. Review Business Processes: Examine the organization’s business processes to understand how information is created, processed, transmitted, and stored. Include these processes in the scope to ensure comprehensive coverage.
  9. Consider Scope Limitations: Clearly define any limitations or exclusions to the scope of the ISMS. This might include specifying certain business units or processes that are intentionally excluded due to unique circumstances or specific business reasons.
  10. Document the Scope Statement: Develop a comprehensive scope statement that clearly outlines the organizational boundaries, information assets included, and any limitations. The scope statement should be documented and easily accessible for reference.
  11. Communicate the Scope: Clearly communicate the established scope to all relevant stakeholders. This includes employees, management, external partners, and any other parties affected by the ISMS. Ensure everyone understands what is covered and what is not.
  12. Regularly Review and Update: Establish a process for regularly reviewing and updating the ISMS scope. Changes in the organization’s structure, business processes, or external relationships may necessitate adjustments to the scope to maintain relevance.
  13. Align with Business Objectives: Ensure that the scope aligns with the overall business objectives of the organization. The ISMS should support the organization’s mission and goals while effectively managing information security risks.
  14. Seek Management Approval: Obtain formal approval from senior management for the defined scope. This ensures that the leadership is aware of and supports the boundaries and objectives of the ISMS.

By following these steps, an organization can establish a well-defined and appropriate scope for its ISMS. A clearly defined scope is essential for focusing efforts, allocating resources effectively, and ensuring that the ISMS addresses the most critical aspects of information security within the organization. Let’s walk through an example of setting up the scope for an Information Security Management System (ISMS). In this scenario, let’s consider a fictional company, XYZ Corporation, that provides online retail services. The goal is to establish a well-defined scope for their ISMS:

  1. Define Organizational Boundaries: XYZ Corporation operates globally and has multiple departments, including IT, sales, customer service, and logistics. The ISMS will cover all departments and locations where sensitive information is processed.
  2. Identify Information Assets:
    • Customer databases
    • Financial systems
    • E-commerce platforms
    • Employee records
    • Intellectual property databases
  3. Consider External Relationships: XYZ Corporation relies on a third-party cloud service for hosting its e-commerce platform. The ISMS will cover the interactions and information flows with this external service provider
  4. Understand Legal and Regulatory Requirements: XYZ Corporation is subject to data protection laws in the countries where it operates. The ISMS will cover compliance with these laws, including GDPR for European customers and local data protection regulations.
  5. Define Information Security Objectives:
    • Protect customer data from unauthorized access.
    • Ensure the availability and integrity of the e-commerce platform.
    • Comply with relevant data protection regulations.
    • Safeguard intellectual property and trade secrets.
  6. Conduct a Risk Assessment: Identify and assess risks associated with data breaches, system downtime, and regulatory non-compliance. Prioritize risks to determine the focus areas of the ISMS.
  7. Involve Key Stakeholders: Engage with IT, legal, compliance, and department heads to gather input on critical areas for information security. Consider feedback from senior management and employees.
  8. Review Business Processes: Examine how information is handled throughout the organization, from customer order processing to shipping. Include all processes that involve the creation, processing, and storage of sensitive information.
  9. Document Limitations: Specify that personal devices used by employees for work purposes are out of scope for the ISMS. This limitation is due to challenges in controlling the security of personal devices.
  10. Include Legal or Regulatory References:Reference relevant data protection laws in the scope documentation to emphasize the commitment to compliance.
  11. Communicate with Stakeholders:Clearly communicate the ISMS scope to all employees, especially those involved in handling sensitive information. Ensure that external partners are aware of the scope’s limitations.
  12. Document in the Scope Statement:Include a dedicated section in the ISMS documentation that clearly outlines the scope. Document what is included, what is excluded, and the rationale behind these decisions.
  13. Update and Review:Establish a regular review process to ensure that the ISMS scope remains aligned with the organization’s evolving business environment and any changes in legal or regulatory requirements.
  14. Obtain Management Approval: Seek formal approval from senior management for the established ISMS scope. This ensures that leadership endorses the boundaries and objectives of the ISMS.
  15. Educate ISMS Users: Provide training to employees regarding the ISMS scope, especially those who handle sensitive information. Ensure that they understand their roles in maintaining the security of the included areas.

ISMS Scope Statement for XXX Solutions:

1. Organizational Boundaries: The ISMS covers all departments and business units within XXX Solutions, including software development, IT infrastructure, human resources, and administration.

2. Information Assets Included:

  • The following information assets are included in the scope:
    • Client data, including project details and sensitive information shared by clients.
    • Employee records, including personal information and HR-related data.
    • Intellectual property, source code, and proprietary software developed by XXX Solutions.
    • Financial data related to invoicing and transactions.

3. External Relationships: The ISMS includes interactions with external service providers and cloud platforms that are involved in software development, hosting, and other relevant processes.

4. Legal and Regulatory Requirements: The scope encompasses compliance with data protection laws, intellectual property regulations, and any other legal requirements applicable to the software development industry in the regions where XXX Solutions operates.

5. Information Security Objectives:

  • The ISMS aims to achieve the following key objectives:
    • Protect client confidentiality and ensure the secure handling of client data.
    • Safeguard intellectual property and prevent unauthorized access to source code.
    • Ensure the availability and integrity of IT systems to prevent service disruptions.
    • Comply with data protection laws and regulations.

6. Risk Assessment: The ISMS focuses on addressing risks associated with data breaches, unauthorized access, system vulnerabilities, and compliance failures. Risks are assessed regularly to inform security measures.

7. Stakeholder Involvement: Key stakeholders, including senior management, IT professionals, legal and compliance teams, and client representatives, are consulted to ensure that their concerns and requirements are considered in defining the scope.

8. Business Processes: All business processes involving the creation, processing, and storage of sensitive information are included. This covers software development, project management, client communications, and administrative processes.

9. Documented Limitations: Personal devices used by employees for work purposes are considered out of scope due to challenges in controlling the security of personal devices. This limitation is documented to provide transparency.

10. Legal and Regulatory References: References to data protection laws and industry-specific regulations are included in the scope documentation to emphasize the commitment to compliance.

11. Communication with Stakeholders: The defined scope is communicated to all employees through training sessions and documentation. Clients are informed about the security measures in place to protect their information.

12. Scope Documentation: The ISMS documentation includes a dedicated section detailing the scope, explicitly listing what is covered and providing a rationale for any exclusions.

13. Regular Review and Update: A periodic review process is established to ensure the ongoing relevance of the scope. Changes in business operations, legal requirements, or technology are considered during these reviews.

14. Management Approval: Formal approval is sought from senior management to endorse and support the defined ISMS scope.

15. Employee Education: Employees are educated about their roles and responsibilities within the ISMS scope. Training programs emphasize the importance of information security in their daily activities.

This example demonstrates a systematic approach to setting up the scope for an ISMS. By following these steps, XYZ Corporation can establish a clear and well-defined scope that aligns with its business objectives and effectively manages information security risks.

How to document ‘out-of-scope’

Documenting the ‘out-of-scope’ elements is a crucial aspect of clearly defining the boundaries of your Information Security Management System (ISMS). This documentation helps communicate what is intentionally excluded from the scope and ensures transparency about the areas or processes that are not covered by the ISMS. Establish clear criteria for determining what falls outside the scope of the ISMS. This could include specific business units, processes, information assets, or locations. Create a list of the specific items or areas that are considered ‘out-of-scope.’ Be explicit about what is excluded and provide a brief explanation for each item. Clearly articulate the rationale for excluding each item from the ISMS scope. This could be due to low risk, business-specific reasons, or the nature of certain processes that are managed separately. Specify any limitations associated with the out-of-scope items. This could include constraints on resources, technology, or other factors that influence the decision to exclude certain elements.If applicable, reference any legal or regulatory requirements that explicitly exclude certain elements from the scope. Ensure that the organization remains compliant with relevant laws and regulations. Clearly communicate the decision to exclude specific elements from the ISMS to relevant stakeholders, including management, employees, and external partners. Transparency is crucial for understanding and acceptance. Include the details of ‘out-of-scope’ items in the official scope statement of the ISMS documentation. This could be a separate section clearly indicating what is not covered. Regularly review and update the documentation on ‘out-of-scope’ items. Changes in business processes, organizational structure, or regulatory landscape may require adjustments to the scope. Ensure that the decision to exclude certain elements aligns with the results of risk assessments. If an item is excluded due to low risk, ensure that the risk assessment supports this decision. Anticipate potential changes in the organization’s environment that may impact the ‘out-of-scope’ items. Ensure that the scope remains relevant and can adapt to evolving business needs. Seek formal approval from senior management for the documented ‘out-of-scope’ items. This helps ensure that key decision-makers are aware of and endorse the limitations. Provide training and education to individuals involved in the implementation and operation of the ISMS. Ensure they understand the implications of ‘out-of-scope’ elements on their responsibilities. You should also carefully note the ‘out of scope’ areas for the ISMS too, wrapped up alongside the key interfaces and dependencies between activities performed by the organisation and those that are performed by other organisations. At a simplistic level, let’s imagine you are a software developer and rely on outsourcing of the datacentre for hosting of the service to customers. You’d probably clarify that the scope for your 4.3 is that within your organisation for the people and the software itself, but would put the boundaries and activities of the data centre out of your controlled scope – after all you would expect them to also maintain their own trusted ISMS. It is the same for physical property – if there is a reliance on a landlord for certain work (e.g. loading, barriers and reception control) that might form a boundary where the physical location security itself is out of scope for your control and you’d work your ISMS activity within that property.

When determining this scope, the organization shall consider the external and internal issues related to Information security management system

when determining the scope of an Information Security Management System (ISMS), it’s essential for the organization to consider both external and internal issues. This process is part of the broader context analysis that helps shape the boundaries of the ISMS and ensures that it aligns with the organization’s goals and context. Here’s a breakdown of how external and internal issues are considered:

External Issues:

  1. Legal and Regulatory Environment: Identify and understand the legal and regulatory requirements relevant to information security. This includes data protection laws, industry-specific regulations, and any other legal obligations related to the handling of sensitive information.
  2. Industry Standards and Best Practices: Consider industry-specific standards and best practices related to information security. This could include ISO/IEC 27001, NIST Cybersecurity Framework, or other relevant standards that provide guidance on effective security measures.
  3. Market and Customer Expectations: Analyze market trends and customer expectations regarding information security. Consider the specific security requirements outlined by clients, partners, and stakeholders to meet market demands and enhance trust.
  4. Technological Landscape: Stay informed about advancements and changes in technology that may impact information security. This includes emerging threats, new vulnerabilities, and technologies that could enhance or pose risks to the organization’s security posture.
  5. Competitive Landscape: Understand how competitors approach information security. This analysis can provide insights into industry benchmarks and help the organization set its information security practices in line with or ahead of industry standards.
  6. Global and Geopolitical Factors: Consider global and geopolitical factors that may influence information security. This could include geopolitical tensions, international cyber threats, and other factors that may have implications for the organization’s security.

Internal Issues:

  1. Organizational Objectives and Strategy: Align the scope of the ISMS with the overall objectives and strategic goals of the organization. Ensure that information security measures support and contribute to the achievement of broader organizational aims.
  2. Business Processes: Understand how information is used, processed, and shared across different business processes within the organization. Identify critical processes and ensure they are included in the scope of the ISMS.
  3. Information Assets: Catalog and assess the organization’s information assets. This includes data, systems, applications, intellectual property, and any other assets that are crucial to the organization’s operations.
  4. Organizational Structure: Consider the organizational structure, including departments, business units, and geographical locations. Determine which parts of the organization will fall within the scope of the ISMS.
  5. Risk Appetite and Tolerance: Define the organization’s risk appetite and tolerance for information security. This helps in prioritizing security measures and determining the level of risk the organization is willing to accept.
  6. Existing Controls and Security Measures: Evaluate the effectiveness of existing controls and security measures. Identify areas where improvements or additional measures are needed to strengthen the organization’s security posture.
  7. Employee Awareness and Competence: Assess the level of awareness and competence of employees regarding information security. This may influence the scope by highlighting areas that require additional training or awareness programs.
  8. Third-Party Relationships: Consider the organization’s relationships with third parties, such as suppliers and partners. Assess the impact of these relationships on information security and include relevant aspects in the ISMS scope.

Integration of External and Internal Issues:

  • Stakeholder Input: Gather input from key stakeholders, including management, employees, and external partners. Stakeholder perspectives help ensure that the ISMS scope is comprehensive and addresses the concerns of all relevant parties.
  • Context Analysis: Conduct a thorough analysis of the external and internal issues to create a context for information security. This analysis provides the foundation for determining the scope and setting objectives within the ISMS.
  • Documentation: Document the findings from the analysis of external and internal issues. This documentation will serve as a reference point for decision-making, scope definition, and ongoing management of the ISMS.

By considering both external and internal issues, organizations can establish an ISMS scope that is well-aligned with their context, strategic goals, and the expectations of stakeholders. This holistic approach helps organizations build a robust and contextually relevant information security framework.

When determining this scope, the organization shall consider the requirements of interested parties relevant to Information security management system.

Considering the requirements of interested parties is a crucial aspect when determining the scope of an Information Security Management System (ISMS). Interested parties are individuals or organizations that can affect, be affected by, or perceive themselves to be affected by a decision or activity related to the ISMS. These parties may have specific requirements and expectations concerning information security. Here’s a breakdown of how to consider the requirements of interested parties in determining the ISMS scope:

Identify Interested Parties:

  1. Internal Parties:
    • Employees: Consider the expectations and requirements of employees regarding the protection of their personal information and the security of the systems they use.
    • Management: Understand the strategic objectives and expectations of the management regarding information security.
    • IT Department: Identify the technical requirements and expectations of the IT department in terms of network security, system integrity, and data protection.
  2. External Parties:
    • Customers: Identify the expectations of customers regarding the confidentiality, integrity, and availability of their data.
    • Regulatory Authorities: Consider the legal and regulatory requirements imposed by governmental or industry regulatory bodies.
    • Business Partners: Understand the contractual obligations and security expectations of business partners, suppliers, and other external stakeholders.
    • Industry Associations: If applicable, consider any standards or guidelines set by industry associations relevant to information security.

Assess Requirements of Interested Parties:

  1. Legal and Regulatory Requirements: Identify and understand the legal and regulatory requirements imposed by relevant authorities. This may include data protection laws, industry-specific regulations, and other compliance obligations.
  2. Contractual Obligations: Review contracts, agreements, and service level agreements (SLAs) with customers and business partners. Identify any specific information security requirements outlined in these agreements.
  3. Customer Expectations: Engage with customers through surveys, feedback sessions, or direct communication to understand their expectations regarding the security of their data and services.
  4. Internal Stakeholder Expectations: Interview or survey internal stakeholders, including employees and management, to gather their expectations and requirements for information security within the organization.
  5. Regulatory Bodies: Stay informed about any changes in laws and regulations related to information security. Regularly monitor updates from regulatory bodies that may impact the organization.

Integration into ISMS Scope:

  1. Prioritize Requirements: Prioritize the identified requirements based on their significance and impact on the organization. Focus on requirements that align with the organization’s strategic objectives and overall risk management approach.
  2. Risk Assessment: Incorporate the requirements into the risk assessment process. Assess the risks associated with non-compliance with the identified requirements to prioritize actions and controls within the ISMS.
  3. Document Requirements: Clearly document the requirements of interested parties in the documentation of the ISMS. This documentation serves as a reference point for decision-making and continuous improvement.
  4. Communication: Communicate the ISMS scope and the organization’s commitment to meeting the requirements of interested parties to internal and external stakeholders. Transparency builds trust and confidence.
  5. Stakeholder Engagement: Engage with interested parties throughout the process. Regularly review and update the ISMS scope to ensure that it continues to meet the expectations of stakeholders.

By systematically identifying, assessing, and integrating the requirements of interested parties into the ISMS scope, organizations can establish a comprehensive and effective information security framework. This approach helps in building trust, ensuring compliance, and aligning the ISMS with the expectations of relevant stakeholders.

When determining this scope, the organization shall consider the interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations

Considering interfaces and dependencies with other organizations is a critical aspect when determining the scope of an Information Security Management System (ISMS). This involves understanding how activities performed by the organization interact with those carried out by external entities, such as suppliers, partners, or service providers. Addressing these interfaces and dependencies ensures a comprehensive and effective approach to information security. Here are steps to consider:

Identify External Interfaces and Dependencies:

  1. Suppliers and Service Providers: Identify external entities, including suppliers and service providers, that interact with your organization’s information assets or processes. This may involve IT service providers, cloud services, and other third-party vendors.
  2. Business Partners and Customers: Consider how your organization interacts with business partners and customers. This could include data exchanges, collaborative projects, or any shared information systems.
  3. Governmental or Regulatory Bodies: Recognize any interactions and dependencies related to regulatory compliance. Understand reporting requirements, audit processes, and any external assessments that may impact information security.
  4. Industry Standards and Frameworks: Consider interfaces related to industry standards, frameworks, or certifications. This could involve alignment with ISO/IEC 27001, NIST Cybersecurity Framework, or other relevant standards.

Assess Information Security Implications:

  1. Data Flows: Map the flow of information between your organization and external entities. Understand the types of data exchanged, the frequency of exchanges, and the criticality of the information.
  2. Security Controls: Evaluate the security controls implemented by external entities. Ensure that these controls align with the security objectives of your organization and provide adequate protection for shared information.
  3. Contractual Agreements: Review contractual agreements with external entities to identify information security obligations and responsibilities. Ensure that expectations for security measures are clearly defined.
  4. Risk Assessment: Assess the risks associated with external interfaces and dependencies. Consider potential threats, vulnerabilities, and the impact on information security if these interfaces are not properly managed.

Integration into ISMS Scope:

  1. Include External Interfaces in Scope: Clearly define the external interfaces and dependencies that are considered in scope for the ISMS. This includes activities, systems, and information flows that involve external parties.
  2. Security Objectives for Interfaces: Establish security objectives specifically addressing the interfaces and dependencies with external organizations. Ensure that these objectives align with the overall goals of the ISMS.
  3. Collaborate on Security Measures: Collaborate with external entities to establish mutually agreed-upon security measures. This could involve joint risk assessments, sharing of best practices, and implementing controls that benefit both parties.
  4. Communication and Awareness: Communicate the ISMS scope and security measures to relevant external entities. Ensure that both organizations are aware of their roles and responsibilities in maintaining information security.
  5. Monitoring and Review: Implement monitoring mechanisms to continuously assess the effectiveness of security controls related to external interfaces. Regularly review the security posture of external entities to ensure ongoing compliance.
  6. Incident Response Planning: Develop incident response plans that account for potential security incidents involving external interfaces. Collaborate with external entities to establish clear communication and response procedures.

By considering interfaces and dependencies with other organizations, the ISMS can address potential risks and enhance the overall security posture. This collaborative approach helps ensure a more robust and resilient information security framework that extends beyond the boundaries of the organization.

The scope shall be available as documented information.

This documentation serves as a reference and communication tool, ensuring that stakeholders within and outside the organization are aware of the boundaries, objectives, and limitations of the ISMS. Here are key points regarding documenting the ISMS scope:

  1. Scope Statement: Develop a comprehensive scope statement that clearly outlines the organizational boundaries, information assets included, and any limitations or exclusions. The scope statement should provide a clear and concise overview of what the ISMS covers.
  2. Inclusion of Relevant Information: Ensure that the documented scope includes all relevant information necessary to understand the scope. This may encompass internal and external factors, interested parties, and any specific considerations that influenced the determination of the scope.
  3. Rationale for Exclusions: If any areas or activities are intentionally excluded from the scope, clearly document the rationale behind these exclusions. This transparency helps stakeholders understand the reasons for certain decisions.
  4. Legal and Regulatory References: Include references to legal and regulatory requirements relevant to the scope. This emphasizes the organization’s commitment to compliance and ensures that the ISMS aligns with applicable laws and regulations.
  5. Interfaces and Dependencies: Document information about external interfaces and dependencies, emphasizing how interactions with other organizations or entities are managed to maintain information security.
  6. Review Dates: Include the date of the last review of the ISMS scope. Regular reviews ensure that the scope remains aligned with the organization’s context, objectives, and any changes in the internal or external environment.
  7. Communication of Changes: Clearly communicate any changes to the ISMS scope to relevant stakeholders. This ensures that everyone is aware of modifications and can adjust their practices accordingly.
  8. Accessible and Distributed: Make the documented scope accessible to all relevant stakeholders. This may involve distributing the information through internal communication channels or making it available on a centralized platform.
  9. Controlled Document: Implement document control measures to ensure the accuracy and integrity of the ISMS scope documentation. This may include version control, access restrictions, and regular audits.
  10. Training and Awareness: Incorporate the ISMS scope into training and awareness programs for employees and other stakeholders. This helps in ensuring that everyone understands the scope and their role in supporting information security.
  11. Alignment with Policies and Procedures: Ensure that the documented ISMS scope aligns with the organization’s information security policies and procedures. Consistency across these documents enhances the effectiveness of the overall information security framework.
  12. Integration with Risk Management: Connect the ISMS scope documentation with the organization’s risk management processes. This integration helps in addressing risks associated with the defined scope.

By documenting the ISMS scope, organizations create a foundation for effective communication, transparency, and accountability in managing information security. This documentation not only facilitates compliance with ISO/IEC 27001 but also supports ongoing improvement and adaptation to changing circumstances.

Let’s create a hypothetical example of establishing the scope of an Information Security Management System (ISMS) for a technology company, TechGuard Solutions. In this example, we’ll consider external and internal issues, requirements of interested parties, and interfaces/dependencies.

1. External and Internal Issues:

External Issues:

  • Legal and Regulatory Environment:
    • Compliance with data protection laws, industry standards, and international regulations.
  • Market Trends and Customer Expectations:
    • Continuous monitoring of emerging threats and customer expectations for robust information security practices.
  • Technological Landscape:
    • Adaptation to evolving technologies, ensuring security measures keep pace.
  • Competitive Landscape:
    • Regular assessment of industry competitors and benchmarks for information security.

Internal Issues:

  • Organizational Objectives and Strategy:
    • Integration of information security with overall business objectives and strategic goals.
  • Business Processes:
    • Mapping and understanding critical business processes that involve sensitive information.
  • Information Assets:
    • Cataloging and assessing the organization’s information assets, including intellectual property, customer data, and proprietary technologies.
  • Risk Appetite and Tolerance:
    • Aligning information security measures with the organization’s risk appetite and tolerance.

2. Requirements of Interested Parties:

Identified Interested Parties and Their Requirements:

  • Customers:
    • Requirements for the protection of customer data and assurance of service availability.
  • Regulatory Authorities:
    • Compliance with data protection laws, reporting, and auditing requirements.
  • Business Partners:
    • Contractual obligations related to information security, data handling, and confidentiality.
  • Employees:
    • Expectations for the secure handling of personal information and adherence to internal security policies.

3. Interfaces and Dependencies:

Identified Interfaces and Dependencies:

  • Suppliers and Service Providers:
    • Dependence on third-party cloud services and software providers for various business functions.
  • Business Partners and Customers:
    • Collaborative projects and shared information systems with business partners and customers.
  • Regulatory Bodies:
    • Interfaces related to compliance reporting, audits, and assessments by regulatory bodies.
  • Industry Standards and Frameworks:
    • Interfaces related to the adoption of industry standards for information security.

4. Integration into ISMS Scope:

  • Scope Statement:
    • The ISMS at TechGuard Solutions encompasses all departments and business units involved in the development, delivery, and support of technology solutions. It includes the protection of customer data, intellectual property, and compliance with legal and regulatory requirements.
  • Rationale for Exclusions:
    • Personal devices used by employees for work purposes are excluded from the scope due to challenges in controlling the security of such devices.
  • Legal and Regulatory References:
    • The scope is aligned with GDPR and other relevant data protection laws, as well as industry standards for information security.
  • Interfaces and Dependencies:
    • The ISMS scope acknowledges dependencies on third-party cloud services, collaborative projects with business partners, and compliance interfaces with regulatory bodies.
  • Review and Update:
    • The ISMS scope is subject to regular reviews to ensure alignment with changing external and internal factors, stakeholder requirements, and emerging technologies.
  • Communication:
    • The ISMS scope is communicated internally to employees and externally to business partners and customers. Any changes to the scope are transparently communicated.

This example illustrates how an organization like TechGuard Solutions might establish the scope of its ISMS by systematically considering external and internal issues, the requirements of interested parties, and interfaces/dependencies. This comprehensive approach helps ensure that the ISMS is well-aligned with the organization’s context and effectively addresses information security risks.

ISO 27001:2022 Clause 4.2 Understanding the needs and expectations of interested parties

ISO 27001:2022 Requirements

The organization shall determine:

  1. interested parties that are relevant to the information security management system;
  2. the relevant requirements of these interested parties;
  3. which of these requirements will be addressed through the information security management system.

Note: The requirements of interested parties can include legal and regulatory requirements and contractual obligations.

The organization shall determine interested parties that are relevant to the information security management system.

Identifying and understanding the interested parties relevant to the Information Security Management System (ISMS) is a crucial step in establishing an effective and comprehensive security framework. Interested parties are individuals or groups that can affect, be affected by, or perceive themselves to be affected by the organization’s decisions or activities related to information security. ISO/IEC 27001, the international standard for information security management, emphasizes the importance of considering interested parties in the context of an ISMS. The standard requires organizations to establish a process for identifying these interested parties and determining their relevant requirements. Here’s a brief overview of the steps involved:

  1. Identify Interested Parties: Make a list of individuals, groups, or entities that have an interest in the information security of the organization. This can include employees, customers, suppliers, regulators, shareholders, and other stakeholders.
  2. Determine Relevant Requirements: Understand the expectations and requirements of each identified interested party concerning information security. This involves analyzing their needs, concerns, and any legal or regulatory obligations that may apply.
  3. Assess the Impact: Evaluate the potential impact of the interested parties on the organization’s information security objectives. Consider how their expectations and requirements may influence the ISMS.
  4. Prioritize and Document: Prioritize the interested parties based on the significance of their impact. Document the identified interested parties and their relevant requirements in the context of the ISMS.
  5. Incorporate into the ISMS: Integrate the identified interested parties and their requirements into the development, implementation, and maintenance of the ISMS. This ensures that the security controls and processes address the needs and expectations of these stakeholders.
  6. Monitor and Review: Regularly review and update the list of interested parties and their requirements. As the organizational context changes, new stakeholders may emerge, and their expectations may evolve.

By actively considering and addressing the concerns of interested parties, organizations can enhance the effectiveness and acceptance of their ISMS. This approach aligns with the broader principles of stakeholder engagement and demonstrates a commitment to managing information security in a holistic and inclusive manner.

 An interested party is a stakeholder – someone, a group or an entity with an interest in your ISMS (or perhaps the organisation itself). You should be able to easily identify many of your interested parties after having completed the internal and external issues that impact the intended outcomes of the information security management system. These will include staff, suppliers, customers, shareholders, directors, prospects, board members, competitors, legislators and regulators, unions etc. Interested parties are not always the obvious ones too – for example hackers and related malicious parties might need consideration, as do the media and others depending on the nature of your business and the issues facing it. However rather than creating a range of one size fits all policies and controls for all your interested parties, it is better to look at those interested parties in terms of their power, interest and support – in simple terms this is about their ability to affect your approach to the ISMS. Then you can develop suitable approaches to demonstrate you have their needs covered . As an example if you had a customer that demands you invest in ISO 27001 and build an independently certified ISO 27001 ISMS would you do that if they were a very small non-influential player? You’d probably think again if that customer was one of many you wanted to win, or a large powerful player in its own right. If a stakeholder is high power and low interest, you should be thinking of that individual or group as a ‘keep satisfied’ stakeholder. Ask yourself, what will you do in your ISMS with policies and controls to keep them satisfied? In this high power and low interest area, you might see organisations like legislators and regulators, very powerful customer groups, shareholders etc. There may also be external auditors and other industry bodies who can affect your business success. Their interest is quite low on a day to day basis, but their power to affect your business goals is high so they need to be kept satisfied – usually from a distance and having an independently certified ISO 27001 certificate goes some way to addressing their needs. The very powerful interested parties for information assurance such as regulators may also prescribe specific ways of working. If an interested party has both high interest and high power, we would call them a key player. These stakeholders should be actively involved. Your senior management team, key department heads, boutique critical suppliers etc. will likely fall into this category. You might actually have some of your intimately engaged important customers in this category. They may be very interested in how you are working day to day as it also impacts them too. It is easy to create long lists of stakeholders to consider but be wary of spending too long on the ones with lower power. Those with lower power and higher interest are in need of keeping informed but may not need to be consulted on what your ISMS covers – you may just need to tell them otherwise they could be a big suck on your time and investment budget! Also, be careful about simply dumping stakeholders you don’t like in the lower power buckets – we saw this happen in one firm. They paid for it later because the stakeholder was actually quite powerful and delayed them achieving their goals because their requirements were not prioritized. Combining this interested parties and stakeholder work with the internal and external issues you have identified in 4.1 helps lead towards a better understanding of where threats and opportunities might stem from in your information security management system.

Steps to identify interested parties relevant to the information security management system

Identifying interested parties relevant to the Information Security Management System (ISMS) involves a systematic process to recognize individuals, groups, or entities that may have an impact on or be impacted by the organization’s information security. Here’s a step-by-step guide to help you identify these stakeholders:

  1. Establish a Team: Form a cross-functional team that includes representatives from various departments within the organization. This team will bring diverse perspectives to the identification process.
  2. Review Documentation: Examine existing documentation, such as organizational charts, contracts, policies, and procedures, to identify parties that may have a stake in the information security of the organization.
  3. Conduct Stakeholder Workshops: Facilitate workshops or interviews with key stakeholders, both internal and external, to gather insights into their expectations, concerns, and requirements related to information security.
  4. Use Surveys and Questionnaires: Develop surveys or questionnaires to collect input from a broader set of stakeholders. This method can help reach individuals who may not be easily accessible for in-person interviews.
  5. Review Legal and Regulatory Requirements: Identify relevant legal and regulatory requirements pertaining to information security. This can include data protection laws, industry standards, and contractual obligations that may specify security expectations.
  6. Examine Industry Best Practices: Research industry best practices and standards related to information security. This can provide insights into common expectations from stakeholders within your specific sector.
  7. Consider Internal Departments: Look within your organization to identify internal departments and teams that may have a vested interest in information security. This includes IT, legal, compliance, human resources, and executive leadership.
  8. Review Incident History: Analyze past incidents related to information security to identify parties that may have been affected or played a role in addressing the incidents. This can provide valuable insights into areas of concern.
  9. Assess Suppliers and Partners: Consider external entities such as suppliers, partners, and contractors that may have access to your organization’s information. Assess their potential impact on your information security.
  10. Evaluate Customer Feedback: Review customer feedback, complaints, and inquiries to identify any security-related concerns or expectations. Customer perceptions can be crucial in understanding the business impact of information security.
  11. Engage with Industry Forums: Participate in industry forums, conferences, and networking events to understand the broader ecosystem and identify stakeholders with common interests in information security.
  12. Regularly Update the Stakeholder Register: Maintain a stakeholder register that includes information on identified stakeholders, their roles, interests, and requirements. Regularly update this register to reflect changes in the organization’s context.

By employing a comprehensive approach that involves multiple sources of information, you can create a thorough understanding of the interested parties relevant to your ISMS. This understanding will be valuable in shaping your information security policies, procedures, and controls to meet the expectations and requirements of these stakeholders.

Examples of Stakeholder analysis

Stakeholder: Executive Leadership Team

  • Interest:
    • High interest in the overall effectiveness of the ISMS.
    • Concerned about the protection of sensitive business information and the potential impact of security incidents on the organization’s reputation.
  • Influence:
    • High influence in setting organizational priorities and allocating resources for information security.
    • Decision-makers for strategic initiatives related to information security.
  • Expectations:
    • Regular updates on the status of the ISMS.
    • Assurance of compliance with relevant laws and regulations.
    • Demonstrable value of information security investments.

Stakeholder: IT Department

  • Interest:
    • High interest in the technical aspects of information security, including network security, system integrity, and data protection.
    • Concerned about vulnerabilities, threats, and incidents that may affect IT infrastructure.
  • Influence:
    • Directly involved in implementing and maintaining technical controls for information security.
    • Key role in incident response and recovery.
  • Expectations:
    • Collaboration with other departments for a holistic approach to information security.
    • Timely communication of security incidents and vulnerabilities.
    • Participation in the design and review of security controls.

Stakeholder: Employees

  • Interest:
    • Varied interest, ranging from concern about the security of personal information to understanding how security measures impact daily tasks.
    • Employees are often the first line of defense against social engineering and insider threats.
  • Influence:
    • Indirect influence through adherence to security policies and practices.
    • May identify security concerns and report incidents.
  • Expectations:
    • Clear and accessible information security policies.
    • Regular training on security best practices.
    • User-friendly security measures that do not overly disrupt workflow.

Stakeholder: Customers

  • Interest:
    • Concerned about the security of their personal and financial information.
    • Trust in the organization’s ability to protect sensitive data.
  • Influence:
    • Can influence the organization’s reputation and success through their perception of the security measures in place.
  • Expectations:
    • Transparent communication about data protection measures.
    • Assurance of compliance with industry standards.
    • Swift notification in the event of a data breach.

Stakeholder: Regulatory Bodies

  • Interest:
    • High interest in ensuring organizations comply with relevant laws and regulations.
    • Concerned about the protection of sensitive information, especially personal and financial data.
  • Influence:
    • Can enforce legal consequences for non-compliance.
    • May set standards and guidelines for information security.
  • Expectations:
    • Evidence of compliance with specific regulations (e.g., GDPR, HIPAA).
    • Cooperation during regulatory audits and investigations.

Stakeholder: Business Partners and Suppliers

  • Interest:
    • Concerned about the security of shared information and potential risks associated with the organization’s information security practices.
  • Influence:
    • May impose contractual obligations related to information security.
    • Could impact business relationships based on the perceived security posture.
  • Expectations:
    • Evidence of compliance with security standards.
    • Collaboration on security assessments and audits.
    • Communication about security incidents that may impact shared data.

Stakeholder: Internal Audit and Compliance Teams

  • Interest:
    • High interest in ensuring that information security controls meet internal policies and external regulatory requirements.
  • Influence:
    • Conduct audits to assess the effectiveness of information security controls.
    • Provide recommendations for improvement.
  • Expectations:
    • Regular updates on the status of information security compliance.
    • Cooperation during audits and implementation of audit recommendations.

Stakeholder: Legal Team

  • Interest:
    • Concerned about legal implications related to information security incidents and breaches.
  • Influence:
    • Involved in the review and creation of contracts with a focus on information security clauses.
    • May provide legal advice on compliance matters.
  • Expectations:
    • Clear documentation of information security measures for legal purposes.
    • Collaboration during the development of contracts with security implications.

The organization shall determine the relevant requirements of these interested parties.

Determining the relevant requirements of interested parties is a critical step in establishing an effective Information Security Management System (ISMS). Once you’ve identified the interested parties, you need to understand their expectations and requirements related to information security. Here’s a guide on how to determine and document these relevant requirements:

  1. Communicate with Stakeholders: Engage in open communication with the identified interested parties. This can be through surveys, interviews, meetings, or other forms of direct interaction. Seek to understand their concerns, expectations, and specific requirements related to information security.
  2. Review Legal and Regulatory Documentation: Examine relevant laws, regulations, and contractual agreements that apply to your organization. Identify information security requirements outlined in these documents, as non-compliance may have legal consequences.
  3. Refer to Industry Standards and Best Practices: Research industry-specific standards and best practices for information security. These may provide guidance on the expectations of stakeholders within your sector and help you establish a baseline for compliance.
  4. Evaluate Internal Policies and Procedures: Review your organization’s internal policies and procedures related to information security. Ensure that they align with the expectations of the identified stakeholders. Identify any gaps that need to be addressed.
  5. Assess Risk and Impact: Evaluate the potential risks and impacts associated with each interested party’s requirements. This assessment helps prioritize and tailor your information security controls to address the most critical concerns.
  6. Consider Customer Feedback: Analyze customer feedback and inquiries related to information security. Understand their expectations and concerns, as these are key components of meeting customer requirements.
  7. Collaborate with Internal Departments: Work closely with internal departments, such as IT, legal, compliance, and human resources, to understand their specific requirements related to information security. Ensure that these requirements are integrated into the ISMS.
  8. Assess Supplier and Partner Requirements: Evaluate the requirements of suppliers, partners, and other external entities that have access to your organization’s information. Incorporate these requirements into your ISMS to manage third-party risks.
  9. Document Requirements Clearly: Clearly document the identified requirements in a structured manner. This documentation should specify the expectations of each interested party and how the organization intends to address them.
  10. Prioritize Requirements: Prioritize the identified requirements based on their importance and impact on the organization’s information security. This prioritization will guide the allocation of resources and efforts.
  11. Update the ISMS Documentation: Ensure that the requirements of interested parties are reflected in the documentation of your ISMS. This includes policies, procedures, risk assessments, and other relevant documents.
  12. Establish a Review Mechanism: Implement a periodic review mechanism to keep the determination of relevant requirements up-to-date. Regularly revisit and reassess the needs and expectations of interested parties in the evolving business environment.

By systematically determining and documenting the relevant requirements of interested parties, your organization can tailor its information security measures to address specific concerns and expectations. This approach enhances the effectiveness of the ISMS and demonstrates a commitment to meeting the needs of stakeholders.

Some examples of requirements of interested parties relevant to ISMS

  1. Customers:
    • Confidentiality: Customers may expect that their personal and sensitive information is kept confidential and not disclosed to unauthorized parties.
    • Data Integrity: Customers may require assurance that their data is accurate, complete, and not subject to unauthorized alterations.
    • Availability: Customers may expect that the services and products they rely on are available without disruption.
  2. Regulatory Authorities:
    • Compliance: Regulatory bodies often have specific information security regulations that organizations must comply with. These may include data protection laws, industry-specific regulations, and cybersecurity standards.
    • Reporting: Regulatory authorities may require organizations to report security incidents and breaches within a specified timeframe.
  3. Employees:
    • Training: Employees may expect to receive regular training on information security awareness and best practices.
    • Access Control: Employees may have requirements related to access controls to ensure that they only have access to the information necessary for their roles.
    • Privacy: Employees may have privacy expectations related to the handling of their personal information.
  4. Business Partners and Suppliers:
    • Data Handling: Partners and suppliers may have requirements regarding how their data is handled, stored, and transmitted.
    • Compliance Verification: Business partners may request evidence of the organization’s compliance with relevant information security standards.
  5. Management and Leadership:
    • Risk Management: Leadership may expect the organization to implement effective risk management processes to identify, assess, and mitigate information security risks.
    • Performance Metrics: Leadership may require performance metrics and reporting on the effectiveness of the ISMS.
  6. IT Department:
    • Security Controls: The IT department may have specific requirements for implementing and maintaining technical security controls, such as firewalls, intrusion detection systems, and antivirus software.
    • Incident Response: Requirements related to incident response, including reporting procedures and mitigation strategies.
  7. Legal and Compliance Teams:
    • Contractual Obligations: Legal teams may have requirements related to the inclusion of specific clauses in contracts to address information security.
    • Legal Compliance: Ensure compliance with relevant laws and regulations to avoid legal consequences.
  8. Shareholders/Investors:
    • Risk Disclosure: Shareholders may require transparent disclosure of information security risks that could impact the organization’s financial performance.
    • Investment Protection: Assurance that information security measures are in place to protect the value of their investments.

The organization shall determine which of these requirements will be addressed through the information security management system

Once an organization has identified the requirements of various interested parties relevant to its Information Security Management System (ISMS), the next step is to determine how these requirements will be addressed within the ISMS. This involves a careful assessment and decision-making process to prioritize and incorporate the identified requirements into the organization’s information security framework. Here’s a guide on how to determine which requirements will be addressed through the ISMS:

  1. Prioritize Requirements: Evaluate the identified requirements based on their significance, potential impact, and criticality to the organization. Prioritize those requirements that align with the organization’s objectives and pose higher risks if not addressed.
  2. Align with ISMS Objectives: Ensure that the selected requirements align with the objectives and scope of the ISMS. The ISMS should be designed to meet the organization’s overall goals, and the selected requirements should contribute to achieving those objectives.
  3. Legal and Regulatory Compliance: Prioritize requirements that are necessary for legal and regulatory compliance. Ensure that the organization’s ISMS addresses these requirements to avoid legal consequences and regulatory non-compliance.
  4. Risk Assessment: Conduct a risk assessment to identify and prioritize requirements based on potential risks to information security. Addressing high-risk requirements is crucial to mitigating significant security threats.
  5. Resource Availability: Consider the resources available to the organization, including budget, personnel, and technology. Select requirements that can be feasibly addressed within the available resources.
  6. Stakeholder Impact: Assess the impact on key stakeholders and prioritize requirements that have a direct impact on customer satisfaction, employee well-being, and other critical stakeholders.
  7. Integration with Existing Processes: Ensure that the selected requirements can be seamlessly integrated into existing processes and procedures. Integration facilitates a smoother implementation of information security controls.
  8. Continuous Improvement: Consider the organization’s commitment to continuous improvement. Select requirements that can be monitored, measured, and improved over time to enhance the effectiveness of the ISMS.
  9. Documentation and Communication: Clearly document the selected requirements and the rationale for their inclusion in the ISMS. Communicate these decisions to relevant stakeholders, including employees, customers, and partners.
  10. Review and Update: Establish a regular review process to reassess the relevance and effectiveness of the selected requirements. Information security threats and organizational contexts evolve, so periodic reviews are essential for maintaining alignment.
  11. Alignment with Industry Standards: Ensure that the selected requirements align with industry standards and best practices for information security. This alignment can provide a solid foundation for the organization’s security measures.
  12. Demonstrate Compliance: Select requirements that can be effectively demonstrated and audited to showcase the organization’s compliance with information security standards and regulations.

By carefully considering these factors, an organization can make informed decisions on which requirements to prioritize and address through its ISMS. This ensures that the information security controls are tailored to meet the specific needs of the organization and its stakeholders.

Let’s take an example to illustrate how an organization might address specific requirements through its Information Security Management System (ISMS). Suppose one of the identified requirements is related to the confidentiality of customer data. Here’s how the organization could address this requirement through its ISMS:

  1. Requirement: Confidentiality of Customer DataSteps to Address through ISMS:
  2. a. Risk Assessment:
    • Conduct a risk assessment to identify potential threats and vulnerabilities to the confidentiality of customer data.
    b. Policy Development:
    • Develop an Information Security Policy that explicitly addresses the confidentiality of customer data. The policy should define the scope, responsibilities, and principles for safeguarding this information.
    c. Access Controls:
    • Implement access controls within the ISMS to restrict access to customer data only to authorized personnel. This may include role-based access, strong authentication, and encryption.
    d. Employee Training:
    • Integrate employee training programs within the ISMS to raise awareness about the importance of maintaining the confidentiality of customer data. This training could be part of the overall security awareness program.
    e. Data Classification:
    • Implement a data classification system within the ISMS to categorize information, including customer data, based on its sensitivity. Apply appropriate security controls based on the classification.
    f. Encryption:
    • Incorporate encryption mechanisms within the ISMS to protect customer data during storage, transmission, and processing. This could involve the use of encryption algorithms and protocols.
    g. Incident Response Plan:
    • Develop an incident response plan within the ISMS to address potential breaches of confidentiality. Define procedures for reporting and responding to incidents that may compromise customer data.
    h. Monitoring and Auditing:
    • Implement monitoring and auditing mechanisms within the ISMS to track access to customer data, detect anomalies, and ensure compliance with established security controls.
    i. Compliance Documentation:
    • Document the measures taken to ensure the confidentiality of customer data within the ISMS. This documentation may include policies, procedures, risk assessments, and audit reports.
    j. Regular Review and Improvement:
    • Establish a process for regularly reviewing the effectiveness of the measures implemented. Use feedback, audit results, and incident reports to continuously improve the ISMS and its ability to maintain the confidentiality of customer data.

This example illustrates how specific requirements, in this case, the confidentiality of customer data, can be systematically addressed through various components of an ISMS. The organization, in alignment with its overall information security objectives, implements a range of measures that are documented, monitored, and subject to continuous improvement. This approach helps the organization meet stakeholder expectations and regulatory requirements while fostering a robust security posture.

The requirements of interested parties can include legal and regulatory requirements and contractual obligations

legal and regulatory requirements, as well as contractual obligations, are often critical components of the requirements identified by interested parties in the context of an Information Security Management System (ISMS). Addressing these requirements is crucial for ensuring compliance, managing risks, and meeting the expectations of relevant stakeholders. Let’s delve into each of these:

  1. Legal and Regulatory Requirements:
    • Example: Suppose the organization operates in the European Union. In this case, compliance with the General Data Protection Regulation (GDPR) would be a legal requirement. The organization needs to ensure that its ISMS addresses GDPR principles related to the processing and protection of personal data.
    • Addressing through ISMS:
      • Implement controls and processes within the ISMS to ensure compliance with specific legal requirements.
      • Regularly monitor changes in relevant laws and regulations and update the ISMS accordingly.
      • Document compliance measures and maintain records for audit purposes.
  2. Contractual Obligations:
    • Example: The organization has contractual agreements with clients that specify certain security measures, such as encryption of sensitive data. These contractual obligations must be met to maintain trust and legal standing.
    • Addressing through ISMS:
      • Include a review of contractual obligations in the risk assessment process of the ISMS.
      • Develop specific policies and procedures within the ISMS to address contractual security requirements.
      • Establish a mechanism to communicate and coordinate with relevant departments to ensure adherence to contractual obligations.
  3. Compliance Verification:
    • Example: A business partner may require evidence of compliance with a specific security standard, such as ISO/IEC 27001. Providing this evidence is essential for maintaining a trusted relationship.
    • Addressing through ISMS:
      • Incorporate processes for verifying and documenting compliance with relevant standards within the ISMS.
      • Establish a communication mechanism to provide evidence of compliance to partners as needed.
  4. Data Protection Laws:
    • Example: A new data protection law is enacted in the region where the organization operates, imposing additional requirements on the handling of personal data.
    • Addressing through ISMS:
      • Regularly update policies and procedures within the ISMS to align with changes in data protection laws.
      • Conduct training sessions for employees to ensure awareness of new legal requirements.
  5. Industry-Specific Regulations:
    • Example: Organizations in the healthcare sector may be subject to regulations such as the Health Insurance Portability and Accountability Act (HIPAA) in the United States.
    • Addressing through ISMS:
      • Develop and maintain controls within the ISMS that specifically address industry-specific regulations.
      • Conduct regular assessments to ensure ongoing compliance with industry regulations.
  6. Audit and Reporting Requirements:
    • Example: Regulatory bodies may require regular audits and reports on the organization’s information security practices.
    • Addressing through ISMS:
      • Establish processes within the ISMS to facilitate internal and external audits.
      • Develop reporting mechanisms to provide required information to regulatory bodies.

Addressing legal, regulatory, and contractual requirements within the ISMS ensures that the organization not only complies with applicable laws and agreements but also builds a robust and resilient information security framework that can adapt to changing requirements over time. This integration contributes to the overall effectiveness of the ISMS in managing information security risks and meeting the expectations of interested parties.

ISO 27001:2022 Clause 4.1 Understanding the organization and its context

ISO 27001:2022 Requirements
The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome of its information security management system.
NOTE Determining these issues refers to establishing the external and internal context of the organization considered in Clause 5.4.1 of ISO 31000: 2018.

Clause 4.1 of ISO 27001 focuses on understanding the organization and its context. This clause is an essential part of the standard because it sets the foundation for developing an effective information security management system. The purpose of this clause is to ensure that the organization establishes and maintains an understanding of its internal and external context relevant to the information security management system (ISMS).

  1. Understanding the Organization: Identify the internal and external issues that can impact the organization’s ability to achieve its intended outcomes. Consider factors such as the organization’s mission, vision, values, culture, structure, and activities.
  2. Understanding the External Context: Identify external parties (interested parties) and the relevant requirements that can affect the ISMS. Examples of external parties include customers, suppliers, regulatory bodies, and other stakeholders.
  3. Understanding the Internal Context: Identify the internal factors that can influence the organization’s ability to achieve its information security objectives. This includes the organization’s structure, roles, responsibilities, policies, processes, and resources.
  4. Documented Information: Maintain documented information on the organization’s context.

Implementation Steps:

  1. Define the Scope: Clearly define the scope of the ISMS, outlining the boundaries and applicability of the system within the organization.
  2. Conduct a Context Analysis: Conduct an analysis to identify internal and external factors that may impact information security. This may involve SWOT (Strengths, Weaknesses, Opportunities, Threats) analysis.
  3. Identify Interested Parties: Identify and understand the needs and expectations of interested parties relevant to information security. Consider customers, suppliers, employees, regulatory bodies, and other stakeholders.
  4. Maintain Documented Information: Document the information related to the organization’s context. This documentation could include policies, procedures, or other relevant records.

Benefits:

  1. Informed Decision-Making: A thorough understanding of the organization’s context helps in making informed decisions regarding information security.
  2. Risk Assessment: It provides a foundation for conducting a risk assessment by identifying internal and external factors that may pose risks.
  3. Alignment with Objectives: Ensures that the ISMS is aligned with the organization’s overall objectives and strategic direction.
  4. Compliance: Helps in identifying and addressing legal, regulatory, and contractual requirements related to information security.

By addressing Clause 4.1, organizations can establish a solid foundation for developing and implementing an effective ISMS that aligns with their business objectives and the needs of relevant stakeholders.

The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome of its information security management system. Organizations are expected to systematically determine both external and internal issues that are relevant to their purpose and that can impact their ability to achieve the intended outcomes of their information security management system (ISMS). Let’s break down this requirement:

  1. External Issues:
    • External issues refer to factors outside the organization’s boundaries that can affect its information security management system. This may include:
      • Regulatory changes and compliance requirements.
      • Technological advancements.
      • Economic conditions.
      • Market competition.
      • Stakeholder expectations.
      • Emerging security threats and vulnerabilities.
  2. Internal Issues:
    • Internal issues pertain to factors within the organization that can influence its information security management. This may include:
      • Organizational structure.
      • Corporate culture.
      • Resources (human, financial, technological).
      • Processes and procedures.
      • Previous incidents or security breaches.
      • Management commitment to security.
  3. Relevance to Purpose: The organization needs to assess the relevance of these issues to its purpose. This involves understanding how these issues may impact the achievement of the intended outcomes of the ISMS.
  4. Documentation:The organization is required to document this understanding. This documentation serves as evidence of the organization’s awareness and consideration of the external and internal issues.
  5. Strategic Alignment:The identification of these issues helps ensure that the ISMS is aligned with the organization’s strategic direction and business objectives.

By systematically determining and assessing these issues, organizations are better equipped to make informed decisions regarding the design, implementation, and improvement of their information security management systems. This process also lays the groundwork for subsequent activities in the ISMS, such as risk assessment and treatment, which are critical components of managing information security effectively.

Examples of internal issues affecting the intended outcome of an information security management system

Internal issues that can affect the intended outcome of an Information Security Management System (ISMS) are diverse and may vary depending on the nature, size, and structure of the organization. Here are some examples of internal issues that could impact the effectiveness of an ISMS:

  1. Organizational Culture: The prevailing culture within the organization, such as the attitude towards security, awareness among employees, and the importance placed on information security, can significantly influence the success of the ISMS.
  2. Resource Availability: Inadequate resources, including financial, human, and technological resources, can impact the organization’s ability to implement and maintain effective security measures.
  3. Employee Training and Awareness: Lack of training and awareness among employees about information security policies and procedures may lead to unintentional security breaches.
  4. Information Security Policies: If information security policies are not clearly defined, communicated, or enforced, employees may not adhere to security practices, increasing the risk of incidents.
  5. Technology Infrastructure: Outdated or insufficient technology infrastructure may expose vulnerabilities and make it challenging to implement robust security controls.
  6. Access Controls and Permissions: Inadequate management of user access controls, permissions, and authentication mechanisms can lead to unauthorized access to sensitive information.
  7. Incident Response Capability: The organization’s ability to effectively detect, respond to, and recover from security incidents can impact the outcome of the ISMS.
  8. Vendor and Supply Chain Security: Weaknesses in the security practices of vendors or partners in the supply chain can introduce risks to the organization’s information security.
  9. Change Management Processes: Inadequate change management processes can lead to unauthorized changes in the information systems, potentially introducing security vulnerabilities.
  10. Communication and Collaboration: Poor communication and collaboration between different departments or teams within the organization may hinder the implementation of a cohesive and effective ISMS.
  11. Management Commitment: Lack of commitment and support from top management may result in insufficient resources and attention allocated to information security initiatives.
  12. Monitoring and Review Processes: Ineffective monitoring and review processes may prevent the organization from identifying and addressing security weaknesses or evolving threats.
  13. Documented Information Management: Poor management of documented information, including policies, procedures, and records, can hinder the organization’s ability to maintain a structured ISMS.
  14. Insufficient Training and Skillsets: If staff lacks the necessary training and skills in information security, they may struggle to implement and maintain security measures effectively.
  15. Information as assets that are internal issues affecting ISMS outcomes:What information is created, handled, stored, managed and of real value for the organisation and its interested parties such as Personal data, sensitive customer ideas and IPR, financial information, brand, codebases etc.This is right at the heart of the ISMS where the information assets are the foundation for everything else – identifying these assets early on also makes the information asset inventory management easy .Then consider potential issues around the information itself – in particular confidentiality, integrity and availability, taking into account the other areas below as you go for triggering ideas of where the issues might be found.
  16. People related internal issues that might affect the intended outcome of the ISMS: Human resource security is an important part of the ISMS, Therefore consider any existing issues of:
    • recruitment e.g. challenges in hiring competent people, high/low staff turnover
    • Induction – e.g. do they get training on information security right now, is it working in life management e.g. keeping them engaged and showing their compliance to the policies and controls, – do staff actually find information security sexy and exciting or is it a cultural challenge to get someone to lock their laptop when going to the toilet
    • change of roles and exit e.g. is access to and removal of information assets and services carried out
  17. Organisational internal issues affecting ISMS outcomes:What are the issues facing the organisation that might affect the outcome of the ISMS? As an example, fast growth brings issues of staff and structure that might affect understanding and knowledge of the policies, or that things change so quickly you can’t easily bottom out detailed and consistent processes. Are there organisation leadership and board or shareholder pressures that will cause issues (these can be positive as well as negative)? International operations will have different cultural norms for the people involved. Another internal issue associated to people and the organisation might be about the fact you don’t want many of them employed or struggle to find good ones so rely instead on outsourcing. That brings a need for suppliers (and staff in the suppliers) so that’s an issue to tie in with the interested parties analysis you’ll do in 4.2 next.
  18. Products & Services internal issues that might impact the ISMS outcomes:What are the products and services delivered by the organisation and what sort of issues emerge around that which might cause information risk? For example, if the organisation is an innovator and IPR protection is important for product leadership, it’s an issue that needs consideration in the ISMS. If the organisation relies on large physical property e.g. as a manufacturer that will probably bring more physical security issues, whereas a small cloud software provider might be much more focused on issues like IPR protection from digital hackers and the issues surrounding dependency of their product success and assurance on hosting suppliers etc.
  19. Systems and Processes as internal issues that affect the intended outcome of the ISMS: People often think about computers and digital technology when the ‘system’ word is used. However manual and paper-based systems are also key areas for issues to emerge so remember to consider those for issues too. Each of the areas bucketed above will have systems and processes involved in it – that might be implicit (we have always done it that way and never documented it) or could be wrapped up in a mass of documentation that no one could ever follow. An issue is that you might be hiring people that are going to become the enemy within….either through ignorance of information security or because they are a saboteur and you never considered that…….Its the same with all the systems and processes across the organisation that are in scope for information assurance – what sort of issues emerge where confidentiality, integrity or availability of the information might be at threat? It’s crucial for organizations to assess their unique internal issues and tailor their ISMS to address these challenges effectively. Regular reviews and updates to the ISMS help ensure that it remains aligned with the organization’s internal context and continues to effectively manage information security risks.

Examples of external issues affecting the intended outcome of an information security management system

External issues can have a significant impact on the effectiveness of an Information Security Management System (ISMS). Organizations need to consider factors beyond their immediate control that may influence the security of their information assets. Here are examples of external issues that can affect the intended outcome of an ISMS:

  1. Regulatory Changes: Changes in laws and regulations related to information security, data protection, and privacy can create new compliance requirements that organizations need to address.
  2. Industry Standards and Best Practices: Evolving industry standards and best practices may necessitate updates to the organization’s security controls to remain in line with current benchmarks.
  3. Technological Advances: Rapid technological advancements can introduce new security threats and vulnerabilities, requiring the organization to adapt its security measures accordingly.
  4. Cybersecurity Threat Landscape: The constantly changing landscape of cybersecurity threats, including new types of malware, hacking techniques, and social engineering tactics, can impact the organization’s risk profile.
  5. Global Events and Geopolitical Risks: Geopolitical events, natural disasters, or global incidents can disrupt operations and introduce new risks that organizations need to consider in their ISMS.
  6. Supplier and Third-Party Risks: Security vulnerabilities within the supply chain or third-party services can pose a risk to the organization’s information security.
  7. Economic Conditions: Economic factors such as recessions or financial instability may impact the organization’s ability to allocate resources to information security initiatives.
  8. Public Perception and Reputation: Security incidents affecting similar organizations can impact public perception and the reputation of the organization, influencing customer trust and confidence.
  9. Emerging Technologies: The adoption of new technologies, such as cloud computing or Internet of Things (IoT), introduces new security considerations that need to be addressed in the ISMS.
  10. Legal and Contractual Requirements: Changes in legal or contractual requirements, including the introduction of new data protection obligations, can affect the organization’s information security practices.
  11. Social and Cultural Factors: Social and cultural shifts, including changes in user behavior and expectations, can influence the way organizations need to approach information security.
  12. Competitive Landscape: Actions taken by competitors or industry peers to enhance or neglect their information security may impact the organization’s competitive position.
  13. Availability of Security Solutions: The availability and effectiveness of security solutions, such as antivirus software or intrusion detection systems, may influence the organization’s ability to implement effective controls.
  14. Globalization: Operating in a global market introduces additional challenges related to different legal frameworks, cultural norms, and geopolitical considerations.
  15. Media and Public Relations: Media coverage of security incidents or breaches, even if unrelated to the organization, can shape public perception and impact the organization’s operations.
  16. Political external issues affecting the outcomes from an ISMS: What political issues might affect the organisation and affect outcomes? Examples could include specific policy changes in a sector that impact investment or growth that might lead to different ways of working, and different approaches to information management.
  17. Economic external issues affecting the outcomes from an ISMS:How does the economics of your market and the supply chain impact the organisation? Does that lead to more or less issues with suppliers, customers, what information security corners might get cut in a cost reduction arena and lead to increased risk or threat (and of course opportunity too)?Examples might be cheaper labour, less training and less time for doing the work, or inability to afford decent technological systems that would help improve operations because funds need to be prioritised elsewhere
  18. Sociological external issues affecting the outcomes from an ISMS: How is society or your audience demographic changing and affecting your business – for example always on connected citizens offer opportunity and threat, and a generation of staff that sometimes have more/less regard for data brings positives and negatives too.
  19. Technological external issues affecting the outcomes from an ISMS: How does the increasing pace of technological change create issues for the ISMS outcomes? Daily changes in operating systems being patched versus (say) once a year in the past? That leads to a need for much more dynamic management that many organisations struggle to maintain which, if left unmanaged, increases the threat of a cyber breach and loss becomes more likely.Where does artificial intelligence, machine learning, cloud, and every other technological buzzword create issues for your organisation externally?
  20. Legislative external issues affecting the outcomes from an ISMS:One of the most common areas of failure in ISO 27001 is the inability to effectively highlight awareness of and then manage application legislation and regulation issues.  It goes way beyond data protection, legal requirement, computer monitoring, human rights and intellectual property law, so do give this area serious consideration for any information in your scope. You won’t necessarily need a lawyer but showing you have considered the applicable legislation affecting the organisation will make risk treatment, policy & control creation more focused and relevant as well.It might be that your risk appetite for something is quite high but if an applicable legislation or regulation sets the bar, then you’ll need to develop policies and controls for complying with that rather than just what you might think is okay!

Conduct a Context Analysis

Conducting a context analysis is a critical step in understanding the internal and external factors that can impact the effectiveness of an Information Security Management System (ISMS). Here’s a general guide on how to conduct a context analysis:

  1. Define the Scope: Clearly define the scope of your ISMS. Identify the boundaries and context within which your organization’s information security is intended to operate. Consider the locations, assets, processes, and systems included in the scope.
  2. Identify Interested Parties: Identify and list the interested parties or stakeholders relevant to your ISMS. This can include employees, customers, suppliers, regulatory bodies, and others with an interest in your information security practices.
  3. External Analysis: Identify external factors that can affect your ISMS. This may involve a review of:
    • Legal and Regulatory Environment: Assess the legal and regulatory requirements related to information security in the regions where you operate.
    • Industry Standards and Best Practices: Consider relevant industry standards and best practices that may impact your security controls.
    • Economic Conditions: Evaluate economic factors that may affect resource allocation for information security.
    • Technological Trends: Stay informed about technological advancements and emerging threats.
  4. Internal Analysis: Identify internal factors that may influence your ISMS. This includes:
    • Organizational Structure: Understand how the organizational structure may impact information security responsibilities and communication.
    • Corporate Culture: Assess the organization’s culture and its attitude towards information security.
    • Resources: Evaluate the availability of resources, including human, financial, and technological resources.
    • Processes and Procedures: Review existing processes and procedures related to information security.
    • Previous Incidents: Learn from past incidents or security breaches to identify areas for improvement.
  5. SWOT Analysis: Conduct a SWOT (Strengths, Weaknesses, Opportunities, Threats) analysis based on the information gathered. This can help you identify internal and external factors that may positively or negatively impact your ISMS.
  6. Risk Assessment: Use the information gathered to perform a preliminary risk assessment. Identify potential risks and their likelihood and impact on the organization’s information security objectives.
  7. Document the Analysis: Document the findings of your context analysis. Create a document that summarizes the identified internal and external issues, interested parties, and the results of your SWOT analysis.
  8. Review and Update:Periodically review and update your context analysis. The business environment and threat landscape are dynamic, so it’s important to revisit your analysis to ensure it remains relevant.
  9. Integration with ISMS:Ensure that the insights gained from the context analysis are integrated into the development and implementation of your ISMS. Use this information to inform the setting of information security objectives, controls, and risk management strategies.
  10. Management Review:Present the results of the context analysis during management review meetings. Seek management input and validation to ensure alignment with organizational goals.

By systematically conducting a context analysis, organizations can gain valuable insights into the factors that shape their information security landscape. This, in turn, allows for the development of a more effective and tailored ISMS that aligns with the organization’s strategic objectives.

Example of Context analysis

Let’s consider a hypothetical organization, XYZ Corporation, and walk through an example of a context analysis for their Information Security Management System (ISMS):

1. Define the Scope:

  • Scope of ISMS: XYZ Corporation operates globally and manages sensitive customer information, financial data, and proprietary business processes. The ISMS scope includes all departments, systems, and processes that handle or support the handling of sensitive information.

2. Identify Interested Parties:

  • Stakeholders:
    • Employees
    • Customers
    • Shareholders
    • Regulatory Authorities
    • Third-party vendors

3. External Analysis:

  • Legal and Regulatory Environment:
    • Compliance with GDPR, HIPAA, and industry-specific regulations.
    • Changes in data protection laws globally.
  • Industry Standards and Best Practices:
    • Adherence to ISO 27001 standards.
    • Following NIST Cybersecurity Framework.
  • Economic Conditions:
    • Budget constraints affecting resource allocation for information security initiatives.
  • Technological Trends:
    • Increasing reliance on cloud services.
    • Growing use of Internet of Things (IoT) devices.

4. Internal Analysis:

  • Organizational Structure:
    • Decentralized structure with regional offices.
    • Dedicated information security team reporting to the CISO.
  • Corporate Culture:
    • Emphasis on innovation and collaboration.
    • High awareness of cybersecurity among employees.
  • Resources:
    • Sufficient budget allocated to information security.
    • Adequate staffing for the information security team.
  • Processes and Procedures:
    • Documented incident response and business continuity plans.
    • Periodic security training for employees.
  • Previous Incidents:
    • Analysis of past incidents led to the improvement of access controls.
    • Lessons learned from a data breach incident resulted in enhancing encryption practices.

5. SWOT Analysis:

  • Strengths:
    • Strong commitment to information security.
    • Experienced information security team.
  • Weaknesses:
    • Reliance on a single cloud service provider.
    • Limited integration between IT and physical security systems.
  • Opportunities:
    • Embracing emerging technologies for improved security.
    • Collaborating with industry peers for threat intelligence sharing.
  • Threats:
    • Increasing sophistication of cyber threats.
    • Potential legal and financial consequences of non-compliance.

6. Risk Assessment:

  • Identified high-risk areas:
    • Dependence on a single cloud service provider.
    • Rapid adoption of emerging technologies without thorough security assessment.

7. Document the Analysis:

  • Create a document summarizing the context analysis, including an overview of external and internal factors, interested parties, and the results of the SWOT analysis.

8. Review and Update:

  • Periodically review and update the context analysis, especially when there are significant changes in the organization’s environment or the information security landscape.

9. Integration with ISMS:

  • Use the insights gained from the context analysis to inform the development of information security objectives, controls, and risk management strategies within the ISMS.

10. Management Review:

  • Present the results of the context analysis during management review meetings to ensure alignment with organizational goals and gain management input and support.

This example illustrates how a context analysis provides a comprehensive understanding of the internal and external factors that can influence the effectiveness of an organization’s ISMS. It forms the foundation for making informed decisions and developing a robust and tailored information security program.

Determining these issues refers to establishing the external and internal context of the organization considered in Clause 5.4.1 of ISO 31000:2018

ISO 31000 indeed emphasizes the importance of determining the internal and external context as part of the risk management process. This aligns with the broader understanding of organizational context in management system standards, including ISO 27001. The following methodology of ISO 31000:2018 can be used to establish the context for ISO 27001

ISO 31000:2018 Clause 5.4.1 – Establishing the Context:

  1. Scope and Objectives: Clearly define the scope of the risk management process and establish the context by stating the objectives that the organization wants to achieve through risk management.
  2. Internal Context: Identify the internal factors that can influence the achievement of objectives. This includes factors such as the governance structure, policies, culture, capabilities, and resources of the organization.
  3. External Context: Identify the external factors that can impact the achievement of objectives. External context includes legal, regulatory, technological, market, and environmental factors, among others.
  4. Stakeholders: Identify and consider the needs and expectations of stakeholders. Understanding the perspectives of stakeholders is crucial in assessing and managing risks effectively.
  5. Risk Criteria: Establish the criteria against which risks will be evaluated. This includes considering factors such as the organization’s risk appetite, tolerance, and criteria for assessing the significance of risks.
  6. Assumptions and Constraints: Identify any assumptions made and constraints that may impact the risk management process. Assumptions and constraints should be considered in the context to ensure a realistic and practical approach to risk management.
  7. Information Sources: Determine the sources of information that will be used to identify and assess risks. This may include internal reports, external data, industry benchmarks, and expert opinions.
  8. Documentation: Document the established context. Documentation ensures that there is a clear and shared understanding of the context within the organization and provides a basis for consistent risk management decisions.

ISO 19011:2018 Clause 7 Competence and evaluation of auditors

7.1 General

Confidence in the audit process and the ability to achieve its objectives depends on the competence of those individuals who are involved in performing audits, including auditors and audit team leaders.
Competence should be evaluated regularly through a process that considers personal behaviour and the ability to apply the knowledge and skills gained through education, work experience, auditor training and audit experience. This process should take into consideration the needs of the audit programme and its objectives. Some of the knowledge and skills are common to auditors of any management system discipline; others are specific to individual management system disciplines. It is not necessary for each auditor in the audit team to have the same competence. However, the overall competence of the audit team needs to be sufficient to achieve the audit objectives. The evaluation of auditor competence should be planned, implemented and documented to provide an outcome that is objective, consistent, fair and reliable. The evaluation process should include four main steps, as follows:

  1. determine the required competence to fulfil the needs of the audit programme;
  2. establish the evaluation criteria;
  3. select the appropriate evaluation method;
  4. conduct the evaluation.

The outcome of the evaluation process should provide a basis for the following:
— selection of audit team members
— determining the need for improved competence (e.g. additional training);
— ongoing performance evaluation of auditors.
Auditors should develop, maintain and improve their competence through continual professional
development and regular participation in audits

Confidence in the audit process and the ability to achieve its objectives depends on the competence of those individuals who are involved in performing audits, including auditors and audit team leaders. The competence of individuals involved in performing audits, including auditors and audit team leaders, is fundamental to the success and credibility of the audit process. Competence ensures that audits are conducted effectively, findings are reliable, and the overall objectives of the audit are achieved. Here are key aspects of competence in the context of auditing:

  1. Technical Knowledge and Skills:
    • Auditors: Possessing technical knowledge relevant to the industry, sector, or system being audited is essential. Auditors should have the necessary skills to understand complex processes, systems, and standards.
    • Audit Team Leaders: In addition to the technical expertise required of auditors, team leaders should also demonstrate leadership and coordination skills. This includes the ability to plan, organize, and manage the audit process efficiently.
  2. Understanding of Audit Principles and Standards:
    • Auditors: Competent auditors are well-versed in audit principles, standards, and methodologies. This includes a thorough understanding of ISO standards or other relevant frameworks.
    • Audit Team Leaders: Team leaders need a deeper understanding of audit principles to guide the team effectively. They should be familiar with audit planning, execution, and reporting, as well as applicable regulations and standards.
  3. Analytical and Critical Thinking:
    • Auditors: Competent auditors possess strong analytical and critical thinking skills. They can evaluate information, identify trends, and assess the significance of audit findings.
    • Audit Team Leaders: Leaders must have advanced analytical skills to interpret complex data and guide the team in drawing meaningful conclusions. Critical thinking is crucial for addressing unexpected challenges during the audit.
  4. Communication Skills:
    • Auditors: Effective communication is vital for auditors to convey audit objectives, findings, and recommendations clearly. This includes both written and verbal communication skills.
    • Audit Team Leaders: Leaders must excel in communication to articulate the audit plan, delegate tasks, provide guidance, and present findings to auditees and stakeholders.
  5. Ethical Conduct and Professionalism:
    • Auditors: Adhering to ethical principles is a cornerstone of auditing. Competent auditors maintain objectivity, integrity, and confidentiality throughout the audit process.
    • Audit Team Leaders: Leaders set an example for the team by demonstrating the highest standards of professionalism and ethical conduct. They foster a culture of integrity and fairness.
  6. Adaptability and Continuous Learning:
    • Auditors: Competent auditors are adaptable and open to continuous learning. They stay abreast of industry changes, new regulations, and advancements in audit methodologies.
    • Audit Team Leaders: Leaders should encourage a culture of continuous improvement within the team. They lead by example in embracing new information and adapting audit processes to evolving circumstances.
  7. Interpersonal and Teamwork Skills:
    • Auditors: Effective auditors collaborate seamlessly with colleagues, auditees, and other stakeholders. Interpersonal skills are crucial for building positive relationships.
    • Audit Team Leaders: Team leaders must excel in interpersonal skills to foster teamwork, resolve conflicts, and ensure a cohesive and productive audit team.
  8. Audit Process Management:
    • Auditors: Competent auditors should understand the entire audit process, from planning to reporting. They contribute actively to each phase of the audit.
    • Audit Team Leaders: Leaders are responsible for overseeing the entire audit process, ensuring that it is executed according to plan and objectives are met. This requires strong project management skills.
  9. Industry and Context Awareness:
    • Auditors: Understanding the specific industry or context being audited is essential for contextualizing findings. Competent auditors consider the unique aspects and challenges of the auditee’s environment.
    • Audit Team Leaders: Leaders should have a broad understanding of various industries and contexts to guide the team effectively in different audit scenarios.

Investing in the competence of individuals involved in the audit process is an investment in the quality and effectiveness of the audit function. Regular training, professional development, and adherence to best practices contribute to building and maintaining a skilled and competent audit team.

Competence should be evaluated regularly through a process that considers personal behaviour and the ability to apply the knowledge and skills gained through education, work experience, auditor training and audit experience. Regular evaluation of competence is a critical aspect of ensuring that individuals involved in the audit process, including auditors and audit team leaders, continue to meet the necessary standards and requirements. This ongoing assessment should encompass various elements, including personal behavior, application of knowledge and skills, and the integration of education, work experience, auditor training, and audit experience. Here are key considerations for evaluating competence:

  1. Behavioral Competence:
    • Professional Conduct: Assess individuals for adherence to ethical principles, integrity, and professional conduct. Evaluate their ability to maintain objectivity and confidentiality throughout the audit process.
    • Communication Skills: Evaluate how effectively individuals communicate with auditees, team members, and stakeholders. Consider both written and verbal communication skills.
    • Teamwork and Collaboration: Assess their ability to work collaboratively within the audit team and establish positive relationships with auditees.
  2. Application of Knowledge and Skills:
    • Technical Competence: Evaluate the application of technical knowledge relevant to the audit scope. This includes assessing their understanding of industry standards, regulations, and the auditee’s processes.
    • Analytical Skills: Assess the ability to analyze data, identify patterns, and draw meaningful conclusions. Evaluate how well individuals interpret complex information.
    • Problem-Solving: Evaluate their capability to address unexpected challenges during the audit and propose effective solutions.
  3. Integration of Education and Work Experience:
    • Relevance of Education: Assess whether the education background of individuals is aligned with the requirements of the audit. Consider whether their academic qualifications contribute to their effectiveness as auditors.
    • Application of Work Experience: Evaluate how individuals leverage their work experience in the audit process. Consider whether past experiences enhance their ability to understand and assess the auditee’s operations.
  4. Auditor Training:
    • Completion of Training Programs: Confirm that individuals have completed relevant auditor training programs. This includes training on audit methodologies, standards, and any specific skills needed for the audit process.
    • Up-to-Date Knowledge: Assess whether individuals stay updated on new developments in auditing through continuous education and training.
  5. Audit Experience:
    • Diversity of Audit Experience: Evaluate the breadth and depth of individuals’ audit experience. Consider exposure to various industries, contexts, and types of audits.
    • Learning from Previous Audits: Assess whether individuals apply lessons learned from previous audits to improve their performance in subsequent audits.
    • Handling Challenging Situations: Evaluate their ability to handle challenging situations that may arise during audits based on their experience.
  6. Self-Assessment and Professional Development:
    • Self-Reflection: Encourage individuals to engage in self-assessment, reflecting on their strengths and areas for improvement.
    • Professional Development Plans: Assess whether individuals have personalized professional development plans to address any identified gaps in competence.
  7. Feedback and Continuous Improvement:
    • Feedback Mechanism: Establish a feedback mechanism for individuals to receive constructive feedback from peers, team members, and audit clients.
    • Continuous Improvement: Assess whether individuals actively seek opportunities for continuous improvement and incorporate feedback into their professional development.
  8. Adherence to Standards and Requirements:
    • Compliance with Audit Standards: Verify that individuals consistently adhere to audit standards, methodologies, and any specific requirements set by the organization or relevant industry bodies.

Regular competence evaluations contribute to maintaining a high standard of performance within the audit team. This process ensures that individuals remain effective, up-to-date, and capable of addressing the evolving challenges within their roles. Additionally, it provides a foundation for professional growth and continuous improvement.

This process should take into consideration the needs of the audit programme and its objectives. When evaluating competence, it’s crucial to align the process with the needs of the audit program and its objectives. This ensures that the skills and capabilities of individuals within the audit team are directly relevant to the goals and requirements of the auditing activities. Here are some key considerations for incorporating the needs of the audit program into the competence evaluation process:

  1. Alignment with Audit Objectives: Ensure that the competence evaluation process directly supports the objectives of the audit program. Consider the specific skills and knowledge required to achieve the desired outcomes of the audits.
  2. Tailored Competence Criteria: Develop competence criteria that are tailored to the unique requirements of the audit program. Consider the industry, sector, or system being audited, as well as any specific standards or regulations relevant to the audits.
  3. Audit Scope Consideration: Take into account the scope of the audits planned within the program. Different audits may require different sets of skills and expertise. Evaluate whether individuals possess the necessary competencies for the specific types of audits planned.
  4. Risk-Based Approach: Apply a risk-based approach to competence evaluation. Identify key risks and challenges within the audit program and assess whether the competencies of the audit team are sufficient to address these risks effectively.
  5. Professional Development Focus: Direct the competence evaluation process toward identifying areas for professional development that align with the needs of the audit program. This may include targeted training programs or skill-building initiatives.
  6. Audit Team Composition:
  7. Evaluate the composition of the audit team in relation to the audit program’s requirements. Ensure that the team has a balanced mix of skills and expertise to cover all aspects of the audits planned.
  8. Flexibility for Evolving Needs:Design the competence evaluation process to be flexible and adaptable to the evolving needs of the audit program. As the program progresses, the required competencies may change, and the evaluation process should reflect these shifts.
  9. Strategic Alignment: Align the competence evaluation with the overall strategic goals of the organization and how the audit program contributes to these goals. Ensure that the competencies of the audit team support the organization’s broader objectives.
  10. Feedback from Audit Clients: Solicit feedback from audit clients regarding their expectations and requirements. Consider incorporating client perspectives into the competence evaluation process to enhance client satisfaction.
  11. Continuous Improvement Emphasis: Emphasize a culture of continuous improvement within the audit program. Use competence evaluations as a tool for identifying opportunities to enhance the capabilities of the audit team over time.
  12. Resource Allocation: Evaluate the allocation of resources within the audit program, including the human resources. Ensure that the competencies of team members align with the resource needs of the program.
  13. Clear Communication of Expectations: Clearly communicate the expectations for competence to individuals within the audit team. Ensure that they understand how their skills contribute to the success of the audit program.

By integrating the needs of the audit program into the competence evaluation process, organizations can optimize the performance of the audit team, enhance the effectiveness of audits, and contribute to the overall success of the audit program. This alignment ensures that the skills and knowledge of audit team members directly support the program’s goals and objectives.

Some of the knowledge and skills are common to auditors of any management system discipline; others are specific to individual management system disciplines. When it comes to the competence of auditors in the context of management systems, there are both general knowledge and skills that are common across various disciplines, as well as specialized knowledge and skills that are specific to individual management system disciplines. Here’s an overview of each:

Common Knowledge and Skills for Auditors:

  1. Audit Principles and Methodologies: Understanding fundamental audit principles, methodologies, and best practices applicable to auditing in general.
  2. Communication Skills: Effective written and verbal communication skills for conveying audit objectives, findings, and recommendations.
  3. Analytical Thinking: Strong analytical skills to assess information, identify patterns, and draw meaningful conclusions.
  4. Ethical Conduct: Adherence to ethical principles, including objectivity, integrity, and confidentiality, throughout the audit process.
  5. Interpersonal Skills: Ability to interact positively with auditees, team members, and stakeholders. This includes teamwork, collaboration, and conflict resolution.
  6. Documentation and Reporting: Proficient documentation skills for recording audit evidence, findings, and preparing clear and concise audit reports.
  7. Understanding of Management Systems: General knowledge of management systems principles, regardless of the specific discipline.

Specific Knowledge and Skills for Individual Management System Disciplines:

  1. ISO Standards or Industry-Specific Standards: In-depth knowledge of the relevant ISO standards or industry-specific standards applicable to the management system discipline being audited.
  2. Industry and Sector Understanding: Specific knowledge of the industry or sector where the management system is implemented, including industry-specific regulations and requirements.
  3. Regulatory Compliance: Understanding and awareness of regulatory requirements that may impact the management system within the specific discipline.
  4. System Processes and Requirements: Detailed knowledge of the processes and requirements outlined in the management system standard relevant to the specific discipline (e.g., ISO 9001, ISO 14001, ISO 45001).
  5. Risk Management: Expertise in risk management principles as they pertain to the specific discipline and the associated management system.
  6. Audit Criteria and Objectives: Understanding the specific audit criteria and objectives related to the management system standard for the given discipline.
  7. Industry-Specific Challenges: Knowledge of unique challenges and considerations within the industry or sector that may impact the effectiveness of the management system.
  8. Technological and Process Expertise: Technical knowledge and expertise related to the processes and technologies commonly employed within the specific management system discipline.
  9. Health and Safety Practices (for OHSAS/ISO 45001): Specialized knowledge of occupational health and safety practices, regulations, and risk mitigation strategies.
  10. Environmental Practices (for ISO 14001): Specialized knowledge of environmental practices, regulations, and sustainability principles relevant to the specific industry.
  11. Quality Management (for ISO 9001): In-depth understanding of quality management principles, customer satisfaction metrics, and continuous improvement strategies.
  12. Energy Management (for ISO 50001): Specialized knowledge of energy management practices, energy efficiency, and compliance with relevant standards.
  13. Information Security (for ISO 27001): Specialized knowledge of information security principles, data protection, and risk management in the context of information security.
  14. Food Safety Management (for ISO 22000): Specific knowledge of food safety principles, HACCP (Hazard Analysis and Critical Control Points), and industry-specific requirements.
  15. Social Responsibility (for ISO 26000): Understanding of social responsibility principles and sustainability practices applicable to the specific industry.
  16. Auditing Techniques for the Specific Discipline: Specialized auditing techniques and considerations tailored to the unique aspects of the management system discipline being audited.

In summary, auditors of management systems need a combination of general audit skills and discipline-specific knowledge to effectively assess and provide insights into the implementation and effectiveness of various management systems. This combination ensures that audits are comprehensive, aligned with relevant standards, and contribute to the improvement of organizational processes.

It is not necessary for each auditor in the audit team to have the same competence. However, the overall competence of the audit team needs to be sufficient to achieve the audit objectives. While it’s not necessary for every auditor in the team to possess identical competence, it is imperative that the collective competence of the audit team is comprehensive and adequate to achieve the audit objectives. This approach recognizes that individuals may bring different strengths, skills, and expertise to the team, contributing to a well-rounded and effective audit. Here are some key considerations related to the competence of audit teams:

  1. Diversity of Skills: Encourage a diversity of skills within the audit team. This includes a mix of general audit skills and discipline-specific expertise.
  2. Complementary Competence: Ensure that the competence of individual team members complements each other. For example, one team member may excel in communication skills, while another may have deep technical knowledge.
  3. Discipline-Specific Specialists: If the audit involves a specific management system discipline, consider including individuals with specialized knowledge in that discipline to address unique challenges and requirements.
  4. Role-Based Competence: Assign roles within the audit team based on individual competencies. For instance, one team member may be particularly skilled in data analysis, while another excels in interpersonal communication.
  5. Training and Development Opportunities: Provide opportunities for continuous training and development to enhance the competence of individual team members. This ensures that the team stays up-to-date with evolving standards and methodologies.
  6. Risk-Based Approach: Apply a risk-based approach to assess the potential risks and challenges associated with the audit. Ensure that the team has the necessary competencies to address identified risks effectively.
  7. Effective Team Communication: Foster an environment of effective communication within the audit team. This includes clear articulation of roles, responsibilities, and expectations.
  8. Flexibility and Adaptability: Recognize that audit situations may vary, and the team needs to be adaptable. Having a mix of competencies allows the team to navigate different scenarios effectively.
  9. Problem-Solving Skills: Emphasize problem-solving skills within the team. This is crucial for addressing unexpected challenges or deviations from the planned audit process.
  10. Team Leadership: If applicable, ensure that the audit team leader possesses strong leadership skills to guide and coordinate the team effectively.
  11. Client and Stakeholder Engagement: Consider competencies related to client and stakeholder engagement. This includes the ability to communicate effectively with auditees and other relevant parties.
  12. Continuous Improvement Culture: Foster a culture of continuous improvement within the team. Encourage feedback and learning from each audit experience to enhance future performance.
  13. Knowledge Sharing: Facilitate knowledge sharing within the team. This could involve debriefing sessions after audits to discuss lessons learned and areas for improvement.
  14. Client and Industry Understanding: If the audit involves specific industries or sectors, having team members with an understanding of those industries can provide valuable insights.

In summary, the overall competence of the audit team is the sum of the individual competencies of its members. By strategically assembling a team with diverse but complementary skills, organizations can enhance the effectiveness of audits, address a broad spectrum of challenges, and contribute to the continuous improvement of audit practices.

The evaluation of auditor competence should be planned, implemented and documented to provide an outcome that is objective, consistent, fair and reliable. The evaluation of auditor competence is a critical process that should be carefully planned, implemented, and documented to ensure objectivity, consistency, fairness, and reliability. Here are key considerations for each stage of the competence evaluation process:

1. Planning:

  1. Define Competence Criteria: Clearly define the criteria against which auditor competence will be assessed. This may include a combination of general audit skills and discipline-specific knowledge.
  2. Align with Audit Objectives: Ensure that the competence evaluation criteria align with the objectives of the audits to be conducted. The evaluation should support the successful achievement of audit goals.
  3. Consider Industry and Sector Requirements: Take into account any industry-specific or sector-specific requirements that may impact the competence needed for effective audits.
  4. Establish Evaluation Methods: Determine the methods and tools that will be used to assess competence. This may include self-assessment, peer review, performance evaluations, and feedback from audit clients.
  5. Training and Development Plan: Develop a plan for ongoing training and development based on identified competence gaps. This plan should support the continuous improvement of auditors.

2. Implementation:

  1. Competence Assessment: Conduct the competence assessment based on the defined criteria. This may involve a combination of written tests, practical exercises, and evaluations of actual audit performance.
  2. Objective Evaluation: Ensure that the evaluation process is objective and unbiased. Use standardized assessment tools and methods to minimize subjectivity.
  3. Consistency Across Auditors: Promote consistency in the evaluation process across different auditors. Provide clear guidelines and training to those involved in the assessment to enhance uniformity.
  4. Fairness and Equity: Ensure that the competence evaluation is fair and equitable for all auditors. Avoid any biases and treat each auditor with impartiality.
  5. Feedback Mechanism: Establish a feedback mechanism to provide auditors with constructive feedback on their performance. This encourages a culture of continuous improvement.

3. Documentation:

  1. Record Keeping: Maintain detailed records of the competence evaluation process. Document the criteria used, methods applied, and outcomes for each auditor.
  2. Individual Development Plans: Document individual development plans based on the competence evaluation. Outline specific areas for improvement and the corresponding actions to be taken.
  3. Training Records: Keep records of all training and development activities undertaken by auditors. This includes formal training programs, workshops, and on-the-job learning experiences.
  4. Audit Performance History: Document the historical performance of auditors in actual audit situations. This information can be valuable for assessing progress over time.
  5. Confidentiality and Data Security: Ensure that all documentation related to competence evaluation is handled with confidentiality and complies with data security and privacy regulations.

4. Review and Improvement:

  1. Periodic Review: Conduct periodic reviews of the competence evaluation process to identify areas for improvement. This may involve gathering feedback from auditors, audit clients, and other stakeholders.
  2. Adjustment of Criteria: Adjust competence criteria as needed to align with changes in audit standards, industry requirements, or organizational goals.
  3. Continuous Improvement Culture: Foster a culture of continuous improvement within the audit team. Encourage auditors to actively participate in their own professional development.
  4. Feedback Loop: Establish a feedback loop where auditors can provide input on the effectiveness and fairness of the competence evaluation process.

By carefully planning, implementing, and documenting the competence evaluation process, organizations can ensure that their audit teams remain highly competent, adaptable, and capable of delivering high-quality audits. This approach contributes to the overall effectiveness and reliability of the audit function within an organization.

1. Determine the Required Competence:

  • Audit Program Needs:Identify and understand the specific needs and objectives of the audit program. This includes the types of audits planned, the industries or sectors involved, and any unique challenges or requirements.
  • Skills and Knowledge Mapping: Map out the skills and knowledge areas that are essential for fulfilling the audit program needs. Consider both general audit skills and any discipline-specific expertise required.
  • Team Composition Considerations: Evaluate the composition of the audit team and identify any gaps in competence. Determine the ideal mix of skills and expertise within the team to achieve the program’s objectives.

2. Establish the Evaluation Criteria:

  • Clear and Measurable Criteria: Define clear and measurable criteria against which auditor competence will be assessed. This may include criteria related to general audit skills, industry-specific knowledge, communication abilities, etc.
  • Alignment with Program Objectives: Ensure that the evaluation criteria align with the overall objectives of the audit program. The criteria should directly contribute to the success of planned audits and the improvement of the audit function.
  • Discipline-Specific Criteria: If applicable, include discipline-specific criteria based on the nature of the audits to be conducted (e.g., criteria specific to quality management, environmental management, health and safety, etc.).

3. Select the Appropriate Evaluation Method:

  • Assessment Tools: Choose suitable assessment tools and methods for evaluating competence. This may include self-assessment, peer review, interviews, written tests, practical exercises, and evaluations of actual audit performance.
  • Feedback Mechanism: Establish a feedback mechanism to provide auditors with constructive feedback on their performance. This can help auditors understand their strengths and areas for improvement.
  • Consistency and Objectivity: Select methods that promote consistency and objectivity in the evaluation process. This ensures that the assessment is fair and reliable across all auditors.

4. Conduct the Evaluation:

  • Timely and Periodic Evaluation: Implement the evaluation process in a timely manner and periodically as needed. Regular evaluations help auditors stay current with evolving standards and continuously improve their skills.
  • Individual and Team Assessment: Conduct both individual and team assessments to ensure that the overall competence of the audit team is sufficient to meet program needs.
  • Feedback and Development Plans: Provide feedback to auditors based on the evaluation results. Develop individualized development plans to address any identified competence gaps.
  • Documentation: Document the evaluation process thoroughly, including the criteria used, methods applied, and outcomes. This documentation serves as a record for future reference and continuous improvement.

The outcome of the evaluation process should provide a basis for the selection of audit team members; determining the need for improved competence (e.g. additional training); ongoing performance evaluation of auditors. The outcome of the evaluation process plays a crucial role in various aspects related to the audit team. Here’s how the evaluation outcomes contribute to different areas:

1. Selection of Audit Team Members:

  • Competence Matching: The evaluation outcomes help in identifying individuals with the required competence and skills needed for specific audit assignments. This ensures that the selected team members are well-suited to meet the objectives of the audit.
  • Optimal Team Composition: By considering the competence of individual auditors, the audit team leader can strategically compose a team that brings together diverse skills and expertise. This is particularly important for addressing the unique challenges and requirements of different audits.
  • Aligning Competence with Audit Program Needs: The evaluation outcomes assist in aligning the overall competence of the audit team with the needs and objectives of the audit program. This ensures that the team is well-equipped to handle a range of audit scenarios.

2. Determining the Need for Improved Competence:

  • Identifying Competence Gaps: The evaluation process highlights areas where individual auditors may have competence gaps. This information is valuable for determining the need for additional training or development initiatives.
  • Individual Development Plans: Based on the evaluation outcomes, individualized development plans can be created to address specific competence gaps. This might involve targeted training programs, workshops, or mentorship opportunities.
  • Continuous Improvement: The identification of areas for improvement contributes to a culture of continuous learning and improvement within the audit team. It ensures that auditors stay current with industry standards and enhance their skills over time.

3. Ongoing Performance Evaluation of Auditors:

  • Feedback and Improvement Cycles: The evaluation outcomes serve as a foundation for providing constructive feedback to auditors. Ongoing performance evaluations can then be conducted to track improvements, address challenges, and support the professional development of auditors.
  • Adaptation to Changing Needs: As audit programs and organizational contexts evolve, ongoing performance evaluations help ensure that auditors’ competence remains aligned with changing needs. This adaptability is crucial for the long-term effectiveness of the audit function.
  • Recognition of Achievements: Positive evaluation outcomes can also be used to recognize and celebrate the achievements of auditors. This positive reinforcement contributes to job satisfaction and motivates auditors to continue performing at a high level.

Overall Considerations:

  • Balancing Team Competence: The evaluation outcomes contribute to maintaining a balanced and complementary mix of competencies within the audit team. This balance is essential for addressing the multifaceted aspects of audit assignments.
  • Strategic Human Resource Management: By considering the evaluation results, organizations can strategically manage their human resources, ensuring that auditors are assigned roles that align with their strengths and contribute to the success of the audit program.
  • Risk Mitigation: Ensuring that auditors have the necessary competence helps mitigate risks associated with audit activities. Competent auditors are better equipped to identify issues, provide accurate assessments, and contribute to the overall success of audits.

In summary, the outcomes of the auditor competence evaluation process have far-reaching implications, influencing team composition, training needs, ongoing performance evaluations, and the overall effectiveness of the audit function. This holistic approach supports the development of a high-performing and adaptable audit team.

Auditors should develop, maintain and improve their competence through continual professional development and regular participation in audits. The development, maintenance, and improvement of auditor competence are crucial aspects of ensuring the effectiveness and reliability of audit processes. Here’s why continual professional development and regular participation in audits are essential for auditors:

  • Professional development activities help auditors stay informed about changes in industry standards, regulations, and best practices. This is essential for conducting audits that remain relevant and compliant with the latest requirements.
  • Regular participation in audits and professional development programs provides opportunities for auditors to enhance their technical knowledge. This includes gaining in-depth insights into specific management system disciplines and industry sectors.
  • Professional development encourages auditors to adopt and implement best practices in audit methodologies. This contributes to the continual improvement of audit processes and ensures the use of effective and efficient techniques.
  • Auditors often interact with various stakeholders during audits. Continued professional development can include training in communication and interpersonal skills, enabling auditors to effectively engage with auditees and other relevant parties.
  • The audit landscape is evolving with advancements in technology. Continuous professional development allows auditors to learn and integrate new technologies into their audit processes, improving efficiency and data analysis.
  • As risks in business environments change, auditors need to be equipped to identify and address emerging risks. Professional development activities related to risk management contribute to auditor competence in this critical area.
  • Professional development fosters an environment of innovation and creative problem-solving. This is particularly important when auditors encounter unique challenges or situations during audits.
  • Developing competencies beyond technical skills, such as understanding client needs and building positive stakeholder relations, is essential for meeting and exceeding stakeholder expectations.
  • Regular participation in audits, coupled with a commitment to professional development, contributes to a culture of continuous improvement. Auditors can learn from each audit experience, share insights, and collectively enhance their capabilities.
  • Professional development often includes training on ethical considerations and integrity in auditing. This is critical for maintaining the trust and confidence of audit clients and stakeholders.
  • Continuous professional development helps auditors adapt to organizational changes, whether they are related to structural changes, new leadership, or shifts in organizational priorities.
  • Auditors who actively engage in professional development are better positioned for career advancement. Continuous learning and competence development contribute to personal and professional growth within the audit field.

In summary, auditors should view professional development and regular participation in audits as integral components of their career journey. This commitment not only benefits individual auditors but also contributes to the overall effectiveness and credibility of the audit function within an organization.

Example of ISO 27001:2022 ISMS Manual

The ISO 27001 Manual is a document that explains how an organization will comply with the ISO 27001 requirements and which procedures will be used in the ISMS, and it could be a bundle of all the documents that are produced for the ISMS – basically, the idea here would be to place all the policies, procedures, work instructions, forms, etc. into a single book so that they would be easier to read.

Introduction

This section presents the Scope of the Information Security Management System (ISMS). This includes the purpose and the application of ISMS.

1.0 Scope

The Scope of the ISMS covers, XXX, its Server room, and its management related to business applications, to implement the IT services provided to internal and external customers from its office location at XXXXXXX.

(Note: refer to Latest version of ISO 27001-2022-SOA .xlsxfor exclusions)

1.1 General

This ISMS manual specifies the requirements for establishing, implementing, monitoring, reviewing, maintaining, and improving documented ISMS within the context of the .’ overall Business requirements. It specifies the implementation of security controls customized to the needs of XXX.

The ISMS is designed to ensure adequate and appropriate security controls that maintain Confidentiality, Integrity, and Availability (CIA) of information assets.

For applicability (with rationale) and exclusion (with justification) of controls refer to Statement of Applicability (SOA). The SOA as applicable to XXX is enclosed. Ascertain controls are not applicable at project sites, project site-specific SOA is also made.

1.2 References

The following document were referred for the creation of this document. These include:

  • ISO/IEC 27001:2022,Information security, cyber security and privacy protection — Information security management systems — Requirements
  • ISO/IEC 27002:2022, Information security, cyber security and privacy protection — Information security controls

1.3 Terms and Definitions

  • Asset – Anything that has value to the organization.
  • Availability – The property of being accessible and useable upon demand by an authorized entity.
  • Business Continuity Plan (BCP) – A plan to build-in proper redundancies and avoid contingencies to ensure continuity of Business.
  • Computer Media – Includes all devices that can electronically store information. This includes but not limited to diskettes, CDs, tapes, cartridges, and portable hard disks.
  • Confidentiality – Ensuring that information is accessible only to those authorized to have access.
  • Continual Improvement – Continual Improvement refers to stage improvement programs that facilitate rapid improvement phases with intermediate stabilized phases.
  • Control – A mechanism or procedure implemented to satisfy a control objective
  • Control Objective – A statement of intent with respect to a domain over some aspects of an organization’s resources or processes. In terms of a management system, control objectives provide a framework for developing a strategy for fulfilling a set of security requirements.
  • Disaster Recovery (DR) – A plan for the early recovery of Business operations in the event of an incident that prevents normal operation.
  • Fallback – Provisions to provide service in the event of failure of computing or communications facilities.
  • Information Security – Security preservation of Confidentiality, Integrity, and Availability of Information.
  • Information Security Event – An identified occurrence of a system, service, or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be involved.
  • Information Security Incident – A single or series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security.
  • Information Security Management System (ISMS) – That part of the overall management system based on a business risk approach, to establish, implement, operate, monitor, review, maintain, and improve information security. The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes, and resources.
  • Integrity – Safeguarding the accuracy and completeness of information and processing methods.
  • Organization – Refers to XXX unless specified otherwise.
  • Risk – The combination of the probability of an event and its consequence.
  • Residual Risk – The risk remaining after risk treatment.
  • Risk Acceptance – Decision to accept risk.
  • Risk Analysis – Systematic use of information to identify sources and to estimate the risk.
  • Risk Assessment – Overall process of risk analysis and risk evaluation.
  • Risk Evaluation – Process of comparing the estimated risk against given risk criteria to determine the significance of the risk.
  • Risk Management – Coordinated activities to direct and control an organization with regard to risk.
  • Risk Treatment – Process of selection and implementation of measures to modify risk.
  • Statement of Applicability – Document describing the control objectives and controls that are relevant and applicable to XXX’s ISMS, based on the results and conclusions of the Risk Assessment and Risk Treatment Processes. It should clearly indicate exclusions with appropriate reasons.

2 About the Manual

This section presents a brief overview of the Information Security Management System (ISMS) manual of XXX.

2.1 Organization of the Manual

The ISMS manual is intended as a reference document describing the security framework adopted by XXX. It is organized as per the Table of Contents.

2.2 Document Availability

This document is available to all employees of the XXX in the form of web page on the intranet. This is a read-only copy and the relevant part of the documentation is available to only authorized users based on their business requirements.

2.3 Document Control Information

It is the responsibility of the XXX to release an approved document for the XXX.

3 Organization Overview

This section presents an overview of XXX and its operations. XXX’s mission is to fulfill the promise of applying technology to enable the success of customer business by performing at a level of trust, partnership, and innovation that far exceeds what you have come to expect from technology services providers. In the same way, we know that to achieve that aspiration, we must exceed what our professionals have come to expect from technology services employers.

4  Context of the Organization

4.1 Understanding the Organization and it’s Context

XXX shall determine external and internal issues that are relevant for delivering the services from Server Room and Business Operation that affect its ability to achieve the intended results of ISMS. The issues which are considered necessary for delivering the services to internal and external stakeholders are given in the table after section 4.2.

4.2 Understanding the Needs and Expectation from Interested Parties

XXX shall determine the following:

  1. Interested parties that are relevant to ISMS – All customers (Internal and External), Vendors, Supporting the Infrastructure in Server Room & other Business operation, All employees providing & getting services to Server Room & other Business operation.
  2. The requirement of these interested parties relevant to Information Security The needs and expectations from external as well as internal customers are considered as under, and will be reviewed and updated over a period of time as part of continual improvement.
  3. which of these requirements will be addressed through the information security management system.
InternalStake holdersIssues
 ManagementGovernance, Resource availability,  organization structure, roles and accountabilities,  Policies, objectives, and the strategies
 EmployeesFulfillment of commitments, adherence to organization policies, processes and guidelines and to ensure seamless / uninterrupted operations. Expectation of employees in terms of commitment made by the organization need to be fulfilled.
 ShareholdersRelationship with, and perceptions and values of, internal stakeholder’s
 Board of Directors Maintaining commitment to customers, goodwill and repute of the organization, and maintaining return on investment committed on the business, in totality
 Corporate requirementsStandards, guidelines and models adopted by the organization
 Users / Other departmentsInformation technology related requirements to the organization such as access right, IT infra availability to internal users and other departments.
 HRResource availability, resource competence, training, background verification etc.,
 FinanceApproval of financial commitments
 LegalVetting of Legal contracts and protecting the organization from non-compliance of legal, regulatory and contractual requirements
   
ExternalCustomersService delivery
 CustomersSupply of goods and services to enable the organization to meet the requirement of the customer
 CustomerRisk Assessment & Risk Treatment Procedure for assessment the risk for internal as well as external customer
 CustomerFor managing the customer related security aspects, the organization has deployed few policies, process and procedure such as Password Policy, IT Access control Policy, VPN-Virtual Private Network Policy, IEM-Internet & Electronic Messaging Usage Policy, Antivirus Policy, Information Classification, Labeling and Handling Policy, Asset Handling Process, Business Continuity Plan Process, Physical Security Management Procedure and many more.
 Users / PublicInformation technology related requirements to the organization such as access right, IT infra availability to internal users and other departments.
 GovernmentSubmission of desired reports and statements and approvals to carry out the business.  Fulfilling the legal, and regulatory requirement.
 Society and environment Natural and competitive environment, Key drives and trends having impact on the objectives of the organization, Political, financial status of the country.

4.3 Determining the scope of the Information security management System

The Scope of the ISMS covers,

  • The XXX Server Room, Business Operation and its management
  • To implement the IT services provided to internal and external customers

Server room is located at XXX
(Note: refer to SOA for exclusions)

4.4 Information Security Management System

 XXX shall establish, implement, Maintained and continually improve an information security management system including the processes needed and their interactions, in accordance with the requirements of ISO 27001:2022.

5 Leadership

This section presents XXX’s initiative and commitment to the effective implementation and operation of ISMS. In addition, this section highlights the roles and responsibilities associated with ISMS operation.

5.1 Leadership and commitment

Top management shall demonstrate leadership and commitment with respect to the information security management system by:

  1. Ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization;
  2. Ensuring the integration of the information security management system requirements into the organization’s processes;
  3. Ensuring that the resources needed for the information security management system are available;
  4. Communicating the importance of effective information security management and of conforming to the information security management system requirements;
  5. Ensuring that the information security management system achieves its intended outcomes;
  6. Directing and supporting persons to contribute to the effectiveness of the information security management system;
  7. Promoting continual improvement; and supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.

5.2 ISMS Policy

XXX is committed to maintaining high-quality standards in delivering timely and cost-effective solutions to our customers by continual improvement of our processes, instilling quality consciousness amongst all employees, and recognizing the confidentiality, integrity, and availability of information assets to relevant stakeholders including our customers. Risk management will be done as per ‘CP-05-ISMS-Risk Assessment & Risk Treatment Procedure’ and the risk will be evaluated based on asset value, threat, and vulnerabilities. If the risk value is high, adequate controls will be implemented.

Action Guideline:

  1. XXX prevents leakage, destruction, and illegal use of all information relating to the customers, vendors, management etc. and builds the system to secure the confidentiality, integrity and availability of the information for daily operations.
  2. Company recognizes the value of the private information of all staff and secures it.
  3. XXX establishes a contingency plan to secure continuation of the business, assuming occurrences of a natural disaster, terrorism, a large scale infection disease etc.
  4. Company provides all staff with proper education and training to maintain and improve the effectiveness of the information security management system
  5. Company builds and manages an organization which grasps incidents, audits its operations and effectiveness of the information security management system, and attempts its continuous improvement.

To secure its information assets and its customer, XXX shall deploy procedures to maintain confidentiality, integrity, and availability of all information assets.

Business objectives and goals of  XXX  are

  1. Key Objective 1: Provide high quality services to our clients.
  • Goal 1 – Client Satisfaction Score of more than 90 %
  • Goal 2 – On time Delivery >80%
  • Goal 3 – No defects of showstopper/critical type in first release to the client. 
  1. Key Objective 2: Continuous focus on employee satisfaction and competency development so as to reduce and stabilize employee attrition.
  • Goal 1 – A minimum of 3 man-days training in a year per employee.
  • Goal 2 – Overall attrition rate <15% in the year
  • Goal 3 – Employee satisfaction survey score of greater than 75%
  1. Key Objective 3: Continual improvement of services to our internal & external customers.
  • Goal 1 – Key process performance improvement of at least 10% per annum in all departments   
  1. Key Objective 4: To secure its information assets and of its customers, NST shall deploy procedures to maintain confidentiality, integrity and availability of all information assets.
  • Goal 1 – Number of security incidents of high severity to be less than 5% of total security incidents.
  1. Key Objective 5: To have year on year revenue increase while maintaining profitability
  • Goal 1 – Revenue growth of >=40% with respect to the previous financial year
  • Goal 2 – Profit before Tax to be >=20%

To meet these business goals, ISMS objective are defined. Which are given in section 6.2

5.3 Organizational Roles, Responsibilities & Authority for Information Security

XXX is committed to security. The management has constituted Information System Security Committee, which is responsible for defining and improving the ISMS. Management provides evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance, and improvement of the ISMS as defined in ISMS documentation, by

  1. Establishing an information security policy;
  2. Ensuring that information security objectives and plans are established;
  3. Establishing roles and responsibilities for information security;
  4. Communicating to the organization the importance of meeting information security objectives and conforming to the information security policy, its responsibilities under the law and the need for continual improvement;
  5. Providing sufficient resources to establish, implement, operate, monitor, review, maintain and improve the ISMS;
  6. Deciding the criteria for accepting risks and the acceptable level of risk;
  7. Ensuring that internal ISMS audits are conducted;
  8. Conducting management reviews of the ISMS.

1.SPONSOR 

  • Establishing an ISMS policy & integrated quality policy
  • Ensuring that ISMS objectives and plans are established.
  • Establishing roles and responsibilities for information security.
  • Communicating to the organization the importance of meeting information security objectives and conforming to the information security policy, its responsibilities under the law and the need for continual improvement:
  • Providing sufficient resources to establish, implement, operate, monitor, review, maintain and improve the ISMS.
  • Deciding the criteria for accepting risks and the acceptable levels of risk.
  • Ensuring that internal ISMS audits are conducted
  • Conducting security Committee meetings of the ISMS

2. CHIEF INFORMATION SECURITY OFFICER 

  • Responsible for defining ISMS Framework.
  • Responsible for implementing ISMS Framework
  • Responsible for Publishing ISMS Manual
  • Responsible for ensuring that security incidents are handled and resolved in efficient manner.
  • Define specific roles and responsibilities of information security across the XXX.

3. INFORMATION SYSTEM SECURITY COMMITTEE

  • Develop, maintain, and implement ISMS policies and procedures
  • Develop and maintain Business Continuity Management Plan for the region.
  • Approve and review the risk treatment plan, and accept residual risk
  • Design and deliver awareness program
  • Evaluate, implement and ensure utilization of up-to-date security technology and techniques
  • Review and monitor information security incidents
  • Ensure ISMS is in line with new legal, administrative, and business requirements
  • Ensures that security is part of the information planning process
  • Decide specific methodologies and processes for information security. For e.g. risk assessment, security classification system etc.
  • Drive XXX wide information security initiative
  • Assess new system and services for security before absorbing them into the system and identify and implement appropriate security controls 

4. MANAGEMENT REPRESENTATIVE

  • Responsible for defining policies and processes
  • Responsible for owning the security policy and reviewing and evaluating the same at least once in a year.
  • Responsible for reviewing current implementation of policies and processes and improving them if required
  • Responsible for reviewing security incidents and vulnerabilities and decide action to be taken on them
  • Responsible for reviewing any kind of hacking attacks and action taken to control them
  • Reviewing security audit reports and action taken to resolve NCs
  • Reviewing disciplinary action taken against employee (if there is any such case)
  • Review Backup audit reports and action taken on them.
  • Member of Information system Security Committee.
  • Co-ordinates with Information System Security Committee.
  • Organize security reviews and audits, with internal and external resources
  • Ensure implementation and tracking of ISMS plan
  • Organize management reviews of ISMS
  • To promote awareness amongst employees on ISMS.

5. MANAGER IT

  • Heading IT
  • Heading IT processes
  • Follow up daily tasks and tickets
  • Handling system security incidents and vulnerabilities
  • Handling virus attacks and hacking attacks and reporting them to Security Committee
  • Responsible for reviewing current implementation of policies and processes and improving them if required
  • Responsible for reviewing any kind of hacking attacks and action taken to control them
  • Reviewing security audit reports and action taken to resolve NCs
  • Reviewing disciplinary action taken against employee (if there is any such case)
  • Review Backup audit reports and take action on it
  • Member of Security Committee
  • Managing IT resources
  • To review and prioritize significant information Assets and security threats
  • Incidents Reporting

6. Sr.executive- HR

  • Heading HR Processes
  • Follow up daily tasks and HR Issues
  • Handling employee related incidents (misconducts, policy violations and other offences) and taking appropriate action against employees if required and reporting them to security Committee.
  • Take care of Human resource security clauses prior to employment, during employment and Termination or change of employment.

7. Admin Assistant

  • Heading Admin Processes
  • Follow up daily tasks and Admin Issues
  • Handling employee related admin issue (misconducts, policy violations and other offences) and taking appropriate action against employees if required and reporting them to security Committee
  • Managing Admin resources
  • Physical Security and Physical Access Control

8. MANAGER IT NETWORKS

  • Planning and monitoring networks
  • Handling network issues
  • Network setup and management
  • Reviewing server logs (which includes operator and administrator logs)
  • Client servers Monitoring support
  • Antivirus support
  • Handling network security incidents
  • Handling virus attacks and hacking attacks and reporting them to Information System Security Committee
  • Managing Network resources

9. System administrator

  • Ticket assignment
  • Ticket escalations from engineers
  • IMS Management
  • Data Backups
  • Server usage tracking
  • Helpdesk
  • Reports Management

10. Network Engineer

  • Ticket assignment, Ticket Handling
  • Desktop Issues
  • Maintaining Spare Parts details
  • Maintaining Software upgrade
  • Operating System patch management 

11. Vendors   

  • Provide services as per defined SLA
  • Provide Technical Support
  • Provide resources for upkeep of Data Center

11. Users   

  • Will follow the ISMS Policies
  • Will not share passwords
  • Will use application as per the scopes and access provided
  • Will maintain assets in good condition

The Security Committee will meet once every month, support and supervise the activities of the NST (P) LTD., making informed decisions. It will be held responsible for achieving measurable progress. Process measurement metrics will be monitored to achieve continuous improvement.

12. Risk Assessment and BCP CORE TEAM

Review, test and reassess the strategic plan to determine the overall approach to business continuity. Responsible for reviewing security incidents and vulnerabilities and decisive action to be taken on them

  • Identify and define plans to protect critical business process from the major failure of information system or disasters and to ensure timely resumptions of business activity
  • Review, test and reassess the strategy plan to determine the overall approach to business continuity.
  • Responsible for reviewing security incidents and vulnerabilities and decide action to be taken on them
  • Carry out RA and prepare RTP

Note: – Any two of the four members are mandatory to carry out this activity.

In addition, the group helps reduce the risk of disruption of business operation by providing advice on all aspects of security including:

  • Security Awareness
  • Data Confidentiality and Privacy
  • Logical Access
  • Data Communications
  • Systems and Data Integrity
  • Physical Security
  • Personal and Procedural Controls
  • Contingency and Disaster Recovery Planning

 13. EMPLOYEES

 Expected to follow security policy, processes, and procedures as documented in ISMS.

6 Planning

 6.1 Actions to address risks and opportunities

6.1.1 General

When planning for the information security management system, XXX shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:

  1. Ensure the information security management system can achieve its intended outcome(s);
  2. relent, or reduce, undesired effects; and
  3. Achieve continual improvement.

XXX shall plan:

  1. Actions to address these risks and opportunities; and
  2. How to
    1. Integrate and implement the actions into its information security management system processes; and
    2. Evaluate the effectiveness of these actions.

6.1.2 Information security risk assessment

XXX shall define and apply an information security risk assessment process that:

  1. establishes and maintains information security risk criteria that include:
    1. the risk acceptance criteria; and
    2. criteria for performing information security risk assessments;
  2. ensures that repeated information security risk assessments produce consistent, valid and comparable results;
  3. identifies the information security risks:
    1. apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and
    2. identify the risk owners;
  4. analyses the information security risks:
    1. assess the potential consequences that would result if the risks identified  were to materialize;
    2. assess the realistic likelihood of the occurrence of the risks identified; and
    3. determine the levels of risk;
  5. evaluates the information security risks:
    1. compare the results of risk analysis with the risk criteria established and
    2. Prioritize the analyzed risks for risk treatment.

XXX shall retain documented information about the information security risk assessment process.

6.1.3 Information security risk treatment

XXX shall define and apply an information security risk treatment process to:

  1. select appropriate information security risk treatment options, taking account of the risk assessment results;
  2. determine all controls that are necessary to implement the information security risk treatment option(s) chosen;
    XXX can design controls as required, or identify them from any source.
  3. compare the controls determined in 6.1.3 b) above with those in Annex A of the standard ISO 27001:2022 and verify that no necessary controls have been omitted;

NOTE 1 Annex A of the standard ISO 27001:2022 contains a comprehensive list of control objectives and controls. Users of this International Standard are directed to Annex A of the standard ISO 27001:2022 to ensure that no necessary controls are overlooked.
NOTE 2 Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A of the standard ISO 27001:2022 are not exhaustive and additional control objectives and controls may be needed.

  1. Produce a Statement of Applicability that contains the necessary controls and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A;
  2. Formulate an information security risk treatment plan; and
  3. Obtain risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks. The organization shall retain documented information about the information security risk treatment process.

The details of the RA process can be referred from ‘PROCEDURE FOR RISK ASSESSMENT AND TREATMENT’
The outputs of the RA process include:

  • Risk Assessment Report
  • Risk Treatment Plan
  • Statement of Applicability (inclusion with rationale /exclusion with justification)

Based on the RA report, Information System Security Council prepares the RTP, which includes the selection of controls. The XXX then obtains management approval for RTP implementation and acceptance of residual risk.

6.2 Information security objectives and planning to achieve them

 XXX Shall establish information security objectives at relevant functions and levels. The information security objectives shall:

  • be consistent with the information security policy;
  • be measurable (if practicable);
  • be monitored;
  • take into account applicable information security requirements, and results from risk assessment and risk treatment;
  • be communicated; and
  • Be updated as appropriate.

XXX shall retain documented information on the information security objectives. Following are the ISMS objectives established by senior management:

ISMS Objectives

  1. Protect information from deliberate or unintentional unauthorized acquisition or unauthorized access
  2. Maintain confidentiality of information.
  3. Maintain integrity of information by protecting it from unauthorized modification.
  4. Availability of information to authorized users when needed
  5. Meet regulatory and legislative requirements
  6. Produce, maintain and test Business Continuity plans as far as practicable.
  7. Train all staff on information security
  8. Report and investigate all breaches of information security and suspected weaknesses
  9. Monitor Risk Treatment Plan and measure effectiveness of selected controls.

When planning how to achieve its information security objectives, the organization shall monitor

  • Uptime of servers and Networks
  • Achievement of preventive maintenance planned schedule
  • Closure of Non conformities in defined time frame
  • Conducting of defined no of awareness program as per the process
  • Monitoring of security incidents as per process of incident Management
  • Mock drills of BCP as per process and achievement of targets :
  • Review of risks as per defined process and closure of actions as per last review.

The templates for each one of them is defined and frequency and thresholds for each of them is defined in the template.  For monitoring and analysis following

  1. Monitoring and measurement of the controls shall be done as per process mentioned in the template..
  2. System Administrator either himself or shall make one of the data center employee responsible for monitor and measurement of controls.
  3. The results from monitoring and measurement shall be analyzed and evaluated at least on monthly basis. However this analysis can be made early depending on the exigencies and system administrator shall decide the same.; and
  4. System Administrator shall analyses and evaluate these results.

6.3 Planning of Changes

When XXX determines the need for changing the integrated management system, the changes shall be carried out in a planned manner. When there are changes required in the existing ISMS requirements, management ensures through management review that the suitability & integrity of the management system is maintained during the planning and the implementation to the smooth transition of the system. When changes are required in existing objectives, the management representative shall ensure through review the purpose and potential consequences of the change and its suitability and integrity with the existing management system. In case of need for availability of resources or need for the allocation or reallocation of responsibilities and authorities for the changes in the objectives, it shall be duly addressed prior to formalizing the objectives.
Management programs, identified risk control measures and action plans are amended, if required. If necessary, planning is also carried out through review meetings. Regarding management of change (MOC), XXX shall identify the Information risks associated with changes in the organization, Information security management system, or its activities, prior to the introduction of the changes. XXX also ensures that the results of these assessments are considered for determining the appropriate controls. In case of the changes in the organization (including changes in the established processes), the process owners shall review the resources requirements, financial burden, timeline, affects to the customer resulting from the change and consult with the Top Management prior to initiating the change process in the organization

7.Support

7.1 Resources

The management provides resources for the implementation, maintenance, and review of the ISMS. The resources include funds, tools, human resources, and any other resources that may be required for the efficient performance of the ISMS. Periodically the XXX. evaluates resource requirements for improvements in security infrastructure based on RA, review /audit records. Based on resource requirements, the Management approves/ allocates the required resources.

7.2 Competence

Personnel who have experience and expertise in the application domain and in information security concepts are assigned to manage ISMS. Whenever feasible, experienced individuals are available and allocated appropriate responsibilities. When the required levels of skill and expertise are not available, training is provided to ensure skill/knowledge enhancement as per the XXX training process. The ISMS training should form an integral part of the training curriculum of the HR Dept. in association with the Co-ordination Team. Refer PR-10–Training Process’

  • Identifying what training is needed, and how frequently, for specific positions.
  • Identifying qualified individuals/agency to conduct the training program.
  • Organizing the training program.
  • Maintaining attendance records, course outlines and course feedback of all trainings conducted.

The XXX maintains records of all training programs as mentioned in the training process.

7.3 Awareness

Persons doing work under the organization’s control shall be aware of:

  • the information security policy;
  • their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance; and
  • The implications of not conforming to the information security management system requirements.
  • All updates in organization policies & procedure, which are relevant to their job function

7.4 Communication

Users shall be made aware about the risk of Information Security while exchanging information through Voice, Email, Fax, and Video Communication facility. XXX has established process for the need for internal and external communications relevant to the information security management system as show in below which includes:
a] on what to communicate;
b) when to communicate;
c) with whom to communicate;
d] how to communicate.

What to communicateWhen to communicateWith whom to communicateWho shall communicateProcesses by which communication shall be effected.
Technical MattersTo seek clarification, communicate execution and discussing options of deliveryCustomerDelivery Manager / Technical LeadEmail / Video Call/Phone
Non-Technical Business Developmentwhen communicating upgrades / updates and offers of XXXCustomerAccount ManagerEmail / Video Call/Phone
Financial Information such as Invoices, Payment reminder, Proposal, upgrade offer etc.As and when the event takes placeCustomerAccounts ManagerEmail / Video Call/Phone
Technical MattersTo get the action initiated on completion of deliveryAccounts Manager / Business HeadDelivery Manager / Technical LeadEmail / Video Call/Phone
Performance ReportMonthly / quarterlyBusiness HeadAccount Manager and Delivery ManagerPPT / Word / Excel  – Email/Phone
Technical MattersAs and when the event takes placeProject ManagerDeveloper/TesterPPT / Word / Excel  – Email/Phone
Network Security MattersAs and when the event takes placeIT TeamEmployeesEmail/ Phone/ Face to Face
Server Security MattersAs and when the event takes placeIT TeamEmployeesEmail/ Phone/ Face to Face
Application Security MattersAs and when the event takes placeIT Team or PMEmployeesEmail/ Phone/ Face to Face
Physical Security MattersAs and when the event takes placeAdminEmployeesEmail/ Phone/ Face to Face

7.5 Documented information

7.5.1 General

The organization’s information security management system shall include:

  1. Documented information required by this International Standard; and
  2. Documented information determined by the organization as being necessary for the effectiveness of the information security management system.

NOTE: The extent of documented information for an information security management system can differ from one organization to another due to:

  1. The size of organization and its type of activities, processes, products and services;
  2. The complexity of processes and their interactions; and
  3. The competence of persons.

 7.5.2 Creating and updating

When creating and updating documented information the organization shall ensure appropriate:

  1. Identification and description (e.g. a title, date, author, or reference number);
  2. Format (e.g. language, software version, graphics) and media (e.g. paper, electronic); and
  3. Review and approval for suitability and adequacy.

7.5.3 Control of documented information

Documented information required by the information security management system and by this International Standard shall be controlled to ensure:

  1. it is available and suitable for use, where and when it is needed; and
  2. it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).

For the control of documented information, the organization shall address the following activities, as applicable:

  1. distribution, access, retrieval and use;
  2. storage and preservation, including the preservation of legibility;
  3. control of changes (e.g. version control); and
  4. Retention and disposition.

Documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, shall be identified as appropriate and controlled. Access implies a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information, etc. To meet the requirement of 7.5, the documentation structure of the Information security management system is as detailed below:

The components of ISMS Documentation are:
Level – 0 Corporate Information System Security Policy): It is the Top-level security policy of the XXX.
Level – 1 ISMS Manual): This document includes requirements of the ISO/IEC 27001:2013 standard and describes how the defined ISMS meet the requirements. The document details XXX. the approach towards management and implementation of ISMS.
Level – 2 Supporting Policies & Guidelines A complete set of supporting technical policies and guidelines as identified and defined by the XXX. within the scope of ISMS.
Level – 3 Procedures and Processes – Contains processes and procedures required for implementing and supporting the defined policies & guidelines.
Level – 4 Templates and Forms –XXX standard templates/forms used in the processes/procedures. These are used to streamline the operation of ISMS and form a basis for records.

Control of Documents

All documents related to ISMS requirements are controlled as per ISMS-Document & Record Management Procedure. This includes:

  • Review and approval of documents for adequacy prior to issue / use
  • Updating, review and approval of necessary changes in controlled documents
  • Availability of current revisions of necessary documents
  • Withdrawal of obsolete documents from all points of issue or use to ensure guarding against unintended use.
  • All security documents are available on the Intranet for reference and use based on need-to-know requirements.
  • Any document if printed is considered obsolete. However, this excludes all the documents related to ‘Business Continuity Plan

Control of Records

Records are identified within each procedure in the ISMS to provide evidence of conformance to requirements and effective functioning of the ISSC. Master list of records is maintained. Refer ‘List of Format-Content Master’. Other attributes shall be as per ISMS Information Classification, Labeling and Handling Policy.docx

8 Operation

8.1 Operational planning and control

8.1.1 Implement and Operate the ISMS

Selected control objectives and controls that are a part of RTP are implemented effectively in XXX and they are also capable of enabling prompt detection of and response to security incidents. XXX has established criteria for the processes and implemented control of the processes in accordance with the criteria. XXX ensures that proper training and awareness on ISMS are conducted, and appropriate resources are assigned to manage ISMS. XXX maintains a suitable matrix of risk/incidence reduction against its major controls identified every year for monitoring purposes to ensure the effectiveness of selected controls. Logs of risk reduction and/or incidence reduction are maintained for results comparison and reproduction.

8.1.2 Monitor and Review the ISMS

XXX. ensures that ISMS is properly monitored and reviewed periodically.

  1. For monitoring incidents, the XXX. has a well-defined Incident Management Procedure, which ensures that all problems, errors identified during processing of any information are handled promptly and effectively, and breach of security is appropriately addressed. Refer to ‘ISMS-IMP-Incident Management Process’.
  2. A process for conducting Management Reviews and audit procedures of ISMS exists. The focus of the review is to ensure that ISMS is effective, and all policies, controls, and security objectives are in line with business requirements. The audit focuses on the compliance of XXX’s practices as defined in ISMS. Refer ‘ ISMS Plan’
  3. Information System Security Committee reviews the level of residual and acceptable risks based on the changes in the deployed technology, new threats, and vulnerabilities, and business objectives. Refer ISMS-RART-Risk Assessment & Risk Treatment Procedure
  4. The controls at appropriate intervals are monitored against the logs generated to arrive at the current risk exposure. This is compared with the previous risk level to verify the effectiveness of controls. Refer ‘CEM-Control Effectiveness Measurement Process’
  5. All outsourced activities and externally provided processes, product and services are controlled and the requirements (as applicable to them) of the Information security management system are clearly communicated to them and further verified by the respective teams dealing with the external providers.

8.1.3 Maintain and Improve the ISMS

Based on the review reports and audit findings, appropriate corrective and preventive actions, as approved by the Information System Security Committee are implemented and incorporated into the ISMS. Inputs for improvement can be from:

  • Audit Reports
  • Management Review Reports
  • Incident Reports
  • RA report
  • Business Changes (Objectives, process, industry practices, legal/regulatory, etc)
  • Environmental Change (New threats and vulnerabilities, technology Changes, etc.)
  • Externally provided process, product or services relevant to ISMS

XXX. maintains all inputs in an improvement database available for internal use’s XXX. consolidates the inputs, and reviews the ISMS for applicable improvements. For changes to be made, XXX prepares an action plan and communicates the results to all interested /affected parties. All improvements should be directed towards predefined organizational Business objectives.

8.2 Information security risk assessment

 The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established.  The organization shall retain documented information on the results of the information security risk assessments.

8.3 Information security risk treatment

 The organization shall implement the information security risk treatment plan. The organization shall retain documented information of the results of the information security risk treatment.

9 Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation

XXX shall evaluate the information security performance and the effectiveness of the information security management system. XXX shall determine:

  1. what needs to be monitored and measured, including information security processes and controls;
  2. the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results;
  3. The details of what needs to be measured is given in. The methods selected should produce comparable and reproducible results to be considered valid.
  4. Monitoring and measurement of the controls shall be done on daily basis.
  5. System Administrator either himself or shall make one of the data center employee responsible for monitor and measurement of controls.
  6. The results from monitoring and measurement shall be analyzed and evaluated at least on monthly basis. However this analysis can be made early depending on the exigencies and system administrator shall decide the same.; and
  7. System Administrator shall analyze and evaluate these results.

 XXX shall retain appropriate documented information as evidence of the monitoring and measurement results. The templates where these pieces of evidence are maintained are defined in ‘ISMS-Control Effectiveness Measurement Process.docx’

9.2 Internal Audits

MR conducts internal ISMS audits quarterly to verify the adherence to ISMS. The audits are conducted to ensure that ISMS:

  • Conforms to the requirements of the ISO/IEC 27001:2022 standard
  • Ensure compliance with relevant legal, statutory, and contractual requirements
  • Conform to the identified information security requirements
  • ISMS is effectively implemented and maintained
  • Performs as expected

Security Audits are conducted in accordance with the audit procedure defined in 06-ISMS-IAP-Internal Audit Procedure’. Trained personnel, not having direct responsibility for the activity being audited, shall conduct audits. MR with the help of HODs will ensure that any non-conformance found is closed. MR is responsible for planning, scheduling, organizing, and maintaining records of these audits.

9.3 Management Review

Top management shall review the information security management system once every three months, or on an event-driven basis, to ensure its continuing suitability, adequacy, and effectiveness. The management review shall include consideration of:

  1. The status of actions from previous management reviews;
  2. Changes in external and internal issues that are relevant to the information security management system;
  3. changes in needs and expectations of interested parties that are relevant to the information security management system
  4. Feedback on the information security performance, including trends in:
  5. nonconformities and corrective actions;
  6. monitoring and measurement results;
  7. audit results; and
  8. Fulfilment of information security objectives;
  9. feedback from interested parties;
  10. Results of risk assessment and status of risk treatment plan; and
  11. Opportunities for continual improvement.

The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. XXX shall retain documented information as evidence of the results of management reviews.

10 Improvement

10.1 Continual Improvement

XXX is responsible for the continual improvement of the ISMS for suitability and effectiveness. Inputs to continual improvement can be:

  • Change in security policies and objectives
  • Audit results and Management Review Reports
  • Incident Reports
  • Analysis of monitored events
  • Corrective and Preventive Actions
  • Business Changes
  • Environmental Change (New threats and vulnerabilities)
  • Best practices of industry

10.2 Non conformity and Corrective Action

 When a nonconformity occurs, XXX shall:

  1. react to the nonconformity, and as applicable:
    1. take action to control and correct it; and
    2. deal with the consequences;
  2. evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by:
    1. reviewing the nonconformity;
    2. determining the causes of the nonconformity; and
    3. determining if similar nonconformities exist, or could potentially occur;
  3. implement any action needed;
  4. Review the effectiveness of any corrective action taken; and
  5. Make changes to the information security management system, if necessary.

Corrective actions shall be appropriate to the effects of the non conformities encountered. The organization shall retain documented information as evidence of:

  1. The nature of the nonconformities and any subsequent actions taken, and
  2. The results of any corrective action.

The procedure is created, for implementing and tracking the correcting action. Refer to ‘CAPA-Corrective & Preventive Action Procedure’.

 11 ISMS Controls

This section describes the selection and implementation of controls by xxx. Controls applicable to XXX. have been mentioned and addressed in this section. Controls not applicable to XX. are mentioned in this section and exclusion with justification given in SOA. Refer ISO27001-2022-SOA-V2.0

A.5 Organizational controls

A.5.1 Policies for information security

The Information Security Policy establishes requirements to ensure that information security controls remain current as business needs evolve and technology changes. This policy is published and communicated to all employees and relevant external parties. The Chief Information Officer is responsible for establishing, issuing and monitoring information security policies.

Control Objective: Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.

A Corporate Information System Security Policy document approved by the management exists. Information security policy has been published and communicated to all employees of XXX through the Intranet and mails, training, and induction programs. The Information Security Policy contains operational policies, standards, guidelines, and metrics intended to establish minimum requirements for the secure delivery of our Products/ services. Secure service delivery requires the assurance of confidentiality, integrity, availability, and privacy of  information assets through:

  • Management and business processes that include and enable security processes;
  • Ongoing employee awareness of security issues;
  • Physical security requirements for information systems;
  • Governance processes for information technology;
  • Defining security responsibilities;
  • Identifying, classifying, and labeling assets;
  • Ensuring operational security, protection of networks, and the transfer of information;
  • Safeguarding assets utilized by third parties;
  • Reporting information security incidents and weaknesses;
  • Creating and maintaining business continuity plans; and,
  • Monitoring for compliance.

The Chief Information Officer recognizes that information security is a process, which to be effective, requires executive and management commitment, the active participation of all employees, and ongoing awareness programs. The Information Security Policy must be reviewed on an annual basis and updated when required. The purpose is to ensure information security policies remain current with evolving business needs, emerging risks, and technological changes.

XXX. is responsible for the creation, maintenance, and updating of the policy.  Information System Security Committee approves the policy prior to release. The review and evaluation of ISMS policy are conducted at least once a year. The review guidelines state that the policy is to be reviewed against its effectiveness, compliance to business process, and compliance to technology changes. The Chief Information Officer is responsible for reviewing information security policies, standards, and guidelines on an annual basis. Policies and standards reviews must be initiated:

  • In conjunction with legislative, regulatory, or policy changes which have information security implications;
  • During planning and implementation of new or significantly changed technology;
  • Following a Security Threat and Risk Assessment of major initiatives (e.g., new information systems or contracting arrangements);
  • When audit reports or security risk and controls reviews identify high-risk exposures involving information systems;
  • If threat or vulnerability trends produced from automated monitoring processes indicate the probability of significantly increased risk;
  • After receiving the final report of the investigation into information security incidents;
  • Prior to renewing third party access agreements which involve major programs or services;
  • When industry, national or international standards for information security are introduced or significantly revised to address emerging business and technology issues; and,
  • When associated external agencies (e.g., Information and Privacy Commissioner, Ministry on Information Technology) issue reports or identify emerging trends related to information security.

A. 5.2 – Information Security Roles and responsibilities

Control Objective: Information security roles and responsibilities should be defined and allocated according to the organization needs.

The purpose is to ensure employees are informed of their information security roles and responsibilities. Security roles and responsibilities of employees, contractors, and third-party users are defined and documented in accordance with the organization’s information security policy. Security roles and responsibilities for employees must be documented.
a) Security roles and responsibilities
b) Communication of security roles and responsibilities

a) Security roles and responsibilities
Employees must be aware of their information security roles and responsibilities. Information Owners and Information Custodians must:

  • Document information security roles and responsibilities for employees in job descriptions, standing offers, contracts, and information use agreements where relevant; and,
  • Review and update information security roles and responsibilities when conducting staffing or contracting activities.

b) Communication of security roles and responsibilities
Supervisors must ensure employees are informed of their security roles and responsibilities by establishing processes for communicating security roles and responsibilities to protect information assets

A. 5.3 – Segregation of duties

Control Objective: Conflicting duties and conflicting areas of responsibility should be segregated.

The purpose is to reduce the risk of loss, fraud, error, and unauthorized changes to information.  In XXX duties have been segregated in order to reduce the risk of accidental or deliberate system misuse. Different individuals are responsible for their respective areas, and proper controls exist that take care of the possibility of fraud in areas of single responsibility without being detected. Different areas and associated responsibilities are defined as per Roles and Responsibilities. Day-to-day administration & maintenance of IT Infrastructure is done by IT Department & HOF/IT review different logs & conduct periodic VA. Duties and areas of responsibility must be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of information systems.
a) Segregation of duties
b) Critical or sensitive information systems.

a) Segregation of duties
Information Owners must reduce the risk of disruption of information systems by:

  • Requiring complete and accurate documentation for every information system;
  • Requiring that no single individual has access to all operational functions of an information system (e.g., operating system administrators must not also have application administrator privileges);
  • Rotating job duties periodically to reduce the opportunity for single individuals to have sole control and oversight on key systems;
  • Automating functions to reduce the reliance on human intervention for information systems;
  • Requiring that individuals authorized to conduct sensitive operations do not audit the same operations;
  • Requiring that individuals responsible for initiating an action are not also responsible for authorizing that action; and,
  • Implementing security controls to minimize opportunities for collusion.

b) Critical or sensitive information systems
Where supported by a Security Threat and Risk Assessment or other formal assessment, Information Owners must employ two-person access control to preserve the integrity of the information system.

A.5.4 – Management responsibilities

Control Objective: Management should require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organization.

The Purpose is to establish Supervisor responsibilities for ongoing support and implementation of information security. Management shall require employees, contractors, and third-party users to apply security in accordance with established policies and procedures of the organization. Management must ensure employees comply with information security policies and procedures.
a) Management responsibilities
b) Review of security roles and responsibilities

To ensure that all employees, contractors, and third-party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.

a) Management responsibilities
Management must support the implementation of information security policies and practices by:

  • Ensuring employees are informed of information security roles and responsibilities prior to being granted access to information or information systems;
  • Supporting and encouraging employees to adhere to information security policies; and,
  • Requiring that employees conform to the terms and conditions of employment, including information security policies.

b) Review of security roles and responsibilities
Information security roles and responsibilities must be reviewed when staffing or restructuring public service or contract positions, or when implementing new, or significant changes to, information systems.

Guidelines:
Management should annually review and validate information security roles and responsibilities in job descriptions, standing offers, contracts and information usage agreements.

A.5.5 – Contact with authorities

Control Objective: The organization should establish and maintain contact with relevant authorities.

The purpose is to facilitate a timely response from and co-ordination with outside authorities during information security incidents or investigations. Appropriate contacts shall be maintained with local law enforcement authorities, emergency support employees. Appropriate contacts/ agreements are maintained with the following but not limited to:

Services                                                                      Responsibility 

  • Internet Service Provider (ISP)                                Head/IT
  • Hardware Maintenance contracts Head/IT
  • Telecom services department Head/IT
  • Electricity services department Admin/HR
  • Local Enforcement Agencies like Police, Fire Admin/HR

Responsibility for any other services which fall under Information Security preview, but not mentioned above, is assigned to Head/IT. This is necessary to ensure that appropriate actions can be promptly taken, and advice obtained in the event of any security incident. The organization’s legal department is consulted for all third-party contracts and agreements. The Chief Information Security Officer must ensure that outside authorities, emergency support employees can be contacted by:

  • Maintaining and distributing as appropriate, a list of internal and external organizations and service providers.
  • Documenting emergency and non-emergency procedures for contacting authorities as required during information security incidents or investigations.

A.5.6 – Contact with special interest groups

Control Objective: The organization should establish and maintain contact with special interest groups or other specialist security forums and professional associations.

The purpose is to promote and further employee knowledge of information security industry trends, best practices, new technologies, and threats or vulnerabilities. Appropriate contacts shall be maintained with specialist security forums and professional associations. Information security advice is obtained from vendors, legal advisors, and technical experts on security matters to maximize the effectiveness of the ISMS. Internally MR shall act as Security Advisor. External advice shall only be sought by MR if required. All security incidents and breaches are reported to MR for necessary corrective and preventive actions. Information security specialists must maintain their knowledge of information security industry trends, best practices, new technologies, and threats or vulnerabilities by:

  • Participating in information exchange forums regarding best practices, industry standards development, new technologies, threats, vulnerabilities, early notice of potential attacks, and advisories;
  • Maintaining and improving knowledge regarding information security best practices; and
  • Creating a support network of other security specialists.

The Chief Information Security Officer must promote professional certification and membership in professional associations for information security specialists throughout the organization.

A. 5.7 Threat intelligence

Control Objective: Information relating to information security threats should be collected and analysed to produce threat intelligence.

To provide awareness of the organization’s threat environment so that the appropriate mitigation actions can be taken. Threat intelligence is the discipline of obtaining and analyzing information about those who would do us harm in cyber space in order to understand how to make our defenses as effective as possible. The collection, processing and reporting of threat intelligence is vital to XXX’s ability to assess risk and react to the threats it faces to its information security, for example from external parties who may be on the other side of the world. XXX is committed to ensuring that effective methods are employed to ensure the accuracy, completeness and timeliness of the threat intelligence it uses. This process sets out the major steps involved in collecting and processing intelligence about threats at the strategic, tactical and operational levels. This control applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to XXX systems.
The following policies and procedures are relevant to this document:

  • Threat Intelligence Policy
  • Specialist Interest Group Contacts
  • Authorities Contacts
  • Information Security Incident Response Procedure
  • Technical Vulnerability Management Policy

In accordance with our policy, threat intelligence is gathered and reported at three levels; strategic, tactical and operational. These levels are described in Table

LEVELDESCRIPTION
StrategicFocused on the collection and analysis of high-level information regarding groups of attackers, their motivation, typical targets, types of attack and current levels of activity.
TacticalConcerned with specific attackers or types of attackers and the tactics, techniques, and procedures (TTPs) that they are currently using to gain access to systems or otherwise pose a threat to our organization.
OperationalRelating to specific and potentially ongoing attacks, including indicators of compromise (IOCs) which may allow us to identify cases where we have suffered a breach.
Table : Threat intelligence levels

This process is intended to be used in its basic form to produce threat intelligence at all three levels as the overall approach in each case is similar. The process of threat intelligence is shown in Figure below and each step is described as follows.

Direction/Planning
It is important that clear objectives are defined for threat intelligence in general and for the specific topics for which information is to be collected and analysed. These objectives should consider the context of the organization, in terms of our industry, locations, technology and interested parties. The information sources that will be used both for a specific topic and on an ongoing basis must be identified and due diligence carried out on each one to ensure their validity and accuracy. Sources that will provide information on a long-term basis must be added to the list of Authorities Contacts and Specialist Interest Group Contacts. Those sources that are used for a single purpose will be identified in the resulting report.

Collection
Relevant information will then be collected from the identified sources by whatever method is appropriate (for example download of a report, request for information, subscription to a news feed). Any necessary preparation of the information (such as translation, summarisation, or comparison with other sources) must also be carried out to make its analysis more effective. The information must be stored appropriately (for example in a filing system) and its source clearly recorded for future reference.

Analysis
The collected information must be analysed to define its relevance to, and implications for, the organization. At the tactical and operational levels, this may include comparing information received from external sources (for example indicators of compromise (IOCs) with information available from internal systems, such as security information and event management (SIEM) and event logs to investigate any existing impact to the organization, such as a breach. Factors such as the types of technology and software versions affected may also be relevant to determine whether a threat needs to be analysed further.

Production
Once sufficient analysis of threat intelligence has been carried out, the resulting information must be presented in an actionable form, usually as a report or briefing paper. Where appropriate, reports from third parties may be distributed in their published form, particularly at the strategic level. However, analysis should reflect clear guidance about the relevance of such reports to XXX where required.
Reports should be distributed to all areas of the business that may be affected by their contents. This will usually include:

  • Top management (mainly for strategic level reports)
  • Risk management
    Business areas responsible for the application of controls (such as ICT and HR)
  • Business areas responsible for security testing, for example of application code

Where reports refer to a potentially urgent threat, additional methods of communication such as face to face or virtual briefings should also be used. Feedback should be requested on each report in order to improve aspects such as format, language used, timeliness and content.

A. 5.8 Information security in project management

Control Objective:Information security should be integrated into project management.

The purpose is to ensure information security risks related to projects and deliverables are effectively addressed in project management throughout the project life cycle. Where projects involve information or information technology assets the information security is addressed in project management. Information Owners and Information Custodians must integrate information security into every phase of the organization’s project management method(s) to ensure that information security risks are identified early and addressed as part of the entire project. The project management methods in use should require that:

  • Information security objectives are included in project objectives;
  • An information Security Threat and Risk Assessment is conducted at an early stage of the project to identify necessary controls;
  • Information security is part of all phases of the applied project methodology.

Information security implications should be reviewed regularly in all projects. Responsibilities for information security should be defined and allocated to specified roles defined in project management methods.

a) Security requirements for information systems

Information Owners must conduct a Security Threat and Risk Assessment and a Privacy Impact Assessment during the requirements phase when developing, implementing major changes to, or acquiring an information system, to:

  • Identify the security requirements necessary to protect the information system; and,
  • Assign a security classification to the information and the information system.

The Information Owner must ensure that information system development or acquisition activities are done in accordance with documented requirements, standards and procedures which include:

  • Testing the information system to verify that it functions as intended;
  • Enforcing change control processes to identify and document modifications or changes which may compromise security controls or introduce security weaknesses; and,
  • Using common processes and services (e.g., authentication, access control, financial management).

b) Security requirements at implementation
Information Owners must ensure that sufficient controls are in place to mitigate the risk of information loss, error or misuse from information systems. Prior to implementation, information systems must be assessed to verify the adequacy of, and document the details of, the security controls used, by completing a security certification. Different tiers of applications need to be separated across different platforms or servers (e.g., web interface must be on a different server from the data base).Information systems should have a documented and maintained System Security Plan. The Plan should include:

  • A summary of risks identified in the Security Threat and Risk Assessment;
  • Results of the system certification;
  • Roles and responsibilities for information system security management;
  • Specific procedures and standards used to mitigate risks and protect the information system;
  • Communication procedures for security-relevant events and incidents; and,
  • Monitoring procedures.

While Security Threat and Risk Assessments are not required for all apps on mobile devices, where the app is used for processing the information, a Security Threat and Risk Assessment and Privacy Impact Assessment must be completed before the use of the app. Apps should be downloaded only from official vendor provided app stores. Mobile devices attached to the network must be used according to vendor specifications (e.g., not removing vendor built-in restrictions). Employees should always consider potential risks before downloading apps on their mobile devices. Some apps have been found to have harmful effects and may inadvertently release information from the mobile device to third parties.

5.9 Inventory of information and other associated assets

Control objective: An inventory of information and other associated assets, including owners, should be developed and maintained.

The Purpose is to identify the organization’s information and other associated assets in order to preserve their information security and assign appropriate ownership. Information and information systems services constitute valuable organizational resources. Asset management establishes the blueprint to identify the rules of acceptable use and the rules for protection: what assets to protect, who protects them, and how much protection is adequate. To account for the assets that require protection, it specifies the requirement to designate who owns assets. Designated owners become responsible for protecting information and technology assets and maintaining the way assets are protected. It sets the foundation for a system that classifies information to identify different security levels, to specify how much protection is expected and how information should be handled at each level. Not all information requires the same level of protection because only some information is sensitive or confidential.

Inventory of assets

XXX.’s Assets have been classified as:

  • Hardware – Includes computer equipment (CPU, Peripherals, etc.), communication equipment (routers, switches, etc.), magnetic media (CDs, Tapes, Disks), UPS/Inverters/power backup devices/Battery Bank, Air conditioner, Fire extinguisher, etc.
  • Software – Includes various applications programs, system software, development tools, and utilities.
  • Information –Databases, data files, archived information, documentation.
  • Services – Include communication services, general utilities like power, AC, Buildings (Rent Agreement- Renewal) Services (provided by org external/internal the group), etc.
  • Management System- Includes Borrowed Information, Copyright/IPR, The whole Organization
  • Human Resource- That includes Technical Manpower & Administrative manpower

An inventory of all assets is maintained by the IT department in the form of. maintains appropriate protection of the organizational assets. It aims at confidentiality, integrity, and availability. An inventory of all important assets associated with information systems must be documented and maintained.
a) Identification of assets
b) Documenting and maintaining asset inventories
c) Loss, theft, or misappropriation of assets

a) Identification of assets
Information Owners must identify assets under their control including:

  • Software;
  • Hardware including mobile devices and tablets;
  • Services including computer and communications services and general utilities;
  • Information assets required to be inventoried in the personal information directory (required under the Freedom of Information and Protection of Privacy Act);
  • All other information assets including: database and data files, contracts and agreements, system documentation, research information, user manuals, training material, operational or support procedures, continuity plans, fallback arrangements, and archived information.

b) Documenting and maintaining asset inventories
Information Owners must document, maintain and verify asset inventories on a regular basis, depending on the criticality and value of the assets, and validate the measures taken to protect the assets as part of an enterprise risk management strategy. Information Owners must document, maintain and verify the personal information directory including the personal information bank and privacy impact assessment sections. The following information should be recorded to facilitate system planning and asset recovery in the case of interruption, corruption, loss, disposal, or destruction:

  • Type of asset;
  • Ownership;
  • Format;
  • Location;
  • Back-up information and location;
  • License information;
  • Sensitivity and safeguards requirements;
  • Criticality for service delivery and maintaining business functions; and,
  • Consequences of loss.

Information Owners and Information Custodians are accountable for asset identification and inventory maintenance.

c) Loss, theft, or misappropriation of assets
The loss, theft, or misappropriation of assets must be reported immediately using the General Incident or Loss Report. Where the loss, theft, or misappropriation involves information, the Information Incident Management Process must be followed.

Ownership of assets

All information and assets associated with information processing facilities shall be owned by a designated part of the organization. The term ‘owner’ identifies an individual or entity that has approved management responsibility for controlling the production, development, maintenance, use, and security of the assets. The term ‘owner’ does not mean that the person actually has property rights to the asset. Information Owners and Information Custodians must be designated for all assets associated with information systems.
a) Responsibilities for asset ownership
b) Designating Information Custodians

a) Responsibilities for asset ownership
All information assets must have a designated owner. An Information Owner is responsible for controlling the production, development, maintenance, use, and security of information and technology assets within their jurisdiction. Information Owners are responsible for:

  • Ensuring the appropriate classification and safeguarding of information and technology systems or services;
  • Defining and regularly reviewing access restrictions, classifications and safeguards in accordance with applicable policies; and,
  • Designating Information Custodians and ensuring that they have the correct tools for protecting designated assets.

b) Designating Information Custodians
Information Owners may delegate responsibility for the custody of information and technology systems or services to Information Custodians. Information Custodians will be responsible for:

  • Overseeing the functioning of information and technology assets;
  • Delivery of services in accordance with defined service requirements;
  • Regular reporting on designated information and technology assets.

Guidelines:
Ownership and custodianship responsibilities should be defined and monitored within the employee’s Performance Management tool “MyPerformance Profile”

A. 5.10 Acceptable use of information and other associated assets

Control Objective: Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented.

The purpose is to ensure information and other associated assets are appropriately protected, used and handled.. All users of information systems must take responsibility for, and accept the duty to actively protect, information and technology assets. Rules for the acceptable use of information and assets associated with information processing facilities are identified, documented, and implemented. Ref to ISMS-AUA-Acceptable Use of Assets Guidelines. Rules for the acceptable use of information systems are identified, documented, and implemented. XXX. has well-defined guidelines for information labeling, handling, and storage in order to protect information from unauthorized disclosure or misuse. Refer to ‘PO-12-ISMS-CLH-Information Classification, Labeling, and Handling Policy.docx’. Information assets must be handled and stored so as to prevent unauthorized information disclosure or misuse, in accordance with the information security classification system.
a) Asset handling procedures
b) Media handling procedures

a) Asset handling procedures
Information Owners must follow the procedures for information security classification when handling information assets. The following items must be considered when dealing with information assets:

  • Access restrictions supporting the protection requirements for each level of classification;
  • Protection of temporary or permanent copies of information to a level consistent with the protection of the original information;
  • Storage of IT assets in accordance with manufacturers’ specifications;
  • Clear marking of all copies of media for the attention of the authorized recipient.

Information sharing agreements must include:

  • Procedures to identify the classification of that information;
  • Interpretation of the classification labels from other organizations; and,
  • Level of protection required.

b) Media handling procedures
Information Owners must document media handling procedures that are compliant with the information security classification and handling requirements for information stored on the media. If information of various security classifications is stored on media, the media must be handled according to the highest classification of the information stored. Media handling documentation must include procedures for:

  • Marking of media to its highest information classification level label, in order to indicate the sensitivity of the information contained on the media;
  • Access control restrictions and authorization;
  • Correct use of technology (e.g., encryption) to enforce access control;
  • Copying and distribution of media, including minimization of multiple copies, marking of originals, and distribution of copies;
  • Operating the media storage environment and managing media lifespan according to manufacturer specifications;
  • Regular status accounting of media;
  • Maintenance of media transfer and storage records;
  • Media destruction and disposal; and,
  • Employee training.

A 5.11 Return of assets

Control Objectives: Personnel and other interested parties as appropriate should return all the organization’s assets in their possession upon change or termination of their employment, contract or agreement.
The purpose is to protect the organization’s assets as part of the process of changing or terminating employment, contract or agreement.

The purpose is to ensure employees return physical and information assets at termination or change of employment. All employees, contractors, and third-party users are required to return all of the organization’s assets in their possession upon termination of their employment, contract, or agreement. HOD’s must document the return of assets in the possession of employees upon termination of their employment using standard processes. These processes must ensure the return of documents, files, data, books and manuals in physical or other media formats including other information assets developed or prepared by an employee or contractor in the course of their duties, computer hardware, software and equipment (e.g., mobile devices, portable media), and, access devices, cards, vouchers and keys (e.g., credit cards, taxi cards, travel vouchers);

The HOD must ensure that

  •  Returned items are verified against established asset inventories;
  • Recovery of compensation for assets not returned, based on established criteria regarding depreciation and replacement value for classes of items; and,
  • Identification of unreturned access devices, cards, and keys that could permit unauthorized access or alteration, disposal, or destruction of assets, so that information and security systems can be protected.

A.5.12 – Classification of information

Control Objective: Information should be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements.

The purpose is to ensure identification and understanding of protection needs of information in accordance with its importance to the organization. There are four levels of information classification. Refer ‘PO-12-ISMS-CLH-Information Classification, Labeling and Handling Policy.docx’ The information security classification system must take into account the value, sensitivity, and intended use of the information.
a) Information and information system security classification
b) Mandatory features of information security classification
c) Mandatory features of information system security classification

a) Information and information system security classification
Information Owners must use the Information Security Classification system to categorize information and information systems. The Chief Information Officer is responsible for the definition, application, and enforcement of the Information Security Classification system. The risk manager is responsible for the definition of Security Categories.
b) Mandatory features of information security classification
The Information Security Classification system must:

  1. Apply to information types rather than discrete data elements;
  2. Determine the relative value of information including factors such as:
    • Statutory or regulatory requirements,
    • Impact to health, life or personal safety,
    • Effects of data aggregation,
    • Impact to the Ministry service plan from loss of information confidentiality, integrity and availability, and,
    • Changes to information sensitivity over time;
  3. Maintain compatibility with the Administrative Records Classification System (ARCS) and Operational Records Classification System (ORCS).

The Information Security Classification system must include processes for:

  • Defining information types for categorization;
  • Making decisions on categorization of information; and,
  • Periodic reassessment of the information security categorization processes.

c) Mandatory features of information system security classification

The Information Security Classification system must include processes for:

  • Categorization of information systems based on the security classification of information stored, handled or processed by the information system; and,
  • Inclusion of information and system security classification documentation in the System Security Plan.

Guidelines:
The Information Security Classification system is a cornerstone of security and risk assessment activities. The security categories communicate the value and classification of information in a way that allows for decisions to be made about risk management and information handling. Information Security Classifications assist in:

  • Consistent, comparable Statement of Sensitivity descriptions of the Security Threat and Risk Assessment describing the confidentiality, integrity, and availability requirements of the assessed system.
  • The selection of system security controls – service providers can bundle system security controls into packages or service offerings based on the consistently defined protection requirements of the information.
  • The selection of, and consistent application of, information handling and labeling rules.
  • Information sharing agreements by indicating the relative value of information being exchanged in a consistent and comparable manner across the organization.

A.5.13–Labeling of information

Control Objective: An appropriate set of procedures for information labeling should be developed and implemented in
accordance with the information classification scheme adopted by the organization.

The purpose is to facilitate the communication of classification of information and support automation of information processing and management. The guidelines for labeling and handling of Information. are documented and available in ISMS-CLH-Information Classification, Labeling and Handling Policy.docx. The information must be identified, labeled when appropriate, and handled in accordance with the assigned information security classification.
a) Information labeling procedures
b) Information handling procedures

a) Information labeling procedures
Information Owners and Information Custodians must document procedures to label information with its information security classification as required by the Information Security Classification system. Information labeling communicates the security classification and protection requirements to employees. Information types that must be considered for labeling include printed or electronic records, reports, files, on-screen displays or messages. Information Owners must select and document the appropriate label type for each information type. Automatic information labeling must be used where possible (e.g., by use of document templates, standard report footers, printer watermarks, on-screen displays, or system-applied text). Where direct information labeling is not possible, alternate methods must be used to communicate the information security classification, such as marking storage media, description in information-sharing agreements or system interface specifications, or use of metadata.

b) Information handling procedures
Information Owners and Information Custodians must document information handling procedures for secure processing, storage, transmission, declassification, and disposal of information assets. Information protection procedures must take into account the information security classification, labeling, and handling processes, and access control policies. Procedures must be defined for interpreting information security classification labels from, and handling information exchanged with, other jurisdictions.

Guidelines:
During systems development, specify the information security labeling requirements when defining business requirements for reports, screens, and data storage

A.5.14 Information transfer

Control Objective: Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties.

The purpose is to maintain the security of information transferred within an organization and with any external interested party. . Electronic Office Systems like Telephone, Fax, etc. are maintained by a 3rd Party. Security of Information available through such a system is ensured through suitable clauses in the contract. Users shall be made aware of the risk of Information Security while exchanging information through Voice, Fax, and Video Communication facility. The Information exchange policies, procedures, and controls must be documented and implemented to protect the exchange of information through all types of electronic communication services. The Chief Information Security Officer must document and implement procedures to protect information from interception, copying, misrouting, and disposal when being transmitted electronically. Transmission methods include but are not limited to:

  • E-mail, including attachments;
  • Electronic file transfer (e.g., File Transfer Protocol (FTP), Electronic Data Interchange (EDI));
  • Use of mobile devices;
  • Telephone, cell, and other voice messaging;
  • Faxes; and,
  • Instant messaging.

Agreements shall be established for the exchange of information and software between XXX and external parties like Oracle, MS, and IBM, etc. Information and software exchange agreements between XXX and other organizations must address the secure transfer of information between parties.
a) Exchange agreements
b) Information and software exchange requirements

a) Exchange agreements
Information Owners must ensure the terms and conditions for the secure exchange of information assets with external parties is documented in an agreement. The agreement must define:

  • Custody and control accountability;
  • Authority of a custodian to publish, grant access to or redistribute the information;
  • Purpose and authorized uses of the information or software;
  • Limitations on data linkage;
  • Duration, renewal and termination provisions;
  • Primary contacts for agreement, governance and management;
  • Requirements for:
    • Protecting information according to its security classification,
    • Handling information (e.g., recording authorized recipients, confirming receipt of transmitted data, periodically reviewing records of authorized recipients),
    • Labeling information (e.g., methods to be used to apply and recognize labeling),
    • Maintaining integrity and non-repudiation of information, and,
    • Media management and disposal;
  • Technical standards for transmission, recording or reading information or software;
  • Responsibilities for reporting privacy and security incidents and breaches;
  • Liability, accountability and mitigation strategies, for attempted, suspected or actual privacy and security incidents and breaches; and,
  • Problem resolution and escalation processes.

b) Information and software exchange requirements
Information Owners must ensure an approved Privacy Impact Assessment and a Security Threat and Risk Assessment are completed for the information or software covered by the exchange agreement. Exchange agreements must be reviewed by legal counsel for the Province prior to being signed.

The electronic mail systems are properly secured from unauthorized access by using Spam protection software & Anti-Virus firewall, and from viruses by deploying antivirus software. XXX. has a well-defined policy and guidelines on the use of electronic mail. Information transmitted by electronic messaging must be appropriately protected.
a) General requirements
b) Custody of electronic messages

a) General requirements
Electronic messaging services must be managed to protect the integrity of messages by:

  • Protecting messages from unauthorized access, modification or denial of service;
  • Ensuring correct addressing and transportation of messages;
  • Providing reliable and available messaging infrastructure; and,
  • Conforming to legislative, regulatory and policy requirements.

The Chief Information Officer must approve implementation of, and significant modification to, electronic messaging systems. Employees must support the responsible use of electronic messaging services by:

  • Using only electronic messaging systems for conducting business, including systems for remote access to  messaging systems from publicly available networks;
  • Using only authorized encryption for e-mail or attachments;
  • Not automatically forwarding  e-mail to external e-mail addresses; and,
  • Maintaining the confidentiality and privacy of information being communicated in electronic messages as appropriate to the sensitivity and classification of the information.

Information Owners must authorize and approve the use of social media services and other electronic messaging services for conducting official business.

b) Custody of electronic messages
Electronic messages created, compiled, sent or received on information systems are records of the organization. These records:

  • Are the property of XXX;
  • Must be managed in accordance with the Information Management Act and related regulations, policies, standards and procedures; and,
  • Are subject to the access and the protection of privacy provisions of the Freedom of Information and Protection of Privacy Act.

A.5.15 Access Control

Control objective: Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements.
The purpose is to ensure authorized access and to prevent unauthorized access to information and other associated assets. This identifies the controls that restrict access to the information and information assets. Access control protects organizations from security threats such as internal and external intrusions. The controls are guided by legislation that protects particular types of information (e.g., personal and other types of confidential information) and by business requirements. Access control policies provide the blueprint for the management of employee access, authorizations, and control requirements for computer networks, operating systems, applications, and information. This identifies security best practices and responsibilities for administrators and employees.

Access control policy

XXX. has implemented access control to information based on the business requirements and security requirements on a ‘need-to-know’ basis. Well-documented access control policies and procedures are in place. Refer PO-07-ISMS-ACP-IT Access control Policy.docx’. Access to information systems and services must be consistent with business needs and be based on security requirements.
a) Access control policy
b) Access control policy management
c) Review of access control policy

a) Access control policy
Information Owners are responsible for establishing, documenting and approving access control policies which must:

  • Support and enable business requirements;
  • Be based on requirements identified in Privacy Impact Assessments and Security Threat and Risk Assessments; and,
  • Include classification of assets.

Access control policies must additionally:

  • Consider both physical and logical access to assets;
  • Apply the need-to-know and least privilege principles;
  • Set default access privileges to deny-all prior to granting access;
  • Require access by unique user identifiers or system process identifiers to ensure that all access actions are auditable;
  • Have permissions assigned to roles rather than individual user identifiers;
  • Access requirements should be determined at a functional, work unit level.

The access control policy must be communicated to employees as part of awareness training.

b) Access control policy management
Information Owners and Information Custodians are responsible for establishing processes to manage the access control policies, including:

  • Ensuring the process is communicated to all employees;
  • Documenting processes for employee registration and deregistration;
  • Segregating roles and functions (i.e. access requests, access authorization, access administration);
  • Defining rules for controlling access to privileged system functions;
  • Identifying roles and/or functions which require multi-factor authentication;
  • Identifying and justifying exceptional cases where there is a need for enhanced employee security screening for sensitive assets.

c) Review of access control policy
Information Owners must conduct periodic reviews of the access control policies as part of an ongoing process for risk management, security, and privacy. Annual reviews are recommended. Reviews must be conducted:

  • Prior to the introduction of new or significantly changed systems, applications or other services or major technology changes;
  • When the threat environment changes or new vulnerabilities arise;
  • Following significant organization re-organization as appropriate;
  • For sensitive and business critical assets, reviews should be conducted more frequently than annually, based on the Security Threat and Risk Assessment.

Access to network and network services

The purpose is to support the information system access control policy by limiting network access to authorized users of specific information systems. The access to the internal and external network of XXX. is controlled. This includes any direct access to services that are business-critical to users within the domain and direct access to the network from users in a high-risk location like users through the Internet. Users shall only have direct access to the services that they have been specifically authorized to use. A defined and documented policy for use of network services exists. Employees must only be provided access to the network services they have been specifically authorized to use.
a) Access to network services
b) Management controls and processes
c) Means for accessing networks and network services

a) Access to network services
Information Owners must enable network services needed to support business requirements (e.g., by explicitly enabling needed services and disabling unneeded services). Access to network services will be controlled at network perimeters, routers, gateways, workstations, and servers. Information system network access must be restricted to the authorized users and systems, using the principle of least privilege, as defined in the access control policies for the information system.
b) Management controls and processes
Information Owners must document processes for management of network access, including:

  • Documentation and review of implemented network access controls;
  • Identification of threats, risks and mitigation factors associated with network services;
  • Testing of network access controls to verify correct implementation; and,
  • Assisting Information Owners to verify the principle of least privilege is used to minimize access, as specified in the access control policy.

c) Means for accessing networks and network services
Information Owners must define and implement:

  • Permitted network access methods for each network zone (e.g., direct connection, Virtual Private Network, Wi-Fi, remote desktop connection, desktop terminal services); and,
  • Minimum security controls required for connection to networks (e.g., patch levels, anti-virus software, firewalls, user and system authentication requirements).

A 5.16 Identity management

Control Objective: The full life cycle of identities should be managed.

The purpose is to allow for the unique identification of individuals and systems accessing the organization’s information and other associated assets and to enable appropriate assignment of access rights. It applies to those responsible for the management of user account or access to shared information or network devices. Such information can be held within a database, application or shared file space. This policy covers departmental accounts as well as those managed centrally.

  • All personnel must sign the XXX’s Information Security Policy Acknowledgement before access is granted to an account or XXX’s Information Resources.
  • All accounts created must have an associated, and documented, request and approval.
  • Segregation of duties must exist between access request, access authorization, and access administration.
  • Information Resource owners are responsible for the approval of all access requests.
  • User accounts and access rights for all  Information Resources must be reviewed and reconciled at least annually, and actions must be documented.
  • All accounts must be uniquely identifiable using the user name assigned by XXX’s IT and include verification that redundant user IDs are not used.
  • All accounts, including default accounts, must have a password expiration that complies with the XXX’s Authentication Standard.
  • Only the level of access required to perform authorized tasks may be approved, following the concept of “least privilege”.
  • Whenever possible, access to Information Resources should be granted to user groups, not granted directly to individual accounts.
  • Shared accounts must not be used.  Where shared accounts are required, their use must be documented and approved by the Information Resource owner.
  • User account set up for third-party cloud computing applications used for sharing, storing and/or transferring XXX’s confidential or internal information must be approved by the resource owner and documented.
  • Upon user role changes, access rights must be modified in a timely manner to reflect the new role.
  • Creation of user accounts and access right modifications must be documented and/or logged.
  • Any accounts that have not been accessed within a defined period of time will be disabled.
  • Accounts must be disabled and/or deleted in a timely manner following employment termination, according to a documented employee termination process.
  • System Administrators or other designated personnel:
    • Are responsible for modifying and/or removing the accounts of individuals that change roles with XXX or are separated from their relationship with XXX.
    • Must have a documented process to modify a user account to accommodate situations such as name changes, accounting changes, and permission changes.
    • Must have a documented process for periodically reviewing existing accounts for validity.
    • Are subject to independent audit review.
    • Must provide a list of accounts for the systems they administer when requested by authorized XXX’s IT management personnel.
    • Must cooperate with authorized XXX’s Information Security personnel investigating security incidents at the direction of XXX’s executive management.

Administrator/Special Access

  • Administrative/Special access accounts must have account management instructions, documentation, and authorization.
  • Personnel with Administrative/Special access accounts must refrain from abuse of privilege and must only perform the tasks required to complete their job function.
  • Personnel with Administrative/Special access accounts must use the account privilege most appropriate with work being performed (i.e., user account vs. administrator account).
  • In the case where a system has only one administrator, there must be a password escrow procedure in place so that someone other than the administrator can gain access to the administrator account in an emergency situation.
  • Special access accounts for internal or external audit, software development, software installation, or other defined need, must be administered according the XXX’s Authentication Standard.

The purpose is to ensure that all access actions are traceable to an identifiable individual or process. There must be a formal employee registration and de-registration process for granting access to all information systems.
a) Registration
b) De-registration

a) Registration

Information Owners are responsible for managing access to the assets under their control and must implement registration processes which:

  • Require approval for all access rights;
  • Ensure access requests are approved by the Supervisor of the employee requesting access;
  • Ensure the reasons for requesting access are consistent with job responsibilities;
  • Maintain records of access right approvals;
  • Ensure employees understand the conditions of access and, when appropriate, have signed confidentiality agreements;
  • Ensure access rights are consistent with the data uses documented in the approved Privacy Impact Assessment;
  • Ensure accesses are traceable to an identifiable individual or process;
  • Ensure each employee is assigned a single unique identifier for accessing information systems;
  • Ensure the responsibilities for authorizing access are segregated from the responsibilities for granting access;
  • Restrict access by using predefined role permissions;
  • Provide secure and separate transmission of the user identifier and password to the employee; and,
  • In exceptional cases, where warranted by the classification of the asset and supported by a Security Threat and Risk Assessment, ensure enhanced employee security screening or background checks are completed prior to authorizing access.

b) De-registration
Information Owners must formally assign responsibilities and implement processes to:

  • Remove access privileges for employees no longer with the organization within 5 working days;
  • Promptly review access rights whenever an employee changes duties and responsibilities;
  • Promptly review access rights whenever the employee’s branch or department is involved in significant reorganization;
  • Review access privileges for employees on extended absence or temporary assignments within 10 working days of the change of status;
  • Remove access privileges for employees terminated for cause concurrent with notification to the individual; and,
  • Quarterly check for and remove inactive or redundant user identifiers.

Authority and Exceptions:

Individual employees may have multiple identifiers when:

  • Required to meet limitations of technology (e.g., IDIR, MVS).
  • Required to meet unique business requirements provided the rationale is documented and approved by the Information Owner.

A. 5.17 Authentication information

Control Objective: Allocation and management of authentication information should be controlled by a management process, including advising personnel on the appropriate handling of authentication information.

The purpose is to ensure proper entity authentication and prevent failures of authentication processes. XXX has a well-defined password policy and guidelines. The issuance and revocation of authentication credentials must be controlled through a formal management process. Ministries must formally designate individuals who have the authority to issue and reset passwords. The following applies:

  • Passwords must only be issued to employees whose identity is confirmed prior to issuance;
  • Individuals with the authority to reset passwords must transmit new or reset passwords to the employee in a secure manner (e.g., using encryption, using a secondary channel);
  • Whenever technically possible, temporary passwords must be unique to each individual and must not be easily guessable;
  • Passwords must never be stored in an unprotected form;
  • Default passwords provided by technology vendors must be changed to a password compliant with the standards during the installation of the technology (hardware or software); and,
  • The revocation of authentication credentials must follow a formal process.

Use of Secret Authentication Information

The purpose is to maintain the integrity of the unique identifier (user-id) by ensuring employees follow security best practices. XXX has a well-defined password usage guideline for users to follow. Employees must follow security best practices in the selection and use of passwords.
a) Selection of passwords
b) Password change
c) Privileged accounts
d) Protection and use of passwords

a) Selection of passwords

When selecting passwords employees must:

  • Select complex passwords, i.e., a mixture of characters as specified in the Standard;
  • Keep authentication information confidential;
  • Avoid recording authentication information; and,
  • Avoid using the same password for multiple accounts.

The effectiveness of access control measures is strengthened when employees adopt security best practices for selecting passwords.

b) Password change
Passwords must be changed:

  • During installation of hardware or software which is delivered with a default password;
  • Immediately if a password is compromised or if compromise is suspected. If compromise has taken place or is suspected the incident must be reported in accordance with the Information Incident Management Process; and,
  • In compliance with password change instructions issued by an automated process (e.g., password life-cycle replacement) or an appropriate authority.

c) Privileged accounts
Privileged accounts have wider and more powerful access rights to information assets. Employees authorized to create or who hold privileged accounts must use passwords that are at least 15 characters where technically feasible.

d) Protection and use of passwords
Passwords are highly sensitive and must be protected by not:

  1. Sharing or disclosing passwords;
  2. Permitting anyone to view the password as it is being entered;
  3. Writing down a password;
  4. Storing other personal identifiers, access codes, tokens or passwords in the same container;
  5. Keeping a file of passwords on any computer system, including mobile devices, unless that file is encrypted according to the Cryptographic Standards for Information Protection;
  6. Employing any automatic or scripted logon processes for personal identifiers; and,

Where a business need is defined to keep written records of passwords, a request for a policy exemption must be submitted to the Chief Information Security Officer.

Standards:
The Complex Password Standard for organization systems requires that passwords must:

Not contain the username or any proper names of the employee.

  1. Contain a minimum of 8 characters;
  2. Contain characters from three of the following categories:
    • English upper case characters (A to Z),
    • English lower case characters (a to z),
    • numerals (0 to 9), and,
    • non-alphanumeric keyboard symbols (e.g., ! $ # %); and,

For example, the complex password “T#ocitpi7” is derived from the phrase “The number of clowns in the parade is seven”. Complexity can be further increased by substituting numbers for vowels. For mobile devices connecting to the messaging server, the following password rules apply:

  • Passwords must contain a minimum of 6 characters;
  • Controls should be in place to prevent the use of overly simple passwords; and,
  • The use of a combination of numbers, symbols, upper and lower case characters is recommended to increase the password strength.

Password management system

The purpose is to support the operating system access control policy through the use of password management systems to enforce the password standard. .XXX has a well-defined password policy and access management process. A password management system must be in place to provide an effective, interactive facility that ensures quality passwords.

  1. Enforcing quality password rules
  2. Allocation of unique identifier
  3. Authentication of identity
  4. Shared user identifiers

1) Enforcing quality password rules
Information Owners  must ensure password management systems:

  • Enforce the use of individual user identifiers and passwords;
  • Support selection and change of passwords using the Complex Password Standard;
  • Enforce change of temporary passwords at first login and after password reset by an Administrator;
  • Enforce regular user password change, including advance warning of impending expiry;
  • Prevent re-use of passwords for a specified number of times;
  • Prevent passwords from being viewed on-screen;
  • Store password files separately from application system data;
  • Ensure password management systems are protected from unauthorized access and manipulation; and,
  • Store and transmit passwords in protected (e.g., encrypted) form.

The password management system standard for Organization systems requires that users must be:

  • Prevented from re-using the same password within 12 months; and,
  • Provided with notification at least 10 days before their password will need to be changed.

2) Allocation of a unique identifier
Information Owners must ensure employees are issued unique user identifiers (user ids) for their use only. The documented and approved process for allocating and managing unique identifiers must include:

  • A single point of contact to:
    • manage the assignment and issuance of user identifiers,
    • ensure that users, except for privileged users, are not issued multiple identifiers for any one information system or platform, and,
    • record user status (e.g., employee, contractor);
  • Identification of those individuals or positions authorized to request new user identifiers;
  • Confirmation that the user has been informed of appropriate use policies;
  • Automated linkages with the employees management system (i.e., CHIPS) to identify transfers, terminations and extended leave actions to initiate the suspension or cancellation of user identifiers;
  • Linkages with contract management offices and/or contract managers to identify and maintain the status of identifiers issued to contractors; and,
  • Conducting annual reviews to confirm the continued requirement for the user identifier.

To segregate roles or functions, privileged users may be issued multiple identifiers for an information system or platform.

2) Authentication of identity
Information Owners must ensure that user identifiers are authenticated by an approved authentication mechanism. User identifiers authenticated by means other than a password must use a mechanism approved by the Chief Information Officer.

3) Shared user identifiers
In exceptional circumstances, where there is a clear business benefit identified by the Information Owner, the use of a positional user identifier for a group of users or a specific job can be used, provided:

  • Positional user identifiers are not used for privileged users; and,
  • The Supervisor responsible for the position using the positional user identifier:
    • Maintains a record of the name of the individual, the user identifier, and the start and end date of use, and,
    • Deactivates the user identifier when not in use by requesting a password reset.

Guidelines:
Never divulge your password to anyone. Legitimate IT technical support employees such as systems administrators, helpdesk, and security will not ask employees for their passwords. Processes for issuing and managing information system user identifiers should be coordinated with those for issuing and managing other identification credentials (e.g., building passes, user identifiers for telecommunications services provided to an individual).

A 5.18 Access rights

Control: Access rights to information and other associated assets should be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control.

The purpose is to ensure access to information and other associated assets is defined and authorized according to the business requirements. A unique login id and password have been assigned to all users, with varying privileges, depending on roles, and requirements. User identification and authentication are implemented in accordance with privileges granted to the respective user. A formal employee access provisioning process must be implemented to assign or revoke access rights for all user types to all systems and services. Information Owners and Information Custodians must implement a formal employee access provisioning process. The provisioning process for assigning or revoking access rights granted to user IDs must include:

  • Obtaining authorization from the owner of the information system or service for the use of the information system or service. Separate approval for access rights from management may also be appropriate;
  • Verifying that the level of access granted is appropriate to the access policies and is consistent with other requirements such as segregation of duties;
  • Ensuring that access rights are not activated (e.g., by service providers) before authorization procedures are completed;
  • Maintaining a central record of access rights granted to a user ID to access information systems and services;
  • Adapting access rights of employees who have changed roles or jobs and immediately removing or blocking access rights of employees who have left the organization; and,
  • Periodically reviewing access rights with owners of the information systems or services.

Review of user access rights

User privileges for XXX will be reviewed every three months and for global users, it will be reviewed once every year. The System Administrator shall review the access rights & the respective Business Owner shall ratify the review report. Information Owners must formally review employee access rights at regular intervals.
a) Circumstances and criteria for formal access right review
b) Procedure for formal access right review

a) Circumstances and criteria for formal access right review
Information Owners must implement formal processes for the regular review of access rights. Access rights must be reviewed:

  • Annually;
  • More frequently for high-value information assets and privileged users;
  • When an employee’s status changes as the result of a promotion, demotion, removal from a user group, re-assignment, transfer, or other change that may affect an employee’s need to access information assets;
  • As part of a major re-organization or the introduction of new technology or applications; and,
  • When Information Owners change the access control policy.

b) Procedure for formal access right review
Review of access rights must include the following:

  • Confirmation that access rights are based on the need-to-know and least privilege principles;
  • Confirmation that all members of the group/role have a need-to-know;
  • Reviews and verification of access control lists dated and signed by the reviewer and kept for audit purposes; and,
  • Confirmation that changes to access rights is logged and auditable.

Access control logs and reports are organization records and must be retained and disposed of in accordance with approved record management schedules.

Removal or adjustment of access rights

The access rights of all employees, contractors, and third-party users to information and information processing facilities are removed upon termination of their employment, contract, or agreement, or adjusted upon change. The access rights of employees to information systems must be removed upon termination of employment and reviewed upon change of employment.
a) Change of employment status
b) Action upon termination or change of employment
c) Reduction of access rights

a) Change of employment status
Dept HOD must review access to information systems and information processing facilities when employees change employment, including:

  • When employees assume new roles and responsibilities;
  • During restructuring of positional or organizational roles and responsibilities;
  • When employees commence long-term leave; and,
  • Updating directories, documentation and systems.

b) Action upon termination or change of employment
Dept HOD must ensure access to information systems and information processing facilities is removed upon termination of employment or reviewed upon change of employment by:

  • Removing or modifying physical and logical access;
  • Recovering or revoking access devices, cards and keys; and,
  • Updating directories, documentation and systems.

c) Reduction of access rights
Dept HOD must ensure access to information systems and information processing facilities is reduced or removed before the employment terminates or changes, based upon the evaluation of risk factors such as:

  • Whether the termination or change is initiated by the employee/contactor or by the HOD;
  • The reason for termination;
  • The current responsibilities of the employee/contractor; and,
  • The value of the assets currently accessible.

Guidelines:
Employee access roles should be established based on business requirements that summarize a number of access rights into typical user access profiles. Access requests and reviews are more easily managed at the level of such roles than at the level of particular rights. Consideration should be given to including clauses in employee contracts and service contracts that specify sanctions if unauthorized access is attempted by employees.

A.5.19 – Information security in supplier relationships

Control Objective: Processes and procedures should be defined and implemented to manage the information security risks associated with the use of supplier’s products or services.

The purpose is to maintain an agreed level of information security in supplier relationships. .XXX has identified risks from third-party access mainly in two categories viz., Physical and Network. Risk areas have been identified and appropriate measures shall be taken to mitigate them. They have been addressed adequately in the following sections

  1. A.7. 2 – Physical entry
  2. A.5.15 – Access Control

 All contract personnel are given restricted access as per the requirement of the service they are providing and as per the contractual obligations. All third parties working at the premises have signed Non-Disclosure Agreement (NDA) at the time of contracts. Identified security requirements must be addressed, agreed upon and documented prior to granting external parties access to information, information systems or information processing facilities.
a) Security requirements
b) Cloud Computing Policy
c) Awareness requirements

a) Security requirements
Prior to granting access to non-public information and information systems for external parties Information Owners  must:

  • Determine that mitigation strategies have been implemented to address security requirements;
  • Review the Security Threat and Risk Assessment for asset protection requirements including:
    • Asset classification,
    • Legislative, regulatory and policy considerations, and,
    • Intellectual property rights obligations;
  • Complete a Privacy Impact Assessment;
  • Determine that security controls will not adversely affect target service levels; and,
  • Document the roles and responsibilities of the Information Owner and the external party in a formal agreement.

b) Cloud Computing Policy
Cloud computing relies on sharing resources rather than having local servers handle applications and storage. Cloud computing is a term used to describe on-demand resource pooling, rapid elasticity and measured services with broad network access (e.g., Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS)). The Cloud Computing Policy is a documented corporate policy for the purchase and use of cloud services, which is:

  • Based on the  Chief Information Officer’s strategy;
  • Approved by executive  Director;
  • Distributed to all relevant individuals throughout the organization; and,
  • Applied throughout the organization

Information Owners are responsible for determining the information security classification of the data to be moved to a cloud service and the security requirements in using cloud computing services. Information Owners must include the Chief Information Security Officer, or a designate, as part of the business functions (e.g., procurement and legal) for all cloud initiatives, and in the definition of standard and contractual requirements for the procurement and use of cloud services, to ensure that all controls and protection levels for cloud services have security by design.

c) Awareness requirements
Specific awareness activities must be performed to help ensure all employees:

  • Are aware of the corporate policy on the use of cloud services; and,
  • Are educated about the risks of using unapproved cloud services.

5.20 Addressing information security within supplier agreements

Control Objectives: Relevant information security requirements should be established and agreed with each supplier based on the type of supplier relationship.

The purpose is to maintain an agreed level of information security in supplier relationships. All agreements with the supplier who provides any type of services to XXX & have access to the premises of XXX shall have a clause related to security and Access Control as under

“The vendor will adhere to security guidelines of XXX while delivering the services and follow access privileges & rights provided with precaution and safety measures indicated for each of them.  Non-adherence of these guidelines may result in termination of the agreement and/ or claiming of liability/ damages caused due to non-adherence of these instruction.”

External party access to information, information systems or information processing facilities must be based on a formal contract containing necessary information security requirements.
a) External party access agreements
b) Security requirements
c) Service level continuity

a) External party access agreements

Information Owners and Information Custodians must ensure access to information assets and information processing facilities by external parties is only provided after an access agreement has been completed and signed. Access agreements must include:

  • Roles and responsibilities of the Information Owner and the external party;
  • Non-disclosure agreements;
  • Sub-contracting requirements;
  • Specialized security controls (i.e., meet particular business and security arrangements, legal or regulatory requirements);
  • Conditions for contract termination;
  • Audit and compliance monitoring rights, responsibilities and processes;
  • Reporting obligations for suspected or actual security and privacy incidents;
  • Renewal and extension conditions; and,
  • Requirements for regular compliance reviews.

Approved forms of agreement include:

  • General Service Agreement for purchase of goods or services;
  • Agreements for Alternate Service Delivery;
  • Information Sharing Agreement; or,
  • Other forms of agreement as approved by Legal Services.

b) Security requirements

Information Owners must ensure the security requirements of external party access agreements include:

  • Notification of obligations of the parties to adhere to legislation and regulation;
  • Requirements to adhere to agreed information security policies and procedures;
  • Processes for amending the agreement;
  • Acknowledgement by the external party that ownership of information is retained by the Province;
  • Confidentiality obligations of the external party and their employees or agents;
  • Requirements for use of unique user identifiers;
  • Processes for conducting audits and compliance monitoring activities;
  • Responsibilities and processes for reporting security and privacy incidents; and,
  • Assurances that disciplinary action will be applied to employees or contractors who fail to comply with the terms of the agreement.

c) Service level continuity
Information Owners must ensure supplier service agreements document service level continuity requirements and include processes for:

  • Ongoing review of service level needs with business process owners;
  • Audit and compliance monitoring rights and responsibilities;
  • Communicating requirements to service providers;
  • Obtaining periodic confirmation from service providers that adequate capacity is maintained;
  • Reviewing the adequacy of the service provider’s contingency plans for responding to disasters or major service failures; and,
  • Establishing the metrics for service delivery levels (including risk profiles and audit trigger levels).

A. 5.21 Managing information security in the ICT supply chain

Control Objective: Processes and procedures should be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.

The purpose is to maintain an agreed level of information security in supplier relationships..All agreements with the Information & Communication Technology service provider, who provides any such type of services to XXX, shall have the requirements to address information security risk in the agreement.Agreements with suppliers must include requirements to address the information security risks involving or associated with information and communications technology components, services and product supply chain. Information Owners must identify the security risks concerning the supplier chain relationships and specify the necessary controls in the agreements. Supply chain risk management practices should be built on top of general information security, quality, project management and system engineering practices but do not replace them. Information Owners must work with suppliers to understand their supply chain and any matters that have an impact on the products and services being provided. Agreements with suppliers must address the security requirements that involve other suppliers in the supply chain. Supply chain as addressed here includes cloud computing services. The following security controls must be considered for inclusion in supplier agreements concerning supply chain security:

  • Defining information security requirements that apply to information systems and information technology product or service acquisitions;
  • Requiring that suppliers apply security requirements throughout their supply chain if the services are further subcontracted as a whole or in part;
  • Requiring that suppliers apply appropriate security practices throughout the supply chain for products that include components purchased from other suppliers;
  • Implementing a monitoring process and acceptable methods for validating that delivered information and communication technology products and services are adhering to stated security requirements;
  • Implementing a process for identifying product or service components that are critical for maintaining functionality and therefore require increased attention and scrutiny when built outside of the organization especially if the top tier supplier outsources aspects of product or service components to other suppliers;
  • Obtaining assurance that critical components and their origin can be traced throughout the supply chain;
  • Obtaining assurance that the delivered information and communication technology products are functioning as expected without any unexpected or unwanted features;
  • Defining the rules for sharing of information regarding the supply chain and any potential issues and compromises among the organization and suppliers; and,
  • Implementing specific processes for managing information and communication technology component life-cycle and availability and associated security risks. This includes managing the risks of components no longer being available due to suppliers no longer being in business or suppliers no longer providing these components due to technology advancements.

A.5.22 Monitoring, review and change management of supplier services

Control Objective:The organization should regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.

The purpose is maintain an agreed level of information security and service delivery in line with supplier agreements.

Monitoring and review of supplier services

The services, reports and records provided by the third party are regularly monitored and reviewed regularly. Services provided by external parties must be regularly monitored and the reports and records reviewed. Information Owners must establish processes to manage and review the information security of external party delivered services by:

  • Assigning responsibility for monitoring to a designated employee;
  • Maintaining an inventory of agreements and associated access rights;
  • Monitoring for compliance through processes such as:
    • Conducting internal self-assessments of control processes,
    • Requiring external parties conduct and submit self-assessments,
    • Using embedded audit tools,
    • Requiring external parties to submit annual management assertions that controls are being adhered to,
    • Conducting independent security reviews, audits and updates to risk and controls reviews, and,
    • Analysis of audit logs;
  • Establishing a process, jointly with the service provider, to monitor, evaluate, investigate and remediate incidents; and,
  • Establishing performance measures within service plans to ensure adequate service levels are maintained and measured.

Managing changes to supplier services

Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business systems and processes involved and re-assessment of risks. Changes to the provision of services by suppliers for information system services must take into account the criticality of the information systems, processes involved and reassessment of risks. Information Owners must ensure agreements with external party service providers include provisions for:

  • Amending agreements when required by changes to legislation, regulations, business requirements, policy or service delivery; and,
  • Requiring the service provider to obtain pre-approval for significant changes involving:
    • Network services,
    • New technologies,
    • Use of new or enhanced system components (e.g., software or hardware),
    • System development, test tools and facilities,
    • Modification or relocation of the physical facilities, and,
    • Sub-contracted services.

Information Owners must ensure the change management process for information systems services delivered by external parties includes, as required:

  • Reviewing and updating the Security Threat and Risk Assessment to determine impacts on security controls;
  • Implementing new or enhanced security controls where identified by the risk assessment;
  • Reviewing and updating the Privacy Impact Assessment;
  • Initiating and implementing revisions to policies and procedures; and,
  • Revising employee awareness and training resources.

5.23 Information security for use of cloud services

Control Objective: Processes for acquisition, use, management and exit from cloud services should be established in accordance with the organization’s information security requirements.

The purpose is to specify and manage information security for the use of cloud services.Cloud technology has expanded and allows almost any IT related resource to be offered as a service. Taking advantage of these benefits requires that appropriate controls and risks are managed related to the XXX’s assets, data, and property. The Cloud Security Administrator in coordination with the Chief Information security Officer, shall ensure that all cloud service offerings use a consistent and repeatable process for evaluation and selection. The following procedures and processes shall, at a minimum, be followed:

  • Risk Assessment – An internal risk assessment and analysis shall be performed on all services to be housed by cloud providers. The analysis shall identify any risks to the business unit, organization, process, security, and/or data stored.  As part of this work, mitigation strategies shall be prepared that identify remedies and corrective controls to address concerns.
  • Procurement and Contract – The Cloud Security Administrator or their designee shall ensure all standard XXX procurement policies and practices are in effect and followed regarding general procurement.  The standard Cloud Security Administrator contract template shall be used as the basis for all service provider relationships.  All specialized terms related to student data privacy, cloud based computing, and third party providers shall be enforced.  This includes but is not limited to:
    • Due diligence activities including personnel background checks, length of time in business, insurance compliance and experience with similar engagements.
    • Assurance that vendor personnel do not violate Cloud Security Administrator policies, procedures, agreements, or related documents.  XXX’s Purchase department shall provide a primary point of contact for the vendor responsible for managing the relationship, Service Level Agreement (SLA), and ensuring the vendor is compliance with all contract terms.
    • Periodic review of authorized cloud service providers’ personnel working on the contract and the services performed by each.  These records shall be available on-demand by the vendor. 
    • XXX’s management shall maintain copies of all agreements and required documentation for each cloud provider engagement.
  • All contracts with cloud service providers shall specify:
    • Explicit language related to relevant security requirements including controls over the processing, accessing, communicating, hosting, and management of XXX’s data. This includes encryption, access controls, leakage prevention, and integrity controls for data exchanged to prevent improper disclosure, use, alteration or destruction of data.
    • Confidentiality and privacy clauses protecting student and employee data.
    • Physical and role based security access to data and applications.
    • Data security and protection methods used by the service provider.
    • Acceptable methods for the return, destruction, or disposal of XXX’s information stored on vendor resources at the end of the agreement.
    • Acknowledgement that the service provider must only use XXX,s data for the explicit purposes defined in contract.
    • Agreement that any information acquired by the service provider during the course of the contract cannot be used for any other purpose than that specified in the contract or divulged to others without formal written exception/condition agreed to by data owner, XXX and the vendor.

The Cloud Security Administrator or their designee shall ensure each service provider complies with the following processes and procedures:

  • Access to PII – Vendor staff with access to confidential, student personally identifiable, or sensitive data must be cleared to handle that information.  Access to information shall be activated only when required and needed.  Access shall be deactivated after services have been provided.
  • Security Incident Reporting – Vendor must report any security incidents related to physical or logical data compromises immediately to appropriate XXX’s personnel and take all appropriate actions to mitigate the security risk.
  • Termination of Service – Vendor shall ensure that all XXX’s data is collected and returned to the XXX or provide written certification of data destruction within a 24 Hour  window. 
  • Agency Requested Audits – Vendors are required to comply with all XXX auditing requirements. 

Data Breaches – Vendors shall notify XXX within 24 hours on the discovery of a service provider security breach. Upon such notification, XXX shall have the right, but not the obligation, to terminate the agreement with the cloud service provider.  The vendors shall pay for all costs incurred to remedy the breach for XXX, its customers, and related expenses related to the incident.

On-demand documented procedures and evidence of practice should be in place for this operational policy as part of the XXX internal operating processes.  Examples of control and management documentation include:

  • Compliant historical and current procurement documents (RFP, executed contracts, and statements of work) for current cloud provider vendors
  • Internal process and archival documentation related to risk assessments and mitigation components

A.5.24 Information security incident management planning and preparation

Control Objective: The organization should plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities.

The purpose is to ensure quick, effective, consistent and orderly response to information security incidents, including communication on information security events. Incident management responsibilities and procedure exist to ensure a quick, effective, and orderly response to security incidents. Incident management responsibilities and procedures must be established to ensure a quick, effective and orderly response to information security incidents. Information Owners must adopt the Information Security Incident Management Process and ensure that those responsible for information security incident management understand the priorities for handling information security incidents. XXX must follow the established Information Incident Management Process for reporting, managing, responding to and recovering from information security incidents. The process must include:

  • Procedures for incident response planning and preparation;
  • Procedures for monitoring, detecting, analyzing and reporting of information security incidents;
  • Procedures for logging incident management activities; and,
  • Procedures for handling different types of information security incidents, including immediate action for containment, response escalation and contingency plans.

Employees with security incident management responsibilities must be appropriately trained and deemed qualified (e.g., in forensics and investigations), and their authorization for access to live systems and data must be delineated formally. Incident response processes must be documented, tested and rehearsed regularly to evaluate their effectiveness. In case of an information security incident, the Chief Information Officer must be provided access to all and any relevant primary data stores in a quick, effective and expedient manner to ensure an orderly response to incidents. The Information Incident Management Process includes the following documents:

  • Information Incident Management Process document;
  • Information Incident Report Form;
  • Easy Guide for Responding to Information Incidents;
  • Process for Responding to Privacy Breaches; and,
  • Information Incident Checklist.

Guidelines:
Potential types of security incidents to be reported include:

  • Suspected or actual breaches of privacy and/or confidentiality;
  • Denial of service;
  • Detection of network probing;
  • Detection of malicious code (e.g., virus, worm, Trojan horse);
  • Errors due to incomplete or inaccurate data;
  • Outgoing network traffic not associated with typical business processing;
  • Repeated attempts of unauthorized access;
  • Inappropriate use of organization’s information resources;
  • Repeated attempts to e-mail unknown internal accounts;
  • System activity not related to typical business processing;
  • System failures and loss of service;
  • Privacy breaches of personal information;
  • Responses to phishing attacks;
  • Threatening or harassing communication; and,
  • Sharing of user credentials.

Employees who regularly ignore information security and privacy policies should be subject to a disciplinary process that includes notification of their Supervisor and suspension of privileges for repeated offences.

A.5.25 – Assessment and decision on information security events

Control Objective: The organization should assess information security events and decide if they are to be categorized as information security incidents.

The purpose is to ensure effective categorization and prioritization of information security events.. All incidents occurring in the, XXX. are documented and stored and handled as per the procedure.The Chief Information Security Officer must assess each information security event using the agreed upon information security event and incident classification scale and decide whether the event should be classified as an information security incident. An information incident is a single or a series of unwanted or unexpected events that threaten privacy or information security. Information incidents include the collection, use, disclosure, access, disposal, or storage of information, whether accidental or deliberate, that is not authorized by the business owner of that information. Information incidents include privacy breaches. Results of assessments and decisions should be recorded in detail and provided to the Chief Information Officer.

A.5.26– Response to information security incidents

Control Objective: Information security incidents should be responded to in accordance with the documented procedures.

The purpose is to ensure efficient and effective response to information security incidents. All incidents occurring in the, Information security incidents must be responded to in accordance with the documented procedures. Information security incidents must be responded to by the Chief Information Security Officer and other relevant employees of the organization or external parties. The response should include the following:

  • Collecting evidence as soon as possible after the occurrence;
  • Conducting information security forensics analysis, as required;
  • Escalation, as required;
  • Ensuring that all involved response activities are properly logged for later analysis;
  • Communicating the existence of the information security incident or any relevant details thereof to other internal and external people or organizations with a need-to-know;
  • Dealing with information security weaknesses found to cause or contribute to the incident; and,
  • Once the incident has been successfully dealt with, formally closing and recording it.

The goals of incident response are to resume ‘normal security level’ and to initiate the necessary recovery. Post-incident analysis should take place, as necessary, to identify the source of the incident. Information security incidents must be responded to in accordance with the documented procedures. Information security incidents must be responded to by the Chief Information Security Officer and other relevant employees of the organization or external parties. The response should include the following:

  • Collecting evidence as soon as possible after the occurrence;
  • Conducting information security forensics analysis, as required;
  • Escalation, as required;
  • Ensuring that all involved response activities are properly logged for later analysis;
  • Communicating the existence of the information security incident or any relevant details thereof to other internal and external people or organizations with a need-to-know;
  • Dealing with information security weaknesses found to cause or contribute to the incident; and,
  • Once the incident has been successfully dealt with, formally closing and recording it.

A.5.27 – Learning from information security incidents

Control Objectives: Knowledge gained from information security incidents should be used to strengthen and improve the information security controls.

The purpose is reduce the likelihood or consequences of future incidents.. All incidents occurring in the, XXX. are documented and stored in the Corrective and Preventive Actions database. The , XXX. consolidates the incident reports for root cause analysis and considers these as an input for appropriate actions and necessary controls to avoid re occurrence of the incidents.Knowledge gained from analyzing and resolving information security incidents must be used to reduce the likelihood or impact of future incidents. The Chief Information Security Officer is responsible for monitoring and evaluating information security incidents by:

  • Using statistical analysis of incident frequency, type and location to identify trends;
  • Ensuring incident reports and trends are used to promote continuous improvement of security policies and processes, security awareness and training programs, and business continuity and disaster recovery plans;
  • Advising Information Owners and Information Custodians and Ministry Information Security Officers of evolving security exposures and mitigation strategies;
  • Evaluating the effectiveness of incident management, response and reporting; and,
  • Evaluating the effectiveness of information security technologies.

The Chief Information Security Officer must provide incident information to the Executive Director. as appropriate. The CISO  is the center of expertise and an essential capability in security incident protection, detection, response and correction where employees assigned responsibility for information incident management receive special training in managing crises across the spectrum of potential incidents. Information sharing with stakeholder and partner organizations. Information security incident response must be integrated within the broader requirements for business continuity and disaster recovery. Integration will simplify processes, maintain consistency and eliminate duplication. Continuous improvement of security incident management processes includes:

  • Monitoring incidents using statistical analysis of frequency, types and locations of security incidents;
  • Analysis of incidents, responses and successful containment;
  • Determining requirements for user awareness and training;
  • Improving the security of information systems through monitoring and reporting; and,
  • Integrating automated alarms and other security incident detection technology with user reporting, checking logs and auditing systems.

A.5.28– Collection of evidence

Control Objectives: The organization should establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.

The purpose is to ensure a consistent and effective management of evidence related to information security incidents for the purposes of disciplinary and legal actions. .All applicable laws and regulations have been identified by, XXX. wherever applicable, the records and documents that may be accepted as evidence shall be collected and maintained.  Shall ensure that all evidence collected in the process is:

  • Admissible as evidence – Acceptable to court and legal authorities
  • Complete – Present a complete trail of the incident
  • Meet quality requirements – Are readable, legible etc.

Investigations into information security incidents must ensure evidence is identified, collected, preserved, retained and presented in conformance with the rules for collection of evidence.
a) Information security incident investigation
b) Collection of evidence

a) Information security incident investigation
Information security incident investigation must be formalized and practiced in accordance with standard investigation techniques:

  • Information security incident investigation processes include:
    • identification of the incident cause,
    • planning of corrective action,
    • implementation of corrective action to prevent recurrence, and,
    • reporting action taken;
  • Employees with responsibilities for information security investigations (investigating officers) must be aware of processes for securing potential evidence such as technology assets, audit logs, audit trails, voice mail and e-mail accounts for analysis and as potential evidence in legal proceedings;
  • Inappropriate use of information and technology resources requires that within 48 hours the investigating officer contact:
    • in the case of an employee the individual’s excluded Supervisor  and,
    • in the case of a contractor or business partner the contract manager or relationship manager;
  • When criminal activity is suspected, the investigating officer must ensure that the appropriate law enforcement authorities are contacted. Before contacting law enforcement authorities, the Risk Management Branch and Security Office and Chief Information Officer must be consulted;
  • On resolution of an information security incident or weakness, the investigating officer must prepare a report that includes a detailed problem analysis, actions taken, and recommendations for corrective action or improvements; and,
  • Information security incident reports must be submitted to Information Owners, Information Custodians, Chief Information Officer  as part of security program management.

In order to enable quick, effective and immediate response to information security incidents and breaches, employees with responsibilities for security investigations (investigating officers) must be able to access security log data and security log data processing and reporting facilities immediately. This access will be for the purposes of evidence collection as well as security log parsing, searching, and reporting to enable identification, root cause analysis, and resolution of breaches and incidents. Access will be configured and enabled for on-line, real-time access to the GUI (Graphical User Interfaces)/Consoles/Interfaces of:

  • The systems that generate and produce security log data and feature an interface that has reporting, parsing or searching functions with relation to the security log data it generates;
  • The centralized log management system, service or facilities; and,
  • The centralized monitoring system, service or facilities.

If the specific technology does not have a GUI/Console/Interface available, and instead relies on raw log data generation, equivalent functionality that permits the timely and effective searching of the security logs produced must be implemented.

b) Collection of evidence
At the outset of an information security investigation it may not be known if legal or disciplinary actions will result and what evidence will be required. To ensure proper procedures, confidentiality and information privacy, evidence must only be collected by individuals authorized by the Chief Information Security Officer.

  • Evidence collection procedures must be documented by the Chief Information Security Officer;
  • Investigative processes must follow the rules of evidence to ensure relevance, admissibility and materiality; and,
  • Information Owners and Information Custodians in receipt of a legal order to produce electronic evidence must immediately contact the Chief Information Security Officer.

Guidelines:
In general, procedures for evidence collection should include identification, collection, acquisition and preservation of evidence in accordance with different types of media, devices and the status of devices (e.g., powered on or off). The procedures should take account of:

  • Chain of custody;
  • Safety of evidence;
  • Safety of employees;
  • Roles and responsibilities of employees involved;
  • Competency of employees;
  • Documentation; and,
  • Briefing.

A.5.29 Information security during disruption

Control Objective: The organization should plan how to maintain information security at an appropriate level during disruption.

The purpose is to protect information and other associated assets during disruption. This provides direction from a security focus for planning the resumption of business or services where a man-made or natural disaster has occurred. The organizations are required to be prepared and to re-establish business or services as swiftly and smoothly as possible. Business continuity plans include the evaluation of security risks in line with the directions set by Emergency Management. .Business continuity begins by identifying events that can cause interruptions to business processes, e.g. equipment failure, flood and fire. This is followed by a risk assessment to determine the impact of those interruptions (both in terms of damage scale and recovery period). This assessment considers all business processes and is not limited to the information processing facilities. Depending on the results of the risk assessment, a strategy plan is developed to determine the overall approach to business continuity. The organization must determine its requirements for information security and the continuity of information security management in adverse situations.
a) Business continuity planning
b) Business continuity risk assessment
c) Business continuity strategy
d) Business continuity plans
e) Coordination of business continuity plans

a) Business continuity planning
Information Owners must ensure business continuity and recovery plans address information security requirements consistent with the classification of the information. Processes for establishing business continuity and recovery plans are detailed in the Business Continuity Management Program Guidelines.

  • Information Owners must perform a business impact analysis for information security aspects to determine the information security requirements applicable to adverse situations; and,
  • Information security requirements remain the same in adverse situations, compared to normal operational conditions.

The Information owner must maintain the business continuity and recovery plans for information systems as part of the System Security Plan. The Organization policy on business continuity programs is defined in Core Policy and Procedures Manual – Business Continuity Management.

b) Business continuity risk assessment
The process for identifying, analyzing and evaluating risks, including information security risks, is detailed in the Business Continuity Management Program Guidelines – Identify, Analyze and Evaluate Risks. The process for analyzing and assessing business impacts, including those for information security risks, is detailed in the Business Continuity Management Program Guidelines – Review Business Functions and Analyze Business Impacts.

c) Business continuity strategy
The process for developing a business continuity strategy is detailed in the Business Continuity Management Program Guidelines, – Plan Mitigation Strategies and,  Plan Business Continuity Strategies.

d) Business continuity plans
Requirements for business continuity plans are defined in Core Policy and Procedures Manual 16 – Business Continuity Management. The process for developing and maintaining business continuity plans is detailed in the Business Continuity Management Program Guidelines.

e) Co-ordination of business continuity plans
Information Owners must ensure business continuity plans:

  • Include the classification of information assets to identify critical business operations;
  • Use organization-wide frameworks and processes; and,
  • Use information security processes which maintain approved security levels.

The Emergency Management BC must coordinate organization-wide business continuity plans to reconcile recovery priorities, business impacts, security impacts and business resumption processes. The Chief Information Officer is responsible for protecting the privacy, confidentiality, integrity and availability of electronic information. This responsibility includes providing expert advice to Emergency Management BC on information security aspects of business continuity plans.

Implementing information security continuity

The purpose is to ensure the required level of continuity for information security is maintained during an adverse situation.The organization must establish, document, implement and maintain processes, procedures and controls to ensure the required level of information security for business continuity during an adverse situation.
a) Implement required level of continuity
b) Information security continuity requirements
c) Processes and procedures
d) System redundancy

a) Implement required level of continuity
Information Owners must ensure that:

  • An adequate management structure is in place to prepare for, mitigate and respond to a disruptive event using employees with the necessary authority, experience and competence;
  • Incident response employees with the necessary responsibility, authority and competence to manage an incident and maintain information security are nominated; and,
  • Documented plans, response and recovery procedures are developed and approved, detailing how the organization will manage a disruptive event and will maintain its information security to a predetermined level, based on approved information security continuity objectives.

b) Information security continuity requirements
According to the information security continuity requirements, Information Owners must establish, document, implement and maintain:

  • Information security controls within business continuity or disaster recovery processes, procedures and supporting systems and tools;
  • Processes, procedures and implementation changes to maintain existing information security controls during an adverse situation; and,
  • Compensating controls for information security controls that cannot be maintained during an adverse situation.

c) Processes and procedures
Within the context of business continuity or disaster recovery, specific processes and procedures have been defined. Information that is handled within these processes and procedures or within dedicated information systems to support them must be protected. Information Owners must involve information security specialists when establishing, implementing and maintaining business continuity or disaster recovery processes and procedures.

d) System redundancy
Information security controls that have been implemented must continue to operate during an adverse situation. If security controls are not able to continue to secure information, other controls must be established, implemented and maintained to achieve an acceptable level of information security

Verify, review and evaluate information security continuity

The purpose is to o ensure business continuity plans are current, functional and address information security requirements. Business continuity plans shall be tested regularly to ensure that they are up to date and effective. Such tests should also ensure that all members of the recovery team and other relevant staff are aware of the plans. Business continuity plans must be regularly exercised and updated. Information Owners  must review business continuity plans annually to ensure they are current, valid and readily accessible during a business interruption. Business Continuity Plans must be coordinated with security management and emergency preparedness and response plans. Business Continuity Plans must be exercised at least annually to the extent necessary to confirm plan effectiveness and to ensure employees are prepared and trained. All employees and key stakeholders must be aware of the  Business Continuity Management Program and understand its contents and their role. Information Owners must report the number and type of exercises completed, the training conducted and the status of the business continuity plans to Emergency Management BC semi-annually. Requirements for exercising business continuity plans are defined in Core Policy and Procedures – Business Continuity Management. The processes for exercising business continuity plans are detailed in the Business Continuity Management Program Guidelines – Train and Exercise. Requirements for the maintenance of the business continuity plan are detailed in Business Continuity Management Program Guidelines – Monitor and Review.

A. 5.30 ICT readiness for business continuity

Control Objective: ICT readiness should be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.

XXX aligns its ICT readiness for business continuity approach to those required to establish and maintain an effective system of internal controls:

  • Accountability: A single Application Custodian representing business criticality and continuity requirements of business continuity and ICT readiness for business continuity. The Application Manager ensures the end-to-end redundancy, resilience and recovery performance of all component ICT systems supporting the application meets the agreed business criticality and continuity requirements.
  • Community of Practice: Sharing knowledge and collateral between business stakeholders and ICT service provider teams enables continuous improvement and establishes a broader community of good practice.
  • Risk based approach: Application of XXX’s risk management processes in line with levels of acceptable risk and risk appetite ensures consistent assessment of business criticality and consequent investment in ICT service continuity capability.
  • Managed: Consistent practice, terminology and processes across ICT service provider teams enables better alignment, planning, coordination and validation of ICT readiness for business continuity XXX’s business continuity requirements. Consolidated reporting of ICT service continuity readiness for critical systems enables management of gaps and risks associated with misalignment of ICT service continuity with business expectations;
  • Incident prevention: Protecting ICT services from threats, such as environmental and hardware failures, operational errors, malicious attacks, and natural disasters, is critical to maintaining the desired levels of system availability for an organisation;
  • Incident detection: Detecting incidents at the earliest opportunity will minimise the impact to services, reduce the recovery effort, and preserve the quality of service;
  • Response: Responding to an incident in the most appropriate manner will lead to a more efficient recovery and minimise any downtime. Reacting poorly can result in a minor incident escalating into something more serious;
  • Recovery: Identifying and implementing the appropriate recovery strategy will ensure the timely resumption of services and maintain the integrity of data. Understanding the recovery priorities allows the most critical services to be reinstated first. Services of a less critical nature may be reinstated later, or in some circumstances, not at all; and
  • Improvement: Lessons learned from small and large incidents should be documented, analysed and reviewed. Understanding these lessons will allow the organisation to better prepare, control and avoid incidents and disruption;

ICT readiness for business continuity shall be managed in accordance with the requirements outlined in the XXX’s Business continuity policy and proceed.

 A 5.31 Legal, statutory, regulatory and contractual requirements

Control Objective: Legal, statutory, regulatory and contractual requirements relevant to information security and the organization’s approach to meet these requirements should be identified, documented and kept up to date.

The purpose is to ensure compliance with legal, statutory, regulatory and contractual requirements related to information security. XXX. adheres to all the applicable laws and acts. It is the responsibility of the HR department to review compliance and identify new or unidentified legal obligations. All agreements entered by the company are duly vetted and approved by the HR department for this purpose. The legislative, statutory, regulatory and contractual requirements for each information system must be explicitly defined, documented and maintained. Information Owners are responsible for ensuring that legislative statutory, regulatory, policy and contractual requirements of each information system are:

  • Identified and documented when commencing a system development or enhancement initiative;
  • Reviewed prior to, or concurrent with, changes to legislation, regulation or policy; and,
  • Explicitly identified in contracts and service agreements, and included in:
    • Privacy Impact Assessments,
    • Security Threat and Risk Assessments,
    • System Security Plans,
    • Risk Management Plans, and,
    • Business Continuity Plans.

Privacy requirements for information systems containing or handling personal information are defined in the Freedom of Information and Protection of Privacy Act – Policy and Procedures Manual

Regulation of cryptographic controls

The cryptographic regulations as per IT Act of Government of (P) shall be followed for XXX operations. In case of usage of third party cryptographic devices compliance letter from the third party shall be secured.Cryptographic controls must be used in compliance with relevant agreements, legislation and regulations. When cryptographic controls are used, Information Owners  must:

  • Ensure that the use of cryptographic control(s) is supported by an Information Security Threat and Risk Assessment;
  • Consult with the Chief Information Officer regarding the records management, electronic commerce, information access, privacy and security issues prior to acquiring cryptographic controls;
  • Ensure encrypted information assets do not become unavailable due to unavailability or loss of cryptographic keys by implementing a process to manage cryptographic keys as defined by the Chief Information Officer; and,
  • When acquiring cryptographic controls from outside the country, the procurement must be from a reputable vendor who can provide reasonable assurance on the legality of import into country.

The Chief Information Officer will:

  • Develop and document cryptographic key management processes;
  • Provide guidance and assistance to the departments and agencies in the selection and use of cryptographic controls; and,
  • Establish and publish cryptographic standards

A.5.32 – Intellectual property rights (IPR)

Control Objectives: The organization should implement appropriate procedures to protect intellectual property rights.

The purpose is ensure compliance with legal, statutory, regulatory and contractual requirements related to intellectual property rights and use of proprietary products.  XXX. ensures that all license agreements are respected and limits the use of the products to specified machines, and for specific purposes.

  1. The IPR of hardware, software and documentation belonging to , XXX  will not be disclosed to any outside party unless and otherwise cleared by XXX
  2. The IPR of programs and associated material supplied by outside organizations / collaborators will be used by, XXX. for only those purposes for which they are licensed.
  3. No unauthorized copies will be made for use within or outside, XXX 

Controls must be implemented to ensure compliance with legal, regulatory and contractual restrictions on the use of material with respect to intellectual property rights and proprietary software licensing.
a) Intellectual property rights of external creators and owners
b) Intellectual property rights for the organizational assets

a) Intellectual property rights of external creators and owners
Information Owners and Information Custodians must protect intellectual property by:

  • Ensuring that information and software is only acquired from reputable vendors;
  • Maintaining proof or evidence of ownership or right to use;
  • Adhering to the terms and conditions of use associated with intellectual property;
  • Ensuring the maximum number of users permitted is not exceeded;
  • Implementing processes to detect unlicensed information (e.g., ISO standards documents) and software or expired licenses;
  • Requiring the removal of unlicensed information and software from the  information systems;
  • Informing employees of the policies, including the Appropriate Use Policy;
  • Ensuring licensed intellectual property is securely removed from electronic media prior to media disposition; and,
  • Complying with terms and conditions for information and software obtained from public networks (e.g., “free for personal use only”, open source).

b) Intellectual property rights for the assets
Policy for the intellectual property of information assets is in the Core Policy and Procedures Manual  – Corporate Supply and Disposal Arrangements which is managed by the Chief Information Officer

A.5.33– Protection of Records

Control: Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release.

The purpose is to ensure compliance with legal, statutory, regulatory and contractual requirements, as well as community or societal expectations related to the protection and availability of records. The important records are protected from loss, destruction and falsification. The following records of, XXX are safeguarded:

  • Master List of Documents
  • Master List of Records
  • Database records
  • Transaction logs
  • All contracts and agreements

All records are retained for a defined period as specified by the owner of the information. Storage and handling of all these records is in accordance with a defined procedure. The documented information  must be protected from loss, destruction and falsification, unauthorized access, release, and disposal in accordance with legislative, regulatory, contractual and business requirements. When deciding upon protection of specific organizational records, Information Owners must consider the information security classification. Information Owners must ensure the protection of records by:

  • Using organization guidelines on the retention, storage, handling and disposal of records and information;
  • Following a retention schedule identifying records and the period of time for which they should be retained; and,
  • Maintaining an inventory of sources of key information.

A.5.34– Privacy and protection of PII

Control Objective : The organization should identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements.

The purpose is to ensure compliance with legal, statutory, regulatory and contractual requirements related to the information security aspects of the protection of PII. However, all personal records are maintained as hard copies and classified as ‘Confidential’. Only HR department has access to those files. Online personal information is maintained which is password protected, and the access is limited to the HR.Privacy and protection of personal information must be ensured as required in legislation and regulation.Information Owners must document and implement policies for privacy and the protection of personal information. The policy must be communicated to all employees involved in the processing of personal information. There must be Privacy Impact Assessment and Security Threat and Risk Assessment documents for all operations areas that are collecting, processing and storing personal information. The Freedom of Information and Protection of Privacy Act requires personal information to be protected using ‘reasonable security measures’. The Information Security Policy includes detailed controls which enable and support the protection of information and information systems.

A.5.35 Independent review of information security

Control Objective: The organization’s approach to managing information security and its implementation including people, processes and technologies should be reviewed independently at planned intervals, or when significant changes occur.

The purpose is to ensure the continuing suitability, adequacy and effectiveness of the organization’s approach to managing information security. .Information System Security Committee is responsible for reviewing and auditing the ISMS for its compliance. All areas covered in the ISMS policy are considered for regular reviews and audits. MR prepares and publishes the annual audit/ review plan. Independent reviews of information security must be regularly conducted.
a) Independent review of information security
b) Remediation

a) Independent review of information security
Independent reviews are necessary to ensure the continuing suitability, adequacy and effectiveness of the organization’s approach to managing information security. The review must include assessing opportunities for improvement and the need for changes to the approach to security, including the policy and control objectives. The Chief Information Security Officer must initiate an independent third party review of the Information Security Program every two years including:

  • Assessing the operational effectiveness of the Information Security Program;
  • Documenting the results; and,
  • Reporting the results of the review to senior management.

b) Remediation
Information Owners must address the identified weaknesses and non-compliant controls prior to the next review.

A.5.36 – Compliance with policies, rules and standards for information security

Control Objective: Compliance with the organization’s information security policy, topic-specific policies, rules and
standards should be regularly reviewed.

The purpose is ensure that information security is implemented and operated in accordance with the organization’s information security policy, topic-specific policies, rules and standards. The XXX. with the help of the Security Committee and other Core Group members conducts periodic/event-driven review to ensure compliance with security policy & standards. Information Owners must ensure security procedures are followed in their areas of responsibility and facilitate regular reviews to ensure compliance with security policies and standards.
a) Compliance with security policies and standards
b) Review of controls
c) Review of implementation of information incident report recommendations

a) Compliance with security policies and standards
Information Owners must ensure security policies and processes are implemented and adhered to by:

  • Conducting periodic self-assessments;
  • Ensuring employees receive regular information security awareness updates; and,
  • Initiating independent assessments, reviews or audits to assess compliance with policy.

When review processes indicate non-compliance with policies, Information Owners must:

  • Determine cause(s);
  • Assess the threats and risks of non-compliant processes;
  • Document the marginal risks where required; and,
  • Develop plans to implement corrective action.

b) Review of controls
Information Owners must develop an annual plan which identifies information systems scheduled for a security review in each fiscal year. The information systems to be reviewed in each year should be:

  • Determined in conjunction with the Enterprise-wide Risk Management Plan;
  • Endorsed by the Audit Committee, or equivalent; and,
  • Reported as part of the annual information resource management plan.

Information Owners must ensure that critical information systems are reviewed at least every three years.

c) Review of implementation of information incident report recommendations
Information Owners and Information must ensure that recommendations from information incident reports are addressed. The Chief Information Security Officer may perform compliance reviews or audits of the implementation of recommendations from information incident reports, when necessary. The Chief Information Officer must ensure that Information Owners support the audit activities.

Guidelines:
When determining the review frequency for information systems consider:

  • The value of the information system as determined by a Security Threat and Risk Assessment or a Risk and Controls Review;
  • Frequency of changes or updates (as changes may introduce new risks, a system which has undergone frequent changes may have higher risks); and,
  • Results of previous reviews.

A.5.37 Documented operating procedures

Control Objective: Operating procedures for information processing facilities should be documented and made available to personnel who need them.

The purpose is to ensure the correct and secure operation of information processing facilities. XXX. has a set of defined operating manuals for processing the department functionality. All documented operating manuals are identified in the ‘PAL-Process Asset Library-Content Master’. Operating procedures and responsibilities for information systems and information processing facilities must be authorized, documented, and maintained. Information Owner must ensure that approved operating procedures and standards are:

  • Documented;
  • Consistent with the policies, standards and guidelines;
  • Reviewed and updated annually or when there are:
    • Alterations to building layouts,
    • Changes to equipment/systems located in the facility,
    • Changes in business services and the supporting information systems operations, and,
    • As part of any related security incident investigation.

Operations documentation must contain detailed instructions regarding:

  • Information processing and handling;
  • Last review and update;
  • Classification of document;
  • System re-start and recovery;
  • Back-up and recovery, including on-site and off-site storage;
  • Exceptions handling, including a log of exceptions;
  • Output and media handling, including secure disposal or destruction;
  • Audit and system log management;
  • Change management including scheduled maintenance and inter dependencies;
  • Computer room management and safety;
  • Information Incident Management Process;
  • Disaster recovery;
  • Business continuity;
  • Operations, technical, emergency and business contacts.

 A. 6.1 Screening

Control objective: Background verification checks on all candidates to become personnel should be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

The Purpose is to ensure all personnel are eligible and suitable for the roles for which they are considered and remain eligible and suitable during their employment.This identifies the information security requirements for employees that have an employment relationship with the organizations. To reduce information security risks, the terms and conditions of employment must establish expectations for the protection of assets, information, and services. It references the terms and conditions for employees and identifies the conditions for external personnel such as contractors. Supervisors and employees have different security responsibilities and liabilities that apply prior, during, and at the time of termination of employment. Prior to employment, the emphasis is on the awareness of expected roles and responsibilities, the screening of prospects, and the existence of agreements. During employment, policies establish Supervisor responsibilities, education, training, and formal processes to handle problematic security situations. This also establishes rules to ensure a secure transition when employment is ended or changed.

XXX. has a documented recruitment process. The screening requirements form part of the contract agreement with vendors. Employee security screening must be performed prior to entering a working relationship with the organization.
a) Screening for employees
b) Screening for contractors

a) Screening for employees
The process for employee screening is detailed in  Human Resource Policies.
b) Screening for contractors
The process for contractor screening is detailed in Core Policy and Procedures Manual – Procurement.

Guidelines:
The process for contractor screening can be used to screen other individuals such as volunteers. Applicants should be screened to assess their education, skills, knowledge, experience, and past work performance. The screening should also confirm the applicant’s identity. The extent of the screening process should be commensurate with the sensitivity of the information and the nature of the work to be performed.
XXX may exempt applicants from the screening process where:

  • Employees have been previously screened for similar types of organizational work within the last 2 years; or,
  • The sensitivity of the information and nature of work to be performed does not warrant a complete screening process.
  • The procurement Manager should maintain a list of contractors and other individuals who have been screened and the dates.

A.6.2 – Terms and conditions of employment

Control Objective: The employment contractual agreements should state the personnel’s and the organization’s responsibilities for information security.

The purpose is to ensure personnel understand their information security responsibilities for the roles for which they are considered. All employees of, XXX., at the time of joining, are required to agree and sign the Terms and Conditions of employment as detailed in the Recruitment Process. The Terms and Conditions also state the employees’ responsibility for Information Security. The terms and conditions of employment must document the responsibility of employees for information and information systems security.
a) Terms and conditions of employment
b) Communication of terms and conditions of employment
c) Violation of terms and conditions of employment

a) Terms and conditions of employment
The terms and conditions of employment are defined in the Human Resource Policies, the Oath of Employment, and the Standards of Conduct. The terms and conditions of employment defined in contracts must include:

  • Legal responsibilities and rights (e.g., laws relating to intellectual property rights, freedom of information, and privacy);
  • Confidentiality requirements that include responsibilities for the handling and storage of information assets; and,
  • Consequences of failing to adhere to the terms and conditions.

b) Communication of terms and conditions of employment
The Management must ensure terms and conditions of employment are agreed to by employees prior to employment or provision of services, including signing the Oath of Employment and receiving a copy of the Standards of Conduct.

c) Violation of terms and conditions of employment
Employees in violation of the terms and conditions of employment are subject to disciplinary action including dismissal, cancellation of the contract, or other legal remedies

A.6.3 Information security awareness, education and training

Control Objective: Personnel of the organization and relevant interested parties should receive appropriate information security awareness, education and training and regular updates of the organization’s information security policy, topic-specific policies and procedures, as relevant for their job function.

The Purpose is ensure personnel and relevant interested parties are aware of and fulfil their information security responsibilities.  XXX.  ensures that users (employees and the relevant external parties) are made aware of their security responsibilities through ongoing awareness training programs. All employees are to adhere to them while executing the Roles and Responsibilities as defined. A documented procedure for training exists. XXX., in association with the HR Dept. ensures that all, personnel are imparted ISMS-related training and that a training module on Information security policies becomes an integral part of induction training programs. Employees must receive appropriate information security training and be informed of changes to information security policy and practices.
a) Orientation for new employees
b) Ongoing information security awareness, education, and training

a) Orientation for new employees
The management will include an information security awareness component in orientation processes that employees must complete prior to accessing information or information systems.

b) Ongoing information security awareness, education, and training
Department heads must provide ongoing information security awareness, education, and training, addressing topics including:

  • Protection of information;
  • Information privacy requirements;
  • Records management;
  • Known information security threats;
  • Legal responsibilities;
  • Information security policies and directives;
  • Reporting information security events;
  • Appropriate use of resources;
  • Technology training;
  • Information on disciplinary processes; and,
  • How to obtain security advice.

Guidelines:
Resources on information security awareness, education and training are available from:

  • Information Security Officers;
  • Manager, HR department

A.6.4 Disciplinary process

Control Objective: A disciplinary process should be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation.

The purpose is ensure personnel and other relevant interested parties understand the consequences of information security policy violation, to deter and appropriately deal with personnel and other relevant interested parties who committed the violation. Any violation of the signed documents is considered as a disciplinary offense and as such acts as a deterrent to employees who might otherwise be inclined to disregard security procedures.  The procedure shall ensure correct, fair treatment for employees who are suspected of committing serious or persistent breaches of security. It is addressed by the reference to XXX. Conduct, Disciplinary, and Appeal (CDA) Rules. Security breaches or policy violations caused by employees must be reviewed by the HOD.

Upon receipt of information identifying employees responsible for a potential or actual security breach or policy violation, HODs are responsible for:

  • Ensuring the Chief Information Officer has been informed of the outcome of the security incident and investigation;
  • Assisting in an investigation and verifying the details of the security breach or policy violation;
  • Determining, in consultation with the HR, if disciplinary action is warranted for employees; and,
  • Arranging for the permanent or temporary removal of access privileges when appropriate.

 A.6.5 Responsibilities after termination or change of employment

Control Objective: Information security responsibilities and duties that remain valid after termination or change of employment should be defined, enforced and communicated to relevant personnel and other interested parties.

The purpose is to protect the organization’s interests as part of the process of changing or terminating employment or contracts. Responsibilities for performing employment termination or change of employment are clearly defined and assigned. Refer to XXX. Conduct, Disciplinary, and Appeal (CDA) rules. The Responsibilities for employment termination must be documented. Supervisors must advise employees of ongoing confidentiality responsibilities that continue to apply after termination of employment, as outlined in the Standards of Conduct.

A.6.6 Confidentiality or non-disclosure agreements

Control Objective: Confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information should be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.

The purpose in to maintain confidentiality of information accessible by personnel or external parties. All contractors and external parties are required to sign NDA as covered by respective contract guidelines. A confidentiality agreement reflecting organizational requirements for the handling of information must be in place and reviewed regularly. Information Owners must:

  • Ensure employees are informed of their obligation to maintain the confidentiality of information; and,
  • Ensure individuals other than employees accept and sign an agreement to maintain the confidentiality of information.
  • Confidentiality requirements must be reviewed and updated annually.

A.6.7 Remote working

Control Objective: Security measures should be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises.

The purpose is to ensure the security of information when personnel are working remotely .XXX. has a well-defined policy and guideline on the use of laptops for purposes of Remote working. Remote working must employ security controls to ensure that information resources are not compromised.
a) Remote working security controls
b) Remote working agreement
c) Remote working policy

a) Remote working security controls based on risk assessment
Information Owners must ensure that information and information technology assets are adequately protected regardless of the type of access or physical location of employees. Remote working security controls must consider:

  • The sensitivity and classification of information assets that may be accessed or stored at the Remote working location (e.g., paper files, mobile devices such as laptops, smartphones, USB drives);
  • The physical security of information, information technology assets and the Remote working location;
  • Unauthorized information access by people at the Remote working location, either inadvertent or deliberate;
  • Enrollment in Mobile Device Management Service;
  • Remote access threats if remote access is utilized;
  • Restriction of permitted information types and classifications at the Remote working location;
  • Provision of organization-managed equipment, if appropriate, due to information sensitivity or volume;
  • Use of secure cabinets, shredders and other physical security equipment;
  • Security awareness training for protection of information and information assets, including clear desk policy, information handling rules, physical security issues and remote access training;
  • Monitoring and review of Remote working equipment for security events and incident response.
  • Sensitive and confidential information must be stored only on protected organizations systems, as defined in the Appropriate Use Policy.

b) Remote working agreement
Remote working arrangements must be formally authorized and documented. A documented Remote working agreement between the employer and employee must exist that specifies the following employee responsibilities, terms, and conditions:

The expectation that the employee will actively protect information and information technology assets;
Reference to the XXX’s Human Resource Policies, Oath of Employment, Standards of Conduct, Appropriate Use Policy, Information and Communications Technology (ICT) Agreement, or contract terms as appropriate:

  • Restrictions on information asset types or classifications permitted at the Remote working location.
  • The requirement to protect information from inadvertent or deliberate disclosure to people at the Remote working location by use of secure cabinets, passwords or shredders;
  • The authorized Remote working location and contact information;
  • Information availability requirements;
  • What equipment and software is supplied by the employee and by the employer;
  • Completion of a Home Technology Assessment;
  • The terms of use for remote access, if applicable;
  • The requirement to meet or exceed specified wireless networking security controls, if wireless networking will be used at the teleworking location;
  • The requirement to report security events or unusual activity;
  • Arrangements for technical support; and,
  • The start date, end date, expected work hours and provision for termination of the Remote working arrangement.

c) Remote working policy
Information owners must develop and communicate policies and processes specific to their areas that govern remote working, in particular the practice of removing material from the workplace. Controls required for an remote working policy are:

  • Restriction of the information asset types and classifications that may be accessed or utilized while remote working;
  • Use of secure cabinets, shredders and other physical security equipment; and,
  • Minimum technical security controls required for non-organization computing equipment, in particular current anti-virus, personal firewall and current software patches.

Guidelines:
Remote working employees should use the following security measures when accessing the information services:

  • Desktop Terminal Service (DTS) – preferred access method for employees own devices;
  • DTS or Virtual Private Network (VPN) for organization devices; and
  • Application specific methods such as Secure Sockets Layer (SSL) enabled websites (e.g., Outlook Web Access).
  • Use of VPN access on employees own devices should be avoided, unless it is used with Remote Desktop Protocol (RDP) connection.

A.6.8 Information security event reporting

Control Objective: The organization should provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.

The purpose is to support timely, consistent and effective reporting of information security events that can be identified by personnel.This establishes requirements for reporting a possible breach of information security as quickly as possible. This includes establishing procedures and processes so that employees understand their roles in reporting and mitigating security events. Information security incident management policies identify mechanisms to detect and report when information security events occur and the directives for the consistent management of such events. The information collected about the events can be analyzed to identify trends and to direct efforts to continually improve and strengthen the information security infrastructure of the Province.

.Security events are defined as incidents that could cause unauthorized disclosure, modification, or destruction of, XXX’s information assets, or loss or destruction of the physical equipment associated with the computer systems, it’s peripheral or network infrastructure components. Security incidents also include other aspects of security, such as carrying fire arms, or other lethal weapons on property, are as typically secured being left unlocked or unattended, fire or hazardous material spills, or witnessing someone performing an unsafe act, or committing a violation of security policies or procedures etc. All users in the, XXX are responsible to report any observed or suspected security incidents through email/help desk phone/on-line Incident reporting system available on Intranet. The security incidents are reported and are managed by the documented procedure. Information security events must be reported immediately.
a) Reporting information security events
b) Information security event logging

a) Reporting information security events
As required by the Information Incident Management Process, employees must immediately report all suspected or actual information security events as quickly as possible to their Dept. head. Dept. head will ensure that senior managers and  Chief Information Security Officer are also informed. CISO will seek further details and may give advice on next steps. All employees must be aware of:

  • Procedures for reporting information security events; and,
  • Points of contact for reporting.

Requirements for reporting events must be included in contracts and service agreements. Situations to be considered for information security event reporting include:

  • Ineffective security controls;
  • Breach of information integrity, confidentiality or availability expectations;
  • Breach of personal privacy;
  • Human errors;
  • Non-compliance with policies or guidelines;
  • Breaches of physical security arrangements;
  • Uncontrolled system changes;
  • Malfunctions of software or hardware; and,
  • Access violations.

b) Information security event logging
Information security event logs are logs that could be used in security investigations, auditing or monitoring and could give rise to a security incident. Security events may be any activities that can potentially impact the confidentiality, integrity or availability of the information in both paper and electronic format. Information security event logs are notification or alert that a device or software may be technically capable of producing, and are related to its status (e.g., configurations changes, log-on or log-off events), or its function and activities (e.g., data, traffic or sessions routed, transmitted, blocked, permitted). Information security event logging must always be enabled to provide context and data to support security investigation, audit, and monitoring. Information security event logging is not limited to security devices, but is applicable to any and all devices, systems, software or applications that can produce logs that can be used to validate the confidentiality, integrity or availability of the information whether in security investigations, auditing or ongoing monitoring. Examples of devices, systems, software or applications that can produce information security logs include, but are not limited to, routers, switches, content filtering, network traffic flow, network firewalls, Intrusion Prevention/Detection Systems, servers, applications, databases, operating systems, application firewalls, authentication services, directory services, DHCP, DNS, and hardware platforms. All devices, systems, software or applications that have logging capabilities must be configured to produce logs to enable the detection of security events and intrusions that otherwise would go undetected without such logging. If the logging that the device or software is technically capable of producing is disabled or only partially configured, then this decision must be documented and include the rationale for deactivating or only partially implementing the logging. The corresponding Security Threat and Risk Assessment must be updated to reflect this decision and must assess whether the risk introduced by the lack of logging is acceptable.

Reporting information security weaknesses

Security weaknesses are defined as loopholes, weak points or vulnerabilities in the information system. These vulnerabilities or the loopholes may be exploited to gain unauthorized access to data or systems. All users in the, XXX. are responsible to note and report any such observed or suspected security weakness. Any user (viz., employee, contractor and third party) can report the incident using email/help desk phone/online system available on Intranet. Employees using the organization’s information systems must note and report any observed or suspected security weaknesses in those systems. All employees must report as quickly as possible any observed or suspected security weaknesses in information systems. Ministries must follow the Information Incident Management Process for responding to suspected or actual security weaknesses which includes:

  • Reporting to the Chief Information Officer, Risk Management and Security Office, as appropriate. The response process must:
    • ensure all reports are investigated and handled in a secure, confidential manner, and,
    • ensure the individual who reported the weakness is advised of the outcome when the investigation is complete; and,
  • A user awareness program on information security advising employees that:
    • they have a responsibility to report observed or suspected weaknesses to the Ministry point-of-contact,
    • suspected or observed weaknesses must not be tried or tested, and,
    • weaknesses should not be discussed, or made known, except through approved reporting channels.

Guidelines:
The Information Incident Management Process should be part of the Business Continuity Program. The awareness program should build trust with employees and stress that “to err is human”. Positive reinforcement of good computing and reporting practices will help employees understand their responsibilities. Employees who commit errors that lead to security incidents should receive appropriate training and counselling. The reporting and response processes for all security weaknesses, threats, events and incidents should be consolidated to avoid duplication and establish a consistent approach..

A.7.1 Physical security perimeters

Control objective:Security perimeters should be defined and used to protect areas that contain information and other associated assets.

The purpose is to prevent unauthorized physical access, damage and interference to the organization’s information and other associated assets. This identifies requirements for protection from environmental and man-made threats to employees and property. One of the principles used for protection is the use of a layered defense, with perimeters and security zones that place computers, people, and information in secure areas. Requirements for the installation, operation, protection, and maintenance of computer equipment are identified to preserve the security of information and information systems.

XXX. has a well-defined policy on physical security and procedure on physical access control. XXX has implemented different security barriers to check the access into the premises.

  • XXX. has main entry and exit point manned by security personnel.
  • Entry to company premises for the employees is through bio-metric /access card and for visitors is through visitors pass.
  • Access to specific /secure areas like server rooms is monitored through access card.
  • Video Surveillance will be done through cameras installed at critical location. 

The information processing facilities must be protected by a physical security perimeter.
a) Security perimeter
b) Maintenance

a) Security perimeter
Information Owners must ensure that the perimeters of an information processing facility are physically sound in design and consider landscaping, lighting, fencing, and closed-circuit television on the access routes to the building; that the roof, walls, and flooring are of solid construction; and that exterior access points, windows, and doors are equipped with appropriate security controls (e.g., locks, alarms, bars). All information processing facilities are a Restricted Access, Security Zone. Appropriate security controls must be applied to reduce the level of identified risks and include:

  • A structure that prevents external visual and audio observations and complies with all applicable building codes for structural stability (external walls, internal walls, ceilings, and doors). Walls surrounding the facility must be extended from true floor to true ceiling (slab to slab), to prevent unauthorized entry and minimize environmental contamination such as that caused by fires and floods. Appropriate control mechanisms (e.g., locks, alarms, and bars on windows and doors) must be applied to prevent unauthorized access;
  • All information processing facilities must be equipped with physical intrusion alarm systems that automatically alert monitoring employees to take immediate action;
  • Information processing facilities must be equipped with doors that close automatically. These doors must set off an audible alarm when kept open beyond a certain period of time;
  • All fire doors must be equipped with crash bars to allow a quick exit in the event of an emergency. When the doors are opened an audible alarm may also be set off;
  • Alarm systems must be continuously monitored (i.e., 24 hours a day, 7 days a week); and,
  • The information processing facilities must be physically separated from those managed by third parties.

b) Maintenance
Information Owner must review, and where appropriate test, physical security and environmental control requirements at least annually. Security requirements for facilities must be evaluated prior to significant:

  • Alteration to exterior building layouts;
  • Changes to perimeter security controls;
  • Change in operations; and,
  • As part of any related security incident investigation.

Guidelines:
The following guidelines support physical and environmental security by establishing perimeter security for information processing facilities:

  • Information processing facilities should have a manned reception area to control access to the facility where feasible;
  • Common service spaces such as eating areas, washrooms, cloakrooms, boardrooms, and storage areas should be located so that they cannot be used to circumvent physical security;
  • Visitor reception should be separate from entrance areas but provide an unobstructed view of the entrance; and,
  • When physical security is outsourced, the contract must require that contracted employees are security screened and bonded.

A.7.2 – Physical entry

Control Objective: Secure areas should be protected by appropriate entry controls and access points.

The purpose is to ensure only authorized physical access to the organization’s information and other associated assets occurs. Secured areas are protected by appropriate entry controls to ensure that only authorized personnel are allowed access. Secure areas must be protected by appropriate entry controls to ensure that only authorized employees are allowed access.
a) Entry controls
b) Maintenance

a) Entry controls
Information Owners must establish the appropriate type and number of restricted zones to achieve the necessary conditions for employee safety and for the protection of sensitive or valuable information and assets. The establishment of restricted zones must be supported by a Security Threat and Risk Assessment. Access to any information processing facility or areas where sensitive information is kept must be restricted. Access to restricted zones must be controlled, authorized, and monitored as required by the applicable zone. Entry controls must identify, authenticate and log all access attempts to a Restricted Access Operations Zone or a Restricted Access Security Zone as follows:

  • Restricted Access Operation Zone access is limited to ministry employees and their escorted visitors (i.e., standard working areas, conference rooms, offices); and,
  • Restricted Access Security Zone access is limited to authorized employees and their escorted visitors (i.e., communication closets, server rooms).

Every person authorized to enter a facility, including visitors, must be issued an identification badge that contains identifying information (such as name and photograph) and their level of building access. Badge color or some other bold identifier may be used to represent the level of access.

  • All badges must be checked prior to entry. A receptionist, security guard, or electronic reader that logs the identity, time, date, and access privileges of each entry attempt must do such checking. Entry control may be achieved using keys, proximity card readers, or other technologies;
  • Employees must challenge anyone in a secure area who is not displaying an identification badge;
  • Visitor or temporary access badges must be returned and accounted for at the end of each day;
  • Entry logs must be reviewed on a quarterly basis;
  • All entry logs must be secured and maintained according to the approved records retention schedule for the system or information asset; and,
  • Access rights to secure areas must be reviewed and updated regularly.

When physical security is outsourced (i.e., the use of security guards) the contract must require that contracted employees are security screened and bonded.

b) Maintenance
Information Owners are responsible for reviewing physical entry control requirements annually. All entry controls in place must be tested annually. Security requirements for facilities must be evaluated and a Security Threat and Risk Assessment completed prior to:

  • Alteration to interior building layouts;
  • Change to equipment/systems located in the facility;
  • Change in operations; and,
  • As part of any related security incident investigation.

c) Delivery and loading areas

The delivery and handling of material are strictly under the authorization control with the material gate pass. Without a proper gate pass, no material is allowed to enter or leave the premises. Access to delivery and loading areas must be controlled, and where possible, separated from information processing facilities. Information Owners must ensure that access to delivery and loading areas or access from Reception Zones is controlled. The following factors must be considered:

  1. Delivery and loading areas must be designed so that supplies can be unloaded without delivery employees gaining access to restricted access zones;
  2. Protection of the delivery and loading areas must begin at the perimeter with continuous monitoring in place (e.g., gated fence, CCTV, separation from public access);
  3. Access to delivery and shipping areas must be restricted to authorized employees only;
  4. Setting and maintaining hours of operation for delivery and pick-up;
  5. A combination of internal and external locking doors or gates must be used to provide security;
  6. Incoming and outgoing shipments should be segregated when possible;
  7. Incoming material must be inspected for potential threats before being moved to or from the delivery and loading area. Inspections can be undertaken randomly if resources are not available to inspect every package;
  8. Hazardous materials must be appropriately packaged and identified as to safety precautions;
  9. Bills of lading must be compared to goods delivered;
  10. Loading docks and delivery areas must be regularly inspected and actively monitored;
  11. Records must be kept for internal and external deliveries and shipments;
  12. Reception areas must confirm the identity of all visitors for restricted zone access; and,
  13. All visitors must be accompanied while in restricted operational and security zones.

For facilities that include delivery and loading areas, and/or reception zones, a Security Threat and Risk Assessment and inspection must be conducted to determine that access can be adequately controlled.

Guidelines:
The following guidelines support physical and environmental security by establishing security within information processing facilities:

  • Common service spaces such as eating areas, washrooms, cloakrooms, boardrooms and storage areas should be located so that they cannot be used to circumvent physical security;
  • Visitor reception should be separate from entrance areas but provide an unobstructed view of the entrance;
  • When physical security is outsourced, the contract must require that contracted employees are security screened and bonded.

The effective use of restricted access zones in an open office environment depends on the implementation of appropriate security procedures, which may include:

  • Respecting the need-to-access principle and zone perimeters;
  • Escorting visitors;
  • Securing sensitive or valuable information and assets when leaving the work areas; and,
  • Taking precautions when discussing sensitive information.

A.7.3 Securing offices, rooms, and facilities

Control Objective: Physical security for offices, rooms and facilities should be designed and implemented.

The purpose is to prevent unauthorized physical access, damage and interference to the organization’s information and other associated assets in offices, rooms and facilities. XXX has taken the following security measures:

  • All employees, visitors and contract staff is supposed to report for security check-in and check-out formalities
  • Entry is restricted to authorize personnel
  • Each workstation, cubicle and cabin is provided with storage space, with lock and key arrangement to keep official documents/company classified information belonging to the employee of the workspace.
  • Employees working after office hours enter their names, and sign –in and sign-out in a separate register maintained by the security guard on duty. 

Physical security requirements must be designed, documented, and applied for all areas in and around an information processing facility. Information Owners must design, document, and approve security controls for information processing facilities based on a Security Threat and Risk Assessment. Considerations must include:

  • Determining security perimeter and maintenance factors;
  • Considering the operational use and information processing requirements of the facility;
  • Establishing appropriate security zones;
  • Design and construction complying with health and safety regulations and standards;
  • Designed with environmental controls for the protection of information assets (e.g., fire suppression, HVAC, generators, alarms);
  • Selecting unobtrusive sites and keep signage to the minimum required for meeting fire and other safety requirements;
  • Limiting the identification of critical information processing facility locations, in publicly and internally available directories, to the minimum required; and,
  • Selecting sites so that public access to highly sensitive or critical locations can be strictly controlled or avoided.

A. 7.4 Physical security monitoring

Control Objective Premises should be continuously monitored for unauthorized physical access.

The purpose is to detect and deter unauthorized physical access.Physical access monitoring includes publicly accessible areas within XXX. XXX shall

  1. Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;
  2. Review physical access logs at least once every week and upon occurrence of  events or potential indications of events and
  3. Coordinate results of reviews and investigations with the organizational incident response capability.

In XXX physical access monitoring include the employment of guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs should be done to identify suspicious activity, anomalous events, or potential threats. The reviews should be supported by audit logging controls. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses.

A.7.5 – Protecting against physical and environmental threats

Control Objectives: Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure should be designed and implemented.

The purpose is to prevent or reduce the consequences of events originating from physical and environmental threats. Physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster is designed and applied. Information Owners, site planners, and architects must incorporate physical security controls that protect against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural disasters, malicious attacks, and accidents. Consideration must be given to any security threats presented by neighboring premises or streets. In addition to meeting building code specifications and fire regulations, the following must be considered:

  1. Combustible or hazardous materials must be stored in purposely designed rooms and in appropriate containers;
  2. Installing intrusion detection and environmental alarm systems, fire suppression and firefighting systems must be included in the design phase; and,
  3. Fallback equipment (e.g., for Disaster Recovery Plan) and backup media must be sited at a safe distance to avoid damage from a disaster affecting the main site.

A.7.6 – Working in secure areas

Control Objectives: Security measures for working in secure areas should be designed and implemented.

The purpose is to protect information and other associated assets in secure areas from damage and unauthorized
interference by personnel working in these areas. Physical protection and guidelines for working in secure areas are:

  • Unsupervised work within server room will be strictly prohibited for safety reasons.
  • Personnel shall only be aware of the existence of, or activities within, a secure area on a need to know basis
  • Eating and consuming other food products will be strictly prohibited in secure areas.
  • Photographic, video, audio or other recording equipment should not be allowed, unless authorized

Security controls and procedures must be used by employees working in secure areas.
a) Secure area requirements for employees
b) Other secure area requirements

a) Secure area requirements for employees
Information Owners must identify and document requirements that apply to employees authorized to work in secure areas. Information Owners must ensure that background checks including criminal records reviews are conducted for employees working in secure areas. Information Owners are responsible for informing employees working within a secure area that:

  • Activities within a secure area are confidential and must not be discussed in a non-secure area – sensitive information must not be discussed with persons without a need-to-know;
  • No type of photographic (including cameras in mobile devices), video, audio or other recording equipment is to be operated in a Restricted Access Security Zone unless authorized; and, Information security incidents must be reported immediately.

b) Other secure area requirements
Information Owners must identify and document requirements for other individuals who may need access to a secure area. Information Owners are responsible for ensuring that:

  1. Maintenance employees, cleaners and others who may require access on an ongoing basis to the secure area must be screened and their names placed on access lists;
  2. Visitors must obtain approval for visits, be screened, and their entry and departure times logged;
  3. Employees must escort visitors when they are within secure areas;
  4. Unoccupied secure areas must be physically locked and periodically checked; and,
  5. Physical intrusion alarms and detection devices must be installed to automatically alert monitoring employees of a breach.

A.7.7 Clear Desk and Clear screen policy

Control Objectives: C ear desk rules for papers and removable storage media and clear screen rules for information processing facilities should be defined and appropriately enforced.

The purpose is to reduce the risks of unauthorized access, loss of and damage to information on desks, screens and in other accessible locations during and outside normal working hours. Personal computers are not left logged on when, not in use and are protected by a password. The screen saver is password protected. Employees must ensure the safety of sensitive information from unauthorized access, loss or damage.
a) Securing the workspace.
b) Secure work habits. 

a) Securing the work space
Employees must secure their work space whenever it is not supervised by an authorized person, including during short breaks, attendance at meetings, and at the end of the work day. Securing the work space includes:

  • Clearing desk tops and work areas;
  • Securing documents and mobile or portable storage devices in a locked desk or file cabinet;
  • Ensuring outgoing and incoming mail is appropriately secured;
  • Enabling a password protected screen saver;
  • Shutting down and restarting workstations at the end of each work day;
  • Locking doors and windows;
  • Checking fax machines and printers to ensure that no sensitive information is waiting to be picked up.

b) Secure work habits
Employees must develop and implement security-conscious work habits to reduce the likelihood of unauthorized viewing, access, or disclosure of sensitive information. Security-conscious work habits include:

  • Ensuring sensitive information is protected from accidental viewing by persons passing through the work space;
  • Ensuring that only the documents required for current work are out of their normal file cabinet;
  • Ensuring white boards, bulletin boards, flip charts do not contain sensitive information when the viewing audience cannot be defined;
  • Covering up, filing or storing paper documents when visitors are present in the work area;
  • Clearing, changing or turning off the computer screen (e.g., minimize open Windows) so that sensitive information is not displayed when visitors are present in the work area; and,
  • Not discussing sensitive information in open work spaces or public areas.

Guidelines:
Ensure that offices can be locked and that storage with locks is available.

A.7.8 – Equipment siting and protection

Control Objective: Equipment should be sited securely and protected.

The purpose is reduce the risks from physical and environmental threats, and from unauthorized access and damage. All equipment is physically protected from security threats and environmental hazards, by positioning them in secure areas. Only authorized personnel can enter secured areas. The controls are adopted to minimize the risk of potential security threats. The following practices are being followed.,

  • Business critical equipment are installed in server room, which is fully secured under lock and key
  • Fire and smoke alarms are deployed appropriately.
  • The information processing and storage facilities are fully secured
  • Users are not allowed to have drink, eatables & smoke in the server room.
  • Temperature and humidity levels are continuously monitored and maintained.
  • Power equipment is periodically serviced and checked.

Equipment must be protected to reduce the risks from unauthorized access, environmental threats and hazards.
a) Equipment siting
b) Equipment protection

a) Equipment siting
Information Owners must collaborate to ensure that the design and layout of information processing facilities provide protection for equipment from security threats as supported by a Security Threat and Risk Assessment. Safeguards must include:

  1. Locating servers and other centralized computing equipment within a Restricted Access Security Zone;
  2. Locating workstations, laptops and printers in a Restricted Access Operations Zone;
  3. Protecting information processing equipment from observation by unauthorized persons, including by observing through windows and walking through work areas;
  4. Locating shared printers, scanners, copiers, and facsimile machines away from public or reception areas, or in passageways or other areas where employees who do not have a need-to-know can access printed material.

b) Equipment protection
Information Owners must collaborate to ensure that the design and layout of information processing facilities provide protection from physical and environmental hazards. Safeguards must include:

  1. Using equipment designed for suppression of electromagnetic emanations that may be used to capture information, when the need is supported by a Security Threat and Risk Assessment;
  2. Ensuring that equipment is properly vented and that the temperatures and humidity in information processing facilities are appropriate for operating equipment safely;
  3. Providing lightning protection for information processing facilities which includes surge protection for power and communications;
  4. Assessing and protecting equipment to minimize damage from fire suppression and other safety systems;
  5. Protecting equipment from potential damage from environmental hazards such as water, dust, vibration, and sunlight;
  6. Providing employees with approved eating and drinking areas separate from work areas containing equipment;
  7. Briefing employees who work with equipment about safety practices in the workplace and emergency equipment procedures to prevent an escalation in equipment damage;
  8. Keeping information processing facilities free of biological pests that pose hazards to equipment and power systems; and,
  9. Regularly inspecting the information processing facility(s) for integrity of ceilings, walls, windows, and other infrastructure for damage from water and other environmental factors that may pose a threat to safe equipment operation.

A.7.9 – Security of assets off- premises

Control Objective: Off-site assets should be protected.

The purpose is to prevent loss, damage, theft or compromise of off-site devices and interruption to the organization’s operations. The person carrying the equipment outside the premises is responsible for the security of the equipment. XXX has a documented policy for Laptops and portable media taken outside premises. Equipment must be protected using documented security controls when off-site from the premises. Information Owners must ensure that equipment being used off-site to access information is protected commensurate with the sensitivity and the value of the information it contains. Information Owners must ensure that:

  • Sensitive data is encrypted;
  • Equipment is protected from unauthorized access by the use of a logical or physical access control mechanism (e.g., password, USB key or smart card);
  • Equipment is protected from loss with a physical locking, restraint or security mechanism when appropriate;
  • Employees are familiar with operation of the protection technologies in use.

To provide further protection employees must:

  • Not leave equipment unattended in a public place;
  • Ensure that equipment is under their direct control at all times when travelling;
  • Use the physical locking, restraint or security mechanisms provided by the Information Owner whenever possible;
  • Take measures to prevent viewing of sensitive information other than by authorized persons;
  • Not permit other persons to use the equipment; and,
  • Report loss of equipment immediately using the Information Incident Management Process and General Incident or Loss Report (GILR).

A.7.10 Storage Media

Control Objective: Storage media should be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization’s classification scheme and handling requirements.

The purpose is to ensure only authorized disclosure, modification, removal or destruction of information on storage media

1) Management of removable media

The purpose is to ensure that risks to the information introduced by portable storage devices are managed. All media should be stored in a safe, secure environment, in accordance with manufacturers’ specifications.  XXX. has defined a procedure for the management of computer media containing sensitive data.  Refer ‘PR-17-ISMS-AHP-Media Handling Process.docx’. All removable computer media must be managed with controls appropriate for the sensitivity of the data contained on the media.
a) Management of records
b) Use of portable storage devices
c) Human factors
d) Risk assessment factors and controls
e) Mandatory controls

a) Management of records
CISO is responsible for the management and disposal of records according to records schedules approved under the Procedure for control of records.

b) Use of mobile or portable storage devices
The use of mobile or portable storage devices to store or transport information increases the risk of information compromise. These devices are typically small and are easily lost, stolen, or damaged, particularly when transported in public environments. Mobile or portable storage devices include, but are not limited to, USB drives, external hard drives, smartphones, tablets, laptops, and mp3 players. Information Owners must:

  • Ensure that use of mobile or portable storage devices is managed and controlled to mitigate risks;
  • Document processes for authorizing use of mobile or portable storage devices; and,
  • Ensure employees using mobile or portable storage devices protect information and information technology assets in their custody or control.

Information Owners must conduct a Security Threat and Risk Assessment on mobile devices or mobile computing services to determine the risk profile and suitability of the device or the service for use prior to deployment within the organization. Technical standards for each device type must be documented including product name, mandatory controls, permitted information classifications, and strength of controls such as encryption key length. Device handling procedures should include instructions to minimize the amount of information stored on mobile or portable storage devices.

c) Human factors
Information Owners must ensure employees using portable storage devices are:

  1. Aware of the additional risks and responsibilities inherent with portable storage devices;
  2. Familiar with the required protection technologies and when they must be used; and,
  3. Familiar with the Information Incident Management Process and General Incident or Loss Reporting procedures.

d) Risk assessment factors
The Security Threat and Risk Assessment must consider the impact of disclosure or loss of information stored on portable media from threats such as:

  • Loss or physical theft;
  • Limited ability to control and log access to stored data;
  • Accidental media disposal or destruction;
  • Improper long term storage environment;
  • Exposure to malware; and,
  • Incomplete erasure of data prior to device disposal.

Information classification and sensitivity levels must be considered in the risk assessment.

e) Mandatory controls

Minimum information protection safeguards for the use of portable storage devices must include:

  • Disabling portable storage devices, media drives or connection ports where no business reason exists for their use;
  • Documented definition of information classifications or sensitivities permitted to exist on specific media types;
  • Not storing the only version of a document on portable storage devices;
  • Documented authorization processes for use of portable storage devices;
  • Encryption of stored data;
  • Contractual requirements for external parties that transport, handle or store portable storage devices; and,
  • Adherence to manufacturer specifications for use of portable storage devices.

Documented portable storage devices handling procedures include:

Off-site storage;

  • Third party transportation;
  • Information backup;
  • Protection against malware;
  • Logging of media custody and location to allow for accounting and audit;
  • Media labeling to indicate owner, classification and special handling restrictions;
  • Maintenance of information where the information storage requirement exceeds the expected media lifetime; and,
  • Secure erasure and disposal

2) Disposal of media

The purpose is to ensure that information cannot be retrieved from media that is no longer in use.XXX. has defined procedure for the disposal of computer media. Media must be disposed of securely and in a manner appropriate for the sensitivity of the data it contains. The Tapes, CDs, and Hard Disks have been covered in ‘PR-17-ISMS–Media Handling Process.docx’.
Any asset capable of storing electronic information is considered a type of media, including mobile and portable storage devices, hard disks, CDs, DVDs, and tapes. Information Owners and Information Custodians must ensure that media that is no longer required operationally (e.g., due to expiry, surplus, damage or wear), is disposed of securely. Prior to disposal, the CISO office must be consulted. Media disposal procedures must:

  • Be documented and communicated to employees;
  • Specify erasure and disposal measures whose strength is based on information sensitivity and type of media (e.g., erasure software);
  • Include secure disposal or destruction of media if erasure is not sufficient, or not cost-effective (e.g., destruction by shredding, incineration, or chemical dissolution);
  • Include secure storage measures for media collected for and awaiting erasure or disposal, to avoid undetected theft of small amounts of media from large volumes awaiting disposal; and,
  • Include audit logs of media disposal.
  • Corporate Information and Records Management Office is responsible for ensuring secure disposal services are available to Information Owners and Information Custodians.

3) Physical media transfer

The purpose is to protect information from unauthorized disclosure or loss during the physical transport of media. Backup media, Floppy, CD, Hardcopy, etc. being transported from one location to the other is protected from unauthorized access, misuse and corruption by sending them through trusted, employees with proper authorization and adequate protection. The Chief Information Officer must document and implement security measures for the protection of media during transport that meet information classification and handling requirements. If information of various classifications is stored on media, the media must be protected according to the highest classification of the information stored. Minimum media transport requirements are:

  • Using couriers that are approved by the organization;
  • Inspecting identification credentials of couriers upon pickup and delivery of packages;
  • Obtain and retain receipts for media shipments;
  • Using packaging that will protect the media from loss or damage; and,
  • Packaging so that the classification of the media is not displayed.
  • Responsibility for specification of physical transport procedures are shared between Corporate Information and Records Management Office and the Risk Management Branch and Information Security Office.

4) Removal of assets

The purpose is to protect assets belonging to the Province from unauthorized removal. All the equipment that is taken out of the XXX follows a proper authorization process. A proper gate pass is to be signed by the IT Manager before taking any equipment out of the XXX. Equipment, information, or software belonging to the XXX must not be removed from the premises without prior authorization. Information Owners must establish a formal authorization process for the removal of assets for re-location, loan, maintenance, disposal, or any other purpose. Authorization forms for asset removal must include:

  • Description and serial numbers;
  • Information about where the asset will be located;
  • The removal date and return date;
  • The identity of the individual responsible for the asset;
  • Reason for removal of the asset.

The description and serial numbers must be verified when the asset is returned. Employees must be informed of, and accept responsibility for, protection of the asset (e.g., Terms and Conditions of Use).

Guidelines:
A Corporate Supply Arrangement exists for the provision of secure media disposal services. Secure disposal service companies should be used where practical to perform media disposal. Contact the Ministry Records Officer for further details.

Where supported by a Security Threat and Risk Assessment, additional controls to protect media during transport include:

  • Using notifications of transport activities, such as o sender informing receiver of the impending shipment, and, receiver confirming receipt of the shipment;
  • Using two layers of packaging where the inner layer indicates the classification and handling requirements; and,
  • Using a locked container.

A.7.11 – Supporting utilities

Control Objective: Information processing facilities should be protected from power failures and other disruptions caused by failures in supporting utilities.

The purpose is to prevent loss, damage or compromise of information and other associated assets, or interruption to the organization’s operations due to failure and disruption of supporting utilities.  All IT equipment are protected from power failure and other electrical anomalies. Arrangements are made to provide an uninterrupted power supply (UPS) to all critical information processing facilities. UPS are maintained as per the OEM’s instructions and covered under the AMC contract. Lighting protection is provided to the building. The adequate capacity of DG sets is available which are turned on in case of failure or routine power cuts. Equipment must be protected from power supply interruption and other disruptions caused by failures in supporting utilities.
a) Planning and design
b) Maintenance

a) Planning and design
Information Owners, planners, architects, and engineers must collaborate in the planning and design of an information processing facility to ensure that supporting utilities (e.g., water, power, sewage, heating, ventilation) are adequate to support employees and systems that will be located in the facility. This includes estimating current and future utility capacity requirements for the facility. In addition to meeting the building code and other regulations, the following must be included in facility planning and specifications:

  • Uninterruptible power supply, back-up generators, and fuel, as required by business and technical requirements;
  • Emergency power off switches located near emergency exits in equipment rooms;
  • Emergency lighting;
  • Alarms to indicate inadequate water pressure for fire suppression;
  • Alarms to indicate malfunctions in heating, ventilation, air conditioning, humidity control and sewage systems;
  • Multiple connections to the power utility for critical systems and equipment;
  • Multiple telecommunications connections to prevent loss of voice services; and,
  • Adequate voice communications to meet regulatory requirements for emergencies.

b) Maintenance
Information Owners must ensure that facilities are inspected regularly in accordance with building codes and other regulations. Evacuation and other emergency drills must be practiced regularly in collaboration with fire and emergency services. The facility requirements for utilities shall be re-evaluated:

  • During the planning phase for replacing or changing existing technology hardware;
  • When moving significant numbers of new employees into facilities;
  • During the planning of renovations or major changes to an existing facility;
  • Prior to leasing a facility; and,
  • When there are major changes to the surrounding area that may affect utilities, evacuation routes or other safety aspects.

A.7.12 Cabling security

Control Objective: Cables carrying power, data or supporting information services should be protected from interception, interference or damage.

The purpose is to prevent loss, damage, theft or compromise of information and other associated assets and interruption to the organization’s operations related to power and communications cabling. The power and data cables are well protected and isolated in order to protect from interception and damage. All the cables (data, telecommunication, and electrical) are laid using proper conduits, in order to protect them from external damage. Power cables and network cables are well separated to prevent any interference.

a) Protection
Information Owner, planners, and architects must include the protection of power and telecommunications cabling from interception and damage when designing or leasing facilities. The following methods to increase protection must be considered:

  • Access to communication closets and server rooms must be highly restricted;
  • Power and telecommunications cabling must be underground and/or in a secure conduit;
  • Information cabling other than fiber optic must be protected with electromagnetic shielding when required;
  • When supported by a Security Threat and Risk Assessment, consideration must be given to the use of fiber optics for telecommunications cabling;
  • Cables must not be accessible in public areas;
  • Power and telecommunications cabling must be segregated in accordance with building codes and other regulations; and,
  • Inspection boxes, termination points, patch panels, control rooms and other facilities must be secured and located inside a Restricted Access Security Zone.

b) Inspection and monitoring
Information Owners must ensure that:

  • The integrity of power and telecommunications cables are monitored through regular inspections and reports;
  • Power cabling and telecommunication schematics and documentation must be maintained in order to support inspections;
  • Records of patches and other changes are maintained and inspected;
  • Power and telecommunications cabling and wiring closets are inspected regularly and monitored for unauthorized access or inappropriate activity. The frequency of monitoring activities must be supported by a Security Threat and Risk Assessment.

A. 7.13 Equipment maintenance

Control Objectives: Equipment should be maintained correctly to ensure availability, integrity and confidentiality of information.

The purpose is to prevent loss, damage, theft or compromise of information and other associated assets and interruption to the organization’s operations caused by lack of maintenance. All equipment in  Server Room is being correctly maintained to ensure their continued availability and integrity. Adhering to the following steps ensures this:

  • All equipment’s is maintained in accordance with the OEM’s recommendations for service intervals and specifications.
  • All critical equipment’s is covered under AMC.
  • All equipment’s is under regular preventive maintenance.

Equipment must be correctly maintained to enable continued availability and integrity.
a) Routine maintenance
b) Maintenance of systems, hardware, or media containing the Organization information

a) Routine equipment maintenance
Equipment being repaired or maintained must be protected commensurate with the sensitivity of the information it contains and the value of the equipment. Information Owners must determine if repair or maintenance can be conducted off-site. The need to protect sensitive information may justify equipment destruction and replacement rather than repair or maintenance. Information Owners are responsible for:

  • Ensuring the scheduling of routine, preventive maintenance of equipment by qualified, authorized employees;
  • Ensuring that maintenance is performed in accordance with the manufacturer’s specifications, in compliance with warranty requirements, and using safe practices as specified in building codes, other regulations and insurance policies;
  • Ensuring that, where possible, maintenance is scheduled to avoid interference with services or operations;
  • Notifying affected employees prior to taking equipment off-line for scheduled maintenance;
  • Ensuring that the value and sensitivity of the information contained on the device is considered prior to approval of off-site maintenance;
  • Equipment sent for off-site maintenance must be inspected and logged out;
  • Ensuring equipment returning from off-site repair or maintenance is inspected and logged in;
  • Maintaining detailed records to identify trends, weaknesses and additional maintenance requirements which must include:
    • Place, date, time, type of scheduled maintenance and technical employees,
    • Suspected and actual faults identified,
    • Diagnostics performed and corrective action taken,
    • Unusual or unexpected events, such as early failures or breakdowns, and,
    • Any other event that requires maintenance.
  • Ensuring maintenance on critical equipment is undertaken in such a manner that the system is not off-line due to scheduled maintenance; and,
  • Ensuring that when equipment is brought back on-line after scheduled maintenance that all operational specifications are satisfactory.

b) Maintenance of systems, hardware, or media containing the organization information
Dept HOD must consult with Information Owners regarding the value and sensitivity of the information stored on hardware or media when determining whether repairs will be conducted. Dept HOD must ensure that information is safeguarded:

  • Maintenance on critical systems must be undertaken in such a manner that the system is not off-line due to scheduled maintenance;
  • Hardware or media sent for repairs or maintenance outside of the information processing facility must do so through pre-approved and screened bonded couriers;
  • Hardware or media containing confidential or personal information must not have maintenance or repairs conducted off-site;
  • Hardware or media containing confidential or personal information that cannot be repaired on-site must be destroyed in accordance with approved disposal standards commensurate with the sensitivity of the information held;
  • Maintenance must be factored into system availability requirements; and,
  • Repair or maintenance must be conducted within the country.

A.7.14 Secure disposal or re-use of equipment

Control Objective: Items of equipment containing storage media should be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

The purpose is to prevent leakage of information from equipment to be disposed or re-used. The information available on equipment’s is removed or erased before the equipment disposal. The information available on equipment’s, which is re-used for some other purposes, is removed or erased before the equipment is re-used. The information available on media, which is re-used for some other purposes, is removed or erased before the media is re-used. All defective computer media, to be disposed of, is destroyed completely and all relevant information is made irrecoverable. Information, records, and software must be protected against unauthorized disclosure when hardware and media are reassigned or destroyed.
a) Reassignment of hardware and media
b) Destruction of hardware

a) Reassignment of hardware and media
Information Owners must consider the value and sensitivity of the information stored on hardware or media when determining whether it will be reassigned within organizations or destroyed. Reassignment must only occur within or between departments. Prior to the reassignment of hardware or media, Information Owners must ensure:

  • The integrity of the records is maintained by adhering to Records Management policies;
  • Information and software are erased using methods and standards approved by the Chief Information Officer;
  • Roles and responsibilities are documented;
  • Asset inventories are updated to record details of the erasure and reassignment including:
    • Asset identifier,
    • Date of erasure,
    • Names of employees conducting the erasure,
    • Date of transfer, and,
    • Name of new asset custodian.

Where information is erased by third parties there must be contractual and audit procedures to ensure complete destruction of the media. Third parties must certify that destruction has occurred.

b) Destruction of hardware
Information Owners are responsible for ensuring hardware media used to store information or software is destroyed in a secure manner. Management Representative is responsible for ensuring secure disposal or destruction services are available to Information Owners.

A. 8.1 User endpoint devices

Control Objectives: Information stored on, processed by or accessible via user endpoint devices should be protected.
The purpose is to protect information against the risks introduced by using user endpoint devices.

  1. Mobile Device Policy

XXX. has a well-defined policy and guidelines on the use of laptops. Refer ‘PR-17-ISMS-AHP-Asset Handling Process.docx’.Appropriate controls must be implemented to mitigate security risks associated with the use of mobile devices.
a) Information protection paramount
b) Service-specific risks and practices
c) Protection of credentials
d) Protection of network endpoint and physical device
e) Human factors
f) Risk assessment factors

a) Information protection paramount
The use of mobile devices such as laptops, tablets, or smartphones to access, store, or process information increases the risk of information compromise. Mobile devices are typically small and portable, used in uncontrolled public environments, and easily lost, stolen, or damaged. Information Owners must ensure that the use of mobile devices is managed and controlled. To ensure that sufficient safeguards are implemented to mitigate risks mobile devices must be enrolled in Mobile Device Management Service. Users of mobile devices must protect the information and information technology assets in their custody or control.

b) Service-specific risks and practices
Providers of mobile computing services (such as the Technology Services Division) must perform regular risk assessments to identify service-specific risks (e.g., perform or update the risk assessments on an annual basis). Information Owners and Information Custodians must develop, document, and maintain policies, standards, practices, and guidelines that address these risks, and communicate them to employees.

c) Protection of credentials
User identifiers and user credentials must be protected to reduce the risk of unauthorized access to information and information technology assets. In particular, employees must protect against visual eavesdropping of passwords, PINs, and other credentials, especially when in public places.

2) Unattended user equipment

 A well-defined policy exists at XXX. regarding equipment’s unattended for a long duration. Employees must ensure unattended equipment has appropriate protection. Information Owners must ensure that employees are aware of their responsibilities to secure unattended equipment to prevent unauthorized access to information systems by:

  • Locking or terminating information system sessions before leaving the equipment unattended;
  • Enabling password protection features on the equipment (e.g., screen savers on workstations);
  • Shutting down and restarting unattended workstations at the end of each workday;
  • Enabling password protection on mobile devices including portable storage devices;
  • Being aware of their responsibility to report security weaknesses where the above controls have not been applied.

Workstations and other devices used for information system access must automatically activate screen savers or equivalent locking systems after 15 or fewer minutes of inactivity.

a) Protection of network endpoint and physical devices
Mobile devices are typically used to store information or remotely access the networks and services. The policies and procedures governing remote access apply to mobile devices. Where Remote Access services are used, the mobile device must be configured to prevent its use as a conduit between the different networks (e.g., VPN split tunneling must be disabled). Network access to mobile devices from unauthorized networks must be blocked by the implementation of firewall or filtering technologies to protect against attacks (e.g., to prevent network attacks against the mobile device). Mobile devices must be protected against mobile and malicious code. Mobile devices must be locked and/or secured when unattended to prevent unauthorized use or theft (e.g., use device locks, cable locks, physical container locks, PINs or screensaver locks).

b) Human factors
Information Owners and Information Custodians must provide employees using mobile devices with security awareness training to ensure that they are:

  • Aware of the additional risks and responsibilities inherent in mobile computing and when using mobile devices;
  • Familiar with operation of the protection technologies in use; and,
  • Familiar with the Information Incident Management Process.

c) Risk assessment factors
The Security Threat and Risk Assessment must consider threats to information and information technology assets, such as:

  • Physical theft;
  • Use of mobile devices to remotely access the networks and systems;
  • Data interception;
  • Credential theft;
  • Unauthorized device use;
  • Device disposal;
  • Information disposal;
  • Covert key logging or password harvester programs; and,
  • Malicious and mobile code.

Information classification and sensitivity levels must be considered in the risk assessment. Storage of information on mobile devices must be avoided and is allowed only in extenuating circumstances, as defined in the Appropriate Use Policy. Minimum information protection safeguards for the use of mobile devices must include:

  • Encryption of stored data to prevent information loss resulting from the theft of the mobile or remote device;
  • Encryption of data transmitted via public network;
  • Access control permissions on a mobile device to prevent unauthorized access to information by system users, particularly for multi-user mobile systems;
  • Regularly maintained data backups of information stored on mobile devices using the backup facilities to protect against information loss;
  • Physical security of the device at all times to protect against asset and information loss;
  • User authentication to the mobile device and user authentication for remote access from the device in accordance with authentication policies.

While Security Threat and Risk Assessments are not required for all apps on mobile devices, where the app is used for processing the information, a Security Threat and Risk Assessment and Privacy Impact Assessment must be completed before the use of the app. Apps should be downloaded only from official vendor provided app stores. Mobile devices attached to the network must be used according to vendor specifications (e.g., not removing vendor built-in restrictions). Employees should always consider potential risks before downloading apps on their mobile devices. Some apps have been found to have harmful effects and may inadvertently release information from the mobile device to third parties.

A.8.2 Privileged Access rights

Control Objective: The allocation and use of privileged access rights should be restricted and managed.

The purpose is to ensure only authorized users, software components and services are provided with privileged access rights. The allocation and use of privileges are restricted and controlled. Any privilege given onto any system of XXX is covered. The allocation and use of system privileges must be restricted and controlled.
a) Managing, restricting, and controlling the allocation and use of system privileges
b) Managing the issuance of privileged user credentials
c) Managing the issuance of multiple factors of authentication credentials

a) Managing, restricting and controlling the allocation and use of system privileges

Information Owners are responsible for authorizing system privileges and must:

  • Identify and document the system privileges associated with each information system or service;
  • Ensure the process for requesting and approving access to system privileges includes Supervisor approval(s) prior to granting of system privileges;
  • Ensure processes are implemented to remove system privileges from employees concurrent with changes in job status (e.g., transfer, promotion, termination);
  • Limit access to the fewest number of employees needed to operate or maintain the system or service;
  • Ensure the access rights granted are limited to and consistent with employee job functions and responsibilities;
  • Maintain a record of employees granted access to system privileges;
  • Ensure use of system privileges is recorded in audit logs which are unalterable by the privileged user;
  • Implement processes for ongoing compliance checking of the use of system privileges; and,
  • Implement processes for regular review of authorizations in place to confirm that access is still needed and that the least number of users needed have access.

User identifiers with system privileges must only be used for performing privileged functions and not used to perform regular activities. User identifiers established to perform regular activities must not be used to perform privileged functions.

Privileged users should:

  • Not read the data of an information asset unless authorized;
  • Be able to alter user permissions for an information asset; and,
  • Be permitted to view, but not alter, user activity logs as part of security safeguards.

b) Managing the issuance and revocation of privileged user credentials
The issuance of privileged user credentials must have two levels of approval. The use of system privileges should require the use of multi-factor authentication.

c) Managing the issuance of multiple factors of authentication credentials
The management of issuance of multiple factors of authentication credentials is covered in the Cryptographic Standards for Information Protection.

Guidelines:

  • The design of information systems should include processes for performing regular maintenance activities which avoid the requirement of system privileges.
  • Whenever possible system routines should be used to execute system privileges rather than granting system privileges to individual employees.
  • System acquisition and development should encourage use of programs which minimize the need for employees to operate with system privileges.

A.8.3 Information access restriction

Control Objective: Access to information and other associated assets should be restricted in accordance with the
established topic-specific policy on access control.

 The purpose is to ensure only authorized access and to prevent unauthorized access to information and other associated assets.

Unauthorized access to information is restricted. Access to information systems functions and information must be restricted in accordance with the access control policy.
a) Information access controls
b) System configuration
c) Publicly accessible information
d) Segregation of sensitive information systems

a) Information access controls
Information Owners are responsible for ensuring the implementation of the access control policy for their business applications. Every information system must have an access control policy that specifies access permissions for information and system functions. The access control policy must identify the information and system functions accessible by various classes of users. The application and information section of the access control policy must specify:

  • The information to be controlled;
  • The system functions to be controlled; and,
  • The roles authorized to access the resources and information and what types of access are permitted (e.g., Create, Read, Update/Write, Delete, Execute) based on business need.

b) System configuration
Information system access controls must be configurable to allow Information Custodians to modify access permissions without making code changes. System utilities or functions that can bypass user access controls must be specified in the access control policy. Access to these utilities and functions must be restricted.

c) Publicly accessible information
Information that is publicly accessible must be segregated from non-public information.

d) Segregation of sensitive information systems
Information Owners must conduct a Security Threat and Risk Assessment to determine the information system classification level. The information system classification level determines which network security zone the information system must reside in. Security zones must be established using physical or logical methods, which may include separate network segments, separate servers, firewalls, access control lists, and proxy servers.

A.8.4 – Access to source code

Control Objective: Read and write access to source code, development tools and software libraries should be appropriately managed.

The purpose is to prevent the introduction of unauthorized functionality, avoid unintentional or malicious changes and to maintain the confidentiality of valuable intellectual property. . Source code and program libraries are not accessed by unauthorized people. Code management of IT-related applications is being performed according to the PR-08-SCM-Configuration Management Process’. Information Owners must implement procedures to control access to program source code for information systems to ensure that:

  • Program source code is isolated and stored separately from operational information systems;
  • Privileged users access is defined and monitored;
  • A change control process is implemented to manage updating of program source libraries and associated items;
  • Program source code contained on any media must be protected; and,
  • Accesses and changes to program source libraries are logged.

A.8.5 Secure authentication

Control Objective: Secure authentication technologies and procedures should be implemented based on information access restrictions and the topic-specific policy on access control.

The purpose is to ensure a user or an entity is securely authenticated, when access to systems, applications and services is granted. All user machines are accessible through a user name and password. These are assigned to each authorized user and are unique in nature. Unauthorized access is not permitted. Access to information systems must use a secure login process.
a) Information displayed during logon
b) Unsuccessful logon attempts
c) Password transmission

a) Information displayed during logon
CISO must ensure that Information owners configure logon processes to minimize the opportunity for unauthorized access, which includes:

  • Not displaying details about backend systems (e.g., operating system information, network details) prior to successful completion of the logon process to avoid providing an unauthorized user with any unnecessary assistance;
  • Validating logon information only on completion of all input data; and,
  • Not displaying passwords in clear text as they are entered.

b) Unsuccessful logon attempts
CISO must ensure that Information owners configure logon processes to:

  • Record unsuccessful logon attempts;
  • Allow a limited number of unsuccessful logon attempts;
  • Limit the maximum and minimum time allowed for the logon procedure, and if exceeded, the system should terminate the logon; and,
  • Force a time delay or reject further logon attempts if the limited number of consecutive unsuccessful logon attempts is reached.

c) Password transmission
Information Owners and must ensure logon processes are configured to prevent transmission of passwords in cleartext.

Standards:
After three consecutive failed logon attempts for an account the logon process must:

  • Lock the account and require Administrator intervention; or,
  • Lock the account for 15 minutes and then allow a further three logon attempts.

Guidelines:
A general warning should be displayed that the information system is accessed only by authorized users. The logon procedure should permit users to monitor the security of their account by displaying the following information on completion of a successful login:

  • Date and time of the previous successful logon; and,
  • Details of any unsuccessful logon attempts since the last successful logon.

A.8.6 Capacity management

Control Objectives: The use of resources should be monitored and adjusted in line with current and expected capacity requirements.

The purpose is to ensure the required capacity of information processing facilities, human resources, offices and other facilities.  It is the responsibility of the individual managers to look for capacity demands for their projects in advance. This ensures that the required capacity can be arranged in time to minimize the risk of failure due to lack of capacity. It also ensures the continuous availability of operational systems. The utilization of existing resources is monitored regularly. Controls must be applied to limit opportunities for information leakage. Information Owners must implement processes to reduce the opportunity for information leakage in information systems by:

  • Scanning for malicious code;
  • Monitoring resource usage in information systems;
  • Identifying and limiting the trusted connections in and out of the organization network;
  • Controlling third party network connections (e.g., only authorized traffic permitted);
  • Using software that is considered to be of high integrity;
  • Regular monitoring of information systems; and
  • Reviewing usage and access logs for irregularities.

Guidelines:
Scanning outbound media and communications for hidden information should be considered.

A 8.7 Protection from Malware

Control Objective: Protection against malware should be implemented and supported by appropriate user awareness.

The purpose is to ensure information and other associated assets are protected against malware. Precautions are required to prevent and detect the introduction of malicious software. Software information processing facilities are vulnerable to the introduction of malicious software, such as computer viruses, network worms, Trojan horses, and logic bombs, etc. XXX. has implemented several controls to address the threat:

  • XXX. has a policy for prevention against malicious software.
  •  XXX. has a policy for the use of networks or any other medium as a preventive measure against virus attacks.
  • Virus attacks and software malfunctions due to malicious software are treated as security incidents and handled.
  • To prevent loss of data due to malicious software regular backups of critical data are taken regularly.

Security awareness, prevention, and detection controls must be utilized to protect information systems against network and host-based threats.
a) Prevention and detection controls
b) User awareness

a) Prevention and detection controls
Information Owners must protect information systems from network and host-based threats by undertaking such activities as:

  • Installing, updating and consistently using software designed to scan for, detect and provide protection from network and host-based threats;
  • Prohibiting the use of unauthorized software;
  • Checking files, including electronic mail attachments and file downloads for malware before use;
  • Maintaining business continuity plans to recover from security incidents;
  • Regularly reviewing file and data content on critical systems to identify unapproved or unauthorized files and file changes; and
  • Scanning back-up media prior to restoration so that malware is not introduced or re-introduced into an information system and network.

The Chief Information Security Officer must ensure processes are implemented to:

  • Maintain a critical incident management plan to identify and respond to security incidents; and,
  • Maintain a register of specific threat countermeasures (e.g., blocked websites, blocked electronic mail attachment file types, blocked network ports, additional monitoring, etc.) including a description, the rationale, the approval authority and the date applied.

b) User awareness
The Chief Information Security Officer is responsible for developing user awareness programs for threat countermeasures. The Information Security Officers are responsible for communicating technical advice and providing information and awareness activities regarding network and host-based threats. Employees are required to complete the information protection courses provided by the CISO as part of their awareness training.

A.8.8 Management of technical vulnerabilities

Control objective: Information about technical vulnerabilities of information systems in use should be obtained, the
organization’s exposure to such vulnerabilities should be evaluated and appropriate measures should be taken.

The purpose is to prevent exploitation of technical vulnerabilities.. XXX. is using VA/PT to obtain information on new exposures while applying patches for earlier identified threats and vulnerabilities. The VA/PT shall be carried out as per Security Committee Review Procedure. Appropriate actions will be initiated based on threat assessment diagnosed from VA/PT. Assessments for known exposures must be conducted to evaluate information system vulnerabilities and the management of associated risks. Vulnerabilities that impact information systems must be addressed in a timely manner to mitigate or minimize the impact on the operations. Information Owners must establish processes to identify, assess and respond to vulnerabilities that may impact information systems by:

  • Monitoring external sources of information on published vulnerabilities;
  • Assessing the risk of published vulnerabilities;
  • Testing and evaluating options to mitigate or minimize the impact of vulnerabilities;
  • Applying corrective measures to address the vulnerabilities;
  • Completing a Security Threat and Risk Assessment to verify the risk has been mitigated; and,
  • Reporting to the Chief Information Security Officer on progress in responding to vulnerabilities.
  • Responsibilities for vulnerability response by service providers must be included in external party service agreements.

The Chief Information Security Officer must:

  • Evaluate vulnerabilities and provide advice on appropriate responses;
  • Monitor progress in responding to vulnerabilities;
  • Publish summary reports on vulnerability response activities and costs; and,
  • When required, initiate incident response processes to address vulnerabilities.

Technical compliance checking

Periodic internal audits, third party audits and independent VA/PT shall be planned for and conducted according to Security Committee Review Procedure.Information systems must be regularly reviewed for compliance with security policies and standards.
a) Technical compliance checking
b) Authorization to conduct technical compliance checking
c) Reporting results

a) Technical compliance checking
Information Owners must regularly test information system technical control compliance by using automated tools to:

  • Detect network intrusion;
  • Conduct penetration testing;
  • Determine if information system patches have been applied;
  • Confirm that system technical controls have been implemented and are functioning as designed; and,
  •  
  • Perform technical compliance checking as part of the system change management process to verify that unauthorized connections and/or systems changes have not been made.

b) Authorization to conduct technical compliance checking
Supervisors responsible for technical compliance checking must ensure that:

  • Information Owners and operations employees are consulted prior to initiating tests;
  • The Chief Information Security Officer is notified prior to testing to prevent triggering false security alarms from the infrastructure; and,
  • Automated testing of operational systems is conducted by employees authorized by the Chief Information Security Officer.

Department HOD must consult with the Chief Information Security Officer prior to issuing Requests for Proposal or contracts for technical compliance checking.

c) Reporting results
Supervisors responsible for technical compliance checking and Information Custodians must:

  • Assess results of testing and promptly develop action plans to investigate and mitigate identified exposures in consultation with the Ministry Information Security Officer;
  • Provide Information Owners and the Chief Information Security Officer with copies of test results and action plans;
  • Provide the Chief Information Security Officer with the internal or external audit reports immediately upon receipt; and,
  • Maintain records, in accordance with established records schedules, of tests for subsequent review by internal and external auditors.

Guidelines:
The Chief Information Security Officer should:

  • Develop and maintain testing processes for authorizing/conducting tests, storing results and building on previous testing experience; and,
  • Provide summarized quarterly reports to the Chief Information Officer on the status and results of testing.

A 8.9 Configuration management

Control objective: Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed.

The purpose is to ensure hardware, software, services and networks function correctly with required security settings, and configuration is not altered by unauthorized or incorrect changes.XXX uses a wide variety of components in creating and running its ICT infrastructure and end-user devices. These consist of hardware, software, cloud services and networks and all are potentially vulnerable to attack from threats from different sources. In order to lessen the risk of these components becoming compromised, it is important that we identify the most appropriate ways of configuring them and then ensure that these methods are used throughout our ICT landscape. This control applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to XXX’s systems. New components that make up ISMS hardware, software, services and networks must have their required security settings defined and correctly configured prior to their implementation within our ICT environment. Configurations of existing components must be reviewed periodically to ensure they meet the requirements of this policy. Such components will include, but are not limited to:

  • Endpoint devices, such as desktops, laptops, mobile phones and tablets
  • Physical network devices, such as routers, switches and firewalls
  • Physical servers, including system software such as operating systems, databases and web servers
  • Cloud infrastructure, such as virtual servers, networks and storage
  • Where possible, standard templates will be used to document the required configuration of ICT components. These templates will be subject to change and version control.
  • The configurations defined will take appropriate account of available sources of information about securing the relevant components, such as vendor templates, guidance from cyber security authorities and best practice organizations, system hardening guides and our own information security policies.
  • Details of configuration standards will be protected as sensitive information which would be of use to an attacker.
  • Configuration standards must be reviewed on a regular basis and kept up to date with changes in the components themselves (such as new hardware or software versions) and the threats and vulnerabilities they face.
  • The correct configuration of components will be monitored and instances where existing settings deviate from the established standard will be investigated and, if necessary, corrected.
  • Where feasible, automated software methods such as Infrastructure as Code (laC) will be used to create components with the correct configuration. Automated audit tools may also be used to check configurations regularly and report on and correct those found to be non compliant.

Configuration Management
A configuration model must be established which records the relationship between configuration items. There must be a documented plan that will define the activities, applicable standards and organization for configuration management. The configuration Management Database must be managed to ensure continued availability and integrity. Repairs and maintenance must be scheduled, communicated, and arranged to minimize business disruption in accordance with the Change Management Policy.

Configuration Item Management
All Configuration Items must be uniquely identifiable, and their functional and physical characteristics must be documented in a Configuration Management Database. Configuration Baselines must be established. Configuration Items must be added, modified, replaced in the Configuration Management Database to support the Change Management Policy. Each Configuration Item must have one or more life cycle states through which it can progress over the course of the configuration item’s life.

Governance
Formal responsibilities and procedures must be in place to ensure Configuration Item documentation is kept upto-date and accurate. Regular checks (Verification and Audit) must be performed, to ensure that the information contained in the Configuration Management Database (CMDB) reflects an accurate representation of the Configuration Items (CIs) as they exist in the live production environment.

A 8.10 Information deletion

Control Objective: Information stored in information systems, devices or in any other storage media should be deleted when no longer required.
The purpose is to prevent unnecessary exposure of sensitive information and to comply with legal, statutory, regulatory and contractual requirements for information deletion. XXX will ensure that information is not kept longer than is necessary and will retain the minimum amount of information that it requires to carry out its’ statutory functions and the provision of services.

Retention, Deletion and Archiving

In circumstances where a retention period of specific data or a document has expired, a review should always be carried out prior to a decision being made to dispose of it. This review should not be particularly time consuming and should be straightforward. If the decision to dispose of data or a document is taken, then consideration should be given to the method of disposal to be used. Archiving is defined as the process of moving data that is no longer actively used to a separate storage device for long-term retention. Archive data consists of older data that is still important to XXX and may be needed for future reference, as well as data that must be retained for regulatory compliance. Paper records shall be archived in secured storage onsite, clearly labelled in archived boxes Electronic data and records shall be archived in a format which is appropriate to secure the confidentiality, integrity and accessibility of the data.

Retention Period

Personal data of any staff member or customer shall not be kept for longer than necessary for the purposes for which it is processed. Backups for support purposes shall not be kept for longer than the job requires. Once the support job has been completed, any backups used should be removed in accordance with this policy on the destruction of electronic records. The archiving period of data shall be seven years unless an exception has been obtained permitting a longer or shorter active use period.

Destruction

The destruction of obsolete or superseded data is an essential step in running a credible, reliable, and effective software company. Keeping out-of-date records only creates confusion, making it difficult for personnel to know which records are authoritative and which records are no longer needed for business. Obsolete or superseded data must to be destroyed in order to:

  • ensure current data is reliable and efficient.
  • reduce maintenance and storage costs.
  • demonstrate accountability and consistency in implementing destruction decisions.
  • improve the efficiency of paper and electronic records systems by removing unwanted records.
  • reduce the risk that sensitive or personal information will fall into the wrong hands.

No destruction of data should take place without assurance that:

  • the record is no longer required by any part of the business.
  • no work is outstanding by any part of the business.
  • no litigation or investigation is current or pending which affects the record.
  • there are no current or pending access requests which affect the record.

The process of destroying records must be irreversible, so that there is no reasonable risk that the information may be recovered. The more sensitive the records, the more certain you must be of the irreversibility of the destruction process. Failure to ensure total destruction may lead to the unauthorized release of sensitive information.

Destruction of Paper Records

Destruction should be carried out in a way that preserves the confidentiality of the record. Confidential records with personal data relating to any customer or staff member must be shredded once no longer required. All copies including security copies, preservation copies and backup copies should be destroyed at the same time in the same manner. ­­­­­­

Destruction of Electronic Records

All electronic data must be destroyed in a manner in which the data cannot be ‘un-deleted’ or restored from backups. Backups used for support purposes must be removed from all places it has been stored.

Right to Erasure

Customers and staff have the right to obtain erasure from the Focus Micro Systems, without undue delay, if one of the following applies:

  • XXX doesn’t need the data anymore for the purpose which it was originally collected or processed.
  • XXX are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent.
  • XXX are processing the personal data for direct marketing purposes and the individual objects to that processing.
  • The subject uses their right to object to the data processing.
  • The controller and/or its processor is processing the data unlawfully.
  • There is a legal requirement for the data to be erased.

A 8.11 Data masking

Control Objective: Data masking should be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.
The purpose is to limit the exposure of sensitive data including PII, and to comply with legal, statutory, regulatory and contractual requirements.A variety of data management techniques can be used to mask or anonymize PII and other private and sensitive data depending on the data type. These masking methods include the following:

  • Scrambling:Scrambling randomly reorders alphanumeric characters to obscure the original content. For example, a customer complaint ticket number of 3429871 in a production environment could appear as 8840162 in a test environment after being scrambled. Although scrambling is easy to implement, it only works on certain types of data. Data obfuscated this way is not as secure as other techniques.
  • Substitution: This technique replaces the original data with another value from a supply of credible values. Lookup tables are often used to provide alternative values to the original, sensitive data. The values must pass rule constraints and preserve the original characteristics of the data.
  • Shuffling: Values within a column, such as user surnames, are shuffled to randomly reorder them. For example, if customer surnames are shuffled, the results look accurate but won’t reveal any personal information. However, it is essential that the shuffling masking algorithm is kept secure so it cannot be used to reverse-engineer the data masking process.
  • Date aging: This method increases or decreases a date field by a specific date range. Again, the range value used must be kept secure.
  • Variance: A variance is applied to a number or date field. This approach is often used for masking financial and transaction value and date information. The variance algorithm modifies each number or date in a column by a random percentage of its real value. For instance, a column of employees’ salaries could have a variance of plus or minus 5% applied to it. This would provide a reasonable disguise for the data while maintaining the range and distribution of salaries within existing limits.
  • Masking out: Masking out only scrambles part of a value and is commonly applied to credit card numbers where only the last four digits remain visible.
  • Nullifying: Nullifying replaces the real values in a data column with a null value, completely removing the data from view. Although this sort of deletion is simple to implement, the nullified column cannot be used in queries or analysis. As a result, it can degrade the integrity and quality of the data set for development and testing environments.

8.12 Data leakage prevention

Control Objective: Data leakage prevention measures should be applied to systems, networks and any other devices that process, store or transmit sensitive information.

Th purpose is to detect and prevent the unauthorized disclosure and extraction of information by individuals or systems. Data Leakage Prevention is a set of technologies and business policies to make sure end-users do not send sensitive or confidential data outside the organization without proper authorization. It enforces remediation with alerts, encryption, and other protective actions to prevent end users from accidentally or maliciously sharing data that could put the organization at risk. Sensitive information might include financial records, customer data, or other PII.

  • The documents containing classified information will be marked with an embedded security classification to facilitate technical measures within boundary controls to prevent data loss and indicate to information users its classification and handling requirements
  • Data at rest on portable computers will be protected from theft/loss by use of assured encryption.
  • Data at rest on portable data storage devices will be protected from theft/loss by use of assured encryption.
  • Boundary controls shall be cognizant of the levels of classification that are/are not appropriate for each egress path. For example, some classifications may be permitted for transmission over secure email systems, or for upload to secure websites within the network.
  • Boundary controls will block content that obfuscates electronic security classifications by encryption (e.g. zipped files).
  • The following boundary controls will implement technical measures to prevent data loss:
    – Email attachment filters (outgoing)
    – Internet/web traffic (outgoing)

A.8.13 Information back up

Control Objective: Backup copies of information, software and systems should be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.

The purpose is to enable recovery from loss of data or systems.  Backup of informational Servers are taken regularly. XXX. has a well-defined procedure for Information backup and restoration. Information and information systems must be backed up and the recovery process tested regularly.
a) Defining requirements
b) Safeguarding backup facilities and media
c) Testing

a) Defining requirements
Information Owners must define and document backup and recovery processes that reflect the security classification and availability requirements of information and information systems including:

  • Confirming that the backup and recovery strategy complies with:
    • Business continuity plans,
    • Policy, legislative, regulatory and other legal obligations, and,
    • Records management requirements, including the Administrative Records Classification System (ARCS)
    • Operational Records Classification System (ORCS), and,
  • Documenting the backup and recovery processes including:
    • Types of information to be backed up,
    • Schedules for the backup of information and information systems,
    • Backup media management (e.g., retention period, pattern of backup cycles),
    • Methods for performing, validating and labelling backups, and,
    • Methods for validating recovery of the information and information system.

b) Safeguarding backup facilities and media
Information Owner must conduct a Security Threat and Risk Assessment to identify safeguards for backup facilities and media that are commensurate with the value and sensitivity of the information and information systems. Safeguards include:

  • Using encryption to protect the backed up information;
  • Using digital signatures to protect the integrity of the information;
  • Physical and environmental security;
  • Access controls;
  • Methods of transit to and from offsite locations (e.g., by authorized couriers, by encrypted electronic transfer);
  • Storage of media adhering to manufacturer recommendations for storage conditions and maximum shelf-life; and,
  • Remote storage of backup media at a sufficient distance to escape any damage from a disaster at the main site.

A.8.14 Redundancy of information processing facilities

Control objective: Information processing facilities should be implemented with redundancy sufficient to meet availability requirements.

The purpose is to ensure the continuous operation of information processing facilities..Information processing facilities shall be monitored and sufficient redundancy shall be ensured by fixing the appropriate threshold level while maintain Control Effectiveness Measurement as defined. Information processing facilities must be implemented with redundancy sufficient to meet availability requirements.The implementation of redundancies can introduce risks to the integrity or confidentiality of information and information systems, which need to be considered when designing information systems. Information Owners  must identify business requirements for the availability of information systems. Where the availability cannot be guaranteed using the existing systems architecture, redundant components or architectures must be considered. Where applicable, redundant information systems must be tested to ensure the fail over from one component to another component works as intended.

This establishes a framework to support the integration of information security in the services provided by the information processing facilities. Planning and management of the day-to-day activities are required to ensure the availability and capacity of the resources that provide information services. This framework identifies requirements to control and monitor operations for service delivery and to manage changes as the operations evolve. For critical systems, additional requirements are defined in the Critical Systems Standard. Controls for operations include documented processes, employee duties, and formal methods to implement changes to facilities. This includes methods to protect the information, create copies for back-up, and manage the media where those copies are stored. Network protection requirements from threats such as viruses or unauthorized disclosure are also described.

A.8.15 Logging

Control Objective: Logs that record activities, exceptions, faults and other relevant events should be produced, stored,
protected and analysed.

The purpose is to record events, generate evidence, ensure the integrity of log information, prevent against unauthorized access, identify information security events that can lead to an information security incident and to support investigations. All systems are monitored to detect deviation from access control policy. This audit trail serves as evidence in case of a security breach and is the basis for any action. Audit logs are maintained on servers and provide audit information related to User Id, Date and time of log-on and log-off, failed login attempts, Terminal Location. Audit logs must be produced, retained, and regularly reviewed.
a) Audit logging
b) Review of monitoring activities
c) Audit log retention
d) Response to alarms

a) Audit logging
Information Owners must ensure that audit logs are used to record user and system activities, exceptions, and information security and operational events including information about activity on networks, applications, and systems. Information Owners and Information Custodians will determine the degree of detail to be logged based on the value and sensitivity of information assets, the criticality of the system, and the resources required to review and analyze the audit logs. Audit logs must include, when relevant, the following information:

  • User identifier;
  • Dates, times, and details of key events (e.g., logon and logoff);
  • Logon method, location, terminal identity (if possible), network address;
  • Records of successful and unsuccessful system login attempts;
  • Records of successful and unsuccessful data access (including record and field access where applicable) and other resource access attempts;
  • Changes to the system configuration;
  • Use of privileges;
  • Use of system utilities and applications;
  • Files accessed and type of access (e.g., view, read, modify, delete);
  • For voice calls: source and destination telephone numbers, date, time, and length of call;
  • Name and size of file attachments that are part of or are included in data transmissions (e.g., email, instant messaging, unified communications platforms, etc.);
  • Network addresses (source and destination), ports (source and destination), protocols, and transferred network data traffic flow (packets and bytes);
  • Alarms raised by the access control system;
  • Activation and de-activation of protection systems (e.g., anti-virus, intrusion detection).

Audit logs may contain confidential data and access must be restricted to employees with need-to-know privileged access and be protected accordingly. Information Owners must not have the ability to modify, erase or de-activate logs of their own activities. If audit logs are not activated, this decision must be documented and include the name and position of the approver, date, and a rationale for de-activating the log. Where required, the Privacy Impact Assessment and Security Threat and Risk Assessment must be updated to reflect this decision.

b) Review of monitoring activities
Information Owner must set up and document processes for the review of audit logs based on the Information Owners assessment of the value and sensitivity of the information assets, the criticality of the system, and the resources required for review. Audit log reviews must:

  • Prioritize reviews of high value and highly sensitive information assets;
  • Be based on a documented Security Threat and Risk Assessment; and
  • Utilize automated tools to identify exceptions (e.g., failed access attempts, unusual activity) and facilitate ongoing analysis and review.

Monitoring must be tested at least annually to ensure that desired events are detected. Analysis of monitoring activities can indicate:

  • The efficacy of user awareness and training and indicate new training requirements;
  • Vulnerabilities that could be, or that are being, exploited; or
  • Increases or decreases in unauthorized access attempts or unauthorized use of privileges.

c) Audit log retention
Audit logs must be:

  • Retained according to the approved records retention schedule for the system or information asset; and,
  • Retained indefinitely if an investigation has commenced which may require evidence to be obtained from the audit logs.

d) Response to alarms
Information Owners must establish and document alarm response procedures in collaboration with Information Owners to ensure alarms are responded to immediately and consistently. They should have documented authority to shut down all or part of a system or network when the alarm indicates new unacceptable threats are present. When exercising this authority, Information Owners must report the circumstances to the CISO as soon as possible. Normally, the response to an alarm will include:

  • Identification of the alarm event;
  • Isolation of the event including affected assets;
  • Identification and isolation or neutralization of the source;
  • Corrective action;
  • Forensic analysis of event;
  • Action to prevent recurrence; and,
  • Securing audit logs as evidence.
  1. Protection of log information

 Logging facilities and log information are protected against tampering and unauthorized access. Information system logging facilities and log information must be protected against tampering and unauthorized access.
a) Protecting information system logging facilities
b) Protecting log information

a) Protecting information system logging facilities
CISO is responsible for ensuring periodic independent reviews or audits are conducted to confirm that Information Owners have implemented appropriate controls. They must implement controls to protect logging facilities and log files from unauthorized modification, access, or disposal. Controls must include physical security safeguards such as situating logging facilities within a secure zone with restricted access.

b) Protecting log information
Information Owners must apply controls to protect log files from tampering or modification. Controls must include:

  • Consideration of multi-factor authentication for access to sensitive records;
  • Back-up of audit logs to off-site facilities;
  • Automatic archiving of audit logs to remain within storage capacity;
  • Scheduling the audit logs as part of the records management process; and,
  • Digital signing for detecting alteration or corruption where available.
  • All employees must not have permission to erase logs or de-activate logging of their own activities.

2. Administrator and operator logs

Logging facilities and log information are protected against tampering and unauthorized access. Activities of privileged users must be logged, and the log must be subject to regular independent review.
a) Activities logged
b) Independent review
c) Repairing and logging fault
d) Analysis, resolution, and corrective action

a) Activities logged
Privileged users typically have extensive system permissions not granted to most users. Information Owners must ensure that the activities of privileged users are regularly reviewed, including logging:

  • Event occurrence times;
  • Event details, such as files accessed, modified, or deleted, errors and corrective action;
  • Identity of the account and the privileged user involved; and,
  • The system processes involved.

Privileged users must not have permission to erase logs or de-activate logging of their own activities.

b) Independent review
Information Owner must have a documented process to ensure that the activity of privileged users is independently reviewed. Reviews must be conducted regularly and at random with the frequency being commensurate with the criticality, value, and sensitivity of system and information assets. Following verification of logs, the individual checking them should digitally sign them and store or archive them securely in accordance with the approved records retention schedule. The audit logs must be reviewed prior to being discarded or overwritten.

c) Reporting and logging faults
Information Owners must implement processes for monitoring, reporting, logging, analyzing, and correcting system faults reported by users and automated detection systems. Fault logging requirements should be determined through a Security Threat and Risk Assessment and Privacy Impact Assessments. Fault management reports must include:

  • Description of the fault including date and time, location, the extent of fault;
  • Analysis of probable source and cause;
  • Actions were taken to respond to and resolve the fault; and,
  • Corrective action is taken.

d) Analysis, resolution, and corrective action
Information Owners must review fault logs to ensure that faults have been resolved and documented in a fault management report. They must provide the fault management report to CISO.
Analysis and corrective action include:

  • Defining the fault and probable cause(s);
  • Assessing the effectiveness of corrective action(s);
  • Checking to ensure that corrective action has not introduced unforeseen vulnerabilities;
  • Identifying trends so that corrective action makes increasingly effective use of resources while improving results;
  • Recommending upgrades, replacement of components, software, or other elements that create or cause faults;
  • Improving fault detection and reporting to reduce the time between fault occurrence and taking corrective action;
  • Measuring the exposure caused by the fault;
  • Reporting on performance impact(s); and,
  • Periodically re-assessing logging requirements.

A. 8.16 Monitoring activities

Control Objective: Networks, systems and applications should be monitored for anomalous behavior and appropriate actions taken to evaluate potential information security incidents.

The purpose is to detect anomalous behavior and potential information security incidents. Automated tools provide real time notification of detected wrongdoing and vulnerability exploitation.  Where possible, staff shall develop security baselines and tools to report exceptions.  Baselines and tools shall be deployed to monitor:

  • Internet traffic
  • Electronic mail traffic
  • LAN traffic, protocols, and device inventory
  • Operating system security parameters

The following files shall be checked for signs of wrongdoing and vulnerability exploitation at a frequency determined by the CISO or their designee:

  • Automated intrusion detection system logs
  • Firewall logs
  • User account logs
  • Network scanning logs
  • System error logs
  • Application logs
  • Data backup and recovery logs
  • Help desk trouble tickets
  • Telephone activity (e.g. call detail reports)
  • Network printer and fax logs

An evaluation of the efficacy of the current program and practices shall be conducted and documented by the IT coordinator on an annual basis.  Such evaluations shall minimally include review of:

  • Password strength
  • Unauthorized network devices
  • Unauthorized personal web servers or devices
  • Unsecured sharing of devices
  • Unauthorized remote connectivity
  • Unauthorized operating systems
  • Unauthorized software licenses

Any security issues discovered will be reported to the CISO for follow-up investigation and remediation. As part of the review, procedures shall be developed to review and record growth and traffic patterns, bandwidth issues, etc.  Appropriate reporting shall be in place to allow IT to anticipate performance issues and delays and react in a timely and proactive manner.

A.8.17 Clock synchronization

Control Objective:The clocks of information processing systems used by the organization should be synchronized to approved time sources.

The purpose is to enable the correlation and analysis of security-related events and other recorded data, and to support investigations into information security incidents.. The correct setting of critical computer clocks is important and carried out to ensure the accuracy of audit logs, which may be required for the investigation or as evidence in legal or disciplinary cases.  One Server is identified as Time Master Server & other Servers of the network are synchronized with the Master. Computer clocks must be synchronized for accurate reporting.
a) Synchronization
b) Checking and Verification

a) Synchronization
System administrators must synchronize information system clocks to:

  • the local router gateway; or,
  • the organization approved clock host.

b) Checking and Verification
System administrators must confirm system clock synchronization:

  • Following power outages or brownouts;
  • As part of incident analysis and audit log review; and,
  • At least semi-annually in conjunction with Daylight Savings Time.

Time discrepancies must be reported to IT Helpdesk, Customer Service Centre. The clock hosts must be synchronized with a national time service

A.8.18 Use of privileged utility programs

Control Objective: The use of utility programs that can be capable of overriding system and application controls should be restricted and tightly controlled.

The purpose is to ensure the use of utility programs does not harm system and application controls for information security. All system utility programs, which impact the operations of the systems, are installed with controlled access to administrative accounts. System Utilities are controlled. The use of system utility programs must be restricted and tightly controlled.
a) Restriction and control of system utility programs
b)Session time-out

a) Restriction and control of system utility programs
Information Owners must limit use of system utility programs by:

  • Defining and documenting authorization levels;
  • Restricting the number of users with access to system utility programs;
  • Annually reviewing the status of users with permissions to use system utility programs;
  • Ensuring that the use of system utilities maintains segregation of duties;
  • Requiring a secure logon process to be used to access system utilities;
  • Ensuring that all system utility programs are identified and usage logged;
  • Segregating system utilities from application software where possible; and,
  • Removing or disabling unnecessary and obsolete system utilities and system software.

b) Session time-out
Information Owners must define and implement automatic termination or re-authentication of active sessions after a pre-determined period of inactivity. The information systems must have session time-outs managed by operating system access, application, or infrastructure controls. Application and network sessions must be terminated or require re-authentication after a pre-defined period of inactivity commensurate with the:

  • Risks related to the security zone;
  • Classification of the information being handled; and,
  • Risks related to the use of the equipment by multiple users.

The session must be terminated or require re-authentication after a period of no more than 15 minutes of inactivity.

Guidelines:
The use of system utility programs should be limited to privileged users. The use of system privileges should require the use of multiple factors of authentication.

A.8.19 Installation of software on operational systems

Control Objective: Procedures and measures should be implemented to securely manage software installation on operational systems.

The purpose is to ensure the integrity of operational systems and prevent exploitation of technical vulnerabilities.. To ensure secured implementation of Software on Operational System. The installation of software on operational information systems providing services must be controlled.
a) Software changes to operational information systems
b) Software implementation controls
c) Protection of systems documentation

a) Software changes to operational information systems
Information Owners must implement procedures to control software installation on operational information systems providing services to ensure that:

  • Updates of operational information systems are planned, approved, impacts assessed, tested, logged, and have a rollback plan;
  • Operations employees and end-users have been notified of the changes, potential impacts and if required have received additional training;
  • New releases of software are reviewed to determine if the release will introduce new security vulnerabilities;
  • Modifications to operational software are logged;
  • The number of employees able to perform the updates is restricted and kept to a minimum;
  • Development code or compilers are not present on operational information systems;
  • Vendor-supplied software is maintained at the supported level.

b) Software implementation controls:

  1. Pre-Implementation
    Before an updated or new information system is implemented into the operational environment, checks must be performed to ensure that:  
    • A Security Threat and Risk Assessment has been carried out;
    • A Privacy Impact Assessment has been performed and approved;
    • Limitations of security controls are documented;
    • Performance and capacity requirements can be met and support organizations have the capacity to maintain the information system;
    • Development problems have been resolved successfully;
    • The effects on existing operational information systems are known;
    • Arrangements for fall-back have been established if the updated or new information system fails to function as intended;
    • Error recovery and restart procedures are established;
    • Business continuity plans are developed or updated;
    • Operating procedures are tested;
    • Changes are communicated to users who may be affected by the change;
    • Users are educated to use the information system correctly and securely; and,
    • Computer operators and system administrators are trained in how to run the information system correctly and securely.
  2. Implementation
    The installation process must include:
    • Validating the load or conversion of data files;
    • Installing executable code only, and not source code;
    • Providing ongoing technical support;
    • Implementing new or revised procedures and documentation;
    • Discontinuing old software, procedures, and documentation;
    • Arranging for fallback in the event of failure;
    • Informing the individuals involved of their roles and responsibilities;
    • Transferring responsibility for the information system from development teams to operational teams to ensure segregation of duties; and,
    • Recording installation activity.
  3. Post-implementation
    Post-implementation reviews must include:
    • The efficiency, effectiveness, and cost of security controls;
    • Lessons learned and scope for improvements of security controls; and,
    • Security incidents and mitigation.

c) Protection of systems documentation
Information Owners must ensure that documented procedures for the secure use and storage of systems documentation are established and followed. Procedures must:

  • Require information classification labeling of system documentation;
  • Establish lists of users authorized to access system documentation on a ‘need to know basis;
  • Establish handling rules for the information regardless of storage media (e.g., electronic, paper);
  • Require use of access controls, passwords, encryption, or digital signatures as appropriate to the information classification; and,
  • Include a compliance monitoring process.

d) Restrictions on software installation

The purpose is to limit the installation of software to authorized employees to avoid security incidents. Users should not run any unauthorized or undocumented software on their desktops. IT department will approve on the recommendation of Department Heads, the installation of any software on Desktop/Laptop/Servers. A review of the rules governing the installation of software by employees must be established and implemented. Uncontrolled installation of software on computing devices can lead to introducing vulnerabilities and then to information leakage, loss of integrity or other information security incidents, or to violation of intellectual property rights. Employees must receive authorization prior to installing software on the organization’s devices. Software installation must be consistent with the requirements of the Appropriate Use Policy.

A.8.20 Networks security

Control Objective: Networks and network devices should be secured, managed and controlled to protect information in systems and applications.

The purpose is to protect information in networks and its supporting information processing facilities from compromise via the network. Also to ensure that network security controls and network security management practices are implemented and documented to maintain network security. XXX. has a dedicated team of employed professionals in the network, who are responsible for the smooth and secure operation of the network. Controls must be implemented to achieve and maintain security within the network.
a) Control and management of networks
b) Configuration control
c) Secured path
d) Wireless Local Area Networking
e) Equipment management
f) Logging, monitoring, and detection
g) Coordination and consistency of control implementation

a) Control and management of networks
Information Owners must implement network infrastructure security controls and security management systems for networks to ensure the protection of information and attached information systems. Selection of controls must be based on a Security Threat and Risk Assessment, taking into account the information security classification determined by the Information Owners, and applicability to the network technology. The Security Threat and Risk Assessment must consider network-related assets which require protection including:

  • Information in transit;
  • Stored information (e.g., cached content, temporary files);
  • Network infrastructure;
  • Network configuration information, including device configuration, access control definitions, routing information, passwords, and cryptographic keys;
  • Network management information;
  • Network pathways and routes;
  • Network resources such as bandwidth;
  • Network security boundaries and perimeters; and,
  • Information system interfaces to networks.

b) Configuration control
To maintain the integrity of networks, Information Owners must manage and control changes to network device configuration information such as configuration data, access control definitions, routing information, and passwords. Network device configuration data must be protected from unauthorized access, modification, misuse, or loss by the use of controls such as:

  • Encryption;
  • Access controls and multi-factor authentication;
  • Monitoring of access;
  • Configuration change logs;
  • Configuration baselines protected by cryptographic check sums; and,
  • Regular backups.

Status accounting must be regularly performed to ensure that configuration baselines reflect actual device configuration.

c) Secured path
Where required by information classification and a Security Threat and Risk Assessment, information must only be transmitted using a secured path. Secured paths for information transmission must use controls such as:

  • Data, message or session encryption, such as SSH, SSL or VPN tunnels; and,
  • Systems to detect tampering.

d) Wireless Local Area Networking
Wireless Local Area Network access points must be authorized by the Chief Information Officer for attachment to the network. Wireless Local Area Networks must utilize the controls specified by the Chief Information Security Officer and must include:

  • Strong link layer encryption, such as Wi-Fi Protected Access;
  • User and device network access controlled by authentication services;
  • The use of strong, frequently changed, automatically expiring encryption keys and passwords;
  • Segregation of wireless networks from wired networks by the use of filters, firewalls or proxies; and,
  • Port-based access control, for example use of 802.1x technology.

Where supported by the information classification or a Security Threat and Risk Assessment, additional controls for wireless networks may include:

  • Virtual Private Network tunnel technology;
  • The use of Desktop Terminal Services (DTS) technology; and,
  • Intrusion detection systems, firewalls and Media Access Control (MAC) address filtering.

e) Equipment management
Information Owners must document responsibilities and procedures for the operational management of network infrastructure, including devices at network boundaries and in user areas.

f) Logging, monitoring, and detection
To facilitate monitoring, response, and investigation, logging to a centralized log management service must be enabled, including logging of:

  • Traffic traversing network security boundaries;
  • Traffic within networks housing sensitive or critical systems or information;
  • Security-relevant events on network devices, such as operator logon and configuration changes;
  • Security-relevant events on systems that provide authentication and authorization services to network infrastructure devices such as routers, firewalls, or switches.

Logs must be continuously monitored to enable detection and response to security events and intrusions (e.g., automation of log monitoring and event alerting). Logs from available sources (including, but not limited to, network traffic, network firewalls, Intrusion Prevention Systems, routers, switches, content filtering, servers, applications, databases, application firewalls, authentication services) must be continuously correlated to enable detection and response to security events and intrusions, that otherwise would go undetected without such correlation and alerting.
In order to support the monitoring and correlation of logs from available sources, in cases when infrastructure or services are provided via a third-party, it must be ensured that security event logs from the respective outsourced infrastructure or services can be forwarded real-time to the centralized monitoring services to allow for the centralized monitoring, correlation and alerting across the organization. Information Owner must ensure there is a clear segregation of duties for employees involved in logging, monitoring, or detection activities. Active automated surveillance of networks must be implemented to detect and report on security events (e.g., network intrusion detection systems). Sensors enabling on-demand capture of network traffic must be implemented at network security boundaries and within networks housing sensitive information or information systems as determined by a Security Threat and Risk Assessment.

g) Coordination and consistency of control implementation
Information Owners must document network security controls in the System Security Plan including:

  • A summary of risks identified in the Security Threat and Risk Assessment;
  • Roles and responsibilities for network security management;
  • Specific procedures and standards used to mitigate risks and protect the network;
  • Communication procedures for security-relevant events and incidents; and,
  • Monitoring procedures (including monitoring frequency, review, and remediation processes).

A.8.21 Security of network services

Control Objective: Security mechanisms, service levels and service requirements of network services should be identified, implemented and monitored.

The purpose is to ensure security in the use of network services. Security attributes for network services like Leased Line / Wireless Radio modem are taken care of through SLA (Service Level Agreement) with ISP (Internet Service Provider) viz., STPI. Security configuration, service levels, and management requirements of all network services must be documented and included in any network service agreement. Formal network service agreements must be established between network service providers and consumers of network services to specify service levels, services offered, security requirements, and security features of network services. The network service agreement must include specification of:

  • The rules of use to be followed by consumers to maintain the security of network services;
  • The schedule for ongoing verification of network security controls;
  • The rights of either party to monitor, audit, or investigate as needed;
  • Security incident response responsibilities, contacts and procedures; and,
  • The requirement to meet or exceed Information Security Policy and standards.

Information Owners must confirm that the specified security features are implemented prior to commencement of service delivery.

A.8.22 Segregation in networks

Control Objective: Groups of information services, users and information systems should be segregated in the organization’s networks.

The purpose is to split the network in security boundaries and to control traffic between them based on business needs. This can done to isolate information systems, users, and networks based on risk and business connectivity requirements. Groups of information services, users, and information systems must be segregated on networks.
Segregation based on risk and requirements
Information Order must segregate services, information systems, and users to support business requirements for information system connectivity and access control based on the principles of least privilege, management of risk, and segregation of duties. Information Order must establish network perimeters and control traffic flow between networks. Network traffic flow control points such as firewalls, routers, switches, security gateways, VPN gateways, or proxy servers must be implemented at multiple points throughout the network to provide the required level of control. The techniques and technologies selected for network segregation must be based on Security Threat and Risk Assessment and Privacy Impact Assessment findings. Factors to consider include:

  • The information and information system security classification;
  • The trustworthiness of the network, based on the amount of uncontrolled malicious traffic present, the level of device identification and authentication in the networks, and sensitivity to eavesdropping (e.g., the Internet is a less trusted network than a controlled server network zone);
  • Transparency, usability and management costs of network segregation technologies; and,
  • The availability of compensating controls for detection, prevention, and correction of malicious network traffic and unauthorized access attempts.

Network zones must be defined and network perimeters established, according to business requirements and risk as identified in the Security Threat and Risk Assessment and Privacy Impact Assessment (e.g., network zones, core network, wireless network). Information system operational management and business applications must be defined and separated by network flow control points.

Guidelines:
Security gateways should be used to verify the trustworthiness of devices attempting to connect to the network (e.g., VPN Quarantine systems, network switch isolation, and admission control systems).

8.23 Web filtering

Control Objective: Access to external websites should be managed to reduce exposure to malicious content.

The purpose is to protect systems from being compromised by malware and to prevent access to unauthorized web resources. The Web URL Filter application will restrict, monitor and log Internet usage of users on the XXX’s Network. The Web URL Filter assigns web sites to one of a number of predefined categories. Exceptions may be granted upon request, based upon work requirements. Accounts that are granted exceptions may be subject to elevated monitoring and additional security controls to protect XXX’s resources.

  • Abused Drugs:Sites that promote the abuse of both legal and illegal drugs, use and sale of drug-related paraphernalia, manufacturing and/or selling of drugs.
  • Adult:Sexually explicit material, media (including language), art, and/or products, online groups or forums that are sexually explicit in nature. Sites that promote adult services such as video/telephone conferencing, escort services, strip clubs, etc..
  • Alcohol and Tobacco: Sites that pertain to the sale, manufacturing, or use of alcohol and/or tobacco products and related paraphernalia. Includes sites related to electronic cigarettes.
  • Command and Control:URLs and domains used by malware or compromised systems, or both, to surreptitiously communicate with an attacker’s remote server to receive malicious commands or exfiltrate data.
  • Copyright Infringement:Websites and services that are dedicated to illegally serving videos, movies, or other media for download, explicitly infringing copyright holders.
  • Dynamic DNS: Sites that provide and/or utilize dynamic DNS services to associate domain names to dynamic IP addresses. Dynamic DNS is often used by attackers for command-and-control communication and other malicious purposes.
  • Extremism:Websites promoting terrorism, racism, fascism, or other extremist views discriminating people or groups of different ethnic backgrounds, religions, or other beliefs.
  • Gambling:Lottery or gambling websites that facilitate the exchange of real and/or virtual money. Related websites that provide information, tutorials or advice regarding gambling, including betting odds and pools. Corporate websites for hotels and casinos that do not enable gambling are categorized under Travel.
  • Games:Sites that provide online play or download of video and/or computer games, game reviews, tips, or cheats, as well as instructional sites for non-electronic games, sale/trade of board games, or related publications/media. Includes sites that support or host online sweepstakes and/or giveaways.
  • Hacking:Sites relating to the illegal or questionable access to or the use of communications equipment/software. Development and distribution of programs, how-to-advice and/or tips that may result in the compromise of networks and systems. Also includes sites that facilitate the bypass of licensing and digital rights systems.
  • Malware:Sites containing malicious content, executables, scripts, viruses, trojans, and code.
  • Nudity:Sites that contain nude or semi nude depictions of the human body, regardless of context or intent, such as artwork. Includes nudist or naturist sites containing images of participants.
  • Parked: URLs which host limited content or click-through advertisements, which may generate revenue for the host entity but generally, do not contain content that is useful to the end user.
  • Peer-to-Peer: Sites that provide access to or clients for peer-to-peer sharing of torrents, download programs, media files, or other software applications.
  • Phishing: Seemingly reputable sites that harvest personal information from its users via phishing.
  • Proxy Avoidance and Anonymizers: Proxy servers and other methods that bypass URL filtering or monitoring, or pharming.
  • Questionable: Sites containing tasteless humor, offensive content targeting specific demographics of individuals or groups of people, criminal activity, illegal activity, and get rich quick sites.

A.8.24 Use of cryptography

Control Objective: Rules for the effective use of cryptography, including cryptographic key management, should be defined and implemented..

The process is to ensure proper and effective use of cryptography to protect the confidentiality, authenticity or integrity of information according to business and information security requirements, and taking into consideration legal, statutory, regulatory and contractual requirements related to cryptography. The use of cryptography for information controls needs to be based on the Security Threat and Risk Assessment and the level of harm caused by the loss of confidentiality and/or integrity. The cryptographic policies are under the direction of the Chief Information Officer.The use of cryptographic controls must be based on the risk of unauthorized access and the classification of the information or information system to be protected.
a) Cryptographic controls – Roles and responsibilities
b) Acceptable use of cryptography

a) Cryptographic controls – Roles and responsibilities
The Chief Information Officer provides direction and leadership in the use of cryptography and the provision of cryptographic services, such as those used for user registration services and key management services, by:

  • Establishing policy and providing strategic direction on the use of cryptography across the organization;
  • Instituting the approach to key management;
  • Establishing roles and responsibilities;
  • Setting standards for cryptographic algorithms and key length; and,
  • Approving the use of cryptographic services.

The Chief Information Security Officer supports the use of cryptography in organization by:

  • Defining and maintaining the Cryptographic Standard for Information Protection; and,
  • Providing technical advice on the use of cryptography.

Information Owners must document the use of cryptography in the System Security Plan for the information system.

b) Acceptable use of cryptography
The type and quality of cryptographic controls used in information systems must be based on a Security Threat and Risk Assessment, and include consideration of:

  • Confidentiality requirements, in accordance with information classification, labelling and handling requirements;
  • Integrity requirements (e.g., for financial payment instructions in excess of a specified dollar amount);
  • Non-repudiation requirements (e.g., for proof of the occurrence or non-occurrence of an event);
  • Authentication requirements (e.g., proof of identity);
  • Other security measures (e.g., for proof of origin, receipt, or ownership);
  • Legislation, regulations or policies requiring the use of cryptography;
  • Restrictions on the export or use of cryptographic products; and,
  • Risks relating to the long-term storage of electronic information (e.g., recovery of encrypted data, long-term key maintenance).

Information Owners must register the use of approved cryptographic products and services with the Chief Information Security Officer.

Key Management

A key management system based on policy, procedures, and approved methods must be used to support and protect the use of cryptographic controls throughout their life-cycle. The Chief Information Officer is responsible for approving key management standards and processes, including:

  • Selection of cryptographic keys with sufficient lengths;
  • Distribution, storage and periodic updating of cryptographic keys;
  • Revocation of cryptographic keys (e.g., when a recipient changes job);
  • Recovery of cryptographic keys that are lost, corrupted or have expired;
  • Management of cryptographic keys that may have been compromised;
  • Archival of cryptographic keys and the maintenance of cryptographic key history; and,
  • Allocation of activation/de-activation dates.

 A.8.25 Secure development life cycle

Control Objective: Rules for the secure development of software and systems should be established and applied.

The purpose is to ensure ensure information security is designed and implemented within the secure development life cycle of software and systems. The information security is designed and implemented within the development life-cycle of information systems. Software development will be as per the agreed Software Development Life cycle defined in ‘PR-09-SLC-Software Life Cycle Process.doc’. Policies, standards, and guidelines for the development of software and systems must be established and applied to developments within the organization.
a) Secure development process
b) Secure programming techniques

a) Secure development process
Information Owners  must ensure that software and systems developed internally follow established policies, standards and best practices for secure development process. The established policies and standards must be applied consistently to all developments within the organization. A secure development process is a necessity in developing a secure information system. Within a secure development life-cycle of information systems, the following aspects must be considered:

  • Security of the development environment;
  • Security in the software development methodology;
  • Secure coding guidelines for each programming language used;
  • Inclusion of security requirements starting from the design phase;
  • Security checkpoints within the development milestones;
  • Secure repositories;
  • Security in the version control and updates;
  • Required application security knowledge; and,
  • Developer capability of avoiding, finding and fixing vulnerabilities.

b) Secure programming techniques

Secure programming techniques must be used both for new developments and in code re-use scenarios where the standards applied to development may not be known or are not consistent with current best practices. Secure coding standards must be considered and where relevant mandated for use.

  • Program code must not be altered unless authorized to do so;
  • Any variations to program code must be documented; and,
  • All changes to existing code must ensure applicable standards have been applied for program security.

If development is outsourced, the organization must obtain assurance that the external party complies with the policies for secure development.

A.8.26 Application security requirements

Control Objective: Information security requirements should be identified, specified and approved when developing or acquiring applications.

The purpose is to ensure all information security requirements are identified and addressed when developing or acquiring applications.

A. Securing applications services on public networks

Information in application services information systems must be protected from fraudulent activity, contract dispute, unauthorized disclosure and modification.
a) Electronic commerce
b) Electronic documents

a) Electronic commerce
Prior to initiating or implementing electronic commerce information systems, Information Owners  must:

  • Ensure that the Security Threat and Risk Assessment is conducted and addresses threats and risks related to electronic commerce;
  • Confirm that a Privacy Impact Assessment has been conducted and approved;
  • Determine the security classification of the information and information system involved;
  • Ensure that the user notification and acceptance of terms and conditions of use complies with policies and standards;
  • Ensure multi-factor authentication is used commensurate with the sensitivity and value of the information;
  • Develop and implement processes to maintain content currency;
  • Confirm the information system has received security certification and accreditation;
  • Develop Business Continuity Plans and supporting Disaster Recovery Plans.

b) Electronic documents
When accepting or submitting electronic documents, Information Owners  must:

  • Authenticate the users claimed identity;
  • Determine an authorization process for approving contents, issue or sign key documents;
  • Determine the requirements for confidentiality, integrity, proof of dispatch and receipt of key documents and the confidentiality of contracts; and,
  • Ensure the protection requirements of any confidential information.

B. Protecting application services transactions

The Purpose is to maintain the confidentiality, integrity and availability of on-line transactions in information systems. Information systems utilizing on-line transactions must have security controls commensurate with the value and sensitivity of the information.
a) On-line transaction security
b) Payment card transaction security

a) On-line transaction security
Information Owners are responsible for ensuring information systems containing on-line transactions have implemented security controls commensurate with the value and sensitivity of the information. Security controls must be implemented to prevent incomplete transmission, misrouting, repudiation of transaction, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication and replay. Security controls include:

  • Validating and verifying user credentials;
  • Using digital signatures;
  • Using cryptography to protect data and information;
  • Establishing secure communications protocols; and,
  • Storing on-line transaction details on servers within the appropriate network security zone.

b) Payment card transaction security
Information Owners are responsible for ensuring that information systems used for processing payment card transactions, or connected to payment card transaction processing systems, comply with the Payment Card Industry Data Security Standard. The Payment Card Industry Data Security Standard V3.0 has 12 high-level requirements:
 Install and maintain a firewall configuration to protect cardholder data

  • Do not use vendor-supplied defaults for system passwords and other security parameters;
  • Protect stored cardholder data;
  • Encrypt transmission of cardholder data across open, public networks;
  • Protect all systems against malware and regularly update anti-virus software or programs;
  • Develop and maintain secure systems and applications;
  • Restrict access to cardholder data by business need-to-know;
  • Identify and authenticate access to system components;
  • Restrict physical access to cardholder data;
  • Track and monitor all access to network resources and cardholder data;
  • Regularly test security systems and processes; and,
  • Maintain a policy that addresses information security for all employees.

8.27 Secure system architecture and engineering principles

Control Objective: Principles for engineering secure systems should be established, documented, maintained and applied to any information system development activities.

The purpose is to ensure information systems are securely designed, implemented and operated within the development life cycle. The information security is designed in all architectural layers of information systems.Software development will be as per the agreed Software Development Lifecycle defined in ‘PR-09-SLC-Software Life Cycle Process.doc’. Principles for engineering secure systems must be established, documented, maintained and applied to any information system implementation efforts.
a) Secure engineering principles
b) Outsourcing engineering security
c) Application development

a) Secure engineering principles
Information Owners must establish and document secure information system engineering procedures based on security engineering principles and best practices. The procedures must be applied to all in-house information system engineering activities. Security must be designed into all architecture layers (business, data, applications and technology) balancing the need for information security with the need for accessibility. New technology must be analyzed for security risks and the design must be reviewed against known attack patterns. Secure engineering procedures must be reviewed regularly to ensure they remain current to reflect the changes in the environment and threat landscape.

b) Outsourcing engineering security

Information Owners must ensure that contracts and other binding agreements incorporate the secure engineering principles and procedures for outsourced information systems.

c) Application development
Application development procedures must apply secure engineering techniques in the development of applications that have input and output interfaces and provide guidance on user authentication techniques, secure session control and data validation, sensitization and elimination of debugging codes.

processes in secure development procedures and provide these to all individuals who need them. Personal information must not be used in the testing or development phases without a valid policy exemption from the Office of the Chief Information Officer.

8.28 Secure coding

Control Objective: Secure coding principles should be applied to software development.

The purpose is to ensure software is written securely thereby reducing the number of potential information security
vulnerabilities in the software. All software written for or deployed on systems must incorporate secure coding practices, to avoid the occurrence of common coding vulnerabilities and to be resilient to high-risk threats, before being deployed in production. The items enumerated in this standard are not an exhaustive list of high-risk attacks and common coding errors but rather a list of the most damaging and pervasive. Therefore, code written must contain mitigating controls not only for the items specifically articulated in the standard below, but also for any medium and high-risk threats that are identified during a system’s life cycle.  High risk threats include, but are not limited to:

  1. Code Injection
  2. Cross-site scripting (XSS)
  3. Cross-site request forgery (CSRF)
  4. Information leakage and improper error handling
  5. Missing Authentication for Critical Function
  6. Missing Encryption of Sensitive Data
  7. URL Redirection to Untrusted Site (‘Open Redirect’)

Use of common security control libraries and common API’s, that have undergone security testing, is required to ensure a consistent approach that minimizes defects and prevents exploitation. When available, publicly available or vendor-supplied libraries or APIs should be used unless there’s a business case developed and exception granted by the Information Security Officer (ISO)/designated security representative to develop a custom library. To prevent defects or detect and remove them early, thereby realizing significant cost and schedule benefits to the entity, code must be checked for errors throughout development and during maintenance. Entities must verify that the software assurance model used by the vendor is in line with this standard through vendor assurances, security testing and/or contract requirements.

A 8.29 Security testing in development and acceptance

Control Objective: Security testing processes should be defined and implemented in the development life cycle.

The purpose is to validate if information security requirements are met when applications or code are deployed to the production environment.

A. System security testing

The security functionality is carried out during the development process. Testing of security functionality must be carried out during development.Information Owners must ensure that new and updated systems undergo thorough testing and verification during the development processes. A detailed schedule of test activities, inputs and expected outputs under a range of conditions must be prepared as part of testing and verification processes.Independent acceptance testing must be undertaken to ensure that the system works as expected and only as expected. The extent of testing must be in proportion to the importance and nature of the system.

B System acceptance testing

The new or upgraded information systems are tested against defined, agreed and documented criteria for acceptance, prior to becoming operational.New information systems, upgrades, and new versions are put through a system acceptance for their acceptability and interoperability. A separate environment comprising of hardware and software is used to carry out tests prior to deploying or upgrading the main system. Appropriate tests are carried out to confirm that all acceptance criteria are fully satisfied. The tests results are documented and operational, maintenance and usage procedure are established. Training is provided for use and operation of new system. Acceptance criteria for new information systems, upgrades and new versions must be established and suitable tests of the system carried out prior to acceptance.
a) System acceptance process
b) System acceptance criteria
c) Security certification
d) System accreditation

a) System acceptance process
Information Owners must ensure that system acceptance criteria are defined as part of the system development and acquisition process. Prior to implementing new or upgraded information systems, Information Owners must ensure:

  • Acceptance criteria are identified including privacy, security, systems development and user acceptance testing;
  • Security certification is attained, indicating the system meets minimum acceptance criteria; and,
  • Security accreditation to proceed with implementation is attained.

A Privacy Impact Assessment must be completed for new or upgraded information systems.

b) System acceptance criteria
Information Owners must document system acceptance criteria, including:
• Projected performance and resource capacity requirements;
• Disaster recovery, restart, and contingency plans and procedures;
• Impact on standardized routine operating procedures and manual procedures;
• Implementation of security controls;
• Assurance that installation of the new system will not adversely affect existing systems, particularly at peak processing times;
• Business continuity arrangements;
• Training requirements; and,
• User acceptance testing.

c) Security certification
The Information Owners must receive assurance that a new or updated information system meets minimum security acceptance criteria.Assurance should be obtained by conducting either an independent Security Threat and Risk Assessment or a Risk and Controls Review which determines whether a system includes adequate controls to mitigate security risks. This process will also determine the effect of the new system on the overall security of information systems.

d) System accreditation
Information Owners must authorize the implementation of new or upgraded information systems based on the degree to which the acceptance criteria are satisfied.

A. 8.30 Outsourced development

Control Objectives: The organization should direct, monitor and review the activities related to outsourced system development.

The purpose is to ensure information security measures required by the organization are implemented in outsourced system development.Controls must be applied to secure outsourced information system development.Information Owners must consider the following when outsourcing information system development:

  • Procurement policy for licensing, ownership and intellectual property rights;
  • Escrow arrangements in the event of the failure of the external party;
  • Testing of the information system for common vulnerabilities and malicious code;
  • Rights of access for audit and certification of the quality and accuracy of the work; and,
  • Contractual requirements for quality and security functionality of the information system.

Information Owners must ensure that the outsourced information system meets the requirements defined in the system development arrangements.

A. 8.31 Separation of development, test and production environments

Control Objectives: Development, testing and production environments should be separated and secured.

The purpose is to protect the production environment and data from compromise by development and test activities. Also to reduce the risk of system failures and unacceptable performance levels by monitoring and optimizing resources to meet current and future information system capacity requirements. The development and testing activities shall not be done on the production server. The use of information system resources must be monitored, optimized and projections made of future capacity requirements.
a) Resource capacity management
b) Resource capacity planning

a) Resource capacity management

Information Owners are responsible for implementing capacity management processes by:

  • Documenting capacity requirements and capacity planning processes;
  • Identifying and managing storage requirements;
  • Including capacity requirements in service agreements;
  • Monitoring and optimizing information systems to detect impending capacity limits;
  • Projecting future capacity requirements based on:
    • New business and information systems requirements,
    • Statistical or historical capacity requirement information,
    • Current and expected trends in information processing capabilities (e.g., the introduction of more efficient hardware or software).

b) Resource capacity planning

Information Owner must use trend information from the capacity management process to identify and remediate potential bottlenecks that present a threat to system security or services. Information Owners must plan and budget for business and service capacity management.

c) Secure Development Environment

The purpose is to ensure the security of information during the development and system integration process.To secure the selected product of development environment the process of configuration management need to be adopted so that the correct product is available to authenticated users. Organizations must establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development life-cycle. A secure development environment includes people, processes and technologies associated with system development and integration. Information Owners must assess the risks associated with individual system development efforts and establish secure development environments for system development, considering:

  • Sensitivity of data to be processed, stored or transmitted by the system;
  • Applicable external and internal requirements (e.g., from regulations, policies and standards);
  • The need for segregation between different development environments;
  • Security controls already in place that support system development;
  • Trustworthiness of employees working in the environment;
  • The degree of outsourcing associated with system development;
  • Control of access to the development environment;
  • Monitoring of changes to the environment and code stored therein;
  • Backups are stored at secure offsite locations; and,
  • Control over movement of data from and to the environment.

Once the level of protection is determined for a specific development environment, Information Owners must document corresponding

Guidelines:
Resource capacity management processes should be automated where feasible.

A.8.32 Change management

Control Objective: Changes to information processing facilities and information systems should be subject to change management procedures.

The purpose is to preserve information security when executing changes.. Whenever a change in the IT infrastructure is to be done, a proper evaluation and analysis are done which includes cost, security, technical functionality, and compatibility. Any user can initiate a change request. Manager/IT is authorized to initiate the change & Head/IT approves these operational and process changes. To control all operational changes XXX. has defined policy. Changes to information systems and information processing facilities must be controlled.
a) Planning changes
b) Change management process
c) Implementing change

a) Planning changes
Information Owners must plan for changes to information systems and information processing facilities by assessing the impact of the proposed change on security by conducting a security review based on the size of the change.

b) Change management process
Information Owners must plan, document and implement a change management process to control changes by:

  • Identifying and recording significant changes;
  • Assessing the potential impact, including the security impact, of the change by conducting a Security Threat and Risk Assessment;
  • Developing an implementation strategy;
  • Obtaining approval of changes from the manager(s) responsible for the information system;
  • Planning and testing changes including documenting fallback procedures;
  • Communicating change details to relevant employees;
  • Identifying the impact on agreements with business partners and third parties including information sharing agreements, Memoranda of Understanding, licensing and provision of services;
  • Evaluating that planned changes were performed as intended; and,
  • Training technical and operations employees if required.

c) Implementing changes
Information Owners must implement changes by:

  • Notifying affected parties, including business partners and third parties;
  • Completing re-certification and re-accreditation as required prior to implementation;
  • Training employees if required;
  • Documenting and reviewing the documentation throughout the testing and implementation phases;
  • Recording all pertinent details regarding the changes;
  • Checking after the change has been performed that only the intended changes took place.

A) Change control procedures

The purpose is to ensure that information systems are not compromised from changes to software..XXX. has a defined procedure to manage and control changes in the software developed and support systems, during the development life cycle. Changes to software must be controlled by the use of formal change control procedures.
a) Changes to software during information systems development
b) Changes to software for operational information systems 

a) Changes to software during information systems development
Information Owners must implement a change control process during development which includes:

  • Requiring that change requests originate from authorized employees;
  • Requiring that proposed changes are reviewed and assessed for impact; and,
  • Logging all requests for change.

b) Changes to software for operational information systems
Information Owners must implement a change control process during the maintenance phase including:

  • Requiring that change requests originate from authorized employees;
  • Performing an impact assessment considering items such as the System Security Plan and proposed modifications;
  • Documenting fallback plans;
  • Documenting approval of changes proposed prior to the commencement of the work;
  • Documenting the acceptance tests and approval of the results of acceptance testing;
  • Updating the System Security Plan and other system, operations and user documentation with the details of changes in accordance with records management policy;
  • Maintaining version control for all changes to the software; and,
  • Logging all requests for change.

B) Technical review of applications after operating system changes

The purpose is to ensure information systems will not be disrupted or compromised. The application systems are reviewed to ensure that there is no adverse impact on operation and security due to changes in operating system. Information systems must be reviewed and tested when operating system changes occur. Information owners must notify CISO and other affected parties of operating system changes to allow:

  • Sufficient time for the review and testing of information systems prior to implementation;
  • Review of System Security Plans to ensure information systems will not be compromised by the change;
  • Significant changes to the operating system must have a completed Security Threat and Risk Assessment completed;
  • Information system testing with the changes to the operating system in a separate (i.e., test) environment; and,
  • Update of business continuity plans if required.

C) Restrictions on changes to software packages

The purpose is to reduce the risk of information system functionality loss.Modification to software package is not permitted without the consent of project team. To ensure that only desired changes are implemented after the approval, a process need to be followed for controlling the changes in software packages.Modification of commercial-off-the-shelf software is limited to essential changes that are strictly controlled and documented.
a) Modifying commercial-off-the-shelf software
b) Applying vendor supplied patches and updates

a) Modifying commercial-off-the-shelf software
Other than vendor supplied patches, commercial-off-the-shelf (COTS) software must not be modified except in exceptional circumstances when needed for a critical business requirement. This requirement must be documented and approved by the Information Owner. If changes to COTS software are required, the Information Owners must determine:

  • The effect the change will have on the security controls in the software;
  • If consent of the vendor is required;
  • If the required functionality is included in a new version of the software;
  • If the organization becomes responsible for maintenance of the software as a result of the change; and,
  • Compatibility with other software in use.

if changes are made to COTS software the original software must be kept unaltered and the changes must be:

  • Logged and documented, including a detailed technical description;
  • Applied to a copy of the original software; and,
  • Tested and reviewed to ensure that the modified software continues to operate as intended.

b) Applying vendor supplied patches and updates
A software update management process must be maintained for commercial-off-the-shelf (COTS) software to ensure:

  • The most up-to-date approved patches have been applied; and,
  • The version of software is vendor supported.

A.8.33 Test information

Control Objective: Test information should be appropriately selected, protected and managed.

The Purpose is to ensure relevance of testing and protection of operational information used for testing. System and acceptance testing usually requires substantial volumes of test information that are as close as possible to operational information, hence test information is carefully selected and controlled such that security violations do not occur. Test information must be protected and controlled using the same procedures as for information from operational information systems. Information Owners must implement procedures to ensure that:

  • Using test information extracted from operational information systems is authorized and logged to provide an audit trail;
  • Test information is protected with controls appropriate to the security classification of the information and information system; and,
  • Information from operational information systems is removed from the test environment once testing is complete.

Sensitive or personal information from operational information systems should not be used as test information. Where personal or sensitive information must be used for testing purposes, sensitive details and content should be removed, depersonalized or de-identified. In rare cases when sensitive or personal information from operational systems has to be used for testing purposes, the following conditions must be met:

  • Information Owners must provide a strong business case for the use of operational information containing sensitive or personal data for testing purposes;
  • Privacy Impact Assessment and Security Threat and Risk Assessment must be completed specific to the use of operational information in test;
  • Use of production information for testing purposes must be approved by the Executive Director and Chief Information Officer;
  • Testing with the use of operational information must occur only in a production-like environment;
  • The information to be used for testing purposes in the production-like environment must be handled with the same care and diligence as in the production environment with the same or more stringent security controls;
  • Access to test information must be limited to the minimum number of individuals required to perform testing activities and must be based on clearly defined roles and responsibilities, and formal approval process;
  • Information Owners must ensure that access to sensitive or personal information used for testing is monitored and reviewed on a regular basis to detect inappropriate or unauthorized access attempts, at a minimum once a week;
  • Where sensitive or personal information is used, Information Owners must ensure that only information fields necessary for testing be used (e.g., if successful results can be achieved using the last four digits of a Social Insurance Number, avoid using the whole number);
  • Information Owners must ensure that the smallest subset of sensitive or personal information is used, which is necessary to complete the testing (e.g., if successful results can be achieved using a small number of records, avoid using the whole dataset);
  • Information Owners must maintain detailed project documentation on testing activities and processes for audit purposes, including a list of employees involved in testing, date and time when testing began and ended, any deviations from the established processes or procedures that may affect the existing security controls, and any other relevant information; and,
  • The documentation must demonstrate why the use of sensitive or personal information is necessary.

Information Owners must ensure that the use of personal information for testing purposes does not contravene the requirements of the Freedom of Information and Protection of Privacy Act. Privacy. HR manager should be consulted when test data involves personal information.

Guidelines:
Output from test systems should be labelled “test”.

A.8.34 Protection of information systems during audit testing

Control Objective: Audit tests and other assurance activities involving assessment of operational systems should be planned and agreed between the tester and appropriate management.

The purpose is minimize the impact of audit and other assurance activities on operational systems and business processes. Audit activities involving checks on the operating system shall be carefully planned and agreed upon to minimize the risk of disruption to business processes. Audit requirements and activities involving checks on operational systems must be planned and approved to minimize disruption to business processes. Audit requirements and activities involving checks on operational systems must be planned and approved to minimize disruption to business processes.
a) Management of information systems compliance checking
b)Protection of information system audit tools

a) Management of information systems compliance checking
Prior to commencing compliance checking activities such as audits, risk and controls reviews, monitoring or security reviews of operational information systems, the Manager responsible for the compliance checking activity, Information Owners must define, document, and approve the activities by:

  • Determining the scope, duration, and level of detail of the compliance checking activity;
  • Limiting access rights to operational information systems for compliance checking employees to “read-only”;
  • Determining handling requirements for copies of files made by compliance checking employees including:
    • establishing a separate environment for the analysis of files,
    • restricting access to those files,
    • logging the accesses made to those files, and,
    • erasing files at the conclusion of compliance checking activities unless needed to support report findings;
  • Identifying special testing or processing which may impact the operational information system (e.g., penetration tests, server vulnerability assessments) and by:
    • notifying the Chief Information Security Officer prior to compliance checking activities to prevent triggering false security alarms from the infrastructure, and,
    • scheduling tests to minimize disruption;
  • Submitting the reports of penetration tests or vulnerability assessments to the Chief Information Security Officer immediately upon receipt; and,
  • Requiring that employees conducting compliance checking activities maintain segregation of duty from the operational information systems being checked.

Guidance for compliance checking activities can be obtained from the Information Security Branch, Office of  Chief Information Officer.

b) Protection of information system audit tools
Managers responsible for compliance checking activities and Information Custodians must control the use of audit tools by:

  • Restricting access to authorized employees who have a need-to-know;
  • Installing or enabling specialized audit tools for the duration required by the compliance checking activity;
  • Removing information system access at the conclusion of the compliance checking activities; and,
  • Notifying the Chief Information Security Officer prior to the use of audit tools.

12.  ISMS Master list of Records and its Retention Period

Sl. NoRecord NameResponsibilityClassification of InformationRetention Period
          1.Security Council Meeting MinutesMRRestricted1 Year
          2.Corrective Action RecordMRRestricted1Year
          3.Preventive Action RecordMRRestricted1 Year
          4.User Registration & Deregistration Record Restricted1 Year
          5.Incident LogMRRestricted3 Years
  6.Asset RecordMRRestricted3 Years
          7.Risk Assessment RecordMRRestricted3 Years
          8.List of Applicable LegislationsMRRestricted3 Years
          9.Server LogsSystem AdministratorInternal1 Year
       10.NC ReportsMRRestricted3 Years
       11.BCP RecordIT ManagerRestricted3 Years
       12.Change Request RecordSystem AdminInternal3 Years
       13.Change Request Impact Analysis RecordSystem AdminInternal3 Years
       14.Software License Usage Monitoring ReportSystem AdminInternal1 Year
       15.Bandwidth Monitoring ReportSystem AdminInternal6 Months
       16.H/W and S/W Verification RecordsSystem AdminInternal1 Year
 17.List of authorized persons for sensitive dataMR/CISORestricted1 Year
 18.Antivirus record of user machinesSystem AdminInternal1 Year
 19.Backup logsSystem AdminInternal1 Year
 20.Backup restoration logsSystem AdminInternal1 Year
 21.Network Access Authorization RecordsSystem AdminRestricted1 Year
 22.Media Disposal RecordsMRInternal3 years
 23.Visitor Log BookSystem AdminInternal 
 24.Management Authorization Approval sheetMRConfidential3 years
 25.Contract for Power SupplyMRInternal 
 26.Contract for DG SetMRInternal 
 27.Contract for Air ConditionerMRInternal 
 28.Contract for Security AgencyAdminInternal 
 29.Contract for Fire preventionAdminInternal 
 30.Contract for Leased LineMRInternal3 years
 31.Contract for FMMRInternal 
 32.Contract for Antivirus ProtectionMRInternal1 year
 33.Third Party Contract & NDA documentsMRRestricted3 years
 34.IBM/MacAfee Service Level AgreementMRRestricted3 years
 35.Background Verification RecordHRConfidential 
 36.KPI related recordsMRInternal 
 37.ISMS PlanMRInternal 

ISO 27001:2022 A 8.6 Capacity management

Capacity management is the broad term describing a variety of IT monitoring, administration and planning actions that are taken to ensure that a computing infrastructure has adequate resources to handle current data processing requirements as well as the capacity to accommodate future loads.The primary goal of capacity management is to ensure that IT resources are rightsized to meet current and future business requirements in a cost-effective manner. Capacity management, in the context of ICT, isn’t limited to ensuring that organisations have adequate space on servers and associated storage media for data access and Backup and Disaster Recovery (BUDR) purposes. Organisations need to ensure that they have the ability to operate with a set of resources that cater to a broad range of business functions, including HR, information processing, the management of physical office locations and attached facilities. All of these functions have the ability to adversely affect an organisation’s information management controls. The use of resources must be monitored, tuned and projections made of future capacity requirements to ensure the required system performance to meet the business objectives. Capacity management typically looks at three primary types; Data storage capacity – (e.g. in database systems, file storage areas etc.); Processing power capacity – (e.g. adequate computational power to ensure timely processing operations.); and Communications capacity – (often referred to as “bandwidth” to ensure communications are made in a timely manner). Capacity management also needs to be; Pro-active – for example, using capacity considerations as part of change management; Re-active – e.g. triggers and alerts for when capacity usage is reaching a critical point so that timely increases, temporary or permanent can be made.

Control

The use of resources should be monitored and adjusted in line with current and expected capacity requirements.

Purpose

To ensure the required capacity of information processing facilities, human resources, offices and other facilities.

ISO 27002 Implementation Guidance

Capacity requirements for information processing facilities, human resources, offices and other facilities should be identified, taking into account the business criticality of the concerned systems and processes. System tuning and monitoring should be applied to ensure and, where necessary, improve the availability and efficiency of systems. The organization should perform stress-tests of systems and services to confirm that sufficient system capacity is available to meet peak performance requirements. Detective controls should be put in place to indicate problems in due time. Projections of future capacity requirements should take account of new business and system requirements and current and projected trends in the organization’s information processing capabilities. Particular attention should be paid to any resources with long procurement lead times or high costs. Therefore, managers, service or product owners should monitor the utilization of key system resources. Managers should use capacity information to identify and avoid potential resource limitations and dependency on key personnel which can present a threat to system security or services and plan appropriate action. Providing sufficient capacity can be achieved by increasing capacity or by reducing demand. The following should be considered to increase capacity:
a) hiring new personnel;
b) obtaining new facilities or space;
c) acquiring more powerful processing systems, memory and storage;
d) making use of cloud computing, which has inherent characteristics that directly address issues of capacity. Cloud computing has elasticity and scalability which enable on-demand rapid expansion and reduction in resources available to particular applications and services.

The following should be considered to reduce demand on the organization’s resources:
a) deletion of obsolete data (disk space);
b) disposal of hardcopy records that have met their retention period (free up shelving space);
c) decommissioning of applications, systems, databases or environments;
d) optimizing batch processes and schedules;
e) optimizing application code or database queries;
f) denying or restricting bandwidth for resource-consuming services if these are not critical (e.g. video streaming).
A documented capacity management plan should be considered for mission critical systems.

The methodologies and processes used for IT capacity management may vary, it requires the ability to monitor IT resources closely enough to be able to gather and measure basic performance metrics. With that data in hand, IT managers and administrators can set baselines for operations to meet a company’s processing needs. The baselines — or benchmarks — represent average performance over a specific period of time and can be used to detect deviations from those established levels. Capacity management tools measure the volumes, speeds, latencies and efficiency of the movement of data as it is processed by an organization’s applications. All facets of data’s journey through the IT infrastructure must be monitored, so capacity management must be able to examine the operations of all the hardware and software in an environment and capture critical information about data flow. Capacity planning is typically based on the results and analysis of the data gathered during capacity management activities. By examining performance variances over time, IT management can use those performance statistics to help develop models describing anticipated processing which can be used for short- and long-term planning. By noting which particular resources are being stressed, current configurations can be appropriately revised and IT planners can assemble purchasing plans for hardware and software that will help meet future demands. Measurement and analysis tools must be able to observe the individual performances of IT assets, as well as how these assets interact. A comprehensive capacity management process should be able to monitor and measure the following IT elements:

  • Servers
  • End-user devices
  • Networks and related communications devices
  • Storage systems and storage network devices
  • Cloud services

Organisation’s ability to operate as a business on an ongoing basis depends upon the following:

  1. Organisations should consider business continuity as a top priority when implementing capacity management controls, including the wholesale implementation of detective controls that flag up potential issues before they occur.
  2. Capacity management should be based upon the proactive functions of tuning and monitoring. Both of these elements should work in harmony to ensure that systems and business functions are not compromised.
  3. In operational terms, organisations should perform regular stress tests that interrogate a systems ability to cater to overall business needs. Such tests should be formulated on a case-by-case basis and be relevant to the area of operation that they are targeted at.
  4. Capacity management controls should not be limited to an organisation’s current data or operational needs, and should include any plans for commercial and technical expansion (both from a physical and digital perspective) in order to remain as future-proof as is realistically possible.
  5. Expanding organisational resources is subject to varying lead times and costs, depending on the system or business function in question. Resources that are more expensive and more difficult to expand should be subject to a higher degree of scrutiny, in order to safeguard business continuity.
  6. Senior Management should be mindful of single points of failure relating to a dependency on key personnel or individual resources. Should any difficulties arise with either of these factors, it can often lead to complications that are markedly more difficult to rectify.
  7. Formulate a capacity management plan that deals specifically with business critical systems and business functions.

A dual-fronted approach to capacity management that either increases capacity, or reduces demand upon a resource, or set of resources.When attempting to increase capacity, organisations should:

  • Consider hiring new employees to carry out a business function.
  • Purchase, lease or rent new facilities or office space.
  • Purchase, lease or rent additional processing, data storage and RAM (either on-premise or cloud-hosted).
  • Consider using elastic and scalable cloud resources that expand with the computational needs of the organisation, with minimal intervention.

When attempting to reduce demand, organisations should:

  • Delete obsolete data to free up storage space on servers and attached media.
  • Securely dispose of any hard copies of information that the organisation no longer needs, and is not legally required to obtain, either by law or via a regulatory body.
  • Decommission any ICT resources, applications or virtual environments that are no longer required.
  • Scrutinise scheduled ICT tasks (including reports, automated maintenance functions and batch processes) to optimise memory resources and reduce the storage space taken up by outputted data.
  • Optimise any application code or database queries that are run on a regular enough basis to have an effect on the organisation’s operational capacity.
  • Limit the amount of bandwidth that is allocated to non-critical activities within the boundaries of the organisation’s network. This can include restricting Internet access and preventing video/audio streaming from work devices.

Formal capacity management processes involve conducting system tuning, monitoring the use of present resources and, with the support of user planning input, projecting future requirements. Controls in place to detect and respond to capacity problems can help lead to a timely reaction. This is often especially important for communications networks and shared resource environments (virtual infrastructure) where sudden changes in utilization can in poor performance and dissatisfied users. To address this, regular monitoring processes should be employed to collect, measure, analyze and predict capacity metrics including disk capacity, transmission throughput, service/application utilization. Also, periodic testing of capacity management plans and assumptions (whether tabletop exercises or direct simulations) can help proactively identify issues that may need to be addressed to preserve a high level of availability of services for critical services.

Whether capacity management is achieved via software, hardware or manual means — or a combination of any of those — it relies on the interception of data movement metrics and the internal processes of individual components.Capacity management could have a fairly narrow scope, providing high-level information on a variety of infrastructure components or, perhaps, providing detail metrics related to one segment of the computing environment. The trend, however, is to gather as much information as possible and then to attempt to correlate those measurements into an application-centric picture that focuses on the performance and requirements of mission-critical applications across the environment, rather than how individual components are performing. Still, to achieve that application-centric view of capacity management, virtually all elements of the IT infrastructure must be monitored and the definition of capacity must be broad enough to consider the impact an application will have on processing power, memory, storage capacity and speed for all physical and software components comprising an infrastructure.

  • Performance — is a key metric in capacity management as it may point to processing bottlenecks that affect overall application processing performance. The central processor unit (CPU) in servers and other connected devices, such as routers, storage and controllers, should be monitored to ensure that their processing capabilities are not frequently “pinning” at or near 100%. An overtaxed processor would be a candidate for upgrading.
  • Memory is also a factor in capacity management. Servers and other devices use their installed memory to run applications and process data — if too little memory is installed, processing will slow down. It’s relatively easy to determine if a server has adequate memory resources, but it’s also important to monitor other devices in the environment to ensure that insufficient memory doesn’t turn them into processing bottlenecks.
  • Physical space is what is most commonly associated with capacity management, with the focus generally on storage space for applications and data. Storage systems that are near capacity will have longer response times, as it takes longer to locate specific data when drives — hard disk or solid-state — are full or nearly full. As with processor and memory measurements, it’s important to monitor space usage in devices other than servers and end-user PCs that may have installed storage that’s used for caching data.

Capacity management in networking
Managing the capacity of IT networks can be a complex process given the number of different networking elements that can be found in an enterprise environment. The number and type of networks being monitored is likely to vary as well. In addition to the wired and wireless Ethernet-based network infrastructure that connects servers to storage, end-user devices, networking gear, etc., comprehensive network capacity management must also consider dedicated storage networks based on Fibre Channel technologies; the FC networks are likely to be physically isolated from other data networks and will require different tools for monitoring and management. External networking should also be monitored. Again, different tools will be required to track traffic and performance for network connections to remote offices and users, the internet and to cloud services. The networking devices that should be monitored include network interface cards (NICs), network switches, network routers, storage network interfaces (e.g., host bus adapters), storage network switches and optical network devices. Although capacity management for networks doesn’t directly address security, it can be a good method of keeping track of network access, which can help inform security procedures.

Benefits of capacity management
Capacity management provides many benefits to an IT organization and is a factor in overall management of a computing infrastructure. In addition to ensuring that systems are performing at adequate levels to achieve a company’s goals, capacity management can often realize cost savings by avoiding over-provisioning of hardware and software resources. It can also help save money and time by identifying extraneous activities like backing up unused data or maintaining idle servers.Good capacity management can also result in more-effective purchasing to accommodate future growth by being able to more accurately anticipate needs and, thus, make purchases when prices may be lower. By constantly monitoring equipment and processing, problems that might have hindered production may be avoided, such as bottlenecks or imminent equipment failures.

Components of capacity management
The activities that support the capacity management process are crucial to the success and maturity of the process. Some of these are done on an ongoing basis, some daily, some weekly, and some at a longer, regular interval. Some are ad-hoc, based on current (or future) needs or requirements. Let’s look at those:

  • Monitoring – Keeping an eye on the performance and throughput or load on a server, cluster, or data center is extremely important. Not having enough headroom can cause performance issues. Having too much headroom can create larger-than-necessary bills for hardware, software, power, etc.
  • Analysis – Taking that measurement and monitoring data and drilling down to see the potential impact of changes in demand. As more and more data become available, having the tools needed to find the right data and make sense of it is very important.
  • Tuning – Determining the most efficient use of existing infrastructure should not be taken lightly. A lot of organizations have over-configured significant parts of the environment while under-configuring others. Simply reallocating resources could improve performance while keeping spend at current levels.
  • Demand Management – Understanding the relationship of current and future demand and how the existing (or new) infrastructure can handle this is incredibly important. Predictive analytics can provide decision support to IT management. Also, moving non-critical workloads to quieter periods can delay purchase of additional hardware (and all the licenses and other costs that go with it).
  • Capacity Planning – Determining the requirements for resources required over some future time. This can be done by predictive analysis, modeling, benchmarking, or other techniques – all of which have varying costs and levels of effectiveness.

ISO 27001:2022 Information Security Management System

https://preteshbiswas.com/wp-content/uploads/2019/07/ISO-27001_2022-Information-Security-Management-System-Requirements.wav

Overview of an Information Security Management System

Information security is the protection of information to ensure:

  • Confidentiality: ensuring that the information is accessible only to those authorized to access it.
  • Integrity: ensuring that the information is accurate and complete and that the information is not modified without authorization.
  • Availability: ensuring that the information is accessible to authorized users when required.

Information security is achieved by applying a suitable set of controls (policies, processes, procedures, organizational structures, and software and hardware functions). An Information Security Management System (ISMS) is the way to protect and manage information based on a systematic business risk approach, to establish, implement, operate, monitor, review, maintain, and improve information security. It is an organizational approach to information security.
ISO publishes two standards that focus on an organization’s ISMS:

  • The code of practice standard: ISO 27002. This standard can be used as a starting point for developing an ISMS. It provides guidance for planning and implementing a program to protect information assets. It also provides a list of controls (safeguards) that you can consider implementing as part of your ISMS.
  • The management system standard: ISO 27001. This standard is the specification for an ISMS. It explains how to apply ISO/IEC 27002. It provides the standard against which certification is performed, including a list of required documents. An organization that seeks certification of its ISMS is examined against this standard.

The standards set forth the following practices:

  • All activities must follow a method. The method is arbitrary but must be well defined and documented.
  • A company or organization must document its own security goals. An auditor will verify whether these requirements are fulfilled.
  • All security measures used in the ISMS shall be implemented as the result of risk analysis in order to eliminate or reduce risks to an acceptable level.
  • The standard offers a set of security controls. It is up to the organization to choose which controls to implement based on the specific needs of their business.
  • A process must ensure the continuous verification of all elements of the security system through audits and reviews.
  • A process must ensure the continuous improvement of all elements of the information and security management system. (The ISO 27001 standard adopts the Plan-Do-Check-Act [PDCA] model as its basis and expects the model will be followed in an ISMS implementation.)

ISO 27001:2022 structure

Clause 0: Introduction

This Standard provides requirements for establishing, implementing, maintaining and continually improving an information security management system. The organization will implement the information security management as a strategic decision influenced by its needs objectives, security requirements, processes , its size and structure of the organization. The introduction also draws attention to the order in which requirements are presented, stating that the order does not reflect their importance or imply the order in which they are to be implemented. The Introduction refers to just requirements instead of any models, and it now states explicitly the objective of an information security management system (ISMS) is to preserve the confidentiality, integrity, and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed’. It also emphasizes that the ISMS is part of and integrated with the organization’s processes and overall management structure; this reinforces a key message – the ISMS is not a bolt-on to the business. It reinforces this by stating that information security is considered in the design of processes, information systems, and controls. . The compatibility with other management system standards remains and is tangibly demonstrated and reinforced by the adoption of Annex SL.

Clause 1: Scope

The purpose of this clause is to state the applicability of the standard through the requirements to establish, implement and continually improving an ISMS within the context of the organization. It goes on to require the assessment and treatment of information security risks tailored to the needs of the organization. This is a generic standard and is applicable to all organization irrespective of its size , nature and type. To claim conformity to this standard exclusions are not acceptable.

Clause 2: Normative references

The only normative reference is to ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary.

Clause 3: Terms and definitions

There are no terms and definitions included. All the terms and definitions given in ISO/IEC 27000 apply which includes the the common terms and definitions given in Annex SL are included. A comparison should be made and where necessary, further clarification sought from the other documents referenced. However, please ensure that you use a version of ISO/IEC 27000 that was published after ISO/IEC 27001:2022 otherwise it will not contain the correct terms or definitions. This is an important document to read. Many definitions, for example ‘management system’ and ‘control’, have been changed and now conform to the definitions given in the new ISO directives and ISO 31000. If a term is not defined in ISO/IEC 27000, please use the definition given in the Oxford English Dictionary. This is important, otherwise, confusion and misunderstanding may be the result

ISO and IEC maintain terminology databases used in ISO 27000/27001 at the following addresses:
— 1SO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org

Clause 4: Context of the organization

This clause that in part addresses the depreciated concept of preventive action and in part establishes the context for the ISMS. It meets these objectives by drawing together relevant external and internal issues i.e. those that affect the organization’s ability to achieve the intended outcome of its ISMS with the requirements of interested parties to determine the scope of the ISMS. It should be noted that the term ‘issue’ covers not only problems, which would have been the subject of preventive action in the previous standard, but also important topics for the ISMS to address, such as any market assurance and governance goals that the organization might set for the ISMS.
Note that the term ‘requirement’ is a ‘need or expectation that is stated, generally implied or obligatory’. Combined with Clause 4.2, this in itself can be thought of as a governance requirement, as strictly speaking an ISMS that did not conform to generally-accepted public expectations could now be ruled non-conformance with the standard.You must identify the “relevant” requirements of interested parties and determine which will be addressed through the ISMS .
The final requirement (Clause 4.4) is to establish, implement, maintain and continually improve the ISMS including the process needed and their interaction in accordance with the requirements the standard.

Clause 5: Leadership

This clause places requirements on ‘top management’ which is the person or group of people who directs and controls the organization at the highest level. Note that if the organization that is the subject of the ISMS is part of a larger organization, then the term ‘top management’ refers to the smaller organization. The purpose of these requirements is to demonstrate leadership and commitment by leading from the top. A particular responsibility of top management is to establish the information security policy, and the standard defines the characteristics and properties that the policy is to include. Finally, the clause places requirements on top management to assign information security-relevant responsibilities and authorities, highlighting two particular roles concerning ISMS conformance to ISO  27001 and reporting on ISMS performance.

Clause 6: Planning

Clause 6.1.1 (General) works with Clauses 4.1 and 4.2 to complete the new way of dealing with preventive actions. The first part of this clause (i.e. down to and including 6.1.1 c)) concerns risk assessment whilst Clause 6.1.1 d) concerns risk treatment. As the assessment and treatment of information security risk is dealt with in Clauses 6.1.2 and 6.1.3, then organizations could use this clause to consider ISMS risks and opportunities.
Clause 6.1.2 (Information security risk assessment) specifically concerns the assessment of information security risk. In aligning with the principles and guidance given in ISO 31000, this clause removes the identification of assets, threats, and vulnerabilities as a prerequisite to risk identification. This widens the choice of risk assessment methods that an organization may use and still conforms to the standard. The clause also refers to ‘risk assessment acceptance criteria’, which allows criteria other than just a single level of risk. Risk acceptance criteria can now be expressed in terms other than levels, for example, the types of control used to treat risk. The clause refers to ‘risk owners’ rather than ‘asset owners’ and later requires their approval of the risk treatment plan and residual risks.In also requires organizations to assess consequence, likelihood, and levels of risk.

Clause 6.1.3, (Information security risk treatment) concerns the treatment of information security risk. It refers to the ‘determination’ of necessary controls rather than selecting controls from Annex A. Nevertheless, the standard retains the use of Annex A as a cross-check to make sure that no necessary control has been overlooked, and organizations are still required to produce a Statement of Applicability (SOA). The formulation and approval of the risk treatment plan is now part of this clause.
Clause 6.2, ( Information security objectives and planning to achieve them) concerns information security objectives. It uses the phrase “relevant functions and levels”, where here, the term ‘function’ refers to the functions of the organization, and the term ‘level’, its levels of management, of which ‘top management’ is the highest. The clause defines the properties that an organization’s information security objectives must possess. Information security objectives must be monitored and made “available as documented information”

Clause 6.3 (Planing of change) is about how to ensure that changes in ISMS is in planned manner.Since it does not specify any processes that must be included, so you should determine how you can demonstrate that changes to the ISMS have indeed been planned.

Clause 7: Support

This clause begins with a requirement that organizations shall determine and provide the necessary resources to establish, implement, maintain and continually improve the ISMS. Simply expressed, this is a very powerful requirement covering all ISMS resource needs. The Support clause identifies what is required to establish, implement and maintain and continually improve an effective ISMS, including:

  • Resource requirements
  • Competence in terms of education, training and experience of people involved in Information security performance
  • Awareness of Information security policy, security performance and implication of not conforming with the ISMS requirements.
  • communication on what, when, with whom, how to with interested parties.

Finally, there are requirements for ‘documented information’. The standard refers to “documented information” rather than “documents and records” and requires that they are retained as evidence of competence These requirements relate to the creation and updating of documented information and to their control. There is no longer a list of documents you need to provide or particular names they must be given. The new revision puts the emphasis on the content rather than the name. Note that the requirements for documented information are presented in the clause to that they refer to.

Clause 8: Operation

The organization must plan, implement and control the processes needed to meet information security requirements and to implement the actions determined in the standard.The organization must establish criteria for processes to implement actions identified in Clause 6, and to control those processes in line with the criteria. They are required to control “externally provided processes, products or services” relevant to the ISM The organization must perform information security risk assessments at planned intervals, and shall also implement the information security risk treatment plan. This clause deals with the execution of the plans and processes that are the subject of previous clauses. Organizations must plan and control the processes needed to meet their information security requirements including:

  • keeping documents
  • management of change
  • responding to adverse events
  • the control of any outsourced processes

Operation planning and control also mandate the carrying out of information security risk assessments at planned intervals and the implementation of an information security risk treatment plan.
Clause 8.1 deals with the execution of the actions determined in Clause 6.1, the achievement of the information security objectives and outsourced processes;
Clause 8.2 deals with the performance of information security risk assessments at planned intervals, or when significant changes are proposed or occur; and
Clause 8.3 deals with the implementation of the risk treatment plan.

Clause 9: Performance evaluation

The organization shall evaluate the information security performance and the effectiveness of the information security management system. The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system conforms to the organization’s own requirements and to the International Standard requirements.

The first paragraph of Clause 9.1 (Monitoring, measurement, analysis, and evaluation) states the overall goals of the clause. As a general recommendation, determine what information you need to evaluate the information security performance and the effectiveness of your ISMS. Work backward from this ‘information need’ to determine what to measure and monitor, when who and how. There is little point in monitoring and making measurements just because your organization has the capability of doing so. Only monitor and measure if it supports the requirement to evaluate information security performance and ISMS effectiveness. Note that an organization may have several information needs, and these needs may change over time. For example, when an ISMS is relatively new, it may be important just to monitor the attendance at, say, information security awareness events. Once the intended rate has been achieved, the organization might look more towards the quality of the awareness event. It might do this by setting specific awareness objectives and determining the extent to which the attendees have understood what they have learned. Later still, the information need may extend to determine what impact this level of awareness has on information security for the organization.A comparable and reproducible method for monitoring, measurement, analysis and evaluation should be selected to give a valid result.
Internal audits and management review continue to be key methods of reviewing the performance of the ISMS and tools for its continual improvement. he requirements include conducting internal audits at planned intervals, plan, establish, implement and maintain an audit programme(s), select auditors and conduct audits that ensure objectivity and impartiality of the audit process.
In Clause 9.3 (Management review),  rather than specify precise inputs and outputs, this clause now places requirements on the topics for consideration during the review. The requirement for reviews to be held at planned intervals remains but the requirement to hold the reviews at least once per year has been dropped.

Clause 10: Improvement

Due to the new way of handling preventive actions, there are no preventive action requirements in this clause. However, there are some new corrective action requirements. The first is to react to nonconformity and take action, as applicable, to control and correct the nonconformity and deal with the consequences. The second is to determine whether similar nonconformity exist, or could potentially occur. Although the concept of preventive action has evolved there is still a need to consider potential nonconformity, albeit as a consequence of an actual nonconformity. There is also a new requirement to ensure that corrective actions are appropriate to the effects of the nonconformity encountered. The requirement for continual improvement has been extended to cover the suitability and adequacy of the ISMS as well as its effectiveness, but it no longer specifies how an organization achieves this

Annex A Information security controls reference

Information security controls can be categorized into 4 groups or theme. These are:

  1. people, if they concern individual people;
  2. physical, if they concern physical objects;
  3. technological, if they concern technology;
  4. otherwise they are categorized as organizational.

5 Organizational controls

5.1 Policies for information security

Control
Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.

The purpose of this control is to ensure continuing suitability, adequacy, effectiveness of management direction and support for information security in accordance with business, legal, statutory, regulatory and contractual requirements.Management should define a set of policies to clarify their direction of, and support for, information security. At the top level, there should be an overall “information security policy” A document needs to be created, containing how the organization manages information security objectives. This document needs to be approved by management, and needs to contain both high- and low-level policies. Once the policies are in place, they need to be reviewed regularly. The best approach to this is to set a regular meeting and plan an extra meeting in between should the situation require it. If any changes are made, management needs to give their approval. The policies should be shared with internal and external stakeholders.

5.2 Information security roles and responsibilities

Control
Information security roles and responsibilities should be defined and allocated according to the organization needs.

The purpose of this control is to establish a defined, approved and understood structure for the implementation, operation and management of information security within the organization. The policy needs to define who is responsible for what asset, process, or information security risk activity. It is important that the assignment is done clearly and for all assignments. Make sure that the roles and responsibilities suit your organization; a small team of five probably does not need a full time security officer.

5.3 Segregation of duties

Control
Conflicting duties and conflicting areas of responsibility should be segregated.

The purpose of this control is to reduce the risk of fraud, error and bypassing of information security controls. To prevent any misuse of company assets, the “power” to fully control a sensitive activity should not lie with the same person. The best way to implement this is to log all activities and split important tasks in doing and checking or approving and initiating. This prevents fraud and error, e.g. in the case of having one person create and sign all company cheques.

5.4 Management responsibilities

Control
Management should require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organization.

The purpose of this control is to ensure management understand their role in information security and undertake actions aiming to ensure all personnel are aware of and fulfill their information security responsibilities. Management needs to make sure all employees and contractors are aware of and follow the organization’s information security policy. They should lead by being an example and show that Information Security is both useful and necessary.

5.5 Contact with authorities

Control
The organization should establish and maintain contact with relevant authorities.

The purpose of this control is to ensure appropriate flow of information takes place with respect to information security between the organization and relevant legal, regulatory and supervisory authorities. It should be clear who is responsible for contacting authorities (e.g. law enforcement, regulatory bodies, supervisory authorities), which authorities should be contacted (e.g. which region/country), and in what cases this needs to happen. A quick and adequate response to incidents can greatly decrease the impact, and may even be mandatory by law.

5.6 Contact with special interest groups

Control
The organization should establish and maintain contact with special interest groups or other specialist security forums and professional associations.

The purpose of this control is to ensure appropriate flow of information takes place with respect to information security.To make sure that the latest information security trends and best practices are kept up with, good contact with special interest groups should be maintained by personnel with ISMS tasks. Such groups can be asked for expert advice in certain cases, and be a great source for improving one’s own knowledge.

5.7 Threat intelligence

Control
Information relating to information security threats should be collected and analysed to produce threat intelligence.

The purpose of this control is to provide awareness of the organization’s threat environment so that the appropriate mitigation actions can be taken. Reacting to threats does little to prevent their first materialized occurrence. By collecting and analyzing information about threats to your organization, you have a better idea of which protection mechanisms need to be put in place to protect against the threats that are relevant to your organization. Computer chip manufacturers need to prepare for targeted IP-theft attacks by state actors, but for a small SaaS-provider, automated phishing mails are a greater threat.

5.8 Information security in project management

Control
Information security should be integrated into project management.

The purpose of this control is to ensure information security risks related to projects and deliverables are effectively addressed in project management throughout the project life cycle. To assure a successful organization wide ISMS implementation, information security should be considered and documented in all projects in the form of requirements. These requirements can stem from business, legal, and compliance with other standards or regulations. If you have project management handbooks or templates, an information security chapter should be included.

5.9 Inventory of information and other associated assets

Control
An inventory of information and other associated assets, including owners, should be developed and maintained.

The purpose of this control is to identify the organization’s information and other associated assets in order to preserve their information security and assign appropriate ownership. The organization should have identified of all information- and information processing assets. All the assets must be drawn up in an inventory, which should be properly maintained. Knowing what assets there are, their importance, where they are, and how they are handled is essential in identifying and predicting risks. It might even be mandatory for legal obligations or insurance purposes.
All assets in the inventory, so of the whole company if the inventory is complete, must have an owner. Thanks to asset ownership, assets are watched and taken care of through their whole life cycle. Similar assets may be grouped and the day to day supervision of an asset may be left to a so-called custodian, but the owner remains responsible. Asset ownership must be approved by management.

5.10 Acceptable use of information and other associated assets

Control
Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented.

The purpose of this control is to ensure information and other associated assets are appropriately protected, used and handled. There should be well-document rules for accessing information assets. Users of the asset should be aware of the information security requirements regarding asset use, and follow them. For the handling of assets, procedures should be in place as well. Personnel need to understand the labeling of assets, and know how to handle different levels of classifications. Since there is no universal standard for classification, it is also important to have knowledge of classification levels of other parties, since they will most likely differ from yours.

5.11 Return of assets

Control
Personnel and other interested parties as appropriate should return all the organization’s assets in their possession upon change or termination of their employment, contract or agreement.

The purpose of this control is to protect the organization’s assets as part of the process of changing or terminating employment, contract or agreement. When an employee or external party may no longer access an asset due to, for example, the end of employment of agreement, they must return the asset to the organization. There should be a clear policy for this, which has to be known by all involved. Non-tangible assets important to current operations such as specific knowledge that is not yet documented should be documented and returned as such.

5.12 Classification of information

Control
Information should be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements.

The purpose of this control is to ensure identification and understanding of protection needs of information in accordance with its importance to the organization. Certain information is considered to be sensitive due to e.g. monetary or legal value, and has to remain confidential while other information is less crucial. The organization should have a policy in place on how to handle classified information. The accountability to classify information assets lies with its owner. To distinguish between the importance of different classified assets, it can be useful to implement several levels of confidentiality from non-existent to severely impacting the organization’s survival.

5.13 Labeling of information

Control
An appropriate set of procedures for information labeling should be developed and implemented in accordance with the information classification scheme adopted by the organization.

The purpose of this control is to facilitate the communication of classification of information and support automation of information processing and management. Not all information falls in the same category, as discussed in 5.12 above. It is, therefore, important to label all information in accordance to their classification. When information is handled, stored, or exchanged it may be vital to know the classification of the object. The labels should be easily recognizable. The procedures should give guidance on where and how labels are attached in consideration of how the information is accessed or the assets are handled depending on the types of storage media..

5.14 Information transfer

Control
Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties.

The purpose of this control is to maintain the security of information transferred within an organization and with any external interested party. Information is shared inside and outside the organization. There should be a protocol for all types of information sharing, including digital documents, physical documents, video, but also by word of mouth. Clear rules on how information can be safely shared helps lower the risk of information contamination and leaks. Information that is shared between the organization and external parties needs to be preceded by an information transfer agreement. This way, the source, content, confidentiality, transfer medium, and destination of the information transfer is known by and agreed upon by both parties. Business communication often happens by means of electronic messaging. Organizations are advised to have an overview of approved types of electronic messaging and should document how these are protected and may be used.

5.15 Access control

Control
Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements.

The purpose of this control is to ensure authorized access and to prevent unauthorized access to information and other associated assets. An access control policy should be in place to define how access is managed, and who is allowed to access what. The rules per asset lie with the asset owners, who set up requirements, restrictions, and rights for the access to “their” asset. Frequently used terms in an access control policy are need-to-know and need-to-use, where the former restricts the access rights only to information an employee needs to perform their task and the latter restricts the access rights only to information processing facilities needed to perform the task.

5.16 Identity management

Control
The full life cycle of identities should be managed.

The purpose of this control is to allow for the unique identification of individuals and systems accessing the organization’s information and other associated assets and to enable appropriate assignment of access rights. To assign access rights to assets and networks and keep track of who actually does the accessing, users need to be registered under an ID. When an employee leaves an organization, the ID and access to it should be removed. When an employee only needs to be denied access, the access of the ID can be limited. Even though using another employee’s ID might be quicker and easier to access something, this should not be allowed by management in most cases. Sharing ID’s removes the link between an access limitation and an employee, and makes it nearly impossible to keep the right person responsible for their actions. Assigning, altering, and ultimately deleting an identity is often called the identity life cycle.

5.17 Authentication information

Control
Allocation and management of authentication information should be controlled by a management process, including advising personnel on the appropriate handling of authentication information.

The purpose of this control is to ensure proper entity authentication and prevent failures of authentication processes. Secret authentication, such as passwords and access cards, must be managed in a formal process. Other important activities that should be stated in the policy are, for example, forbidding users to share secret authentication information, giving new users a password that has to be changed on first use, and having all systems authenticate a user by requiring a user’s secret authentication information (password on PC, swiping access card for doors).
If password management systems are used, they need to provide good passwords and strictly follow the organizations secret authentication information policy. The passwords themselves should be stored and transmitted securely by the password management system.

5.18 Access rights

Control
Access rights to information and other associated assets should be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control.

The purpose of this control is to ensure access to information and other associated assets is defined and authorized according to the business requirements. Management should have a system in place for the provisioning and revoking of access rights. It is advised to create certain roles based on activities certain types of employees perform, and give the same basic access rights to them. Part of having a system in place is having repercussions for attempted unauthorized access. Employees have no need to try to access places they should not, since access rights can easily be requested from the asset owner and/or management. Organisations and their employees are not static. Roles change or employees leave the company, constantly changing access needs. Asset owners should regularly review who may access their asset, while role changing or leaving should trigger an access rights review by management. Since privileged access rights are more sensitive, they should be reviewed more often. Once a contract or agreement has been terminated, the access rights of the receiving party should be removed.

5.19 Information security in supplier relationships

Control
Processes and procedures should be defined and implemented to manage the information security risks associated with the use of supplier’s products or services.

The purpose of this control is to maintain an agreed level of information security in supplier relationships. Since suppliers have access to certain assets, organizations need to establish a policy stating requirements for risk mitigation. This policy needs to be communicated to suppliers and agreed upon. Examples of such requirements are predetermined logistic processes, an incident process obligations for both sides, Non Disclosure Agreements, and documentation of the supplying process.

5.20 Addressing information security within supplier agreements

Control
Relevant information security requirements should be established and agreed with each supplier based on the type of supplier relationship.

The purpose of this control is to maintain an agreed level of information security in supplier relationships. Every supplier that in any way, directly or indirectly, comes into contact with the organization’s information must follow the set information security requirements and agree to them. Examples are requirements on information classification, acceptable use, and rights to audit. An easily forgotten aspect of an agreement is what to do when the supplier cannot or will not supply anymore. It is important to implement a clause for that.

5.21 Managing information security in the ICT supply chain

Control
Processes and procedures should be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.

The purpose of this control is to maintain an agreed level of information security in supplier relationships. Agreements with suppliers should also state the information security requirements and agreements on ICT services and supply chain. Examples of included requirements are the need to be able to follow items through the supply chain, and that a certain minimal level of security is maintained at every level of the “chain”.

5.22 Monitoring, review and change management of supplier services

Control
The organization should regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.

The purpose of this control is to maintain an agreed level of information security and service delivery in line with supplier agreements. Everyone makes mistakes, and so do suppliers. Whether the mistake happened by accident or deliberately , the result is the same: the organization does not receive exactly what has been agreed upon and trust may decrease. For this reason, organizations should keep an eye on suppliers, and audit them where felt necessary. This way, an organization is aware when a supplier does something out of the ordinary. Just like with system changes, management needs to control any changes in supplier services. They need to make sure that information security policies are up to date and any changes in the provision of the service itself is managed. A small change in the provided service combined with an outdated information security policy might result in a large new risk. Supplier-side changes can easily occur, for example when the service is enhanced, a new app or system is supplied, or the supplier’s policies and procedures change.

5.23 Information security for use of cloud services

Control
Processes for acquisition, use, management and exit from cloud services should be established in accordance with the organization’s information security requirements.

The purpose of this control is to specify and manage information security for the use of cloud services. Cloud suppliers offer a service that, when in use, is more often than not a vital part of an organisation’s infrastructure. Office documents are stored in the cloud, but many SaaS-providers offer their product to their customers via a cloud provider such as Amazon AWS, Microsoft Azure, or Google Cloud. The risks surrounding this critical part of the organisation should be appropriately mitigated. Organizations should have processes for using, managing, and leaving (exit strategy) a used cloud. Severing ties with a cloud provider often means a new cloud provider is on the horizon, so controlling the purchasing and on boarding onto a new cloud should not be forgotten either. Just like any other third party software, a new cloud environment should allow you to keep your desired level of information security, not compromise it.

5.24 Information security incident management planning and preparation

The purpose of this control is to ensure quick, effective, consistent and orderly response to information security incidents, including communication on information security events. Organizations need to create and document procedures for information security incidents, and who is responsible for what. This way, should an information security incident occur, it can be handled effectively and quickly. Security incident happen unexpected and can cause quite some chaos, which can be mitigated by having a protocol that is followed by knowledgeable and trained staff.

5.25 Assessment and decision on information security events

Control
The organization should assess information security events and decide if they are to be categorized as information security incidents.

The purpose of this control is to ensure effective categorization and prioritization of information security events. Organizations should have a well document assessment method for security incidents. When a suspicious event occurs, the responsible person is to test the event against the requirements and determine whether there was an actual information security incident. The results of this assessment should be documented, so that they can be used for future reference.

5.26 Response to information security incidents

Control
Information security incidents should be responded to in accordance with the documented procedures.

The purpose of this control is to ensure efficient and effective response to information security incidents. This point seems straight forward, but is still important to mention and sometimes hard to do in practice. Once an information security incident occurs, it needs to be responded to following the set-up procedures by the appointed staff. The pre-determined actions should be taken, and the whole process accurately documented. This helps prevent future occurrences and weed out related security vulnerabilities.

5.27 Learning from information security incidents

Control
Knowledge gained from information security incidents should be used to strengthen and improve the information security controls.

The purpose of this control is to reduce the likelihood or consequences of future incidents. Even though incidents are unwanted, they still possess great value. The knowledge gained from solving an incident should be used to prevent similar incidents in the future, and can help identify a possible systematic problem. With additional controls, it is important to keep an eye on the costs; a new control should not cost the organisation more on an annual basis than the incidents it mitigates.

5.28 Collection of evidence

Control
The organization should establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events

The purpose of this control is to ensure a consistent and effective management of evidence related to information security incidents for the purposes of disciplinary and legal actions. Once an accident occurs, the cause is usually not immediately clear. When the cause is an individual or organization, they should be disciplined based on the intention and effect. To link an incident to a cause, evidence needs to be collected. In case of a malicious action, this evidence and the way it was obtained might be used in legal proceedings. To prevent accidental or deliberate destruction of evidence, there should be a clear and safe evidence identification procedure.

5.29 Information security during disruption

Control
The organization should plan how to maintain information security at an appropriate level during disruption

The purpose of this control is to protect information and other associated assets during disruption. Organizations should determine their requirements for information security continuity in case of a crisis. The easiest choice is to resume standard information security activities as best as possible in an adverse situation. Once the requirements have been determined and agreed upon in management, procedure, plans, and controls should be put in place to resume with an acceptable level of information security in case of a crisis.
As organizations change, the best way to respond to a crisis changes as well. An organization that, for example, doubled in size within a years’ time will most likely benefit from a different response than a year ago. For this reason, the information security continuity controls on a regular basis.

5.30 ICT readiness for business continuity

Control
ICT readiness should be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.

The purpose of this control is to ensure the availability of the organization’s information and other associated assets during disruption. During Business Continuity planning, special attention should be placed on scenarios where IT systems fail. There should be a clear strategy how systems will be restored, who will do this, and how long this may and will take. It should also be clear what “restoring” means in a specific scenario, since having only the core systems running is likely enough for the first week after a complete meltdown.

5.31 Identification of legal, statutory, regulatory and contractual requirements

Control
Legal, statutory, regulatory and contractual requirements relevant to information security and the organization’s approach to meet these requirements should be identified, documented and kept up to date.

The purpose of this control is to ensure compliance with legal, statutory, regulatory and contractual requirements related to information security. Requirements come from all places, and are there to be met. Organizations should therefore have an overview of all information security related requirements they need to comply to, and how this is done. Since requirements can change or get added, the requirement compliance overview needs to be kept up to date. An example of changing requirements is when your organization expands to a new country on a different continent. This country is likely to have different laws on privacy, information storage, and cryptography.

5.32 Intellectual property rights

Control
The organization should implement appropriate procedures to protect intellectual property rights.

The purpose of this control is to ensure compliance with legal, statutory, regulatory and contractual requirements related to intellectual property rights and use of proprietary products Intellectual property (IP) rights, also a part of legal compliance, is an area that deserves special attention. IP can be of great value, so it is important to document one’s own intellectual property and the use of other’s intellectual property well. (Accidental) wrong use of other’s IP may result in large lawsuits, and should be prevented at all costs.

5.33 Protection of records

Control
Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release.

The purpose of this control is to ensure compliance with legal, statutory, regulatory and contractual requirements, as well as community or societal expectations related to the protection and availability of records. Any records, be it accounting records or audit logs, should be protected. Records are at the risk of being lost, compromised, or accessed unauthorized. The requirements for the protection of record might come from the organization itself or from other sources such as legislation or insurance companies. For this, strict guidelines should be created and followed.

5.34 Privacy and protection of Personal Identifiable Information (PII)

Control
The organization should identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements.

The purpose of this control is to ensure compliance with legal, statutory, regulatory and contractual requirements related to the information security aspects of the protection of PII. Depending on the country or economic space an organization is located in, different legislation on the protection of personal data might apply. To organizations situated in the Qatar and/or processing personal data in Qatar, Qatar has implemented Law No. (13) of 2016 Concerning Personal Data Protection. Organizations need to make sure they are aware of the requirements set by such legislation, and follow it religiously. The Law, for example, mandates conducting data processing agreements, keeping a register of processing activity, and data processing transparency.

5.35 Independent review of information security

Control
The organization’s approach to managing information security and its implementation including people, processes and technologies should be reviewed independently at planned intervals, or when significant changes occur.

The purpose of this control is to ensure the continuing suitability, adequacy and effectiveness of the organization’s approach to managing information security. It is impossible for organizations to objectively review their own information security system. For this reason, organizations should have their information security audited by an independent party on a regular basis, or when large changes occur. This keeps an organization’s view of their information security correct and transparent. An independent party can also be a full-time internal auditor, who has the sole task of performing the internal audits and does not have other conflicting tasks and responsibilities.

5.36 Compliance with policies and standards for information security

Control
Compliance with the organization’s information security policy, topic-specific policies, rules and standards should be regularly reviewed.

The purpose of this control is to ensure that information security is implemented and operated in accordance with the organization’s information security policy, topic-specific policies, rules and standards. With all these security policies, standards and procedures, it is important for managers to regularly review whether the activities and/or processes they are responsible for are fully compliant. For this to be done correctly, they should be aware of exactly which rules and requirement they need to comply with and check this manually or with an automatic reporting tool. Information systems need to be regularly reviewed for compliance as well. The easiest and usually most cost-effective way to do this is by means of automated tooling. This tooling can quickly check all the nooks and crannies of a system and report exactly what went/could go wrong. Vulnerability tests such as penetration tests can effectively show any weaknesses, but might actually harm the system when done without caution.

5.37 Documented operating procedures

Control
Operating procedures for information processing facilities should be documented and made available to personnel who need them.

The purpose of this control is to ensure the correct and secure operation of information processing facilities. Procedures for the operating of equipment should be documented and made available to those using the equipment. From the simple procedure of computer use (from start to shut-down) to the use of more complicated equipment there should be a guide on how to safely and correctly operate it. Due to their importance, the procedures should be treated as formal documents, meaning that any changes should be approved by management.

6.0 People control

6.1 Screening

Control
Background verification checks on all candidates to become personnel should be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

The purpose of this control is to ensure all personnel are eligible and suitable for the roles for which they are considered and remain eligible and suitable during their employment An information security management system needs a policy for screening all new or promoted employees, including consultants and temporary staff. This is to ensure that employees are competent and trustworthy. The policy needs to take into account both local legislation and regulations and the role of the new employee to insure that screening is sufficient but not disproportionate. Some roles within an organisation may require a higher level of screening, for example if employees will be handling confidential information. For information security roles in particular, screening should also include necessary competences and trustworthiness, and this should be documented accordingly.

6.2 Terms and conditions of employment

Control
The employment contractual agreements should state the personnel’s and the organization’s responsibilities for information security.

The purpose of this control is to ensure personnel understand their information security responsibilities for the roles for which they are considered. Before beginning work, the employee needs to be aware of the organisation’s information security policy, including information security roles and responsibilities. This could be communicated via a signed code of conduct or similar method. The employees’ contracts should also include the organisation’s relevant information security policy, including a confidentiality agreement if the employee will be have access to confidential information.

6.3 Information security awareness, education and training

Control
Personnel of the organization and relevant interested parties should receive appropriate informationbsecurity awareness, education and training and regular updates of the organization’s information security policy, topic-specific policies and procedures, as relevant for their job function.

The purpose of this control is to ensure personnel and relevant interested parties are aware of and fulfill their information security responsibilities. Employees need information security training when they join the organisation of change roles. Longer serving personnel also need to have their awareness maintained with regular training and communication. The training needs to be relevant to the role. For many staff, this will include basics such as reminders about password security and social-engineering attacks. For technical staff or those handling confidential material more in-depth education will be required for their specific role.

6.4 Disciplinary process

Control
A disciplinary process should be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation.

The purpose of this control is to ensure personnel and other relevant interested parties understand the consequences of information security policy violation, to deter and appropriately deal with personnel and other relevant interested parties who committed the violation. A policy for the disciplinary process following a confirmed information security policy violation should be in place. The disciplinary procedure should be proportionate and graduated, with actions that depend on the severity of the incident, the intention, whether it was a repeat offence and importantly whether the employee was adequately trained. Many recorded security incidents will be the result of a policy violation and should to lead to disciplinary action. This is important to remember because staff should avoid reporting security incidents through fear of disciplinary action.

6.5 Responsibilities after termination or change of employment

Control
Information security responsibilities and duties that remain valid after termination or change of employment should be defined, enforced and communicated to relevant personnel and other interested parties.

The purpose of this control is to protect the organization’s interests as part of the process of changing or terminating employment or contracts. Information security responsibilities do not end when employment is changed or terminated. The employee’s terms and conditions of employment should contain confidentiality agreements, which require the employee to respect the confidentiality of information after they have left the organisation. When an employee leaves, they may also leave information security roles vacant. To maintain continuity of security, management must identify these roles so that they can be transferred.

6.6 Confidentiality or non-disclosure agreements

Control
Confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information should be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.

The purpose of this control is to maintain confidentiality of information accessible by personnel or external parties. If the confidentiality of information is sufficiently high, it may need to be protected by legally enforceable terms. In this case, confidentiality agreements can be used, setting out the information covered, the responsibilities of all parties, the duration of the agreement and the penalties should the agreement be broken. These protect the information from disclosure after the employee has left the organisation for a given time period.

6.7 Remote working

Control
Security measures should be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises.

The purpose of this control is to ensure the security of information when personnel are working remotely. Remote working has become standard at many organisations, giving both organisations and employees more flexibility. There are however information security implications for remote working, which should be considered and documented. The remote working policy should outline where and when remote working in permitted, device and equipment provision, authorized access and what information may be accessed remotely. Of particular importance are policies governing the use of strange networks and the risk that friends, family or strangers may overhear or see confidential information.

6.8 Information security event reporting

Control
The organization should provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.

The purpose of this control is to support timely, consistent and effective reporting of information security events that can be identified by personnel. Employees sometimes encounter information security incidents during their daily work. Incidents can instances such as include human errors, confidentiality breaches, malfunctions, suspected malware infections and non-compliance with the IS policy or the law. The first step in identifying, fixing and preventing incident re occurrence is reporting. Employees therefore need a reporting channel and to be aware of its existence.

7.0 Physical controls

7.1 Physical security perimeter

Control
Security perimeters should be defined and used to protect areas that contain information and other associated assets.

The purpose of this control is to prevent unauthorized physical access, damage and interference to the organization’s information and other associated assets. The first step when protecting a physical space is to define its perimeter. Sensitive or critical areas within the perimeter can then be identified. The perimeter must be sufficiently physically secure to protect the contents, with alarms and intruder detection systems. If necessary a monitored reception can control access. The image at the top of this article is an example of a zone plan showing perimeter and secure areas.

7.2 Physical entry controls

Control
Secure areas should be protected by appropriate entry controls and access points.

The purpose of this control is to ensure only authorized physical access to the organization’s information and other associated assets occurs. Only authorized persons should be able to gain entry to assets and information. The level of restrictions depends on the organizational requirements. Things to consider include personal identification and logging who accesses the premises. A procedure should be in place for receiving visitors to establish their identity, where they are can go and if they must be accompanied. Deliveries also present a risk, both because delivery areas need to be secured and to prevent delivery personnel entering restricted areas.

7.3 Securing offices, rooms and facilities

Control
Physical security for offices, rooms and facilities should be designed and implemented.

The purpose of this control is to prevent unauthorized physical access, damage and interference to the organization’s information and other associated assets in offices, rooms and facilities. Offices need to be secured with digital or physical keys. In general, detailed directories and maps should not be openly accessible as these can highlight the location of sensitive assets.

7.4 Physical security monitoring

Control
Premises should be continuously monitored for unauthorized physical access.

The purpose of this control is to detect and deter unauthorized physical access. Monitoring can deter intruders and detect intrusion. Guards, cameras and alarms all monitor against unauthorized access. The design of any monitoring system should be considered confidential. Regular testing is required to ensure that the system works. Camera surveillance systems and other monitoring systems that collect personal information or may be used to track individual may require special consideration under data protection laws. For example, camera surveillance may require a data protection impact assessment under GDPR legislation.

7.5 Protecting against physical and environmental threats

Control
Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure should be designed and implemented.

The purpose of this control is to prevent or reduce the consequences of events originating from physical and environmental threats Natural or man made disasters and physical attacks threaten information security and business continuity. The level of these risks is highly dependent on location. Floods, fires and large storms are the most likely risks, but the risk from earthquakes, civil unrest and terrorist attacks can also be considered in risk assessments.

7.6 Working in secure areas

Control
Security measures for working in secure areas should be designed and implemented.

The purpose of this control is to protect information and other associated assets in secure areas from damage and unauthorized interference by personnel working in these areas. The existence and purpose of secure environments should only be shared on a need-to-know basis. They should be kept locked, with access limited to authorized persons. Generally, lone-working should be discouraged, for both safety and for security purposes.

7.7 Clear desk and clear screen

Control
Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities should be defined and appropriately enforced.

The purpose of this control is to reduce the risks of unauthorized access, loss of and damage to information on desks, screens and in other accessible locations during and outside normal working hours. Sensitive information left on desks, screens, printers and whiteboards can be accessed by anyone. a clear desk and screen policy defines how and where information can be accessed. A basic policy includes no printed documents left unattended, either at work spaces or printers (clear desk) and locked device screens (clear screen). More detailed policies may be required for sensitive information, for example that information cannot be viewed on a screen in an open environment.

7.8 Equipment siting and protection

Control
Equipment should be sited securely and protected.

The purpose of this control is to reduce the risks from physical and environmental threats, and from unauthorized access and damage. Careful citing of equipment can minimize a host of risks: not just unauthorized access but also the risks due to environmental factors, spilled food and drink, vandalism, and degradation due to light or humidity. The protection required will depend on the sensitivity of the equipment.

7.9 Security of assets off-premises

Control
Off-site assets should be protected.

The purpose of this control is to prevent loss, damage, theft or compromise of off-site devices and interruption to the organization’s operations. Devices, including private devices (bring-your-own-devices), still need protection when they leave the premises. Basics include appropriate physical protection such as covers and theft prevention by not leaving devices unattended. The organization should be aware of what devices are used off premises, by whom, and what information is being accessed or used when off-site.

7.10 Storage media

Control
Storage media should be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization’s classification scheme and handling requirements.

The purpose of this control is to ensure only authorized disclosure, modification, removal or destruction of information on storage media. Information stored in any media format brings the risk of unauthorized access, and loss of information integrity through modification or degradation, loss, destruction or removal. Media should therefore be safely stored and eventually securely destroyed. Policies governing the management of removable media should cover what information can be stored on removable media, the registration and tracking of such media, how it should be safely stored to prevent unauthorized access or degradation, and how it should be transported. When storage is no longer required, secure destruction is necessary. This may be performed by an external party.

7.11 Supporting utilities

Control
Information processing facilities should be protected from power failures and other disruptions caused by failures in supporting utilities.

The purpose of this control is to prevent loss, damage or compromise of information and other associated assets, or interruption to the organization’s operations due to failure and disruption of supporting utilities. Power failures can immediately compromise a business’s activities. Less obviously, telecommunications and air conditioning will all interrupt digital activities, and failures of gas, sewage or water supplies will prevent employees from working on-site. Inspection and alarms systems can identify actual or potential failures. Continuity plans should identify back-up options and emergency contact details for service providers.

7.12 Cabling security

Control
Cables carrying power, data or supporting information services should be protected from interception, interference or damage.

The purpose of this control is to prevent loss, damage, theft or compromise of information and other associated assets and interruption to the organization’s operations related to power and communications cabling. Information and data are transferred via cables, while computers, security systems and environmental controls all require power, supplied by cabling. The former can be intercepted and outages of either can compromise information security and business continuity. The degree of security required depends on the organization, and in many cases will be managed by building facilities providers or telecoms and utilities companies. Basic protections include using cabling conduits or cable floor covers to prevent damage, and locked access to utility access and entry points.

7.13 Equipment maintenance

Control
Equipment should be maintained correctly to ensure availability, integrity and confidentiality of information.

The purpose of this control is to prevent loss, damage, theft or compromise of information and other associated assets and interruption to the organization’s operations caused by lack of maintenance. Equipment maintenance introduces two information security considerations: poorly maintained equipment risks the loss of information; while equipment servicing or maintenance can expose information to external or unauthorized parties. Regularly serviced and updated equipment is less likely to require riskier repairs or to lead to outages. When repairs are required, care should be taken in choosing service providers and checking their work.

7.14 Secure disposal or re-use of equipment

Control
Items of equipment containing storage media should be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

The purpose of this control is to prevent leakage of information from equipment to be disposed or re-used. Equipment that is no longer in use may still have licensed software installed or stored sensitive data. This also applies to equipment that requires repair, and should be a consideration when deciding whether to use external repair services. Standard delete functions may not be adequate to remove sensitive information. Instead, specialist destruction, deletion or overwriting methods reduce the risk of residual information remaining on the storage media. Remember to remove physical labels or markings too!

8.0 Technological controls

8.1 User endpoint devices

Control
Information stored on, processed by or accessible via user endpoint devices should be protected.

The purpose of this control is to protect information against the risks introduced by using user endpoint devices. User endpoint devices are any devices from which information can be accessed, processed or where information can be saved. They include laptops, smartphones and PCs. A policy for user endpoint devices should include registration, physical, password and cryptographic protection, and responsible use. Responsible use includes controlling who has access to the device, installation of software, regularly updating the operating system and backing device up. An organisation may require a specific policy for bring-your-own-device to prevent disputes and the information security risks associated.

8.2 Privileged access rights

Control
The allocation and use of privileged access rights should be restricted and managed.

The purpose of this control is to ensure only authorized users, software components and services are provided with privileged access rights.The allocation of privileged or admin access rights to users, software components and systems should be done on a case-by-case basis and only as needed. This means that there needs to be a policy in place determining when access rights can be granted and when they should expire or be revoked. when privileged access rights are granted, the user should understand what they are for and when they should be used. The first step is that privileged users should always be aware that they have admin access rights. These rights should not be used for day-to-day tasks, which should always be done with standard access accounts. Privileged access should only be used when administrator tasks are being conducted.

8.3 Information access restriction

Control
Access to information and other associated assets should be restricted in accordance with the established topic-specific policy on access control.

The purpose of this control is to ensure only authorized access and to prevent unauthorized access to information and other associated assets. Access to information and other assets should be based on business need, with access restricted to particular users. Information should not be accessible to anonymous users to prevent untraceable and unauthorized access. This is important to preserve the confidentiality of information, to monitor its use, and to prevent modification and distribution.

8.4 Access to source code

Control
Read and write access to source code, development tools and software libraries should be appropriately managed.

The purpose of this control is to prevent the introduction of unauthorized functionality, avoid unintentional or malicious changes and to maintain the confidentiality of valuable intellectual property. Source code needs to be kept secure to prevent unwanted changes and to keep the code confidential. The employees role and business need determines if they have read and write access. Limiting access to read-only for the majority of staff helps to protect the integrity of the code. For the same reason, developers should use development tools that control activities, rather than having direct access to the source code repository.

8.5 Secure authentication

Control
Secure authentication technologies and procedures should be implemented based on information access restrictions and the topic-specific policy on access control.

The purpose of this control is to ensure a user or an entity is securely authenticated, when access to systems, applications and services is granted Secure authentication helps to guarantee that a user is who they say they are. The required strength of authentication is dependent on the classification of the information. Usernames and passwords provide a basic level of authentication, which can be strengthened using cryptographic or bio metric controls, smart cards or tokens, or other multi factor authentication. Login screens should show the minimum amount of information possible to avoid providing help to unauthorized persons. All login attempts should be logged, successful or not, so that attacks or unauthorized usage can be identified.

8.6 Capacity management

Control
The use of resources should be monitored and adjusted in line with current and expected capacity requirements.

The purpose of this control is to ensure the required capacity of information processing facilities, human resources, offices and other facilities. Capacity management covers all of human resources, office space and other facilities, not just information processing and storage. Future requirements should be taken into account in business and security planning, particularly if asset acquisition has a long lead time. Cloud computing often allows flexible capacity management. In contrast, physical facilities and personnel may require more strategic planning. Optimization of physical and digital information storage, deletion of old data, and optimized batch processing and applications will mean that existing capacity is more efficiently used.

8.7 Protection against malware

Control
Protection against malware should be implemented and supported by appropriate user awareness.

The purpose of this control is to ensure information and other associated assets are protected against malware. Malware detection software (e.g. virus scanners) provides some protection, but it is not the only was to protect against malware. Protection also includes information security awareness, access controls and change management controls to prevent malware being installed or causing problems. As a first line of defense, malware detection software needs to be installed and updated regularly. However, a policy to prevent unauthorized software installation, the use of suspicious websites, the download of files from remote sources and vulnerability detection are equally as important. Finally, the security risks can be reduced by actively planning for a malware attack. Keeping abreast of new malware, isolating critical environments, and making business continuity plans should an attack occur will all help maintain business continuity in the event of an attack.

8.8 Management of technical vulnerabilities

Control
Information about technical vulnerabilities of information systems in use should be obtained, the organization’s exposure to such vulnerabilities should be evaluated and appropriate measures should be taken.

The purpose of this control is to prevent exploitation of technical vulnerabilities.The management of technical vulnerabilities can be divided into three categories: identification, evaluation and action. In order to identify vulnerabilities, assets must be inventoried with details of the supplier, version, deployment state and responsible owner. The vendor may provide information on vulnerabilities, but the owner should identify additional resources that monitor and release information about vulnerabilities and methods to identify vulnerabilities, such as pen-testing. When a vulnerability has been identified, the risk and urgency need to be assessed, as well as the potential risks of applying an update or patch. Updates can often be used to take action against vulnerabilities, but may not always adequately fix the problem and can introduce new issues. If no update is available or the update is considered inadequate, measures such as work arounds, isolation from the network and increased monitoring may be sufficient to mitigate the risk.

8.9 Configuration management

Control
Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed.

The purpose of this control is to ensure hardware, software, services and networks function correctly with required security settings, and configuration is not altered by unauthorized or incorrect changes. Software, hardware, service and networks need to be configured to function correctly with the security settings considered necessary to protect the organisation. The configuration should be based on business need and known threats. As with all secure systems, privileged access should be limited and unnecessary functions disabled. Configuration changes should follow the change management procedure and be fully approved and documented.

8.10 Information deletion

Control
Information stored in information systems, devices or in any other storage media should be deleted when no longer required.

The purpose of this control is to prevent unnecessary exposure of sensitive information and to comply with legal, statutory, regulatory and contractual requirements for information deletion. Information should not be kept for longer than necessary in order to reduce the information security exposure risk, to optimism resource use and to comply with laws . Approved secure deletion software should be used to ensure permanent deletion and certified disposal providers should be used for physical media. The deletion method used by cloud service providers should be checked by the organisation to ensure it is adequate. Maintaining a record of deletion is useful in the event of a data leak.

8.11 Data masking

Control
Data masking should be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.

The purpose of this control is to limit the exposure of sensitive data including PII, and to comply with legal, statutory, regulatory and contractual requirements. Only the minimum amount of data required for a task should be available in search results. In order to achieve this, personal data should be masked (or anonymized or pseudononymized) to hide the identity of the subjects. This may be required by laws.

8.12 Data leakage prevention

Control
Data leakage prevention measures should be applied to systems, networks and any other devices that process, store or transmit sensitive information.

The purpose of this control is to detect and prevent the unauthorized disclosure and extraction of information by individuals or systems. Monitoring and detecting unauthorized attempts to disclose or extract data are key to prevention. When an attempt is detected, measures such as email quarantine or access blocks can be activated. Other methods, such as policies and training about uploading, sharing or accessing data should be used to address the risks of staff leaking data.

8.13 Information backup

Control
Backup copies of information, software and systems should be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.

The purpose of this control is to enable recovery from loss of data or systems. The organisation needs a specific policy on back-ups, which covers method, frequency and testing. When developing the policy, the organisation should consider points such as ensuring the completeness of back-ups and restores, the business needs of back-ups, where and how they are stored, and how the back-up system is tested. The back-up system should be considered as part of the business continuity plans and be adequate to meet the continuity requirements.

8.14 Redundancy of information processing facilities

Control
Information processing facilities should be implemented with redundancy sufficient to meet availability requirements.

The purpose of this control is to ensure the continuous operation of information processing facilities. Any organisation needs a system architecture that is sufficient to satisfy the business availability requirements. Redundancy ensures availability by having spare capacity in case of system failure, and often requires duplicate systems such as power supplies. Adequate redundancy that can be spun up when necessary forms an important part of business continuity planning and should be tested regularly.

8.15 Logging

Control
Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed.

The purpose of this control is to record events, generate evidence, ensure the integrity of log information, prevent against unauthorized access, identify information security events that can lead to an information security incident and to support investigations. Logging records events, generates evidence, ensures the integrity of log information, can help to prevent against unauthorized access, identifies information security events and supports investigations. A logging plan needs to identify what information should be logged (e.g. user ID) and can cover events such as system access attempts, changes, transactions, or file access, among other things. The logs must be protected even from privileged users so that they cannot be deleted or changed. The logs need to be monitored and analysed to detect patterns or incidents that may be information security incidents.

8.16 Monitoring activities

Control
Networks, systems and applications should be monitored for anomalous behavior and appropriate actions taken to evaluate potential information security incidents.

The purpose of this control is to detect anomalous behavior and potential information security incidents. The aim of monitoring is to detect anomalous behavior and to identify potential information security incidents. The monitoring system could cover network traffic, system access, logs and use of resources. Monitoring can help to identify system failures or bottlenecks, activity associated with malware, unauthorized access, unusual behavior, and attacks such as denial of service attacks.

8.17 Clock synchronisation

Control
The clocks of information processing systems used by the organization should be synchronized to approved time sources.

The purpose of this control is to enable the correlation and analysis of security-related events and other recorded data, and to support investigations into information security incidents. Clock synchronization is important to ensure that the timing of an information security incident is reliably recorded. On-premises systems should use a network time protocol (NTP) to ensure synchronisation. Cloud service providers generally handle timing for logging. However, on-premises clocks may not be perfectly synchronised with the Cloud provider’s clock. In this case, the difference should be recorded and monitored.

8.18 Use of privileged utility programs

Control
The use of utility programs that can be capable of overriding system and application controls should be restricted and tightly controlled.

The purpose of this control is to ensure the use of utility programs does not harm system and application controls for information security. A utility program may be capable of overriding system and application controls. The usage of and access to utility programs should therefore be tightly restricted, with unique user identification and logging of usage.

8.19 Installation of software on operational systems

Control
Procedures and measures should be implemented to securely manage software installation on operational systems.

The purpose of this control is to ensure the integrity of operational systems and prevent exploitation of technical vulnerabilities Software installation can introduce vulnerabilities in operating systems. To minimize this risk, software should only be installed by authorized persons. The software should be from trusted and maintained sources or fully tested if developed internally. Previous versions should be kept and all changes logged so that roll-back is possible if required.

8.20 Network security

Control
Networks and network devices should be secured, managed and controlled to protect information in systems and applications.

The purpose of this control is to protect information in networks and its supporting information processing facilities from compromise via the network. Networks must be secure enough to protect the information passing over them. To keep them secure, they need to be kept up to date and monitored, with the option to limit both connections to authenticated devices and what traffic can pass over the network. A method to isolate the network may be useful should the network come under attack.

8.21 Security of network services

Control
Security mechanisms, service levels and service requirements of network services should be identified, implemented and monitored.

The purpose of this control is to ensure security in the use of network services. Network security services cover everything from the provision of a simple connection and bandwidth to complex services such as firewalls and intrusion detection systems. The level of security required will depend on business need. When the required security is identified it needs to be implemented and monitored. This is often done by third party network service providers. Access authorization procedures and access means such as VPNs should be considered when setting up network security services.

8.22 Segregation in networks

Control
Groups of information services, users and information systems should be segregated in the organization’s networks.

The purpose of this control is to split the network in security boundaries and to control traffic between them based on business needs. Large networks can be split into several domains. This means that different security levels can be applied to each domain, with limited access to different parts of the business network. The networks can be fully physically separated or digitally separated using logic networks. Wireless networks do not have physical boundaries and should therefore be considered as external connections until a gateway such as a VPN has been passed when sensitive data is being accessed.

8.23 Web filtering

Control
Access to external websites should be managed to reduce exposure to malicious content.

The purpose of this control is to protect systems from being compromised by malware and to prevent access to unauthorized web resources. Not every website on the internet is innocent. Some contain illegal information and others distribute malware. Blocking the IP addresses of suspicious websites can reduce the risks. However, not every malicious website can be blocked, so filtering must be accompanied by rules and awareness training on appropriate and responsible internet use.

8.24 Use of cryptography

Control
Rules for the effective use of cryptography, including cryptographic key management, should be defined and implemented.

The purpose of this control is to ensure proper and effective use of cryptography to protect the confidentiality, authenticity or integrity of information according to business and information security requirements, and taking into consideration legal, statutory, regulatory and contractual requirements related to cryptography. The use of cryptography needs to carefully be managed, with consideration of the required level of protection, key management, encryption of endpoint devices and how cryptography might impact content inspection (e.g.malware scanning). Key management requires a process generating, storing, archiving, retrieving, distributing, retiring and destroying cryptographic keys.

8.25 Secure development life cycle

Control
Rules for the secure development of software and systems should be established and applied.

The purpose of this control is to ensure information security is designed and implemented within the secure development life cycle of software and systems. Secure development covers the construction of services, architecture, software and systems. A key aspect is the separation of development, test (approval) and production environments with secure repositories for source code. Security should be a consideration right from the specification and design phase, with checkpoints built into the project plan and planned testing. The developers must also be aware of secure coding guidelines and be able to prevent, find and fix vulnerabilities.

8.26 Application security requirements

Control
Information security requirements should be identified, specified and approved when developing or acquiring applications.

The purpose of this control is to ensure all information security requirements are identified and addressed when developing or acquiring applications. Organisations need to identify and specify the security requirements for applications, then determine them using a risk assessment. The requirements are determined by the security classification level of the information passing through the application. Requirements can include access controls, protection level, encryption, input and output controls, logging, error message handling, resilience against attack and legal requirements. Security requires particular consideration if the application performs transactions of information or orders and payments.

8.27 Secure system architecture and engineering principles

Control
Principles for engineering secure systems should be established, documented, maintained and applied to any information system development activities.

The purpose of this control is to ensure information systems are securely designed, implemented and operated within the development life cycle. Architectural and engineering principles ensure that systems are designed, implemented and operated securely throughout their development life cycle. Secure system principles analyse what security controls are needed and how they should be applied. Good practice, practical considerations about the cost and complexity and how new features can be integrated into existing systems should also be taken into account.

8.28 Secure coding

Control
Secure coding principles should be applied to software development.

The purpose of this control is to ensure software is written securely thereby reducing the number of potential information security vulnerabilities in the software. Practicing secure coding helps to ensure that code is written to minimize vulnerabilities. Secure coding principles can be used to promote best practice and set minimum standards in the organisation. These should take into account current real-world threats, the use of controlled environments for development and ensuring the competence of developers. Secure coding should also include management of updates and maintenance, particularly checking who is responsible for maintaining codes from external sources.

8.29 Security testing in development and acceptance

Control
Security testing processes should be defined and implemented in the development life cycle.

The purpose of this control is to validate if information security requirements are met when applications or code are deployed to the production environment. Security testing should be an integral part of development testing. This includes testing of secure configuration of operating systems (e.g. firewalls), secure coding and security functions (such as access). The tests need to be scheduled, documented and have criteria to determine acceptable results.

8.30 Outsourced development

Control
The organization should direct, monitor and review the activities related to outsourced system development.

The purpose of this control is to ensure information security measures required by the organization are implemented in outsourced system development. When development is outsourced, information security requirements need to be communicated to and agreed by the outsourced developer and monitored by the outsourcing organisation. Licensing and intellectual property ownership, testing and evidence of testing, and contractual rights to audit the development process are examples of security considerations that should be agreed between the parties.

8.31 Separation of development, test and production environments

Control
Development, testing and production environments should be separated and secured.

The purpose of this control is to protect the production environment and data from compromise by development and test activities. Testing and development activities can cause unwanted changes or system failure, which could compromise the production environment if it is not adequately protected. The degree of separation between testing and production will depend on the organisation, but environments need to be separated and clearly labelled, so that testing or actions such as compiling cannot take place in the production environment. Changes should be monitored, with careful control over who has access to each environment. No one should have the ability to make changes to both the testing and production environment without prior review and approval.

8.32 Change management

Control
Changes to information processing facilities and information systems should be subject to change management procedures.

The purpose of this control is to preserve information security when executing changes. The confidentiality, availability and integrity of information can all be compromised when introducing infrastructure or software or making major changes to an existing one. A formal process of documentation, testing, quality control and implementation can reduce the risks. Documentation of testing and contingency planning are important in the run-up to implementation, particularly to ensure that new software does not negatively impact the production environment. Operating guides and procedures may need to be altered after the changes have been made.

8.33 Test information

Control
Test information should be appropriately selected, protected and managed.

The purpose of this control is to ensure relevance of testing and protection of operational information used for testing. There are two key considerations for test information: it should be close enough to operational information to ensure the test results are reliable, but it should not contain any confidential operational information. If sensitive information must be used for testing, it should be protected, modified or anonymised before being used, and should be deleted immediately after testing.

8.34 Protection of information systems during audit and testing

Control
Audit tests and other assurance activities involving assessment of operational systems should be planned and agreed between the tester and appropriate management.

The purpose of this control is to minimize the impact of audit and other assurance activities on operational systems and business processes. The operational systems should not be unduly affected by audits or technical reviews. To prevent excessive disturbance, the audits should be planned with agreed timing and scope. Read-only access will prevent accidental changes to systems during an audit, and all access should be monitored.

Back to Home Page

If you need assistance or have any doubt and need to ask any questions contact me at preteshbiswas@gmail.com. You can also contribute to this discussion and I shall be happy to publish them. Your comments and suggestion are also welcome.

ISO 27001:2022 Consultant

The ISO 27001:2022  standard adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an organization’s information security management system. ISO 27001 was established by the International Organization for Standardization (ISO). It was first launched in 2005, as a replacement for BS 7799

What’s new in ISO 27001:2022 Compared to ISO 27001:2013?

Management system

The management system of ISO 27001:2022 will contain a few minor changes, aligning it to Annex SL.

These changes include:

  • Refinement of 4.2 Interested parties. You must now identify the “relevant” requirements of interested parties and determine which will be addressed through the ISMS (information security management system).
  • Refinement of 4.4 ISMS. The ISMS now explicitly includes the “processes needed and their interactions”.
  • Refinement of 6.1.3 Risk treatment. There is a new section on planning changes to the ISMS. This does not specify any processes that must be included, so you should determine how you can demonstrate that changes to the ISMS have indeed been planned.
  • Refinement of 6.2 Objectives. Information security objectives must now be monitored and made “available as documented information”.
  • Addition of 6.3 Change management.
  • Refinement of 7.4 Communication. The requirements to define who will communicate and the processes for effecting communication have been replaced by a requirement to define “how to communicate”.
  • Rewrite 8.1 Operational planning. The requirement to plan how to achieve information security objectives has been replaced by a requirement to establish criteria for processes to implement actions identified in Clause 6, and to control those processes in line with the criteria. Organisations are now required to control “externally provided processes, products or services” relevant to the ISMS rather than just processes.
  • Refinement of 9.1 Monitoring. Methods of monitoring, measuring, analyzing and evaluating the effectiveness of the ISMS now need to be comparable and reproducible.
  • The management review must now also consider changes in the needs and expectations of interested parties.
  • Splitting 9.2 into 9.2.1 General / 9.2.2 Audit program
  • Splitting 9.3 into 9.3.1 General / 9.3.2 Input / 9.3.3 Output
  • 10.1 Improvement and 10.2 Nonconformity have switched numbers

ISO 27001 Controls

The controls now also have five types of ‘attributes’ to make them easier to categorise:

  • Control type (preventive, detective, corrective)
  • Information security properties (confidentiality, integrity, availability)
  • Cyber security concepts (identify, protect, detect, respond, recover)
  • Operational capabilities (governance, asset management, etc.)
  • Security domains (governance and ecosystem, protection, defence, resilience)

The completely new controls are:

  • Threat intelligence
  • Information security for use of cloud services
  • ICT readiness for business continuity
  • Physical security monitoring
  • Configuration management
  • Information deletion
  • Data masking
  • Data leakage prevention
  • Monitoring activities
  • Web filtering
  • Secure coding

A.5.23 Information security for use of cloud services

Description. This control requires you to set security requirements for cloud services to have better protection of your information in the cloud. This includes purchasing, using, managing, and terminating the use of cloud services.

Technology. In most cases, new technology will not be needed, because the majority of cloud services already have security features. In some cases, you might need to upgrade your service to a more secure one, while in some rare cases, you will need to change the cloud provider if it does not have security features. For the most part, the only change required will be using existing cloud security features more thoroughly.

Organization/processes. You should set up a process to determine security requirements for cloud services and for determining the criteria for selecting a cloud provider; further, you should define a process for determining acceptable use of the cloud, and also the security requirements when cancelling the use of a cloud service.

People. Make employees aware of the security risks of using cloud services, and train them on how to use the security features of cloud services.

Documentation. No documentation is required by ISO 27001; however, if you are a smaller company, you might include rules about cloud services in the Supplier Security Policy. Larger companies might develop a separate policy that would focus specifically on security for cloud services.

A.5.30 ICT readiness for business continuity

Description. This control requires your information and communication technology to be ready for potential disruptions so that required information and assets are available when needed. This includes readiness planning, implementation, maintenance, and testing.

Technology. If you did not invest in solutions that enable resilience and redundancy of your systems, you might need to introduce such technology – this might range from data backup to redundant communication links. These solutions need to be planned based on your risk assessment and how quickly you need your data and your systems to be recovered.

Organization/processes. Besides the planning process, which needs to take into account the risks and business needs for recovery, you should also set up the maintenance process for your technology, and the testing process for your disaster recovery and/or business continuity plans.

People. Make employees aware of potential disruptions that could happen, and train them on how to maintain IT and communication technology so that it is ready for a disruption.

Documentation. No documentation is required by ISO 27001; however, if you are a smaller company, you might include the ICT readiness in the following documents:

  • Disaster Recovery Plan – readiness planning, implementation, and maintenance
  • Internal Audit Report – readiness testing

If you are a larger organization, or if you implemented ISO 22301, then you should document readiness through the Business Impact Analysis, Business Continuity Strategy, Business Continuity Plan, and Business Continuity Testing Plan & Report.

A.7.4 Physical security monitoring

Description. This control requires you to monitor sensitive areas to enable only authorized people to access them. This might include your offices, production facilities, warehouses, and other premises.

Technology. Depending on your risks, you might need to implement alarm systems or video monitoring; you might also decide to implement a non-tech solution like a person observing the area (e.g., a guard).

Organization/processes. You should define who is in charge of the monitoring of sensitive areas, and what communication channels to use to report an incident.

People. Make employees aware of the risks of unauthorized physical entry into sensitive areas, and train them how to use the monitoring technology.

Documentation. No documentation is required by ISO 27001; however, you might include physical security monitoring in the following documents:

  • Procedures that Regulate Physical Security – what is monitored, and who is in charge of monitoring
  • Incident Management Procedure – how to report and handle a physical security incident

A.8.9 Configuration Management

Description. This control requires you to manage the whole cycle of security configuration for your technology to ensure a proper level of security and to avoid any unauthorized changes. This includes configuration definition, implementation, monitoring, and review.

Technology. The technology whose configuration needs to be managed could include software, hardware, services, or networks. Smaller companies will probably be able to handle configuration management without any additional tools, whereas larger companies probably need some software that enforces defined configurations.

Organization/processes. You should set up a process for proposing, reviewing, and approving security configurations, as well as the processes for managing and monitoring the configurations.

People. Make employees aware of why strict control of security configuration is needed, and train them on how to define and implement security configurations.

Documentation. ISO 27001 requires this control to be documented. If you are a small company, you can document the configuration rules in your Security Operating Procedures. Larger companies will typically have a separate procedure that defines the configuration process. You will usually have separate specifications that define security configurations for each of your systems, to avoid frequent updates of the documents mentioned in the previous paragraph. Further, all changes to configurations need to be logged to enable an audit trail.

A.8.10 Information deletion

Description. This control requires you to delete data when no longer required, to avoid leakage of sensitive information and to enable compliance with privacy and other requirements. This could include deletion in your IT systems, removable media, or cloud services.

Technology. You should be using tools for secure deletion, according to regulatory or contractual requirements, or in line with your risk assessment.

Organization/processes. You should set up a process that will define which data need to be deleted and when, and define responsibilities and methods for deletion.

People. Make employees aware of why deleting sensitive information is important, and train them on how to do this properly.

Documentation. No documentation is required by ISO 27001; however, you might include rules about information deletion in the following documents:

  • Disposal and Destruction Policy – how the information on removable media is deleted
  • Acceptable Use Policy – how regular users need to delete the sensitive information on their computers and mobile devices
  • Security Operating Procedures – how system administrators need to delete the sensitive information on servers and networks

Larger organizations might also have a Data Retention Policy that defines how long each type of information is needed, and when it needs to be deleted.

A.8.11 Data masking

Description. This control requires you to use data masking together with access control to limit the exposure of sensitive information. This primarily means personal data, because they are heavily regulated through privacy regulations, but it could also include other categories of sensitive data.

Technology. Companies can use tools for pseudonymization or anonymization to mask data if this is required by privacy or other regulations. Other methods like encryption or obfuscation can also be used.

Organization/processes. You should set up processes that will determine which data needs to be masked, who can access which type of data, and which methods will be used to mask the data.

People. Make employees aware of why masking data is important, and train them on which data needs to be masked and how.

Documentation. No documentation is required by ISO 27001; however, you might include rules on data masking in the following documents:

  • Information Classification Policy – determine which data are sensitive and what categories of data need to be masked
  • Access Control Policy – defines who can access what type of masked or unmasked data
  • Secure Development Policy – defines the technology of masking the data

Larger companies, or companies that need to be compliant with the  Data Protection Regulation of their country of operation and similar privacy regulations, should also have the following documents:

  • Privacy Policy / Personal Data Protection Policy – overall responsibilities for data masking
  • Anonymization and Pseudonymization Policy – details on how data masking is implemented in the context of a privacy regulation

A.8.12 Data leakage prevention

Description. This control requires you to apply various data leakage measures to avoid unauthorized disclosure of sensitive information, and if such incidents happen, to detect them promptly. This includes information in IT systems, networks, or any devices.

Technology. For this purpose, you could use systems to monitor potential leakage channels, including emails, removable storage devices, mobile devices, etc., and systems that prevent information from leaking – e.g., disabling download to removable storage, email quarantine, restricting copy and paste of data, restricting upload of data to external systems, encryption, etc.

Organization/processes. You should set up processes that determine the sensitivity of data, assess the risks of various technologies (e.g., risks of taking photos of sensitive information with a smartphone), monitor channels with the potential of data leakage, and define which technology to use to block the exposure of sensitive data.

People. Make employees aware of what kind of sensitive data is handled in the company and why it is important to prevent leakages and train them on what is and what isn’t allowed when handling sensitive data.

Documentation. No documentation is required by ISO 27001; however, you might include rules on data leakage prevention in the following documents:

  • Information Classification Policy – the more sensitive the data are, the more prevention needs to be applied
  • Security Operating Procedures – which systems for monitoring and prevention should be used by administrators
  • Policy on Acceptable Use – what is and what isn’t allowed for regular users

A.8.16 Monitoring activities

Description. This control requires you to monitor your systems to recognize unusual activities and, if needed, to activate the appropriate incident response. This includes monitoring your IT systems, networks, and applications.

Technology. For your networks, systems, and applications, you could monitor the following: security tool logs, event logs, who is accessing what, activities of your main administrators, inbound and outbound traffic, proper execution of the code, and how the system resources are performing.

Organization/processes. You should set up a process that defines which systems will be monitored; how the responsibilities for monitoring are determined; and the methods of monitoring, establishing a baseline for unusual activities, and reporting events and incidents.

People. Make employees aware that their activities will be monitored, and explain what is and what is not considered normal behaviour. Train IT administrators to use monitoring tools.

Documentation. No documentation is required by ISO 27001; however, if you are a smaller company, you might include rules about monitoring in the Security Operating Procedures. Larger companies might develop a separate procedure that would describe how to monitor their systems. On top of this, it would be useful to keep records of monitoring activities.

A.8.23 Web filtering

Description. This control requires you to manage which websites your users are accessing, to protect your IT systems. This way, you can prevent your systems from being compromised by malicious code, and also prevent users from using illegal materials from the Internet.

Technology. You could use tools that block access to particular IP addresses, which could include the usage of anti-malware software. You could also use non-tech methods like developing a list of forbidden websites and asking users not to visit them.

Organization/processes. You should set up processes that determine which types of websites are not allowed, and how the web filtering tools are maintained.

People. Make employees aware of the dangers of using the Internet and where to find guidelines for safe use, and train your system administrators on how to perform web filtering.

Documentation. No documentation is required by ISO 27001; however, if you are a smaller company, you might include rules about web filtering in the following documents:

  • Security Operating Procedures – Define rules for system administrators on how to implement web filtering.
  • Acceptable Use Policy – Define rules for all users on what is acceptable usage of the Internet.

Larger companies might develop a separate procedure that would describe how the web filtering is performed.

A.8.28 Secure coding

Description. This control requires you to establish secure coding principles and apply them to your software development to reduce security vulnerabilities in the software. This could include activities before, during, and after the coding.

Technology. You might be using tools for maintaining an inventory of libraries, protecting the source code from tampering, logging errors and attacks, and testing; you could also use security components like authentication, encryption, etc.

Organization/processes. You should set up a process for defining the minimum baseline of secure coding – both for internal software development and for software components from third parties, a process for monitoring emerging threats and advice on secure coding, a process for deciding which external tools and libraries can be used, and a process that defines activities done before the coding, during the coding, after the coding (review and maintenance), and for software modification.

People. Make your software developers aware of the importance of using secure coding principles, and train them on methods and tools for secure coding.

Documentation. No documentation is required by ISO 27001; however if you are a smaller company, you might include rules about secure coding in the Secure Development Policy. Larger companies might develop separate procedures for secure coding for each of their software development projects.

Protecting your assets

The standard takes a comprehensive approach to information security. Assets that need protection range from digital information, paper documents, and physical assets (computers and networks) to the knowledge of individual employees. Issues you have to address range from competence development of staff to technical protection against computer fraud.

ISO 27001 will help you protect your information in terms of the following principles:

  • Confidentiality ensures that information is accessible only to those authorized to have access.
  • Integrity safeguards the accuracy and completeness of information and processing methods.
  • Availability ensures that authorized users have access to information and associated assets when required.

ISO 27001 requires that management:

  • Systematically examine the organization’s information security risks, taking account of the threats, vulnerabilities, and impacts;
  • Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
  • Adopt an overarching management process to ensure that the information security controls continue to meet the organization’s information security needs on an ongoing basis.

ISO 27001:2022 is intended to be suitable for several different types of use, including the following:

  • Use within organizations to formulate security requirements and objectives;
  • use within organizations as a way to ensure that security risks are cost-effectively managed;
  • use within organizations to ensure compliance with laws and regulations;
  • use within an organization as a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met;
  • definition of new information security management processes;
  • identification and clarification of existing information security management processes;
  • use by the management of organizations to determine the status of information security management activities;
  • use by the internal and external auditors of organizations to determine the degree of compliance with the policies, directives, and standards adopted by an organization;
  • use by organizations to provide relevant information about information security policies, directives, standards and procedures to trading partners and other organizations with whom they interact for operational or commercial reasons;
  • implementation of business-enabling information security;
  • use by organizations to provide relevant information about information security to customers.

Benefits of ISO 27001:2022

The benefits of standardization, and implementation of one or more of the ISO 27000 series are wide and varied. Although they tend to differ from organization to organization, many are common.
The following is a list of potential benefits. As with many items on this website, this is an ongoing project. Please feel free to add further points via the comments option below.

  • Interoperability

    This is a general benefit of standardization. The idea is that systems from diverse parties are more likely to fit together if they follow a common guideline.

  • Assurance

    Management can be assured of the quality of a system, business unit, or other entity if a recognized framework or approach is followed.

  • Due Diligence

    Compliance with, or certification against, an international standard is often used by management to demonstrate due diligence.

  • Bench Marking

    Organizations often use a standard as a measure of their status within their peer community. It can be used as a benchmark for current position and progress.

  • Awareness

    Implementation of a standard such as ISO 27001 can often result in greater security awareness within an organization.

  • Alignment

    Because implementation of ISO 27001 (and the other ISO 27000 standards) tends to involve both business management and technical staff, greater IT and Business alignment often result.

  • Compliance

    It might seem odd to list this as the first benefit, but it often shows the quickest “return on investment” – if an organization must comply with various regulations regarding data protection, privacy and IT governance (particularly if it is a financial, health or government organization), then ISO 27001 can bring in the methodology which enables to do it most efficiently.

  • Marketing edge

    In a market which is more and more competitive, it is sometimes very difficult to find something that will differentiate you in the eyes of your customers. ISO 27001 could be indeed a unique selling point, especially if you handle clients’ sensitive information.

  • Lowering the expenses

    Information security is usually considered a cost with no obvious financial gain. However, there is a financial gain if you lower your expenses caused by incidents. You probably do have an interruption in service, occasional data leakage, or disgruntled employees. Or disgruntled former employees. The truth is, there is still no methodology and/or technology to calculate how much money you could save if you prevented such incidents. But it always sounds good if you bring such cases to management’s attention.

  • Putting your business in order

    This one is probably the most underrated – if you are a company which has been growing sharply for the last few years, you might experience problems like – who has to decide what, who is responsible for certain information assets, who has to authorize access to information systems, etc.

How to achieve ISO 27001 certification – ISO 27001 implementation / Certification steps

What I offer is a well-defined and globally proven implementation methodology for ISO 27001-2022 certification.

  • Gap Analysis
  • Awareness Training
  • Risk analysis
  • Documentation Design and finalization
  • Implementation
  • Internal Auditor Training and conduct of the internal audit
  • Management Review Meeting
  • Review of Implementation
  • Pre-assessment audit
  • Stage 1 – certification audit
  • Stage 2 – certification audit
  • Award of ISO 27001 certification
  • Continual improvement of the system through value-added consulting and training services

These practices form the framework within which you will establish an ISMS.

1 Purchase a copy of the ISO/IEC standards

Before establishing an ISMS and drafting the various documents for your ISMS, you should purchase copies of the pertinent ISO/IEC standards, namely:

a) The code of practice standard: ISO 27002. This standard can be used as a starting point for developing an ISMS. It guides planning and implementing a program to protect information assets. It also provides a list of controls (safeguards) that you can consider implementing as part of your ISMS.

b) The management system standard: ISO/IEC 27001. This standard is the specification for an ISMS. It explains how to apply ISO 27002. It provides the standard against which certification is performed, including a list of required documents. An organization that seeks certification of its ISMS is examined against this standard.

2 Obtain management support

As described in ISO/IEC 27001, management plays an important role in the success of an ISMS.

What you need: Management responsibility section of ISO 27001. Management must commit to the establishment, implementation, operation, monitoring, review, maintenance, and improvement of the ISMS. Commitment must include activities such as ensuring that the proper resources are available to work on the ISMS and that all employees affected by the ISMS have the proper training, awareness, and competency.

Results: Establishment of the following items demonstrates management commitment:

  • An information security policy: this policy can be a standalone document or part of an overall security manual that is used by an organization.
  • Information security objectives and plans: again this information can be a standalone document or part of an overall security manual that is used by an organization
  • Roles and responsibilities for information security: a list of the roles related to information security should be documented either in the organization’s job description documents or as part of the security manual or ISMS description documents.
  • Announcement or communication to the organization about the importance of adhering to the information security policy.
  • Sufficient resources to manage, develop, maintain, and implement the ISMS.

In addition, management will participate in the ISMS Plan-Do-Check-Act [PDCA] process, as described in ISO 27001 by:

  • Determining the acceptable level of risk. Evidence of this activity can be incorporated into the risk assessment documents, which are described later in this guide.
  • Conducting management reviews of the ISMS at planned intervals. Evidence of this activity can be part of the approval process for the documents in the ISMS.
  • Ensuring that personnel affected by the ISMS are provided with training, are competent for the roles and responsibilities they are assigned to fulfil, and are aware of those roles and responsibilities. Evidence of this activity can be through employee training records and employee review documents.

3 Determine the scope of the ISMS

When management has made the appropriate commitments, you can begin to establish your ISMS. In this step, you should determine the extent to which you want the ISMS to apply to your organization.

What you need: You can use several of the “result” documents that were created as part of step 2, such as:

  • The information security policy
  • The information security objectives and plans
  • The roles and responsibilities that are related to information security and were defined by the management

In addition, you will need:

  • Lists of the areas, locations, assets, and technologies of the organization that will be controlled by the ISMS.
  • What areas of your organization will be covered by the ISMS?
  • What are the characteristics of those areas; its locations, assets, technologies to be included in the ISMS?
  • Will you require your suppliers to abide by your ISMS?
  • Are there dependencies on other organizations? Should they be considered?

Your goals will be to cover the following:

  • the processes used to establish the scope and context of the ISMS.
  • the strategic and organizational context

Important: Keep your scope manageable. Consider including only parts of the organization, such as a logical or physical grouping within the organization. Large organizations might need several Information Security Management Systems to maintain manageability. For example, they might have one ISMS for their Finance department and the networks used by that department and a separate ISMS for their Software Development department and systems.

Results: A documented scope for your ISMS. When you have determined the scope, you will need to document it, usually in a few statements or paragraphs. The documented scope often becomes one of the first sections of your organization’s Security Manual. Or, it might remain a standalone document in a set of ISMS documents that you plan to maintain. Often the scope, the security policy, and the security objectives are combined into one document.

4 Identify applicable legislation

After you have determined the scope, identify any regulatory or legislative standards that apply to the areas you plan to cover with the ISMS. Such standards might come from the industry in which your organization works or from state, local, or federal governments, or international regulatory bodies.

What you need: Up-to-date regulatory or legislative standards that might apply to your organization. You might find it helpful to have input and review from lawyers or specialists who are knowledgeable about the standards.

Results: Additional statements in the scope of the ISMS. If your ISMS will incorporate more than two or three legislative or regulatory standards, you might also create a separate document or appendix in the Security Manual that lists all of the applicable standards and details about the standards.

5 Define a method of risk assessment

Risk assessment is the process of identifying risks by analyzing threats to, impacts on, and vulnerabilities of information and information systems and processing facilities, and the likelihood of their occurrence. Choosing a risk assessment method is one of the most important parts of establishing an ISMS. To meet the requirements of ISO 27001, you will need to define and document a method of risk assessment and then use it to assess the risk to your identified information assets, make decisions about which risks are intolerable and therefore need to be mitigated, and manage the residual risks through carefully considered policies, procedures, and controls. ISO does not specify the risk assessment method you should use; however, it does state that you must use a method that enables you to complete the following tasks:

  • Evaluate risk based on levels of confidentiality, integrity, and availability. Some risk assessment methods provide a matrix that defines levels of confidentiality, integrity, and availability and provides guidance as to when and how those levels should be applied,
  • Set objectives to reduce risk to an acceptable level
  • Determine criteria for accepting the risk
  • Evaluate risk treatment options.

There are many risk assessment methods you can choose from, such as those that are prevalent in your industry. For example, if your company is in the oil industry, you might find there are risk assessment methods related to that industry.

When you have completed this step, you should have a document that explains how your organization will assess risk, including:

  • the organization’s approach to information security risk management
  • criteria for information security risk evaluation and the degree of assurance required

6 Create an inventory of information assets to protect

To identify risks and the levels of risks associated with the information you want to protect, you first need to make a list of all of your information assets that are covered in the scope of the ISMS.

What you will need: You will need the scope that you defined in step 3 and input from the organization that is defined in your scope regarding its information assets.

Result: When you have completed this step, you should have a list of the information assets to be protected and an owner for each of those assets. You might also want to identify where the information is located and how critical or difficult it would be to replace it. This list should be part of the risk assessment methodology document that you created in the previous step. Because you will need this list to document your risk assessment, you might want to group the assets into categories and then make a table of all the assets with columns for assessment information and the controls you choose to apply. The following example shows an asset table.

7 Identify risks

Next, for each asset you defined in the previous step, you will need to identify risks and classify them according to their severity and vulnerability. In addition, you will need to identify the impact that loss of confidentiality, integrity, and availability may have on the assets. To begin identifying risks, you should start by identifying actual or potential threats and vulnerabilities for each asset. A threat is something that could cause harm. For example, a threat could be any of the following:

  • A declaration of the intent to inflict harm or misery
  • Potential to cause an unwanted incident, which may result in harm to a system or organization and its assets
  • The intentional, accidental, or man-made act that could inflict harm or an act of God (such as a hurricane or tsunami)

A vulnerability is a source or situation with a potential for harm (for example, a broken window is a vulnerability; it might encourage harm, such as a break-in). A risk is a combination of the likelihood and severity or frequency that a specific threat will occur.

What you will need:

  • The list of assets that you defined in the previous step
  • The risk assessment methodology you defined in Step 5

For each asset, you should identify vulnerabilities that might exist for that asset and threats that could result from those vulnerabilities. It is often helpful to think about threats and vulnerabilities in pairs, with at least one pair for each asset and possibly multiple pairs for each asset.

Results: For each asset, you will have a threat and vulnerability description and, using your Risk Assessment methodology, you will assign levels of confidentiality, integrity, and availability to that asset. If you used a table for step 6, you can add this information to that table, as shown in the following example.

8 Assess the risks

After you have identified the risks and the levels of confidentiality, integrity, and availability, you will need to assign values to the risks. The values will help you determine if the risk is tolerable or not and whether you need to implement a control to either eliminate or reduce the risk. To assign values to risks, you need to consider:

  • The value of the asset being protected
  • The frequency with which the threat or vulnerability might occur
  • The damage that the risk might inflict on the company or its customers or partners

For example, you might assign values of Low, Medium, and High to your risks. To determine which value to assign, you might decide that if the value of an asset is high and the damage from a specified risk is high, the value of the risk should also be high, even though the potential frequency is low. Your Risk Assessment Methodology document should tell you what values to use and might also specify the circumstances under which specific values should be assigned. Also, be sure to refer to your Risk Assessment Methodology document to determine the implication of a certain risk value. For example, to keep your ISMS manageable, your Risk Assessment Methodology might specify that only risks with a value of Medium or High will require control in your ISMS. Based on your business needs and industry standards, risk will be assigned appropriate values.

What you will need:

  • Lists of assets and their associated risks and CIA levels, which you created in the previous step.
  • Possibly input from management as to what level of risk they are willing to accept for specific assets.

Results: When you have completed your assessment, you will have identified which information assets have intolerable risk and therefore require controls. You should have a document (sometimes referred to as a Risk Assessment Report) that indicates the risk value for each asset. In the next step, you will identify which controls might be applicable for the assets that require control to reduce the risk to tolerable levels. This document can either be standalone or it can be part of an overall Risk Assessment document that contains your risk assessment methodology and this risk assessment.

9 Identify applicable objectives and controls

Next, for the risks that you’ve determined to be intolerable, you must take one of the following actions:

  • decide to accept the risk, for example, actions are not possible because they are out of your control (such as natural disaster or political uprising) or are too expensive.
  • transfer the risk, for example, purchase insurance against the risk, subcontract the activity so that the risk is passed on to the subcontractor, etc.
  • reduce the risk to an acceptable level through the use of controls.

To reduce the risk, you should evaluate and identify appropriate controls. These controls might be controls that your organization already has in place or controls that are defined in the ISO 27002  standard. (Note: An examination of the controls that you already have in place against the standard and then using the results to identify what controls are missing is commonly called a “gap analysis.”)

What you will need:

  • Annex A of ISO 27001. This appendix summarizes controls that you might want to choose from.
  • ISO 27002, which provides greater detail about the controls summarized in ISO 27001.
  • Procedures for existing corporate controls

Results: You should end up with two documents by completing this step:

  • A Risk Treatment Plan
  • A Statement of Applicability

The Risk Treatment Plan documents the following:

  • the method selected for treating each risk (accept, transfer, reduce)
  • which controls are already in place
  • what additional controls are proposed
  •  the time frame over which the proposed controls are to be implemented

The Statement of Applicability (SOA) documents the control objectives and controls selected from Annex A. The Statement of Applicability is usually a large table in which each control from Annex A of ISO/IEC 27001 is listed with its description and corresponding columns that indicate whether that control was adopted by the organization, the justification for adopting or not adopting the control, and a reference to the location where the organization’s procedure for using that control is documented. The SOA can be part of the Risk Assessment document, but usually, it is a standalone document because it is lengthy and is listed as a required document in the standard.

10 Set up policy, procedures and Documented Information to control risks

For each control that you define, you must have corresponding statements of policy or in some cases a detailed procedure. The procedure and policies are used by affected personnel so they understand their roles and so that the control can be implemented consistently. The documentation of the policy and procedures is a requirement of ISO 27001.

What you will need: To help you identify which procedures you might need to document, refer to your Statement of Applicability. To help you write your procedures so that they are consistent in content and appearance, you might want to create some type of template for your procedure writers to use.

Results: Additional policy and documented Information. (The number of documents you produce will depend on the requirements of your organization.) Some of these procedures might also generate records. For example, if you have a procedure that all visitors to your facility must sign a visitor log, the log itself becomes a record providing evidence that the procedure has been followed.

11 Allocate resources and train the staff

Adequate resources (people, time, money) should be allocated to the operation of the ISMS and all security controls. In addition, the staff who must work within the ISMS (maintaining it and its documentation and implementing its controls) must receive appropriate training. The success of the training program should be monitored to ensure that it is effective. Therefore, in addition to the training program, you should also establish a plan for how you will determine the effectiveness of the training.

What you will need:

  • A list of the employees who will work within the ISMS
  • All of the ISMS procedures to use for identifying what type of training is needed and which members of the staff or interested parties will require training
  • Management agreement to the resource allocation and the training plans.

Results: Specific documentation is not required in the ISO/IEC standards. However, to provide evidence that resource planning and training have taken place, you should have some documentation that shows who has received training and what training they have received. In addition, you might want to include a section for each employee that lists what training they should be given. Also, you will probably have some type of procedure for determining how many people, how much money, and how much time needs to be allocated to the implementation and maintenance of your ISMS. It’s possible that this procedure already exists as part of your business operating procedures or that you will want to add an ISMS section to that existing documentation.

12 Monitor the implementation of the ISMS

To ensure that the ISMS is effective and remains current, suitable, adequate, and effective, ISO 27001 requires:

  • Management to review the ISMS at planned intervals. The review must include assessing opportunities for improvement, and the need for changes to the ISMS, including the security policy and security objectives, with specific attention to previous corrective or preventative actions and their effectiveness.
  • Periodic internal audits. The results of the reviews and audits must be documented and records related to the reviews and audits must be maintained.

What you will need: To perform management reviews, ISO 27001 requires the following input:

  • results of ISMS internal and external audits and reviews
  • feedback from interested parties
  • techniques, products, or procedures which could be used in the organization to improve the effectiveness of the ISMS
  • preventative and corrective actions (including those that might have been identified in previous reviews or audits)
  • incident reports, for example if there has been a security failure, a report that identifies what the failure was, when it occurred, and how it was handled and possibly corrected.
  • vulnerabilities or threats not adequately addressed in the previous risk assessment
  • follow-up actions from previous reviews
  • any organizational changes that could affect the ISMS
  • recommendations for improvement

To perform internal audits periodically, you need to define the scope, criteria, frequency, and methods. You also need the procedure (which should have been written as part of step 10) that identifies the responsibilities and requirements for planning and conducting the audits, and for reporting results and maintaining records.

Results: The results of a management review should include decisions and actions related to:

  • Improvements to the ISMS
  • Modification of procedures that affect information security at all levels within the organization
  • Resource needs
  • The results of an internal audit should result in the identification of nonconformity and their related corrective actions or preventative actions. ISO 27001 lists the activity and record requirements related to corrective and preventative actions.

13 Prepare for the certification audit

If you plan to have your ISMS certified, you will need to conduct a full cycle of internal audits, management reviews, and activities in the PDCA process. The external auditor will first examine your ISMS documents to determine the scope and content of your ISMS. Then the auditor will examine the necessary records and evidence that you implement and practice what is stated in your ISMS. What you will need:

  • All of the documents that you created in the preceding steps.
  • Records from at least one full cycle of management reviews, internal audits, and PDCA activities, and evidence of responses taken as the result of those reviews and audits.

Results: The results of this preparation should be a set of documents that you can send to an auditor for review and a set of records and evidence that will demonstrate how efficiently and completely you have implemented your ISMS.

14 Ask for help

As you can see, establishing, implementing, and maintaining an ISMS can require a lot of work—especially in its formative stages. If you are new to management systems or specifically information security management systems, you can consider hiring us to guide you through the process. Our familiarity with the requirements of an ISMS and the suggested controls.

What I offer in the field of ISO 27001 standard implementation and certification

I can provide unmatched expertise and technical competence to ensure that your ISO 27001 ISMS certification project adds value to your organization.

I provide consulting, training, internal audits, pre-assessment audits and facilitation during ISO 27001 certification audits.

I can offer the global knowledge moulded locally to bring in the best results for the clients and partner their journey of standardization, compliance, growth, success and continual improvements.

Contact now, to get your organization ISO 27001 certified most effectively and efficiently while realizing the true benefits of the certification using our specialized ISMS implementation methodology that is less time-consuming, fast, easy to understand and implement, result-oriented, time-bound and cost-effective. Get ISO 27001 certified now …