ISO 27001:2022 A 5.31 Legal, statutory, regulatory and contractual requirements

Organizations are subject to numerous laws, regulations, and contractual obligations that specify requirements related to the appropriate management and protection of diverse information sets. Understanding and maintaining compliance with these different requirements is sometimes a difficult road. Laws, regulations and contractual requirements form a large part of an organization’s information security responsibilities. Organizations should have a clear understanding of their obligations at any one time and be prepared to adapt their information security practices in accordance with their role as a responsible data handler. The path to establishing compliance takes a complete look at the areas in which your organization has responsibilities, whether legal, regulatory, contractual, or self-imposed. Important elements to consider when developing a plan for compliance include the following:

  • Awareness of relevant regulations/laws. (Do you know what you need to follow?)
  • Awareness of relevant policies. (Do you know what policies apply to information use?)
  • Awareness of relevant contractual agreements. (Do you know what agreements your organization has made that impose conditions on the use of data?)
  • Awareness of relevant standards or best practices. (Do you know what standards or best practices your organization chooses to follow with respect to information use?)
  • Management of organizational records. (Do you know what you need to keep and for how long?)
  • Awareness of how records are managed by your organization.
  • Approach to complying with each item. (Do you know what your organization is doing to follow the law?)
  • Awareness of internal and/or external audit activities. (Do you know what internal/external audits exist and what is required to meet or pass these reviews?)

Organizations should keep in mind their legal, statutory, regulatory and contractual requirements when:

  1. Drafting and/or amending their information security procedures and internal policy documents.
  2. Designing, amending or implementing information security controls.
  3. Categorising information when considering their broader information security requirements, either for organisational purposes or related to their relationships with a third party (suppliers etc.).
  4. Undergoing risk assessments relating to information security activities, including internal roles and responsibilities relating to an organisational structure.
  5. Establishing the nature of a supplier relationship, and their contractual obligations throughout the supply of products and services.

Control

Legal, statutory, regulatory and contractual requirements relevant to information security and the organization’s approach to meet these requirements should be identified, documented and kept up to date.

Purpose

To ensure compliance with legal, statutory, regulatory and contractual requirements related to information security.

ISO 27002 Implementation Guidance

General
External requirements including legal, statutory, regulatory or contractual requirements should be taken into consideration when:
a) developing information security policies and procedures;
b) designing, implementing or changing information security controls;
c) classifying information and other associated assets as part of the process for setting information security requirements for internal needs or for supplier agreements;
d) performing information security risk assessments and determining information security risk treatment activities;
e) determining processes along with related roles and responsibilities relating to information security;
f) determining suppliers’ contractual requirements relevant to the organization and the scope of supply of products and services.

Legislation and regulations
The organization should:
a) identify all legislation and regulations relevant to the organization’s information security in order to be aware of the requirements for their type of business.
b) take into consideration compliance in all relevant countries, if the organization:

  • conducts business in other countries.
  • uses products and services from other countries where laws and regulations can affect the organization.
  • transfers information across jurisdictional borders where laws and regulations can affect the organization.

c) review the identified legislation and regulation regularly in order to keep up to date with the changes and identify new legislation.
d) define and document the specific processes and individual responsibilities to meet these requirements.

Cryptography
Cryptography is an area that often has specific legal requirements. Compliance with the relevant agreements, laws and regulations relating to the following items should be taken into consideration:
a) restrictions on import or export of computer hardware and software for performing cryptographic functions.
b) restrictions on import or export of computer hardware and software which is designed to have cryptographic functions added to it.
c) restrictions on the usage of cryptography.
d) mandatory or discretionary methods of access by the countries’ authorities to encrypted information.
e) validity of digital signatures, seals and certificates.
It is recommended to seek legal advice when ensuring compliance with relevant legislation and regulations, especially when encrypted information or cryptography tools are moved across jurisdictional borders.

Contracts
Contractual requirements related to information security should include those stated in:
a) contracts with clients.
b) contracts with suppliers.
c) insurance contracts.

All relevant legislative, statutory, regulatory and contractual requirements and the organization’s approach to meet these requirements should be explicitly identified, documented and kept up to date for each information system and the organization. The specific controls and individual responsibilities to meet these requirements should also be defined and documented. Managers should identify all legislation applicable to their organization in order to meet the requirements for their type of business. If the organization conducts business in other countries, managers should consider compliance in all relevant countries. Organizations should “define and document” internal processes and responsibilities that allow them to:

  • Identify, analyze and understand their legislative and regulatory obligations relating to information security, including periodic reviews of legislation and regulations.
  • Ensure that they remain compliant across all legislative and regulatory environments in whatever countries they operate in. This extends to the use of products and services that originate outside of the country they usually operate in.

The objective is to avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements. It’s an important part of the information security management system (ISMS). The goal here is to help outline effective practices for identifying compliance obligations, as well as the roles and responsibilities, activities and controls needed to manage all of the organization’s legal, contractual, and records management requirements. A good control describes how all relevant legislative, statutory, regulatory and contractual requirements and the organization’s approach to meet these requirements should be explicitly identified, documented and kept up to date for each information system and the organization. Put in simple terms, the organization needs to ensure that it is keeping up to date with and documenting legislation and regulation that affects the achievement of its business objectives and the outcomes of the ISMS. It is important that the organization understands the legislation, regulation and contractual requirements with which it must comply, and these should be centrally recorded in a register to allow for ease of management and coordination. The identification of what is relevant will largely depend on where the organization is located or operates, the nature of the organization’s business, and the nature of the information being handled within the organization. Identifying the relevant legislation, regulation and contractual requirements is likely to involve engagement with legal experts, regulatory bodies and contract managers. This is an area that often catches organizations out, as there is generally far more legislation and regulation impacting the organization than is first considered.
The auditor will be looking to see how the organization has identified and recorded its legal, regulatory and contractual obligations, the responsibilities for meeting such requirements, and any necessary policies, procedures and other controls required to meet them. Additionally, they will look to see that this register is maintained on a regular basis against any relevant change, especially in legislation across common areas that they would expect any organization to be impacted by. Legal requirements need to be explicitly identified and recognized, with a plan in place for meeting applicable requirements. To meet this part of compliance, controls should be developed which:

  1. Identify the person or persons responsible for ascertaining the legal requirements. Those requirements should then be mapped against the other controls that exist in some sort of matrix which shows the controls in place to meet each requirement. Each state has breach laws, personal information protection laws, social security protection laws, or other laws related to technology furnished at the organization. Each state must be taken as its own legal island, and an organization must know whether any such laws impact or enhance its security efforts.
  2. Identify the person or persons responsible for reviewing contracts to determine any information security requirements, whether they are requirements of the organization or requirements of the vendor. Those requirements should then be mapped against the other controls that exist in some sort of matrix which shows the controls in place to meet each requirement.

Every contract that involves organizational data must be documented and any controls specified in that contract must also be documented. It is crucial to know what your contractual responsibilities are so that you can look at the physical and technical controls you have in place and determine if they are adequate for the assumed contractual liability. In instances where contracting parties have access to organizational data, you want to be sure that you can audit the contractual controls and protections that the other party has agreed to follow.

The initial process in developing compliance initiatives is to identify which laws, regulations, and policies are applicable to the organization. To that end, confer with your legal and/or audit departments, and review the most common federal and state data protection laws.
  1. Identify key stakeholders and/or partners across the organization who regularly deal with organizational compliance issues (e.g., legal, risk management, privacy, audit). Key stakeholders may vary from campus to campus.
  2. Perform a high-level gap analysis of each compliance requirement that is applicable to determine where progress needs to be made.
  3. Develop a prioritized action plan that will help you organize your efforts (one section of your Information Security plan).
  4. Develop a policy, standard, roles and responsibilities, and/or procedures in collaboration with other key stakeholders at your organization.
  5. Familiarize yourself with common standards and regulations that address specific requirements.
  6. Determine whether Governance, Risk, and Compliance (GRC) solutions can assist you with managing compliance.

Cryptographic controls should be used in compliance with all relevant agreements, laws, and regulations. A good control describes how cryptographic controls are used in compliance with all relevant agreements, legislation, and regulations. The use of cryptographic technologies is subject to legislation and regulation in many territories, and it is important that an organization understands those that are applicable and implements controls and awareness programs that ensure compliance with such requirements. This is especially true when cryptography is transported or used in territories other than the organization’s or user’s normal place of residence or operation. Trans-border import/export laws may include requirements relating to cryptographic technologies or their usage. The auditor will be looking to see that considerations for the appropriate regulation of cryptographic controls have been made and that relevant controls and awareness programs have been implemented to ensure compliance. In ICT, ‘cryptography’ is a method of protecting information and communications through the use of codes. As such, the whole concept of encryption and cryptography usually involves specific legal requirements and a considerable amount of topic-specific regulatory guidance that needs to be adhered to. With that in mind, the following guidance needs to be taken into consideration:

  • Laws on the import and/or export of hardware or software which either carries out a dedicated cryptographic function, or has the ability to carry out said function.
  • Laws relating to the restriction of cryptographic functions.
  • Any access to encrypted information that authorities within a country or region have the right to request and enforce.
  • The validity and veracity of three key digital elements of encrypted information: signatures, seals and certificates.

ISO 27001:2022 A 5.7 Threat intelligence

Threat intelligence is information gathered from a range of sources about current or potential attacks against an organization. The purpose is to ensure that organisations are aware of their threat environment so that they can put in place a mechanism to collect and analyse these threats and determine the proper actions that can be taken to protect their information security. The information is analyzed, refined and organized and then used to minimize and mitigate information security risks. Organizations embrace threat intelligence to ensure that a) they are properly prepared to deal with today’s threat landscape and b) their controls and other investments are well selected and performing as planned. Data is collected, processed, and analyzed to understand a threat actor’s motives, targets, and attack behaviors. Threat intelligence enables organizations to make faster, more informed, data-backed security decisions and to change their behavior from reactive to proactive in the fight against threat actors. The main purpose of threat intelligence is to show organizations the various risks they face from external threats. Threat intelligence includes in-depth information and context about specific threats, such as who is attacking, their capabilities and motivation, and the indicators of compromise. With this information, organizations can make informed decisions about how to defend against the most damaging attacks. In a security context, intelligence is information that provides an organization with decision support and possibly a strategic advantage. Threat intelligence is a part of a bigger security intelligence strategy. It includes information related to protecting an organization from external and inside threats, as well as the processes, policies and tools used to gather and analyze that information. Threat intelligence provides better insight into the threat landscape and threat actors, along with their latest tactics, techniques and procedures. It enables organizations to be proactive in configuring their security controls to detect and prevent advanced attacks and zero-day threats. Many of these adjustments can be automated so security stays aligned with the latest intelligence in real time.

Control

Information relating to information security threats should be collected and analysed to produce threat intelligence.

Purpose

To provide awareness of the organization’s threat environment so that the appropriate mitigation actions can be taken.

ISO 27002 Implementation Guidance

Information about existing or emerging threats is collected and analysed in order to:

  1. facilitate informed actions to prevent the threats from causing harm to the organization;
  2. reduce the impact of such threats.

Threat intelligence can be divided into three layers, which should all be considered:

  1. strategic threat intelligence: exchange of high-level information about the changing threat landscape (e.g. types of attackers or types of attacks);
  2. tactical threat intelligence: information about attacker methodologies, tools and technologies involved;
  3. operational threat intelligence: details about specific attacks, including technical indicators.

Threat intelligence should be:

  1. relevant (i.e. related to the protection of the organization);
  2. insightful (i.e. providing the organization with an accurate and detailed understanding of the threat landscape);
  3. contextual, to provide situational awareness (i.e. adding context to the information based on the time of events, where they occur, previous experiences and prevalence in similar organizations);
  4. actionable (i.e. the organization can act on information quickly and effectively).

Threat intelligence activities should include:

  1. establishing objectives for threat intelligence production;
  2. identifying, vetting and selecting internal and external information sources that are necessary and appropriate to provide information required for the production of threat intelligence;
  3. collecting information from selected sources, which can be internal and external;
  4. processing information collected to prepare it for analysis (e.g. by translating, formatting or corroborating information);
  5. analyzing information to understand how it relates and is meaningful to the organization;
  6. communicating and sharing it to relevant individuals in a format that can be understood.

Threat intelligence should be analysed and later used:

  1. by implementing processes to include information gathered from threat intelligence sources into the organization’s information security risk management processes;
  2. as additional input to technical preventive and detective controls like firewalls, intrusion detection system, or anti malware solutions;
  3. as input to the information security test processes and techniques.

The organization should share threat intelligence with other organizations on a mutual basis in order to improve overall threat intelligence.

Other information

Organizations can use threat intelligence to prevent, detect, or respond to threats. Organizations can produce threat intelligence, but more typically receive and make use of threat intelligence produced by other sources. Threat intelligence is often provided by independent providers or advisors, government agencies or collaborative threat intelligence groups. The effectiveness of controls such as 5.25, 8.7, 8.16 or 8.23 depends on the quality of available threat intelligence.

Threat intelligence is used to inform decisions and actions to prevent these threats from causing harm to the organisation and to reduce the impact of such threats. It requires an organisation to collect and analyse information relating to information security threats and to use that information to take mitigation action. Threat intelligence is used to prevent, detect or respond to threats. Organizations can either produce their own threat intelligence or make use of threat intelligence produced by others. It is often provided by independent providers and advisors, which can include government sources, and more than likely products and services will spring up around this new control to offer it as a service, at a cost. The organization has to ensure that:

  • objectives for threat intelligence production are established
  • internal and external sources of information are identified, selected and vetted where necessary and appropriate
  • information is collected from selected sources
  • information is then prepared for analysis for example by formatting or translating it
  • information is analysed to understand how it relates to you
  • communication and sharing of information is done to relevant people in a way they will understand it

When implementing threat intelligence, organizations analyse and use the information and include it in the risk management process. It can be used as input to inform how to implement and configure technical controls, and to adapt information security tests and techniques based on it. An organisation must know what its threat environment is in order to ensure that it has the right controls in place; that it is able to respond and recover appropriately if something adverse were to happen; and that its security posture (controls, policies, etc.) is appropriate for its threat environment.

The main objective is to ensure that organisations have the ability to collect and analyse information about existing and emerging threats, so that the organisation can identify which threats are applicable to the organisation, and then develop appropriate defences for those identified threats. To meet the requirements organisations must:

  • Establish and document objectives for threat intelligence production
  • Identify, vet, list and document internal and external sources of information
  • Collect the information
  • Prepare the information for analysis for example by formatting or translating it
  • Communicate and share information to relevant people in a way they will understand it
  • Conduct periodic reviews of your threat environment (e.g., by reviewing reports from government agencies, other organisations and/or industry associations).
  • Analyse current events and past incidents to determine possible new attack vectors and trends.
  • And most of all, create defenses that can be used to mitigate the effect of threat to the organisation’s information security.

There are four varieties of threat intelligence: strategic, tactical, technical and operational. All four are essential to build a comprehensive threat assessment.

  1. Strategic threat intelligence. This analysis summarizes potential security attacks and the possible consequences for nontechnical audiences and stakeholders, as well as decision-makers. It is presented in the form of white papers, reports and presentations, and is based on detailed analysis of emerging risks and trends from around the world. It is used to paint a high-level overview of an industry’s or organization’s threat landscape.
  2. Tactical threat intelligence. Tactical intelligence provides information about the tactics, techniques and procedures (TTPs) that threat actors use. It is intended for those directly involved with protecting IT and data resources. It provides details on how an organization might be attacked based on the latest methods being used and the best ways to defend against or mitigate the attacks.
  3. Technical threat intelligence. This information focuses on signs that indicate an attack is starting. These signs include reconnaissance, weaponization and delivery, such as spear phishing, baiting and social engineering. Technical intelligence plays an important role in blocking social engineering attacks. This type of intelligence is often grouped with operational threat intelligence; however, it adjusts quickly as hackers update their tactics to take advantage of new events and ruses.
  4. Operational threat intelligence. With this approach, information is collected from a variety of sources, including chat rooms, social media, antivirus logs and past events. It is used to anticipate the nature and timing of future attacks. Data mining and machine learning are often used to automate the processing of hundreds of thousands of data points across multiple languages. Security and incident response teams use operational intelligence to change the configuration of certain controls, such as firewall rules, event detection rules and access controls. It can also improve response times as the information provides a clearer idea of what to look for.

Focusing on strategic, tactical, technical and operational threat intelligence will help organizations improve their awareness and visibility of the threat environment looming outside their organization. In doing so, it looks to encourage better collection and analysis of information surrounding outsider threats, as it enables organizations to better understand what they are up against and take the appropriate steps to protect against and mitigate such threats. Threat intelligence is also used as an input for other controls, including 5.25, 8.7, 8.16 and 8.23, and will shape how organizations respond to events, malware threats, network monitoring and web filtering. Organizations should demonstrate how they are:

  • Collecting and analyzing threat intelligence
  • Actioning insights derived from that analysis
  • Incorporating threat intelligence into their ISMS

Combined, these actions determine how effectively organizations are using threat intelligence while encouraging them to reach a certain standard that requires them to be more informed, better protected, and better equipped to adjust their security posture in line with threat insights. For example, when choosing a new intrusion detection system, organizations should consider how threats against them are likely to manifest. All implemented protections should detect and target those threats, including the tactics used by their likely adversaries. This way, threat intelligence adds to the risk understanding and allows businesses to choose solutions that actually resolve the problems they are likely to encounter.

There are numerous tools that can help organizations collect data and apply threat intelligence within existing security operations. Threat intelligence services also provide organizations with information related to potential attack sources relevant to their businesses; some also offer consultation services.

ISO 27001:2022 A 6.8 Information security event reporting

Information security event reporting can be defined as the process of documenting incidents, breaches and other events related to cyber threats that occur within an organisation for the purposes of analyzing them for future prevention and detection. Information security events should be reported through appropriate management channels as quickly as possible. In addition to recording these events, it’s also important to analyse them in order to develop strategies for preventing future incidents from happening. Information security event reporting is important because without it, you won’t have any way of knowing if your network has been hacked or if there are any other potential threats facing your organisation. Without this knowledge, you won’t know how to prevent future attacks from occurring again—or even if there have been previous attacks that need addressing. Information security events are a critical part of any organisation’s response to an incident. The speed with which you can respond to an incident is often critical for both protecting your business and limiting the impact on customers and other stakeholders.

Control

The organization should provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.

Purpose

To support timely, consistent and effective reporting of information security events that can be identified by personnel.

ISO 27002 Implementation Guidance

All personnel and users should be made aware of their responsibility to report information security events as quickly as possible in order to prevent or minimize the effect of information security incidents. They should also be aware of the procedure for reporting information security events and the point of contact to which the events should be reported. The reporting mechanism should be as easy, accessible and available as possible. Information security events include incidents, breaches and vulnerabilities. Situations to be considered for information security event reporting include:
a) ineffective information security controls;
b) breach of information confidentiality, integrity or availability expectations;
c) human errors;
d) non-compliance with the information security policy, topic-specific policies or applicable standards;
e) breaches of physical security measures;
f) system changes that have not gone through the change management process;
g) malfunctions or other anomalous system behavior of software or hardware;
h) access violations;
i) vulnerabilities;
j) suspected malware infection.
Personnel and users should be advised not to attempt to prove suspected information security vulnerabilities. Testing vulnerabilities can be interpreted as a potential misuse of the system and can also cause damage to the information system or service, and it can corrupt or obscure digital evidence. Ultimately, this can result in legal liability for the individual performing the testing.

Designing an effective means of the detection of incidents is also essential, using both trained users and trained system administrators, and various technical controls. All members of the community should be trained and comfortable regarding

  • procedures for reporting failures, weaknesses, and suspected incidents
  • methods to recognize and detect problems with security protections
  • how to escalate reporting appropriately

In addition, technical controls must be implemented for the automated detection of security events, coupled with reporting that is as close to real time as possible, so that problems can be investigated and immediate responses initiated. For new IT systems, often the best time to develop automated detection of security events is when the preventive security controls are being developed and implemented. The most fundamental approaches to detecting intrusions are to monitor server logs for signs of unauthorized access, to monitor firewall or router logs for abnormal events, and to monitor network performance for spikes in traffic. Since intruders can alter or destroy local logs, a best practice is to take the precaution of sending logs to a remote log server. Detection should combine host-level and network-level detections, which when used together provide the most powerful system for detecting problems. The purpose of information security event reporting is to support timely, consistent and effective reporting of information security events that can be identified by personnel. This is to ensure that information security events are reported in a timely manner and that the information is recorded accurately to support incident response activities and other security management responsibilities.

Information security event reporting is the process of documenting and logging information security events that occur in an organisation. The control recommends that organisations have an information security event reporting program, which will facilitate the process of receiving, assessing and responding to reports of incidents which have a potential impact on information security, for the purposes of detecting incidents and mitigating adverse effects. This control is designed to:

  • Support timely, consistent and effective reporting of information security events that can be identified by personnel.
  • Proactively detect unauthorised access or misuse of information systems.
  • Facilitate incident response planning.
  • Provide a foundation for continuous monitoring activities.
  • Support regular review of incidents and trends in order to identify problems before they become major incidents (for example, by monitoring the number of incidents or the time required for each incident).

The following are some of the basic requirements for Control 6.8:

All personnel and users should be made aware of their responsibility to report information security events as quickly as possible in order to prevent or minimize the effect of information security incidents. The organisation shall have a documented point of contact for reporting information security incidents to appropriate parties. The reporting mechanism should be as easy, accessible and available as possible. The organisation shall maintain documentation of information security events, including incident reports, event logs, change requests, problem reports and system documentation.
Situations to be considered for information security event reporting include:

  • Ineffective information security controls.
  • Breach of information confidentiality, integrity or availability expectations.
  • Human errors.
  • Non-compliance with the information security policy, topic-specific policies or applicable standards.
  • Breaches of physical security measures.
  • System changes that have not gone through the change management process.
  • Malfunctions or other anomalous system behaviour of software or hardware.
  • Access violations.
  • Vulnerabilities.
  • Suspected malware infection.

It is also important to point out here that it is not the role of the personnel reporting an information security event to test the vulnerability or the effectiveness of the event themselves. Doing so can lead to legal liabilities for the employee, and so it should be left to qualified personnel to handle.

Even if an organization installs a network intrusion detection system or other monitoring systems, the resulting alerts can quickly overload personnel. An effective approach is to use analysis tools to help manage intrusion detection systems and summarize the data. Even when log summarization is used, maintaining and monitoring intrusion detection systems can require resources and technical skills that are beyond some organizations’ means. A less expensive alternative to developing your own IDS capabilities is to collaborate with other higher education institutions, helping each other deploy intrusion detection systems and even having a single person monitor all systems, or to contract for the service with your ISP. Two major weaknesses of network IDS are that they cannot detect attacks in encrypted traffic and they cannot determine what is occurring within a targeted, compromised host. Host-based intrusion detection systems (HIDS) can address both of these issues and can be used to monitor system processes, file system changes and log files for suspicious activity. Many commercial endpoint security offerings now include HIDS functionality, and servers can utilize open source monitoring tools. Communicating security alerts through an interface that system administrators already use to monitor the status and performance of their systems increases the likelihood that they will notice problems quickly.


ISO 27001:2022 A 6.6 Confidentiality or non-disclosure agreements

A non-disclosure agreement (NDA), also known as a confidentiality agreement, is a legally binding contract in which one party (usually the organization) agrees to give a second party (employees, vendors, contractors) confidential information about its business or products, and the second party agrees not to share this information with anyone else for a specified period of time. NDAs are used to protect sensitive information and intellectual property (IP) by outlining in detail what information must remain private and what information can be shared or released to the public. NDAs are typically signed at the beginning of a business relationship. The information covered by an NDA can be unlimited, ranging from test results to system specifications to customer lists and sales figures. If the NDA is broken and information is leaked, it is considered a breach of contract.

Key elements of an NDA include:

  • Identification of the participants
  • Definition of what is considered to be confidential
  • Duration of the confidentiality commitment
  • Exclusions from confidential protection

Control

Confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information should be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.

Purpose

To maintain confidentiality of information accessible by personnel or external parties.

ISO 27002 Implementation Guidance

Confidentiality or non-disclosure agreements should address the requirement to protect confidential information using legally enforceable terms. Confidentiality or non-disclosure agreements are applicable to interested parties and personnel of the organization. Based on an organization’s information security requirements, the terms in the agreements should be determined by taking into consideration the type of information that will be handled, its classification level, its use and the permissible access by the other party. To identify requirements for confidentiality or non-disclosure agreements, the following elements should be considered:
a) a definition of the information to be protected (e.g. confidential information);
b) the expected duration of an agreement, including cases where it can be necessary to maintain confidentiality indefinitely or until the information becomes publicly available;
c) the required actions when an agreement is terminated;
d) the responsibilities and actions of signatories to avoid unauthorized information disclosure;
e) the ownership of information, trade secrets and intellectual property, and how this relates to the protection of confidential information;
f) the permitted use of confidential information and rights of the signatory to use the information;
g) the right to audit and monitor activities that involve confidential information for highly sensitive circumstances;
h) the process for notification and reporting of unauthorized disclosure or confidential information leakage;
i) the terms for information to be returned or destroyed at agreement termination;
j) the expected actions to be taken in the case of non-compliance with the agreement.
The organization should take into consideration the compliance with confidentiality and non-disclosure agreements for the jurisdiction to which they apply.
Requirements for confidentiality and non-disclosure agreements should be reviewed periodically and when changes occur that influence these requirements.

Other information

Confidentiality and non-disclosure agreements protect the organization’s information and inform signatories of their responsibility to protect, use and disclose information in a responsible and authorized manner.

Confidentiality or non-disclosure agreements are legally enforceable documents designed to protect your organization’s confidential information and intellectual property. These agreements, signed by the organization and its employees and/or third parties, establish the responsibilities of all parties to ensure that no one discloses sensitive data in an unauthorized manner. These agreements can be used in a wide range of situations, including:

  1. Employment – A confidentiality agreement may be part of the employment contract for a new employee. The agreement ensures that the employee does not disclose any confidential information about the company, its products or services, employees or vendors. Non-disclosure agreements are also used by businesses to prevent their employees from disclosing sensitive information after they leave their jobs.
  2. Business transactions – Confidentiality agreements are often included in business transactions, such as purchasing a company, merging with another company or selling a business. The purpose of these agreements is to prevent both parties from disclosing any confidential information obtained during the transaction.
  3. Partnerships – Confidentiality agreements are often used in business transactions when one party wants to protect its existing relationships with customers or suppliers from being disclosed to a new partner. For example, if a company is seeking funding from venture capitalists, it may ask those investors to sign NDAs in order to protect proprietary information about the company’s products or services.
  4. Partnership agreements – Partnerships often include confidentiality clauses as part of their partnership agreement, so that each partner agrees not to disclose any confidential information obtained during the partnership.

Confidentiality agreements are entered into by individuals and businesses alike. They have many purposes, such as:

  • Protecting trade secrets and proprietary information from competitors who might otherwise use it against them;
  • Preventing an employee from sharing sensitive company information with another company; and
  • Protecting intellectual property (IP) rights like patents and copyrights.

A good control describes how the requirements for confidentiality or non-disclosure agreements that reflect the organization’s needs for the protection of information must be identified, regularly reviewed and documented. As such, the organization needs to ensure that any information that needs to be protected is protected through the use of confidentiality and non-disclosure agreements. Agreements are usually specific to the organization and should be developed with its control needs in mind, following the risk analysis work. Standard agreements for confidentiality and non-disclosure that may warrant consideration here include:

  1. General non-disclosure and mutual non-disclosure agreements, e.g. when sharing sensitive information about new business ideas.
  2. Customer agreements using standard terms and conditions – expressing confidentiality within the context of the use of products sold and any complimentary services outlined in a related order form.
  3. Associate/supplier/partner agreements used for small suppliers and independent service providers that the organization uses for delivery of services.
  4. Employment-related terms.
  5. Privacy policies, e.g. in email footers.

Good non-disclosure agreements are usually no more than a few pages long, but they should contain a few basic elements:

  • The names of the parties to the agreement
  • Definition of what is considered confidential information in the case
  • Any exceptions to confidentiality
  • A statement of the appropriate use of the information to be disclosed
  • Miscellaneous provisions
  • Term of the agreement
  • Consequences of violating a nondisclosure agreement

To make an NDA:

  1. First, identify the owner of the confidential data, since the contract is concluded on their behalf. The contract must be concluded by the rights holder; otherwise it will have no legal effect.
  2. Clarify what constitutes disclosure of the information, for example selling the data, giving it to third parties, and so on.
  3. It is better to conclude an NDA with outsourced employees who have access to information that is important to the company.
  4. Define from the outset the ways in which confidential information will be transferred.
  5. Also define the list of confidential information, state that this data is the property of the owning company, and indicate that the information is transmitted only for business purposes.
  6. Specify that the recipient of the data must take all measures to protect it.
  7. Set the term of the NDA so that the data remains confidential even after the cooperation ends.
  8. Specify the sanctions for violating the non-disclosure agreement.

ISO 27001:2022 A 6.3 Information security awareness, education and training

This control aims to ensure that employees, contractors and third-party users are aware of information security threats and concerns and of their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work and to reduce the risk of human error. It covers the need for employees of an organisation to receive appropriate information security awareness, education and training, plus regular updates of the organisation’s information security policy, especially as it applies to their job function.

Employee orientation for new employees: all new employees should participate in new employee orientation workshops or be provided with pertinent information, including security policies and procedures and the potential disciplinary processes/actions for any security breaches. Additionally, new employees should be required to sign an acknowledgment indicating that they have read and understand the organization’s acceptable use policy, the organization’s security policies and any non-disclosure agreements (if applicable). All managers and supervisors should be expected to emphasize the importance of security to their employees. Organizations should provide relevant information security information on a defined schedule (annually, bi-annually, etc.) appropriate to the employee’s job roles and responsibilities. All employees should be required to take general training on basic information security practices and/or acknowledge their basic understanding of the organization’s security policies and procedures. The main benefit of information security awareness training is protection from attacks on digital systems or a data breach. Preventing such incidents is critical because a successful cyber attack can financially cripple an organization and significantly harm its brand reputation.

A 6.3 Information security awareness, education and training

Control

Personnel of the organization and relevant interested parties should receive appropriate information security awareness, education and training and regular updates of the organization’s information security policy, topic-specific policies and procedures, as relevant for their job function.

Purpose

To ensure personnel and relevant interested parties are aware of and fulfill their information security responsibilities.

ISO 27002 Implementation Guidance
General

An information security awareness, education and training programme should be established in line with the organization’s information security policy, topic-specific policies and relevant procedures on information security, taking into consideration the organization’s information to be protected and the information security controls that have been implemented to protect the information. Information security awareness, education and training should take place periodically. Initial awareness, education and training can apply to new personnel and to those who transfer to new positions or roles with substantially different information security requirements. Personnel’s understanding should be assessed at the end of an awareness, education or training activity to test knowledge transfer and the effectiveness of the awareness, education and training programme.

Awareness

An information security awareness programme should aim to make personnel aware of their responsibilities for information security and the means by which those responsibilities are discharged. The awareness programme should be planned taking into consideration the roles of personnel in the organization, including internal and external personnel (e.g. external consultants, supplier personnel). The activities in the awareness programme should be scheduled over time, preferably regularly, so that the activities are repeated and cover new personnel. It should also be built on lessons learnt from information security incidents.
The awareness programme should include a number of awareness-raising activities via appropriate physical or virtual channels such as campaigns, booklets, posters, newsletters, websites, information sessions, briefings, e-learning modules and e-mails.
Information security awareness should cover general aspects such as:
a) management’s commitment to information security throughout the organization;
b) familiarity and compliance needs concerning applicable information security rules and obligations, taking into account information security policy and topic-specific policies, standards, laws, statutes, regulations, contracts and agreements;
c) personal accountability for one’s own actions and inaction, and general responsibilities towards securing or protecting information belonging to the organization and interested parties;
d) basic information security procedures (e.g. information security event reporting) and baseline controls (e.g. password security);
e) contact points and resources for additional information and advice on information security matters, including further information security awareness materials.

Education and training

The organization should identify, prepare and implement an appropriate training plan for technical teams whose roles require specific skill sets and expertise. Technical teams should have the skills for configuring and maintaining the required security level for devices, systems, applications and services. If there are missing skills, the organization should take action and acquire them. The education and training programme should consider different forms [e.g. lectures or self-studies, being mentored by expert staff or consultants (on-the-job training), rotating staff members to follow different activities, recruiting already skilled people and hiring consultants]. It can use different means of delivery including classroom-based, distance learning, web-based, self-paced and others. Technical personnel should keep their knowledge up to date by subscribing to newsletters and magazines or by attending conferences and events aimed at technical and professional improvement.

Other information

When composing an awareness programme, it is important not only to focus on the ’what’ and ’how’, but also the ’why’, when possible. It is important that personnel understand the aim of information security and the potential effect, positive and negative, on the organization of their own behaviour. Information security awareness, education and training can be part of, or conducted in collaboration with, other activities, for example general information management, ICT, security, privacy or safety training.

All employees of the organization and, where relevant, contractors and third-party users should receive appropriate awareness training in, and regular updates of, organizational policies and procedures relevant to their job functions. Information security awareness, education and training (IT security awareness) is the process of informing users about the importance of information security and encouraging them to improve their own computer security habits. Users must be made aware of the security risks that can arise from their activities and how they can protect themselves against these risks. Information security awareness, education and training are critical components of any organisation’s success. It is critical that all employees understand the importance of information security and how it affects everyone. The more employees understand how to protect themselves from cyber threats, the more secure the organisation will be. The organization must ensure that information security awareness programmes inform personnel of the existence and availability of current versions of the information security policy, standards and procedures. The organization must ensure that employee information security awareness and procedures are reinforced by regular updates. Security reminder messages should be posted in secured areas and/or regularly communicated to personnel according to the intended audience and/or the classification of the notifications. A copy of the information security policies should be issued to all new personnel as they join and to all existing personnel. Personnel should be made aware of the security classifications of the information assets that they use, and should handle them appropriately. Controls include:

  • a formal induction process that includes information security training, prior to being granted access to information or information systems;
  • ongoing training in security control requirements, legal, regulatory and certification responsibilities, and correct procedures generally, suitable to each person’s roles and responsibilities;
  • periodic reminders that cover both general security topics and specific issues of relevance to the organization given its history of security incidents; and
  • other appropriate efforts to raise and maintain awareness of security issues.

In crafting a good security awareness training program, companies should emphasize to employees the criticality of protecting the organization and provide an overview of the corresponding corporate policies and procedures that cover how to work securely and who to contact if they discover a potential threat. They should also tailor the program to reach employees of all levels at different stages of their employment to keep Information security a top priority and prevent any employee, whether brand new or decades in, from endangering the company. An effective training program should reach workers with varying degrees of technical aptitude and knowledge with different learning styles. It should be multifaceted, with a collection of lessons and learning opportunities so it engages everyone in the company, regardless of their knowledge levels and learning styles. Additionally, a comprehensive program has role-based content, delivering instructional material tailored to the needs of an employee’s role and even material tailored to third-party stakeholders, such as business partners and contract workers, to ensure those individuals don’t put the organization at risk.

The training content should range from written material to interactive online learning to gamification sessions so workers can access information in formats they learn best, whether it’s audio, visual, etc. Content should include lessons with varying degrees of complexity so workers can access the most relevant information according to their roles. Follow-up and ongoing messaging reminds workers of the company’s security policies; delivers short refreshers on how to identify and avoid security risks and violations, as well as how to handle possible security problems; and alerts them to any emerging threats. Measuring and reporting worker involvement in training programs, as well as the effectiveness of the organization’s awareness training, help identify any weaknesses in the program and areas in need of strengthening. A good training program typically has a mix of the following:

  • formal education, such as structured lessons and mandatory instruction;
  • informational learning opportunities, such as weekly emails containing tips, policy updates and security news updates;
  • experiential sessions and even gamification, where workers are required to work through simulations and scenarios to test their understanding and reinforce their training so they’re better prepared to handle real-world security challenges; and
  • security champions, workers who have become particularly skilled at understanding security and are willing to teach and promote security best practices among their colleagues.

The security awareness training program should be comprehensive, starting with rudimentary lessons and moving up to advanced materials. It should also include an assessment process to help organizations identify a worker’s level of security awareness and subsequently create a learning pathway for them. Additionally, organizational leaders need to consider, while developing the training program, that different roles within the organization face different risks and threats. For example, an entry-level employee with limited access to sensitive data and core IT systems likely encounters fewer risky scenarios than a high-level executive who works with the organization’s proprietary information and financial systems, or a senior IT employee who is authorized to work on the core technologies that enable the business. Larger organizations with significant HR departments may be able to develop and deliver their own awareness training program, or at least supplement it with outside resources. Many organizations, however, choose to outsource most or all of the training, considering this the most effective and efficient way to implement the necessary education for their employees. Either way, organizational leaders should have mechanisms to measure whether the training is effective at both the enterprise level and the individual employee level.

Experts agree awareness and training should be ongoing within the enterprise. Ongoing training helps workers build a security mindset, helping them stay diligent, and gives organizations opportunities to educate workers on new policies and procedures and alert them to the new and evolving threats and risks they may face. To best achieve this, organizations should establish a schedule to determine what training to deliver to what employees and how frequently training must occur. Security awareness training should ideally take place when a new employee joins the company as part of a mandatory onboarding process. When assessments, evaluations or testing indicate a lapse in best practices, organizations should consider mandatory training for the whole enterprise or for individual employees. Many organizations opt to use a learning management system to make training content easily and readily available to employees.

ISO 27001:2022 A 6.4 Disciplinary process

The Disciplinary process control addresses the need for organisations to put in place some form of disciplinary process to serve as a deterrent, so that personnel do not commit information security violations. An information security violation is a breach of the rules or laws governing the proper handling of information. Information security policies are established by organisations to protect confidential, proprietary and personal data, such as customer records and credit card numbers. Information security policies also include computer security policies that help ensure the safety and integrity of data stored on computers. Information security violations include, but are not restricted to:

  • Browsing computer or paper records without appropriate authorization and a legitimate business reason
  • Information lost or compromised
  • Loss or theft of equipment containing organizational information
  • Repeated incidents of unattended or lost smart cards
  • Using unencrypted memory sticks
  • Using customer or employee personal data or information without appropriate authorization and a legitimate business reason
  • Disclosing customer or employee personal data or information without appropriate authorization and a legitimate business reason
  • Disclosing computer passwords
  • Sending information insecurely outside the organization
  • Sending sensitive personal data or identifiable personal information to the wrong person or customer
  • Unauthorized disclosure of organizational information to third parties e.g. the press.

This disciplinary process should be formally communicated, and a suitable penalty designed for employees and other relevant interested parties who commit a violation. If an employee violates an organisation’s information security policy, he or she could be subject to disciplinary action or termination of employment. In some cases, a company may choose not to terminate an employee who breaks its computer usage policy, but instead take other appropriate measures to prevent future violations of company policy.

A 6.4 Disciplinary process

Control

A disciplinary process should be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation.

Purpose

To ensure personnel and other relevant interested parties understand the consequences of information security policy violation, to deter and appropriately deal with personnel and other relevant interested parties who committed the violation.

ISO 27002 Implementation Guidance

The disciplinary process should not be initiated without prior verification that an information security policy violation has occurred.
The formal disciplinary process should provide for a graduated response that takes into consideration factors such as:
a) the nature (who, what, when, how) and gravity of the breach and its consequences;
b) whether the offence was intentional (malicious) or unintentional (accidental);
c) whether or not this is a first or repeated offence;
d) whether or not the violator was properly trained.
The response should take into consideration relevant legal, statutory, regulatory, contractual and business requirements, as well as other factors as required. The disciplinary process should also be used as a deterrent to prevent personnel and other relevant interested parties from violating the information security policy, topic-specific policies and procedures for information security. Deliberate information security policy violations can require immediate action.

Other information

Where possible, the identity of individuals subject to disciplinary action should be protected in line with applicable requirements. When individuals demonstrate excellent behavior with regard to information security, they can be rewarded to promote information security and encourage good behavior.

There should be a formal disciplinary process for employees who have committed a security breach. A security breach happens where there has been a deliberate attempt, whether successful or not, to compromise organizational assets such as information, people, IT or premises, or any accident resulting in loss of assets. A formal disciplinary process must be established by the organization in relation to employees who have violated the organization’s security policies and procedures, and for the retention of evidence. Disciplinary processes should aim to be a deterrent to employees who might otherwise be inclined to disregard security policies and procedures. Where appropriate, discipline should be in line with the relevant employment act conditions. For employees not covered under this, discipline should be in line with contract terms and conditions. Where it is formally stated that some activity is not allowed, but informally action is not generally taken against the activity (e.g. banning the distribution of jokes via e-mail), any subsequent disciplinary action taken in this regard may be subject to legal challenge and may, therefore, be unenforceable. Disciplinary action should accurately reflect the nature of the breach of policy. Minor infringements are to be expected and should be dealt with through cautions and user security awareness education. Repeated minor infringements may be symptomatic of an inappropriate policy or control, and should entail a re-assessment of its suitability. Repeated minor infringements not due to an inappropriate policy or control, or a major breach of security, may be more suitably dealt with by formal sanctions such as termination of access (temporary or permanent) or legal action. The nature of appropriate disciplinary action should be determined by the workforce management function, in consultation with security officers and with legal officers if legal action is contemplated. Control includes:

  • a reasonable evidentiary standard to initiate investigations (reasonable suspicion that a breach has occurred);
  • appropriate investigatory processes, including specification of roles and responsibilities, standards for the collection of evidence and chain of custody of evidence;
  • disciplinary proceedings that observe reasonable requirements for due process and quality of evidence;
  • a reasonable evidentiary standard to determine fault, that ensures correct and fair treatment for persons suspected of a breach;
  • sanctions that appropriately take into consideration factors such as the nature and gravity of the breach, its impact on operations, whether it is a first or repeat offence, whether or not the violator was appropriately trained, whether or not the violator exercised due care or exhibited negligence;
  • an overall process that functions both as deterrent and sanction.

ISO 27001:2022 A 6.2 Terms and conditions of employment

Security responsibilities must be addressed at the recruitment stage, included in contracts, and monitored during an individual’s employment. Candidates must be adequately screened, commensurate with the sensitivity of the information being handled. If necessary, all employees and third-party users should sign a confidentiality (non-disclosure) agreement. Prior to hiring or contracting employees or companies, security roles and responsibilities should be clearly articulated in job descriptions or well defined in contract terms and conditions. These roles and responsibilities should be defined in accordance with the organization’s security policies. Careful attention should be paid to the validation of references and the appropriate level of background checks, as determined by the security roles and responsibilities of the position or contract. Receipt of affirmative references and successful completion of a background check at a level commensurate with the position’s roles and responsibilities should be considered a condition of hire. The purpose of this section is to introduce the security controls for people who work for the organization (both employees and other people who are contracted). These controls are really important because statistics worldwide show that people working for companies represent the biggest threat to information security. The most common ways of implementing these security controls are:

  • Documenting a human resource management procedure, although it is not a mandatory document.
  • Signing contracts with employees and other contractors that include information security clauses.
  • Regularly training people on security issues and continual awareness-raising campaigns.
  • Introducing a disciplinary process for all employees who have committed information security breaches.

The objective of this category is to ensure that employees, contractors, and third-party users understand their responsibilities, and are suitable for the roles for which they are considered, in order to reduce the risk of theft, fraud, or misuse of facilities. Security roles and responsibilities of employees, contractors, and third-party users should be defined and documented in accordance with the organization’s information security policy. Control includes requirements to:

act in accordance with the organization’s information security policy, including the execution of processes or activities particular to the indivi

A 6.2 Terms and conditions of employment

Control

The employment contractual agreements should state the personnel’s and the organization’s responsibilities for information security.

Purpose

To ensure personnel understand their information security responsibilities for the roles for which they are considered.

Guidance

The contractual obligations for personnel should take into consideration the organization’s information security policy and relevant topic-specific policies. In addition, the following points can be clarified and stated:

a) confidentiality or non-disclosure agreements that personnel who are given access to confidential information should sign prior to being given access to information and other associated assets;
b) legal responsibilities and rights (e.g. regarding copyright laws or data protection legislation);
c) responsibilities for the classification of information and management of the organization’s information and other associated assets, information processing facilities and information services handled by the personnel;
d) responsibilities for the handling of information received from interested parties;
e) actions to be taken if personnel disregard the organization’s security requirements.

Information security roles and responsibilities should be communicated to candidates during the pre-employment process. The organization should ensure that personnel agree to terms and conditions concerning information security. These terms and conditions should be appropriate to the nature and extent of access they will have to the organization’s assets associated with information systems and services. The terms and conditions concerning information security should be reviewed when laws, regulations, the information security policy or topic-specific policies change. Where appropriate, responsibilities contained within the terms and conditions of employment should continue for a defined period after the end of the employment.

Other information

A code of conduct can be used to state personnel’s information security responsibilities regarding confidentiality, PII protection, ethics, appropriate use of the organization’s information and other associated assets, as well as reputable practices expected by the organization. An external party, with which supplier personnel are associated, can be required to enter into contractual agreements on behalf of the contracted individual. If the organization is not a legal entity and does not have employees, the equivalent of contractual agreement and terms and conditions can be considered in line with the guidance of this control.

Employees, contractors, and third-party users should agree to and sign a statement of rights and responsibilities for their affiliation with the organization, including rights and responsibilities with respect to information security. The organization should define security roles and responsibilities in accordance with its information security policy. The organization must ensure that information security policies are readily accessible and formally communicated to all personnel on a periodic basis. All employees, including contractors, temporary staff, board and/or committee members, should sign confidentiality or non-disclosure agreements as part of their initial terms and conditions of employment. Such agreements should give notice to users of the organization’s policies, rights, obligations, and responsibilities in relation to access to information assets. This control addresses the need for a contractual agreement that informs any new employee about their responsibilities, as well as those of the organization, towards information security. What this means is that employees should know about the company’s information security policy, as well as the roles and responsibilities of people who work with information security in the company. This can be done by having personnel sign an employment contract or something similar. Such a contractual agreement will typically outline the general requirements for protecting information assets, including physical security, environmental controls, access controls and contingency planning, as well as a confidentiality agreement if they will be working with PII. Information security obligations should be explicitly stated in contracts with both employees and contractors. Insist that all parties involved are aware of and familiar with NDAs, legal rights and duties, data processing, and the use of third-party information. It is critical that disciplinary measures are guided by defined policies within the organization.
The contractual agreement with employees and contractors must state their and the organization’s responsibilities for information security. These agreements are a good place to put key general and individual information security responsibilities, as they carry legal weight – meaning they are backed up by the law. This is also very important with regard to compliance obligations. They should reference and cover a whole range of control areas, including overall compliance with the ISMS as well as, more specifically, acceptable use, IPR ownership, return of assets, etc.

Confidentiality, non-disclosure, and/or contractual agreements should also be reviewed when there are changes to terms of employment or contract, particularly when employees are due to leave the organization or contracts are due to expire. The organization should ensure that all personnel employed are adequately bound to the confidentiality and non-disclosure requirements. Punitive and/or remedial action(s) to be taken if the employee disregards security requirements should also be clearly described in the terms and conditions. Such measures must be aligned with a formally documented disciplinary process. Casual staff and third-party users (such as volunteers) not already covered by an existing contract (containing the confidentiality agreement) should also be required to sign a confidentiality agreement prior to being given access to information processing facilities or information assets. The organization must establish agreements with equipment repairers to safeguard the confidentiality of information (and data) on equipment undergoing repair. Control includes, in the signed agreement:

  1. information about the scope of access and other privileges the person will have, with respect to the organization’s information and information processing facilities;
  2. information about the person’s responsibilities, under legal-regulatory-certificatory requirements and organizational policies, specified in that or other signed agreements;
  3. as appropriate, information about responsibilities for classification of information and management of organizational information facilities that the person may use;
  4. as appropriate, information about the handling of sensitive information, both internal to the organization and that received from or transferred to outside parties;
  5. information about responsibilities that extend outside the organization’s boundaries (e.g., for mobile devices and teleworking);
  6. information about the organization’s responsibilities for the handling of information related to the person him/herself, generated in the course of employment, contractor or other third party relationship;
  7. actions that can be anticipated, under the organization’s disciplinary process, as a consequence of failure to observe security requirements.

This control may also include the provision of an organizational code of conduct or code of ethics to the employee, contractor, or third party. It may also include a requirement to sign, prior to being given access or other privileges to information or information processing facilities, a separate confidentiality or non-disclosure agreement; and/or acceptable use of assets agreement.

Code Of Conduct

Your firm could lose money if your workers casually share proprietary information with your competitors. Additionally, you could face lawsuits if employees fail to protect your clients’ financial information. To avoid such issues, implement a company code of conduct. This HR document should include clear instructions for safeguarding sensitive information. Provide every employee with a copy of this policy and require every new hire to sign an agreement to abide by the code of conduct. Over time, you might need to update or amend this document to accommodate the implementation of new processes or procedures. HR representatives are responsible for ensuring that employees are made aware of such changes.

ISO 27001:2022 A 6.1 Screening

Appropriate background verification checks — also known as “screening” or “clearance” — for all candidates for employment, contractor status, or third-party user status, should be carried out. Pre-employment screening is the process of verifying information that job candidates supply on their resumes and job applications. It may also be referred to by other names, such as:

  • Background Checks
  • Criminal Background Checks
  • Background Screening

This type of background check is usually initiated to see if a prospective employee is trustworthy enough to protect confidential or sensitive information, or manage the financial resources of a business. It may also be used to try to determine if job candidates have any criminal tendencies or character flaws that might limit their effectiveness or hurt the employer in other ways, such as endangering the staff or tarnishing the company’s reputation. Most employers conduct pre-employment screening of job applicants. However, all or part of the screening process is usually outsourced to private third-party organizations that specialize in this type of background check. An employment background check verifies the employee’s past employment details, criminal records, and/or financial records. This is usually the final step in the recruitment cycle, and it ensures that the hiring decision made by the employer is sound and appropriate. Control includes checks that:

  • are commensurate with the organization’s business needs, and with relevant legal-regulatory-certificatory requirements;
  • take into account the classification/sensitivity of the information to be accessed, and the perceived risks;
  • take into account all privacy, protection of personal data and other relevant employment legislation; and
  • include, where appropriate, components such as identity verification, character references, CV verification, criminal and credit checks.

Control

Background verification checks on all candidates to become personnel should be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

Purpose

To ensure all personnel are eligible and suitable for the roles for which they are considered and remain eligible and suitable during their employment.

ISO 27002 Implementation Guidance

A screening process should be performed for all personnel including full-time, part-time and temporary staff. Where these individuals are contracted through suppliers of services, screening requirements should be included in the contractual agreements between the organization and the suppliers. Information on all candidates being considered for positions within the organization should be collected and handled taking into consideration any appropriate legislation existing in the relevant jurisdiction. In some jurisdictions, the organization can be legally required to inform the candidates beforehand about the screening activities. Verification should take into consideration all relevant privacy, PII protection and employment-based legislation and should, where permitted, include the following:

  1. availability of satisfactory references (e.g. business and personal references).
  2. a verification (for completeness and accuracy) of the applicant’s curriculum vitae.
  3. confirmation of claimed academic and professional qualifications.
  4. independent identity verification (e.g. passport or other acceptable document issued by appropriate authorities).
  5. more detailed verification, such as credit review or review of criminal records if the candidate takes on a critical role.

When an individual is hired for a specific information security role, the organization should make sure the candidate:

  1. has the necessary competence to perform the security role;
  2. can be trusted to take on the role, especially if the role is critical for the organization.

Where a job, either on initial appointment or on promotion, involves the person having access to information processing facilities and, in particular, if these involve handling confidential information (e.g. financial information, personal information or health care information), the organization should also consider further, more detailed verifications. Procedures should define criteria and limitations for verification reviews (e.g. who is eligible to screen people and how, when and why verification reviews are carried out). In situations where verification cannot be completed in a timely manner, mitigating controls should be implemented until the review has been finished, for example:

  1. delayed onboarding;
  2. delayed deployment of corporate assets;
  3. onboarding with reduced access;
  4. termination of employment.

Verification checks should be repeated periodically to confirm ongoing suitability of personnel, depending on the criticality of a person’s role.

Pre-employment screening involves gathering all the information required to make a good hire. This includes identifying candidates that meet predetermined job qualifications and verifying the information they provide. The pre-employment screening process spans from application review to the final hiring decision. Throughout that time, candidates are screened for the following items:

  • Relevant skills and abilities required to be successful in the position
  • Personality traits
  • Cultural fit
  • Educational experience
  • Professional experience
  • History of drug abuse
  • Criminal history

When the time comes to make an offer, thorough pre-employment screening leaves you confident that you’ve selected the most qualified candidate and the best fit for the organization. Employment background verification involves reviewing a potential candidate’s past employment records, personal information (identity, address, etc.), and financial data to confirm the authenticity of their claims. The verification ensures that the candidate can be trusted with sensitive information and will be able to execute their tasks responsibly. Hence, you will be able to make an informed decision based on the background verification. Employee background screenings add a layer of security to the hiring process, filtering the most dependable candidates from the lot. Additionally, these checks offer the following benefits:

  • Improvement in staff quality
  • Lower risk of workplace violence
  • Reduction in employee attrition
  • Identifying qualified employees for the technical work
  • Better organization culture and environment

Employers must be mindful of the following things when conducting employment background screening:

  • Identify the legislation and laws that require you to conduct the background verification
  • Inform the candidate that their candidature in the organization is subject to police verification
  • Seek the candidate’s approval for the background check
  • Keep the candidate’s information and background check results private and confidential

The employment background screening is a tedious process involving the following steps:

  1. Selection of the applicant by the hiring department
  2. Contingent offer made to the applicant by the hiring department
  3. Acceptance of the offer letter by the applicant
  4. The hiring department submits an employment background check request
  5. The human resource department approves the request
  6. Instructions are sent to the employment background check agency or are done in house
  7. The agency/HR conducts the background check and submits the results

Types of Pre-employment Screening

There are actually a number of different types of pre-employment screening, and employers will often use more than one.

Criminal Records Checks

Criminal record checks will often include a combination of records derived from multiple sources. They can be done at county, state, federal, or even international levels. Companies can commonly access this data from online databases alone. Using those databases to check criminal records is referred to as screen-scraping. This process can sometimes turn up charges against job applicants that are very old or have been dismissed. The general consensus is that the most effective method of getting an accurate picture of a job candidate is to have real people looking through hard copies of records, in order to ensure that they are getting information about the correct person and the true outcome of all criminal cases. Pre-employment screening services are offered by government agencies to employers who want information about driving or criminal records. It’s possible that checking criminal records will protect a company in any negligent hiring lawsuits.

Drug Testing

Drug testing is probably one of the most common screenings that employers use to ensure that job candidates will be productive employees and as a preventative measure against injuries in the workplace. Drug tests identify illegal substances potential employees may have ingested or been exposed to. It must be done in strict compliance with laws of the state where the business is located.

Motor Vehicle Records Screening

Records of license suspensions, accidents, convictions, violations or any disciplinary actions may be verified. Companies whose employees operate motor vehicles in the course of their work, such as trucking, delivery or sales, are most likely to require this type of pre-employment screening.

Employment Verification

Employers verify previous employment listed on resumes and job applications using this type of pre-employment screening. It is also used to check the accuracy of dates of employment, job title, and other related details. However, some of the employers which job candidates list on their resume or application may have policies which limit what type of information they will provide about a former employee. Another important screening element is to verify that a job applicant is eligible to work in the country concerned.

Supervisor/Reference Interviews

Employers will sometimes want to interview references or former supervisors, in order to evaluate the ability of a candidate to perform the job in question. In these cases, the employers will usually be required to provide written permission from the applicant before anyone will speak with them.

Education Verification

Particularly for entry-level employees, employers like to verify a job applicant’s degree, academic performance or major. These reports will verify the dates students attended the academic institution, which fields were studied, the degree earned, grade point averages, and the date of graduation.

Licensing and Professional Certification Verification

Companies will always want to verify that their employees have any licenses that are required for their work. This would include attorneys, medical personnel, engineers, accountants, real estate agents, and more. The pre-employment screening will reveal whether a license is valid, the expiration date, and whether the applicant has been the subject of any type of disciplinary action.

Should Social Media Be Utilized for Pre-employment Screening?

Using social media as a form of pre-employment screening is a controversial issue. While you may be able to tell a lot about a potential employee by looking at their Instagram, Twitter, or Facebook account, doing so may result in legal issues for a company. There are pros and cons to a business considering social media checks, but it is not yet typically included in standard background screening.

A firm’s screening procedures for the appointment or employment of officers and employees must ensure that an individual is not appointed or employed unless:

  1. for a higher-impact individual — the firm is satisfied that the individual has the appropriate character, knowledge, skills and abilities to act honestly, reasonably and independently; or
  2. for any other individual — the firm is satisfied about the individual’s integrity.

The procedures must, as a minimum, provide that, before appointing or employing a higher-impact individual, the firm must:

(a) obtain references about the individual;
(b) obtain information about the individual’s employment history and qualifications;
(c) obtain details of any regulatory action taken in relation to the individual;
(d) obtain details of any criminal convictions of the individual; and
(e) take reasonable steps to confirm the accuracy and completeness of information that it has obtained about the individual.

ISO 27001:2022 A 5.4 Management responsibilities

Management Responsibilities covers the need for management to ensure that all personnel adhere to all the information security topic-specific policies and procedures as defined in the established information security policy of the organization. An effective information security policy should be tailored to the specific needs of an organization and supported by senior management to ensure appropriate allocation of resources. It communicates the overarching principles on how management would like employees to handle sensitive data and how the company will protect its information assets. It is often derived from laws, regulations and best practices that must be adhered to by the organization. Information security policies are usually created by an organization’s senior management, with input from its IT security staff. Policies should also include a framework for defining roles and responsibilities and a timeline for periodic review.

A 5.4 Management responsibilities

Control

Management should require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organization.

Purpose

To ensure management understand their role in information security and undertake actions aiming to ensure all personnel are aware of and fulfil their information security responsibilities.

ISO 27002 Implementation Guidance

Management should demonstrate support of the information security policy, topic-specific policies, procedures and information security controls. Management responsibilities should include ensuring that personnel:

  1. are properly briefed on their information security roles and responsibilities prior to being granted access to the organization’s information and other associated assets.
  2. are provided with guidelines which state the information security expectations of their role within the organization.
  3. are mandated to fulfil the information security policy and topic-specific policies of the organization.
  4. achieve a level of awareness of information security relevant to their roles and responsibilities within the organization.
  5. comply with the terms and conditions of employment, contract or agreement, including the organization’s information security policy and appropriate methods of working.
  6. continue to have the appropriate information security skills and qualifications through ongoing professional education.
  7. where practicable, are provided with a confidential channel for reporting violations of information security policy, topic-specific policies or procedures for information security (“whistleblowing”). This can allow for anonymous reporting or have provisions to ensure that knowledge of the identity of the reporter is known only to those who need to deal with such reports.
  8. are provided with adequate resources and project planning time for implementing the organization’s security-related processes and controls.

Management should require employees, contractors and third-party users to apply security controls in accordance with established policies and procedures of the organization. Managers and supervisors, or those acting in supervisory capacities, must ensure that personnel under their direction and control, including contractors and temporary staff, apply security practices in accordance with the organization’s established policies and procedures. Management should define responsibilities for general personnel, including contractors and volunteers, in relation to implementing or maintaining security in line with the organization’s policies. It must also specify responsibilities for the protection of particular assets, including critical infrastructure, or for the execution of particular security processes or activities. Management must also communicate the requirement for personnel to report security events and incidents (actual or perceived) and uphold the requirement to report other security risks that are identified. Management may note that the personal circumstances of personnel, such as financial problems, changes in their behavior or lifestyle, recurring absences and evidence of stressful situations or illness, may give rise to security implications in the workplace. Control includes:

  • appropriately informing all employees, contractors, and third-party users of their information security roles and responsibilities, prior to granting access to sensitive information or information systems.
  • providing all employees, contractors, and third parties with guidelines/rules that state the security control expectations of their roles within the organization.
  • achieving an appropriate level of awareness of security controls among all employees, contractors, and third parties, relevant to their roles and responsibilities, and an appropriate level of skills and qualifications, sufficient to execute those security controls.
  • assuring the conformity to the terms and conditions of employment related to security.
  • motivating adherence to the security policies of the organization, such as with an appropriate sanctions policy; and
  • mitigating the risks of a failure to adhere to policies, by ensuring that all persons have appropriately limited access to the organization’s information and information facilities.

The Information Security Manager (ISM) is responsible for establishing and maintaining a corporate-wide information security management program to ensure that information assets are adequately protected. Management must be responsible for identifying, evaluating and reporting on information security risks in a manner that meets compliance and regulatory requirements, and aligns with and supports the risk posture of the enterprise. The ISM must be a visionary leader with sound knowledge of business management and a working knowledge of information security technologies. The ISM must work with business units to implement practices that meet defined policies and standards for information security. They must oversee a variety of IT-related risk management activities.

The ISM serves as the process owner of all assurance activities related to the availability, integrity and confidentiality of customer, business partner, employee and business information in compliance with the organization’s information security policies. A key element of the ISM’s role is to determine acceptable levels of risk for the organization. The ISM must be highly knowledgeable about the business environment and ensure that information systems are maintained in a fully functional, secure mode.
The ISM’s role is to act as an interface between the Management’s strategic and process-based activities and the work of the technology-focused analysts, engineers and administrators in the IT organization. The ISM must be able to translate the IT-risk requirements and constraints of the business into technical control requirements and specifications, as well as report on ongoing performance. The ISM coordinates the IT organization’s technical activities to implement and manage security infrastructure, and to provide regular status and service-level reports to management.
The ISM is a thought leader, a consensus builder, and an integrator of people and processes. While the ISM is the leader of the security program, he or she must also be able to coordinate disparate drivers, constraints and personalities, while maintaining objectivity and a strong understanding that security is just one of the business’s activities. It cannot be undertaken at the expense of the enterprise’s ability to deliver on its goals and objectives. Expertise in leading project teams and developing and managing projects is essential for success in this role. The ISM must be able to prioritize work efforts — balancing operational tasks with longer-term strategic security efforts. Other project management tasks will include resource balancing across multiple IT and security teams, task prioritizing and project reporting. Vendor relationship management — ensuring that service levels and vendor obligations are met — is also an important aspect of the position. ISMs are responsible for managing highly technical staff as they work to accomplish company and personal development goals and must, therefore, have proven leadership skills. Documentation and presentation skills, analytical and critical thinking skills, and the ability to identify needs and take initiative are key requirements of the ISM’s position.

The ISM’s responsibilities are composed of a variety of activities, including very tactical, operational and strategic activities in support of the ISM’s program initiatives, such as:

1) Strategic Support and Management

  1. Develop, implement and monitor a strategic, comprehensive enterprise information security and IT risk management program to ensure the integrity, confidentiality and availability of information owned, controlled or processed by the organization.
  2. Manage the enterprise’s information security organization, consisting of direct reports and indirect reports (such as individuals in business continuity and IT operations). This includes hiring, training, staff development, performance management and annual performance reviews.
  3. Facilitate information security governance through the implementation of a hierarchical governance program, including the formation of an information security steering committee or advisory board.
  4. Develop, maintain and publish up-to-date information security policies, standards and guidelines. Oversee the approval, training, and dissemination of security policies and practices.
  5. Create, communicate and implement a risk-based process for vendor risk management, including the assessment and treatment of risks that may result from partners, consultants and other service providers.
  6. Develop and manage information security budgets and monitor them for variances.
  7. Create and manage information security and risk management awareness training programs for all employees, contractors and approved system users.
  8. Work directly with the business units to facilitate IT risk assessment and risk management processes, and work with stakeholders throughout the enterprise on identifying acceptable levels of residual risk.
  9. Provide regular reporting on the current status of the information security program to enterprise risk teams, senior business leaders and the board of directors as part of a strategic enterprise risk management program.
  10. Create a framework for roles and responsibilities with regard to information ownership, classification, accountability and protection.
  11. Develop and enhance an information security management framework based on the National Information Assurance Policy.
  12. Provide strategic risk guidance for IT projects, including the evaluation and recommendation of technical controls.
  13. Liaise with the enterprise architecture team to ensure alignment between the security and enterprise architectures, thus coordinating the strategic planning implicit in these architectures.
  14. Coordinate information security and risk management projects with resources from the IT organization and business unit teams.
  15. Ensure that security programs comply with relevant laws, regulations and policies to minimize or eliminate risk and audit findings.
  16. Define and facilitate the information security risk assessment process, including the reporting and oversight of treatment efforts to address negative findings.
  17. Manage security incidents and events to protect corporate IT assets, including intellectual property, regulated data and the company’s reputation.
  18. Monitor the external threat environment for emerging threats and advise relevant stakeholders on the appropriate courses of action.
  19. Develop and oversee effective disaster recovery policies and standards to align with enterprise business continuity management program goals. Coordinate the development of implementation plans and procedures to ensure that business-critical services are recovered in the event of a security event. Provide direction, support and in-house consulting in these areas.
  20. Facilitate a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitate appropriate resource allocation, and increase the maturity of the security program.
  21. Understand and interact with related disciplines through committees to ensure the consistent application of policies and standards across all technology projects, systems and services, including, but not limited to, privacy, risk management, compliance and business continuity management.

2) Security Liaison

  1. Liaise among the information security team and corporate compliance, audit, legal and HR management teams as required.
  2. Liaise with external agencies, such as law enforcement and other advisory bodies as necessary, to ensure that the organization maintains a strong security posture.
  3. Assist resource owners and IT staff in understanding and responding to security audit failures reported by auditors.
  4. Work as a liaison with vendors and the legal and purchasing departments to establish mutually acceptable contracts and service-level agreements.
  5. Manage security issues and incidents and participate in problem and change management forums. Ensure timely reporting of ICT security incidents and adequate participation in their investigation, with Q-CERT and/or law enforcement agencies as applicable.
  6. Work with various stakeholders to identify information asset owners to classify data and systems as part of a control framework implementation.
  7. Work with the IT and business stakeholders to define metrics and reporting strategies that effectively communicate successes and progress of the security program.

3) Architecture/Engineering Support

  1. Consult with IT and security staff to ensure that security is factored into the evaluation, selection, installation and configuration of hardware, applications and software.
  2. Recommend and coordinate the implementation of technical controls to support and enforce defined security policies.
  3. Research, evaluate, design, test, recommend or plan the implementation of new or updated information security hardware or software, and analyze its impact on the existing environment; provide technical and managerial expertise for the administration of security tools.
  4. Work with the enterprise architecture team to ensure that there is a convergence of business, technical and security requirements; liaise with IT management to align existing technical installed base and skills with future architectural requirements.
  5. Develop a strong working relationship with the security engineering team to develop and implement controls and configurations aligned with security policies and legal, regulatory and audit requirements.

4) Operational Support

  1. Coordinate, measure and report on the technical aspects of security management.
  2. Manage outsourced vendors that provide information security functions for compliance with contracted service-level agreements.
  3. Manage and coordinate operational components of incident management, including detection, response and reporting.
  4. Maintain a knowledge base comprising a technical reference library, security advisories and alerts, information on security trends and practices, and laws and regulations.
  5. Manage the day-to-day activities of threat and vulnerability management, identify risk tolerances, recommend treatment plans and communicate information about residual risk.
  6. Ensure audit trails, system logs and other monitoring data sources are reviewed periodically and comply with policies and audit requirements.
  7. Design, coordinate and oversee security-testing procedures to verify the security of systems, networks and applications, and manage the remediation of identified risks.

ISO 27001:2022 A 5.6 Contact with special interest groups

Most organizations today have some sort of relationship with special interest groups. They may be a customer group, a supplier group, or a group that has some influence over the organization. The purpose of this control is to ensure that an appropriate flow of information security-related information takes place among these special interest groups. A special interest group may be defined as an association of persons or organizations with an interest in, or working in, a certain field of expertise, where members cooperate to solve issues, generate solutions, and acquire knowledge. In our situation, this area of expertise would be information security. You must identify and document any professional associations, forums or interest groups you are part of or could be part of. Specialist forums, professional groups and even the government are examples of special interest groups. Being part of a special interest group keeps you informed about best practice, keeps you up to date with current practices, and gives you early warning of alerts, advisories and patches. It can also show that you have obtained specialist information security advice and that you share and exchange information.

A 5.6 Contact with special interest groups

Control

The organization should establish and maintain contact with special interest groups or other specialist security forums and professional associations.

Purpose

To ensure appropriate flow of information takes place with respect to information security.

Implementation guidance

Membership in special interest groups or forums should be considered as a means to:

  • improve knowledge about best practices and stay up to date with relevant security information;
  • ensure the understanding of the information security environment is current;
  • receive early warnings of alerts, advisories and patches pertaining to attacks and vulnerabilities;
  • gain access to specialist information security advice;
  • share and exchange information about new technologies, products, services, threats or vulnerabilities;
  • provide suitable liaison points when dealing with information security incidents.

Other Information

Information sharing agreements can be established to improve cooperation and coordination of security issues. Such agreements should identify requirements for the protection of confidential information.

An Information Security Management System (ISMS) is only as good as its ability to keep up with the requirements of the business and provide adequate protection against the risks the organization is exposed to. To accomplish this, information about the environment must be evaluated constantly, but who will do this? Moreover, where can this information be found? The truth is that no one in your organization, not even dedicated teams, can do that by themselves. With the use of critical information getting broader and broader (e.g., through teleworking, virtual teams, etc.), IT demands have become more complex, and ISMS and security needs along with them. This means that the level of effort required to cover information related to every single security aspect of your organization would make the costs prohibitive. But you still have to monitor this information. So, how can it be done? Fortunately, ISO 27001 suggests an alternative: contact with special interest groups, control A.5.6 of Annex A of the standard.
In a general way, you can define a special interest group as an association of individuals or organizations with an interest in, or acting in, a specific area of knowledge, where members cooperate to solve problems, produce solutions, and develop knowledge. In our case, this area of knowledge would be information security. Examples are manufacturers, specialized forums, and professional associations. The government is another example of a special interest group. These organizations will be able to identify security dangers that you may have overlooked. As a partnership, both sides may benefit from each other’s knowledge in terms of new ideas and best practices, which is a win-win scenario. In addition, these groups may be able to provide useful suggestions or recommendations regarding security practices, procedures, or technologies that can make your systems more secure while still achieving your business objectives.
An organization’s ISMS needs to keep up with business requirements and organizational risks. To cover these issues, the A.6.1.4 control from Annex A suggests the following areas in which a special interest group can help you:

  • Best practices adopted by the market: policies, procedures, guidelines, and checklists that you can adapt to your organization’s needs.
  • Market and security trends related to your industry: laws and regulations, customers’ requirements, suppliers situations your organization has to be aware of or comply with.
  • News and alerts about threats, vulnerabilities, attacks, and patches: you need these to check your defenses because it is better to learn from others’ mistakes and misfortunes than your own, isn’t it?
  • News related to new technologies and products: what can you use to improve your security, or to achieve the same level with reduced costs and/or effort?
  • Specialized consultancy: you may not have the expertise, or time, to make the solution or resolve the problem by yourself, so who can help you?
  • Specialized support to handle information security incidents (e.g., other organizations, police, government security agencies, etc.): when you have a problem and need help to resolve it, who can help you?

The government as a special interest group is a unique case, because of its access to additional resources (such as police, emergency services, firefighters, etc.), and, depending on the legal requirements of each country, its involvement may be mandatory. Some of this information you can obtain for free (accessing public content on the Internet, signing up for a regular newsletter, or identifying the person/job title to contact at a professional association or state agency), and some you have to pay for (consultant or support services). In the latter case, it is recommended to establish contact with potential suppliers through your procurement process (it is always better to have a previous relationship than to call only in an emergency).
Since the information you will be working with could have a great impact on your ISMS (over management and/or security controls), you should be careful about which special interest groups you interact with, considering:

  • The quality of the information provided: Not all of them have precise or updated information (some only repost news or information from other sources).
  • The availability of the information: what is the update frequency of the information? If the source you use takes too much time to update its info, your organization could be exposed to a problem or risk for a longer period.
  • The legitimacy of the source: Not all of them are authorized representatives of the one responsible for the information (e.g., manufacturers have specific forums to communicate with their clients or to provide patches). Another case is if security peers recognize the group as a reliable source of information.

In the cases where you have to send or receive information, be sure to verify whether there is an agreement about how the shared information will be protected. Appropriate contacts with special interest groups or other specialist security forums and professional associations must be maintained. Some of these resources may be available for free (accessing public content on the Internet, signing up for a regular newsletter, or identifying the person/job title to contact at a professional association or state agency), and some may require payment (consultant or support services). In the latter case it is recommended to establish contact with potential suppliers through the procurement process (it is always better to have a previous relationship than to call only in an emergency) and to treat such a supplier as a Key Supplier rather than as a SIG. Information system owners can maintain appropriate contacts with Special Interest Groups (SIGs) or other specialist security forums and professional associations. Contact details, business cards, membership certificates, diaries of meetings, etc. can provide evidence of professional contacts, particularly for information risk, security and compliance specialists. Valid contact details embedded within incident response, business continuity and disaster recovery plans provide further evidence of this control, along with notes or reports from previous incidents concerning the contacts made.