Solutions The best route to security compliance
Platform A powerful suite of ISMS features
Resources Everything you need to know
Knowledge Base Learn more about infosec
Company Security and customers first

ISO 27001 Annex A.6: Organisation of Information Security

A.6.1: Internal Organisation

Annex six reiterates the importance of top management in the implementation and control of the ISMS as there must be some form of order and structure in the system operations and the assuring of its effectiveness.

A.6.1.1: Information security roles and responsibilities

All personnel who have roles and responsibilities relating to the ISMS operations must be listed or defined in some manner within your documentation.

Some roles, for example, may be broad and do not require intricate tasks Others, especially the roles of department heads, will require more detailed work. Small businesses are excused from having major roles allocated as double positions within their organisation. The small-scale IT technician might fall in charge of digital information security while the manager runs human resource affairs. Larger organisations, however, are more likely to hire designated individuals to run their significant roles.

A.6.1.2: Segregation of duties

Although ISO 27001 allows for mixed roles within smaller organisations it recommends that employees do not end up with mixed roles as this is a matter of reducing conflict of interest and mitigating the possibilities of fraud and unauthorised access.

A.6.1.3: Contact with authorities

This documents the relevant authorities who will need to have contact with based on different circumstances. This includes different contexts such as the police or commissioner’s office.

There should be a clear split between what kinds of information is disseminated to the respective governing bodies. In addition clear roles and permission should be granted to specific staff to hand out such data.

A.6.1.4: Contact with interested groups

Sometimes liaising with other special interest groups can benefit your overall information security. It’s worth maintaining a record of relevant organisations, professional forums or discussion boards that may come in handy.

Pay attention to the nature of these groups as well, some relationships are purely commercial. Others may be interested in engaging as partners where both parties can learn innovative techniques and best practices from one another. These groups may also be able to suggest security threats that you perhaps overlooked.

A.6.1.5: Information security in project management

All tasks and projects associated with your company should have some integration of information security practices within them. This will strengthen your ISMS on an institutional level as it helps maintain a standard throughout the organisation.

Information security must be a part of internal and external education programs conducted by your firm. There must be a sense of data protection throughout the organisation and your human resource management will set the tone for this aspect. The ISMS auditor will be looking for consistency in your procedures.

A.6.2 Mobile devices and teleworking

The ISMS must manage data protection at all levels, including the use of communication channels, mobile devices and teleworking as they are part of our everyday activities. The majority of attempts to steal data often occur electronically these days.

A.6.2.1: Mobile device policy

With the increase in technological advancements, the use of mobile devices is becoming more and more convenient. The older phones can access the Internet and perform similar tasks to a conventional computer.

Bring Your Own Device (BYOD) policies at companies can bring reduced costs and increased productivity of workers using personal devices but also raises the risk of data breaches.

Recent updates to cloud storage and online libraries make this even more challenging to maintain. Your company should construct methods to guarantee that clients using either business WIFI or BYOD protect confidential information.

Your mobile device policy should include the following:

  • Device registration;
  • Physical protection;
  • Software installation restrictions;
  • software versions and patch applications;
  • Constraints to access any data services;
  • Access controls;
  • Cryptography;
  • Malware and antivirus coverage;
  • Remote, disabling, erasure out and log on requirements;
  • Backups and storage methods;
  • Separation of shared personal accounts for BYOD policies;
  • Public networks and web services;
  • Open connectivity

A.6.2.2: Teleworking

Teleworking, remote, working or telecommuting poses one of the greatest internal threats to a company’s data. This is especially problematic in today’s age where digital business is becoming increasingly prevalent. Auditors will be looking to see if you have included procedures to manage the risk of data loss or damage while teleworking.

The section is also critical when applying for certification linking many policies indicated in annexure 6 through 13. A sound coverage of these areas together will protect your company from gaps in data protection.