4. Context of the organisation
4.1 Understanding the organisation and its context
“The organisation shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.”
As an organisation, you need to understand all internal and external issues that may be relevant to your business goals and the achievement of the information security management system (ISMS) objectives.
Internal issues include organisational structure, policies and guidelines, roles and responsibilities of inter alia staff, management and stakeholders.
External issues include the political environment, laws and regulations, technological advancements, economic trends etc.
Understanding the organisations context and related issues will give you a clearer view of the organisation, allowing you to properly define the scope of the ISMS and effectively implement.
4.2 Understanding the needs and expectations of interested parties
“The organisation shall determine:
- Interested parties that are relevant to the information security management system; and
- The requirements of these interested parties relevant to information security.”
An interested party can be an individual or a group of people that are affected by the organisation’s activities. An interested party may include employees, partners, suppliers, customers etc.
According to the standard, the organisation must determine the interested parties in terms of its ISMS. The number of interested parties depends upon the size and type of the organisation. Each of these interested party may have different needs and expectations, for example, customers want their data to be secured at all times, whilst on the other hand employees wants their data to be secured while resources are available to support their job roles.
The organisation must then determine the requirements of the individual interested parties whether its legal and regulatory requirements , contractual obligations or any other related requirement while balancing the organisations needs.
4.3 Determining the scope of the information security management system
“The organisation shall determine the boundaries and applicability of the information security management system to establish its scope.
When determining this scope, the organisation shall consider:
- The external and internal issues referred to in 4.1.
- The requirements referred to in 4.2; and
- Interfaces and dependency between activities performed by the organisation, and those that are performed by the other organisation.
The scope shall be available as documented information.”
Setting up a scope is the most crucial part of the ISMS, as it is a mandatory document that shall be available as documented information. The main purpose of defining the scope is to understand which information the organisation intends to protect.
According to the standard an organisation while setting up of scope must consider these factors:
- Internal and external issues are defined within the context of the organisation,
- The requirements of the interested parties, and
- Dependencies – Dependencies are the processes or elements which are outside the scope of ISMS. For example if the organisation is outsourcing legal services from a law firm.
- Interfaces – Interfaces are the like boundary wall of you ISMS scope, it defines what processes and elements are within the scope of ISMS or out of it. It’s also important to understand the inputs and outputs using these interfaces.
The point is you must protect the intended information no matter where, how and by whom this information is accessed.
4.4 Information security management system
“The organisation shall establish, implement, maintain and continually improve an information security management system, in accordance with the requirements of this International Standard.”
In the sections above we defined what is needed for an ISMS and the final step in setting up an ISMS plainly mandates the organisation to establish, implement, maintain and continually improve its ISMS. Its critical to understand that the ISMS is an ongoing program which needs constant proactive management and updating.
5.1 Leadership and commitment
This clause requires top management to design and document policies, explicitly support and assign the ISMS roles and responsibilities. The involvement of top management regarding the ISMS is a core aspect of the ISO 27001 standard. The top management of a company includes chief officers of the company including the CEO, CFO, CTO etc., board of directors and other senior stakeholders. The standard requires that top management must show ISMS leadership and commitment. This includes Management:
- Ensuring that the information security policies and objectives are in line with the organisational goals and strategies;
- Integrating the ISMS into the organisational processes on every level to reach its optimum efficiency;
- Ensuring the availability of the proper resources for the implementation of ISMS;
- The management must communicate the importance of the ISMS so that the employees can understand it properly and adhere to its requirements;
- Achieving the intended outcomes which were decided when setting up the ISMS scope. This is what the organisation wants to achieve through the ISMS;
- Guiding and supporting the personnel affecting the ISMS so to increase efficiency and achieve the intended outcome(s) of the ISMS;
- Promoting continual improvement of the ISMS;
- Supporting other managerial roles to demonstrate their leadership.
Effective and involved leadership is needed to achieve the full potential of the organisations ISMS.
An information security policy is the foundation of any ISMS.
The policy must ensure the organisation’s objectives for security and provides for supporting documents (I.e. procedures and guidelines) to achieve it. From providing the best route for achieving the ISMS goals to resolve any dispute that may occur during the implementation of the ISMS, a policy can be drafted to cover everything from A to Z related to information security. The requirements for policy making can differ depending upon the size and operation of the organisation.
According to the standard, top management must establish the policy in a way that aligns with organisational goals, provides the objectives and framework for the information security, provisions to satisfy the requirements for information security and constant improvement of the ISMS. The standard also requires the organisation to keep the policy in a document form, which is communicated within the organisation and available for interested parties.
5.3 Organisational roles, responsibilities and authorities
The involvement of the organisations top management is an essential part of the standard and critical for information security. Top management must establish and communicate clear roles and responsibilities for the ISMS to carry out the functions of information security to appropriate people. The standard requires the top management to assign the responsibility and authority to ensure all the requirements of the ISMS are met and to report the performance of ISMS. The successful implementation of clause 5 will provide accuracy, support and guidance from top management.
6.1 Actions to address risk and opportunity
This clause requires the organisation to plan a course of action to tackle the risk and opportunities discussed in clause 4.1 the context of the organisation and clause 4.2 needs and expectations of interested parties in a way that the ISMS:
- can achieve its intended outcomes.
- reduces the chance of undesirable events; and
- continually improves
The organisation must plan an action to identify and treat these risks and opportunities and integrate these actions in the ISMS and evaluate the results over time.
6.1.2 Information security risk assessment
Risk assessment is done by determining threats and vulnerabilities in the organisation and assigning a level of impact of each risk. The organisation must come up with a process to assess information security risk and apply that process in a way that establishes criteria for the assessment. These criteria broadly include the overall risk acceptance criteria the specific information security risk assessment. Risk assessment is the most complex as well as most important part of the standard, as it provides a foundation for the information security policy of the organisation. The risk assessment process must be conducted at planned intervals to produce consistent, valid and comparable results.
When such process is approved by the management, the process shall be applied to identify threats and associated vulnerabilities that can lead to loss of confidentiality, integrity or availability of the information that needs to be secured in the context of ISMS. The organisation must identify risk owners related to these risks. Risk owners are the individual or authorities appointed by the management to manage a particular risk. These persons are interested in managing that risk and have authority to do something about that.
Analysis of the identified risks is the next step in the assessment. This analysis attempts to determine the potential consequences of the identified risks if they materialize, for example, risk can impact the financial position or the reputation of the company. This assessment can be quantitative and/or qualitative depending upon the type of risks. The organisation must assess the realistic possibility of occurrence of these risks (probability). For example, a data leak can occur regularly, but a natural calamity has a low probability of happening.
These risks must be scaled to different levels according to their probability and must be ranked according to the level of the risk determined by the organisation as per the organisational impact.
After the identification and assessment of the different risks, the results must be compared with the criteria defined earlier by the organisation. The organisation has then prioritized these risks for risk treatment depending upon the level assigned to the risk and urgency for treatment. There may be several high rated risks which the organisation must prioritise and decide the order in which these risks should be treated.
The organisation must keep all the information regarding the information security risk assessment process, all the steps company has taken during the process, in a documented form.
6.1.2 Information security risk treatment
Risk assessment is done to determine threats and vulnerabilities in information security and to find the best possible treatment for the identified risks to guide the organisation to allocate optimum resources for the treatment. For each risk assessment report, a strategy must be constructed to enable each risk individually to deal with the risks at affordable cost.
These treatment processes need to be implemented ideally by implementing at least controls provided in the Annexure A of the ISO standard. The organisation must decide which controls are needed to properly implement these treatment options and can design their own set of controls or can adopt from any other source as required by the treatment.
The third step is to compare the controls implemented for the treatment and the controls provided in the Annexure A of the standard. Annex A comes with a comprehensive list of controls but in general, all the controls are not needed to be implemented but only those required by the treatment. This step determines if any necessary control is overlooked or omitted in the process. The controls in Annex A are not exhaustive, any control or control objective required by the treatment can be added.
The next step requires a statement of applicability. The statement of applicability must contain all the controls whether they are implemented or not with a justification for inclusion or exclusion from the process. The controls for the statement of applicability relies mainly on Annex A but if there is a custom control implemented in the process it should be included in the statement of applicability.
With the information gathered from the above steps, the organisation must formulate the most suitable information security risk treatment plan. Successful formulation of the plan can increase the chances of success of the risk treatment. The newly formulated plan must be approved by the risk owner and an acceptance of residual information security risks.
6.2 Information security objectives and planning to achieve them
The information security objectives can be different for different levels of the organisation. These objectives must be established by the organisation according to the functions and at what level they are applicable. These objectives should be consistent with the information security policy and measurable (if practicable). These objectives must be formed considering the information security requirements, and results from risk assessment and treatment. This acceptance will justify the risk acceptance criteria discussed above. These objectives must be updated regularly and communicated with the organisation’s members and be kept in documented form.
Now the organisation has to plan a course of action to achieve its objectives. Planning a course of action include what to be done and how. For example, an organisation’s objective is to secure servers within the organisation, the course of action will be securing its physical location and installing security software to protect it from cyber-attacks (internally or externally).
Another thing which to plan is what resources need the availability of resources required. The planning phase will also include who will be responsible for achieving the security objectives. The final phase of the planning will include how much time needed to achieve these objectives and how the results will be evaluated.
This clause of the standard requires the organisation to decide and allocate the correct and sufficient resources to implement and operate the ISMS. The organisation must ensure that the required amount of resources should be available to establish, implement, maintain and continual improvement of the ISMS.
The competence of a person to fulfil their roles and responsibility is important when it comes to the implementation of ISMS. To ensure the successful implementation of the ISMS this clause requires the organisation to determine the competence of personnel working for the organisation on ISMS that can affect its performance. Their competence will be based on their education, training, or experience. If they are not seen as competent after these steps then solutions such as changing their roles and responsibilities can be considered.
The organisation if required takes appropriate actions to ensure the competence of the personnel by conducting training, and then evaluating the difference in their performance. Training workshops can be very helpful in bridging the gap in their competency or in gaining a new skill. The organisation also needs to retain documented information as evidence of competence.
Awareness can be linked to competence in the standard, as a person cannot be competent if he is not aware of his ISMS roles and responsibilities. As per the standard, any person working in the organisation must be aware of the information security policy that is in force at the time or a new one (must be communicated as per clause 5.2 f). They must know how much they are contributing to the effectiveness of the ISMS and what this improved efficiency will bring to the information security performance.
Also, the person working under the organisation's control must be aware of the consequences if they are not conforming to the ISMS requirements.
In the implementation of the ISMS, communication plays an important role in supporting the programme in different ways and can be useful for both internal and external purposes. According to the standard, the organisation is required to determine what to communicate, when to communicate and whom to communicate. For example, Information security policies can be communicated internally and externally (like to interested parties), when it needs to be communicated and what information can be communicated with whom is important.
In addition who can communicate and how this is done (what process) are also important questions. These communications can be in a general meeting or a documented form depending on the requirements.
7.5 Documented information
This clause requires the organisation to include documented information required by the standard as well as any other documented information required by the organisation for the effectiveness of the ISMS. It should also be noted that the extent of the documented information may vary from organisation to organisation. It depends on the size, type of activities, products, complexity of processes and their interactions etc.
7.5.2 Creating and updating
This documented information may need a change or an update as a result of the continual improvement nature of the ISMS. The standard requires the organisation to ensure that the newly created or updated document must have proper identification and description (i.e. title, date, author or reference number etc.), appropriate format and media (paper or electronic).
All the new or updated documents must go through proper review and approval procedures to ensure that they are ready to be implemented in the organisation.
7.5.3 Control of documented information
According to this clause, all the documented information required by the ISMS and the standard itself must be available in a proper format where and when needed. The organisation must ensure that all the documented information must be protected so that the integrity and confidentiality of the information cannot be negatively affected.
For effective control of documented information, the organisation must consider activities like distribution, access, retrieval and use of the documented information, storage and preservation. This includes the preservation of legibility, control of changes (e.g. version control) and retention and disposition.
Mandatory Documented Information
- ISMS Scope(Documents) 4.3
- High-level information security policy(Documents) 5.2
- Risk Assessment Methodology (Documents) 6.1.2
- Risk Assessment Report and Risk Treatments(Record) 6.1.2,6.13, 8.2,8.3
- Statement of Applicability(Documents) 6.1.3 d)
- information security objectives (Documents)6.2
- Evidence of competencies (Record) 7.2
- Documented information as required by the ISMS (Documents and Record)7.5.1 b)
- Documents and records required by ISO 27001(Documents and Record) 7.5.1 a)
- Monitoring and measurement results. (Record) 9.1
- Internal audit program aid results. (Record) 9.2
- Results of management review(Record) 9.3
- Non-conformances and results and corrective action (Record)10.1
8.1 Operational planning and control
The organisation is now in the implementation stage. The purpose of this section is to ensure that all the risks assessed in clause 6.1 i.e., Actions to address risks and opportunities, are treated according to the information security risk treatment. All the objectives planned in clause 6.2 (information security objectives and planning to achieve them) must be implemented to achieve the planned results. The organisation must keep documented evidence in the form of records to have confidence that the process was implemented according to the plans to satisfy the ISMS objectives.
The organisation must monitor planned changes in the ISMS as well as understanding the impact of unplanned changes so that their adverse effects can be contained if necessary. While implementing the plans within the organisation, the organisation must ensure that the outsourced processes are also determined and controlled within the ISMS scope.
8.2 Information security risk assessment
Organisations must conduct these information security risk assessments as determined in clause 6.1.2 at planned intervals or when any significant change is proposed in the ISMS. The information security risk assessment is done to assess threats and vulnerabilities to the organisation. This step helps the organisation to factually assess the organisation’s situation. and treat the risks optimally. The organisation must keep these information security risk assessment reports in a documented form.
8.3 Information security risk treatment
Information security risk treatment is a process to minimise the risk impact and find the best suitable treatment for the risks. The information security risk treatment process is determined in clause 6.1.3. All results from the risk treatment process are to be kept in a documented form by the organisation.
9. Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
The organisation role in this clause is to evaluate the information security performance by monitoring and measuring data security activities, and the efficiency of the ISMS of the organisation.
For evaluation of these processes, procedures, and functions that are protecting the intended information, the organisation must decide which processes and activities must be monitored and measured including the information security processes and controls established within the scope of ISMS. Methods must be determined by the organisation to monitor, measurement, evaluation and analysis to ensure the outcome will be valid. The selected method should give reliable and comparable results every time.
The organisation must decide when this monitoring and measuring happen. It can be performed at different intervals determined by the organisation. These intervals are different for every organisation as they depend upon the size or type of organisation. Who will be monitoring and measuring should also be determined by the organisation. After the monitoring and measuring, the organisation must determine how these results can be evaluated or by whom they will be evaluated and analysed.
All the related documents must be kept in a documentation form.
9.2 Internal Audit
Internal audit is a fantastic tool to evaluate the organisations ISMS processes and functions. When performing internal audits the organisation must ensure that, (I) audits are conducted at planned intervals, and (ii) the auditor must be objective and impartial.
According to this clause, the internal audits must occur at planned intervals to conform that the ISMS is fulfilling its own system requirements and the requirements of this international standard. The organisation must ensure the effective implementation of these audits.
The organisation shall plan, establish, implement and maintain audit programmes that are performed at planned intervals considering the importance of the processes and the previous audit reports. The criteria and the scope for the audit must be determined before each audit and the auditor selected e by the organisation to conduct such audits impartially in order to ensure the objectivity of the auditing process.
The results of such an audit should be reported to relevant management and must be kept in a documented form.
9.3 Management review
The purpose of the management review is ensure that the ISMS is suitable, effective and adequate to support information security. A management review consists of the status of actions from the previous management reviews, any changes in the internal or external issues that are relevant to the ISMS. It also includes the management feedback related to information security performance including trends in nonconformities and corrective actions, monitoring and measurement results, audit results and fulfilment of information security objectives. The review includes feedback from the interested parties and the results from the risk assessment process and risk treatment process.
Management reviews are one of the key elements of the ISMS because of the top management role in the organisation. So, for instance, if information security needs more budget urgently due to an unplanned risk, the top management can make this possible
10.1 Non-conformity and corrective actions
Non-conformity means that a certain requirement is not complied with. In the context of ISO 27001, the requirements might be ISO27001 requirements , relevant legislation, the ISMS documentation as well as requirements of interested parties.
Non-conformity and corrective actions are important because they enable companies to identify oversight errors and mistakes timeously and deal with them effectively. Nonconformities can be identified by anyone in the organisation at any time (during everyday operations in the monitoring processes et cetera). However, most of the nonconformities are usually identified by conducting an internal audit.
Corrective actions are formal way for a company to resolve non-conformities and the standard requires companies to keep records as evidence of the nature of the non-conformity, the actions that are taken and the results of the implemented corrective actions.
It is not enough to implement the corrective action as the company should attempt to ensure that it has resolved the root cause of the non-conformity through a detailed analysis to assess whether the reoccurrence of the non-conformity has been prevented.
Corrective actions are significant in terms of showing improvements of the ISMS and therefore the standard requires that you document a corrective action procedure This procedure defines the steps for analysing the non-conformity, initiating corrective actions, assigning responsibilities for implementing the corrective actions, how to document the corrective actions, how to evaluate the effectiveness of the corrective actions and so on.
ISO27001 requires the company to take actions when a non-conformity occurs to correct the nonconformity and deal with the consequences. As an example when the non-conformity is that the internal audit was conducted by untrained auditors the company should ensure that the internal auditors are trained and then understand how this occurred to prevent recurrence, this could involve correctly understanding the audit process or assigning competent resources..
10.2 Continual Improvement
Continual improvement is a key aspect of the ISMS in the effort to achieve and maintain the suitability, adequacy, and effectiveness of the information security as it relates to the organisations’ objectives. Organisations with operational ISMS’ must continually strive to improve their management system. This is fundamental to all management systems and the ISMS is no exception.
Annex A: Reference control objectives and controls
A.5 Information Security policies
A.5.1: Management direction for information security
The first section of the annexure is dedicated to providing guidance and support to manage information security and all actions must apply to the scope of the business and comply with any laws governing the company’s jurisdiction.
A.5.1.1: Policies for information security
AS per ISO 27001 all companies must ensure transparent behaviour with its employees, stakeholders, associates and clients. All interested parties must be aware of the relevant policies being implemented within the firm to protect their data.
Any policies drafted by the organisation must first be reviewed, approved and then published to staff and external parties as these policies play a fundamental role in the entire information security process. They must also be included in the education and training programs implemented in A.7 and all staff must abide by them.
A.5.1.2: Review of the policies for information security
The company’s ISMS policies must be updated regularly to keep up with any changes whether internal or external. These changes can be management adjustments, governing laws, corporate standards or technology. An information security breach may also result in policy revision and improvement,, the documents should always reflect sound procedures to protect the confidentiality, integrity and availability of files.
A.6 Organisation of information security
A.6.1: Internal organisation
Annex six reiterates the importance of top management in the implementation and control of the ISMS as there must be some form of order and structure in the system operations and the assuring of its effectiveness.
A.6.1.1: Information security roles and responsibilities
All personnel who have roles and responsibilities relating to the ISMS operations must be listed or defined in some manner within your documentation.
Some roles, for example, may be broad and do not require intricate tasks Others, especially the roles of department heads, will require more detailed work. Small businesses are excused from having major roles allocated as double positions within their organisation. The small-scale IT technician might fall in charge of digital information security while the manager runs human resource affairs. Larger organisations, however, are more likely to hire designated individuals to run their significant roles.
A.6.1.2: Segregation of duties
Although ISO27001 allows for mixed roles within smaller organisations it recommends that employees do not end up with mixed roles as this is a matter of reducing conflict of interest and mitigating the possibilities of fraud and unauthorised access .
A.6.1.3: Contact with authorities
This documents the relevant authorities who will need to have contact with based on different circumstances. This includes different contexts such as the police or commissioner’s office.
There should be a clear split between what kinds of information is disseminated to the respective governing bodies. In addition clear roles and permission should be granted to specific staff to hand out such data.
A.6.1.4: Contact with interested groups
Sometimes liaising with other special interest groups can benefit your overall information security. It’s worth maintaining a record of relevant organisations, professional forums or discussion boards that may come in handy.
Pay attention to the nature of these groups as well, some relationships are purely commercial. Others may be interested in engaging as partners where both parties can learn innovative techniques and best practices from one another. These groups may also be able to suggest security threats that you perhaps overlooked.
A.6.1.5: Information security in project management
All tasks and projects associated with your company should have some integration of information security practices within them. This will strengthen your ISMS on an institutional level as it helps maintain a standard throughout the organisation.
Information security must be a part of internal and external education programs conducted by your firm. There must be a sense of data protection throughout the organisation and your human resource management will set the tone for this aspect. The ISMS auditor will be looking for consistency in your procedures.
A.6.2 Mobile devices and teleworking
The ISMS must manage data protection at all levels, including the use of communication channels, mobile devices and teleworking as they are part of our everyday activities. The majority of attempts to steal data often occur electronically these days.
A.6.2.1: Mobile device policy
With the increase in technological advancements, the use of mobile devices is becoming more and more convenient. The older phones can access the Internet and perform similar tasks to a conventional computer.
Bring Your Own Device (BYOD) policies at companies can bring reduced costs and increased productivity of workers using personal devices but also raises the risk of data breaches.
Recent updates to cloud storage and online libraries make this even more challenging to maintain. Your company should construct methods to guarantee that clients using either business WIFI or BYOD protect confidential information.
Your mobile device policy should include the following:
- Device registration;
- Physical protection;
- Software installation restrictions;
- software versions and patch applications;
- Constraints to access any data services;
- Access controls;
- Malware and antivirus coverage;
- Remote, disabling, erasure out and log on requirements;
- Backups and storage methods;
- Separation of shared personal accounts for BYOB policies;
- Public networks and web services;
- Open connectivity
Teleworking, remote, working or telecommuting poses one of the greatest internal threats to a company’s data. This is especially problematic in today’s age where digital business is becoming increasingly prevalent. Auditors will be looking to see if you have included procedures to manage the risk of data loss or damage while teleworking.
The section is also critical when applying for certification linking many policies indicated in annexure 6 through 13. A sound coverage of these areas together will protect your company from gaps in data protection.
A.7 Human resource security
A.7.1 ISO 27001 requires that specific measures be taken before, during and after a person’s employment at your firm. These procedures aim to protect your organisation’s data at all three stages.
A.7.1 Before employment
Background checks and identity verifications must be processed for prospective candidates before they access company data. The extent of the check will depend on their possible role in the company, high risk data workers will need to be thoroughly researched and verified before handling the firm’s most sensitive information. Entry-level jobs require less work, though you may opt to do complete checks for all roles. Independent contractors must go through the verification process to confirm their history.
If you use external interested parties or associates, you can either perform the screening yourself or request screening evidence. This will assist with reducing the threat incidence to your business. The auditor will review the screening policies and procedures.
A.7.1.2: Terms and Conditions of employment
The agreement that you signed with your new employee must clearly state the responsibilities you both side have for maintaining information security with what laws support your contract. So, mention important details about what laws, regulations and compliance requirements involve your staff.
Be sure to have the employee sign a nondisclosure agreement and emphasis this when employees join as well as the importance of data security the company policies for information breaches.
A.7.2 During Employment
A.7.2.1: Management responsibilities
Managers are all members of the leadership of an organisation, with some of them making up part of the executive board It is the job of management to ensure that all staff under their authority understand the business assets, threats and vulnerabilities. There must also be made aware of their duties and expectations related to the ISMS.
Overall data protection training and Information security must be managed across the business. Management must also monitor these employees’ activities to confirm their adherence to all your ISMS standards.
A.7.2.2: information security awareness, education and training
Current employees must also be educated and updated on best practices for protecting information, this should extend to contractors and applicable third parties handling confidential files from your company.
It’s best to partner with the human resource department to convey the appropriate coursework and methods to staff, with HR evaluating and keeping evidence of the training.
As some staff may learn differently from others you must consider various learning styles that can improve and even accelerate the training process. Staff should be continually tested on policies, procedures and laws used within their work setting.
Ensure that the training is regular and last minute Don’t wait for your auditor to set a date for a visit to start sending information into your workforce. Employee education matters outside of audits, consider holding sessions at least quarterly as the more your workers know, the better they can protect your data.
A.7.2.3: Disciplinary process
It would be best if you were transparent with your workers, discuss your expectations and the consequences if they betray the company’s trust. Management needs to come up with a disciplinary policy suitable for different cases including smaller-scale incidents or accidents through to direct breaches of your data.
Ensure that information security disciplinary policies are aligned to your human resources policies.
A.7.3 Termination and change of employment
A.7.3.1: Termination or change of employment responsibilities
When an employee leaves, you need to safeguard your company from loss of data on their part, sometimes workers leave based on difficult situations or acts of misconduct which often have issues related to company confidentiality.
How will you reduce the risk of staff leaking your data? You must include terms and conditions that protect data after employment in your initial contract with workers agreeing to post-employment confidentiality. This legally binds them to maintain their discretion even after they leave the business.
If the employee used company assets during employment, they must return all property upon departure, and you must present proof of this during your internal audit. On another note, if a worker changes their position within the firm, they must understand what their new role mentions with regards to both new and former roles. Management needs to update the employee’s records to reflect these new changes.
A.8 Asset management
Asset management in the Section ISO 27001 aims to identify relevant company assets and assign roles to manage their security, the designated person must also know how to handle these assets based on predefined guidelines.
A.8.1 Responsibility of asset
The aim here is to identify appropriate information assets related to the ISMS and assign various responsibilities to ensure their protection.
A.8.1.1: Inventory of assets
An inventory of all the assets associated with information and information facilities in your organisation must be recorded. The assets should be considered throughout their life cycle. In other words, an asset is recorded from its moment of creation while it is being processed, stored, passed on, deleted and then destroyed.
Remember that computers, hardware brandmarks, staff, client details, and intellectual property are all relevant assets for information security with each asset having an owner, confirming its inventory classification, revision and protection.
Assets need to be assessed in terms of its usefulness to your company. Understand how this item important and group asset is according to their nature. They may be physical, digital, intangible etc. It must also have a category that should be done based on their legal and financial value and the level of threats involved with their use.
Ensure that your inventory is well labelled, updated, free of errors and compliant with other records available. Asset inventories are also valuable for those interested in the general data protection regulation (GDPR) as the standard requires a record of all personally identifiable assets and the risks associated with them. These are all included in the asset inventory and risk management section of your ISMS.
A.8.1.2.: Ownership of assets
As stated before, the asset owners are the person deemed responsible for maintaining its good standing. Some assets have departmental owners while others are more specific items and have individual ownership. Though the owner may change throughout the life cycle, the responsibilities will be the same. The beauty of team effort is that the work gets shared so while the asset owners is responsible for monitoring its status, they can appoint others to take care of some of those tasks.
A.8.1.3: Acceptable use of assets
Not all employees, contractors or third parties should have access to every piece of company information. In. An acceptable use policy defines the terms for each of these individuals to gain access to specific information assets and the rues related to the use of these assets. The details of this regulation should be spread across the board so that all associates receive a copy.
A.8.1.4: Return of assets
This section coincides with terms implemented in A.7.3, A.13.2.4 and A.15.All assets formally under the possession of an employee, contractor or third party must be returned to the company upon termination of their contract. This must be formally documented to show details and if an asset has not returned, the owner must record it as a security incident, which will be addressed using A.16(incident management).
Sadly, this is a common issue with the return of assets policies, hence the need for constant revisions and audits to improve the information security system.
All forms of information should receive an adequate level of protection based on their value to your organisation.
A.8.2.1: Classification of information
Information assets should be classified according to at least the following criteria:
- Financial value
- Legal obligation
- Sensitivity or risk level?
- What would the implication of its disclosure mean to you?
Management can opt to add more categories to the criteria to make classification easier, all conditions, however, should refer back to the importance of the asset for your business needs. The asset owner will use this checklist and the threat or vulnerability information gathered from your risk assessment to classify the item.
Different firms have different classification standards generally, they follow the top-down structure. 1. Confidential, 2. Restricted, 3. Internal use, 4. Public. If your company works with multiple third-party sectors, you may perform an individual classification for each scenario.
A.8.2.2: Labelling of information
Typically, asset owners will also be responsible for correctly labelling their items. You should create a system of labelling that goes hand-in-hand with your classification guidelines, for example, the owner of specific medical documentation will then list it as confidential.
Decide upon a standard for labelling assets as well. You could opt to have all owners insert their listings at a particular position on all items. You could also add specifications for all items under a particular category to use a de facto label, for example, all legal assets, regardless of their nature, will automatically be considered restricted. Other assets will need a labelling criterion to identify their correct classification and label.
A.8.2.3: Handling of assets
This is the part that takes the most time when dealing with assets, your ISMS must contain guidelines on how to protect and preserve company information. They must have assigned different conditions to store specific data types, for example, internal use paper files can be kept in locked airtight cabinets within their departments.
Consider setting restrictions for persons allowed to handle these records and there should also be regulations in place for those who are authorized to transfer this kind of information.
- What is the safest way to have these data transmitted from one party to another?
- How will you safeguard that transmission?
If your data transfer involves a transaction, say, via a postage service, a good idea would be to request a receipt. Document all these stipulations in your company’s information classification policy.
A.8.3 Media Handling
As the owner of confidential data, it is your duty to ensure that all media is protected from unauthorized disclosures, changes, deletion, or destruction.
A.8.3.1: Management of removable media
People only get rid of things that are worthless, right?
Not quite. You’ve probably heard of the saying one man’s trash is another man’s treasure. It’s common for companies to deem equipment and other assets not useful once they have been a few years on the shelf or a new update arrives.
But have you ever wondered if your files were wiped from that old system?
How can you guarantee that your data is still safe and only within the bounds of your organisation, carelessness can cost you your reputation and the lives of thousands of others?
Working in conjunction with control A.11.2.7, which states that every piece of stored media must be examined to confirm that it is rid of any delicate information before disposal or reuse.
An appropriate disposal and destruction policy will cover the bases for rendering media reusable for the business. All media, including those recovered, should be stored safely and securely as directed by their respective manufacturers, if it is no longer viable, it must be securely removed, deleted and permanently erased.
A.8.3.2: Disposal of media
The following guidelines should be included in the disposal and destruction policy of every company to reduce the risk of unauthorized parties gaining access to confidential data.:
- Adequate procedures should be documented by management on how to identify items needing proper disposal. The more confidential the data, the more urgent the need to dispose of it securely.
- In some circumstances, it might be simpler to collectively destroy different media than to single out each kind for disposal.
- All media containing confidential data must be appropriately destroyed using a shredder or incinerator. If the media is to be reused by the organisation, the data must first be erased from its memory.
- Some companies offer to handle media disposal for external firms, if this interests you, be very cautious when choosing an experienced company to deal with your confidential data records.
- You must take inventory of all disposed of confidential records, especially for regulatory and audit purposes.
A.8.3.3: Physical Media transfer
All media storage devices containing delicate information must be protected against unauthorised access, misuse or corruption when being transferred.
Consider the following:
- Only experienced couriers with a track record for reliability should be used and a list of authorized couriers and transports should be documented for reference.
- . Packaging should provide media with enough protection to safeguard them against damage during transportation facilitated in compliance with the regulations indicated by their manufacturers.
- A log should be kept of all media, in-transit or transferred.
A.9 Access Control
ISO 27001 restricts employees to view only the information relevant to their role. This reduces the chance of data reaching unauthorised hands and risking leakage.
A.9.1 Business requirements of access control
As part of this control, ISO standards restrict access to certain information and information facilities from all involved parties.
A.9.1.1: Access control policy
The access control policy defines who has permission to use various data with those allowed to access information still limited to how much they can obtain depending on their user profile with only specific roles having exposure to confidential files.
The same goes for all other data classifications. The higher you are in the system, the more access you receive. In addition, further security measures can apply, for instance, asset owners may need to sign off on any data passed on to other employees.
This aspect can slow down the process of data retrieval, but the two-step process regulates the number of users with access to passwords, encryptions and other essential data forms. And lowers risks.
The policy must keep the following in mind:
- Security requirements for business applications.
- Information, authorisation, procedures and responsibilities.
- Management processes to maintain, review and remove access rights.
- Standards for privileged access.
A.9.1.2: Access to networks and network services
Access permissions in terms of networks must be formalised and controlled with the company having strong network controls in places (i.e., VPN networks, encrypted transmissions, network segmentations) that facilitates transfers.
Access will be on a need-to-know basis with all other individuals being restricted from these areas, using public networks instead. Human resources should ensure that all workers and contractors are educated on these restrictions.
A.9.2 User access management
To control access to data all users must meet authorisation standards,
A.9.2.1: User registration and de-registration
This process helps regulate permission to access company files and services and ensures that there is a formal process governing how users are given access and how their access is revoked.
Some staff will have privileged access to certain files as their position grants them this authority. Executives often need to use confidential company records to complete reports and strategic documents.
Workers who are terminating their contract must relinquish their access to all company services which should be implemented as a mandatory aspect of de-registration.
For each scenario to work effectively, your system must be updated to support authentication techniques with software solutions helping accelerate and improve the process.
A.9.2.2: User access provisioning
There must be a system, preferably automated, to assign and revoke access rights which is consistently applied throughout the entire organisation. The system operators or asset owners must authorize users to verify if the person has a legitimate reason position or purpose to request this access. Protective measures also come into play here to avoid access being granted to users before their review process is complete.
A.9.2.3: Management of privileged access rights
Privileged access rights often grant system administrators and those with authority the keys to sensitive information that could have a big impact if unauthorised access and/or loss occurred using these keys so the controls for these privileges need to be strict.
Those with special access should not abuse their rights and must be made aware of the importance of the controls and their behaviour. Privileges are granted separately from normal access to avoid conflicts of interest and ensure data protection in alignment with the access control policy.
There must be regular review of administrator accounts and a log for all privileged rights to serve as a history for the control.
A.9.2.4: Management of secret authentication information of users
Secret authentication information needs to be highly encrypted and use additional mechanisms to support the security (i.e., Multi Factor authentication, tokens).
These authentication systems must be efficiently managed and remain confidential, or significant legal, financial or medical information run the risk of being leaked.
A.9.2.5: Review of user access rights
Asset owners need to review their list of authorized personnel on a regular basis and maintain updated records for reference due to changes occurring which can impact on access rights (i.e. role changes, restructures or merges).
This is even more important for persons with privileged access rights as sensitive data needs constant protection. ISO recommends reviewing thee accounts more regularly, at least quarterly.
A.9.2.6: Removal or adjustment of access rights
All exiting employees and interested parties must have their rights removed upon termination. Implementing an exit policy here will help outline all the necessary procedures involved in termination
For adjustments such as changing positions within the firm rights must be removed and correctly assigned to prevent access issues.
A.9.3 User responsibilities
Every user is responsible for safeguarding their credentials and authentication data and the company policy should be written and security awareness training aimed at ensuring this.
A.9.3.1: Use of secret authentication information
Human Resources is encouraged to work together with management to conduct education and training on best practices to maintain valid authentication identities.
A solid IT security policy will highlight all the essential guidelines for this control which should include implementing controls to promote password confidentiality and advise users about unsecured storage of this type of information.
A.9.4 System and application access control
These controls aim to prevent all unauthorized access to software applications and systems by following access control policy standards.
A.9.4.1: information access restriction
The access control policy must apply to all systems within the company, measures must be set to reflect different levels of access restrictions across the organisation.
Consider features like:
- role-based access control,
- tiered levels of access,
- specially designed application menu systems,
- Permissions for read-only, write, edit and delete options,
- Limits for displayed information, and
- systematic access, controls for sensitive information.
These small steps will come together to help enforce access controls for users based on their background, duties and objectives in the system.
A.9.4.2: Secure log-on procedures
Log on procedures, help verify the identities of all users on any company database or application. Passwords are only one option in the process, but other biometrics and encryption methods can be used as reinforcement. End to end, encryption is becoming increasingly popular to secure the data shared with users on the system at any point, with both passwords and data output protected in this manner.
Any system access point should also include a notice indicating that only authorized personnel will be allowed entry. The standard has been designed to comply with various cyber security laws that may apply within your country or jurisdiction.
For a more secure log on, policy access can be denied to users depending on their time or location when attempting to enter. Some systems can restrict access to only company working hours to ensure the data is only released within the business setting. This may not be possible or fit in with your business objectives but should be considered for high-risk environments.
As part of your reports, all successful and failed login attempts should be recorded in the event of security breach. These reports will help narrow down the offenders and investigate the events of the incident in a timely manner.
A.9.4.3: Password management system
Password management systems are helpful for both the company and users.
- Firstly, they help generate and enforce strong codes that reduce the likelihood of your accounts getting hacked.
- They also assist in recovery procedures, like if users forget their password or need to change it suddenly.
A.9.4.4: Use of privileged utility programs
How often do you get pop up ads on the latest software to clean up your computer or repair broken entry codes? The Internet is bombarded with different utility programs, all seeking to help you stay organised. Yet many of these software programs are viruses and malware that hacker’s prey on to get into your system and even target your antivirus software and before you know it, they have access to confidential files.
ISO 27001 warns against downloading random utility programs to your system. Those you used must be verified by competent staff and checked for any possible spyware, malware or insecure code. If the program is required, then only a small group of personnel should have privileged access rights to the software and its use monitored.
A.9.4.5: Access control to program source code
Program source codes are another risk which hackers target to steal, sell and. or use to try to get into company systems as they often contain critical information to databases, designs and plans. It’s then easy for unauthorized users to manipulate them to access major files.
Access control to program source code should therefore be restricted in the following manner:
- Limiting access to only a few skilled company personnel,
- Including only compiled codes in operational systems,
- Restricting source code access as much as possible,
- Logging all access to source codes,
- Frequently reviewing access logs,
- Implementing strict change control procedures,
- Frequently conducting internal audits and reviews.
A.10.1 Cryptographic controls
Those control aims to ensure the efficient use of cryptography to promote data confidentiality and integrity.
A.10.1.1: Policy on the use of cryptographic controls
Cryptography (Including encryption) can be used for both storage (data at rest) and transmission (data in transit) also help secure information stored or transferred through i.e., databases, unstructured folders, employee hard drives and digital devices like flash drives and mobile phones.
Think of how cryptography can benefit your business model as like many other things, this will depend on the size and functions of your company and what best solution works for your products and risk tolerance. When constructing an encryption policy, it is important to list and assess all possible risks associated such as the possibility of corrupted or missing keys. And then focus on applying controls to mitigate those threats and achieve your goals.
A.10.1.2: Key Management
A sound cryptographic policy will consider safe practices for maintaining encryption keys throughout their entire life cycle, the cycle is from creating the key through its distribution, storage, backup and destruction. Implementing strong keys is one thing but maintaining them is another. Attackers identify flaws in keys and then use these flaws to gain access.
Your policy needs to account for protocols and procedures regarding:
- key generation
- encryption algorithms,
- cryptographic applications,
- public-key certificates and authentications
- key activation and disabling.
- User access approvals,
- key adjustments and upgrades,
- missing, damaged or corrupted keys,
- recovery processes,
- archives and
- key logs for auditing and management purposes.
A.11 Physical and Environmental Security
Controls in this section aimed to restrict unauthorized access to physical boundaries and to protect equipment from the effects of human and environmental or natural occurrences.
A.11.1 Secure areas
The first control intends to protect all company data and equipment from unauthorized user access and resulting damage. This is about identifying secure areas that need to be protected and ensuring that the controls are adequately applied in these areas (includes data centres, offices and remote locations)
A.11.1.1: Physical security perimeter
Consider the perimeter by reviewing the plan of your building and review the security controls in place, identify gaps and implement improvements where necessary. Boundaries encompass physical boundaries and also equipment, computers, fax machines, etc. These areas may include data centres and help desks and office headquarters.
It will also have any data accessed by teleworkers, those who work from home, or a travel site will also be defined within the scope of your physical security perimeter.
A.11.1.2: Physical entry controls
Entry controls must be organised to guarantee that only authorized personnel have access to offices and sensitive business information within.
Any entry control can be as simple as the key for a locked door or digital passcode, but it must only be for designated employees who themselves have no right to pass on secure data.
High-risk organisations may implement more technical and strict entry codes like digital scanning or biometric controls. And will differ on a case-by-case basis, for example, low-risk access points will have less daunting security checks than those for facilities, housing critical data.
Your policy needs to highlight the criteria and procedures for gaining different levels of entry controls within the organisation. Anyone granted permission must have their access logged to manage the system. Visitors should be restricted in all areas containing essential company files, but particular emphasis must be placed on high-risk facilities. The auditor will be looking for all these details.
A.11.1.3: Securing officers, rooms and facilities
Your security team must maintain a constant watch on persons who have access to specific company files through keeping access logs.
Certain staff only need data for a restricted period and this needs to be enforced. This doesn’t refer solely to employees with direct data access as other people (i.e., strangers, maintenance staff) can slip through the system in a fast-paced environment. Users should be trained to keep an eye out to spot strangers and watch out for people listening in or reading material, including whiteboards, documents, and screens.
A.11.1.4: Protecting against external and environmental threats
Some threats are beyond the cyber realm with man-made and natural disasters are real issues faced by thousands of companies each year. Protests, poor plumbing, hurricanes, and tornadoes can all strike havoc on your organisation.
Your company can prepare for certain incidents, and it is a good idea to have an emergency weather plan to secure paper-based documentation and safeguard your equipment.
Natural acts like floods and earthquakes are more challenging to avoid some of the solutions should have been taken long before, like, during the construction of your physical building, e.g., foundations near low lying riverbanks are more susceptible to getting drowned out by floodwaters. But we don’t always get to choose where to build.
During your internal audit, the assessor will ask to see your risk evaluation records. You should seek expert advice on methods to mitigate certain manmade and natural threats with specialist solutions that might identify the risks effectively.
A.11.1.5: Working in secure areas
Now that you’ve designated the secure areas within your facility, it’s time to define the standards to regulate the activities permitted within these boundaries. Consider Including signs to indicate designated security areas, restricting the use of media devices like cameras and video recorders and prohibiting workers from using secure areas while unsupervised.
A.11.1.6: Delivery and loading areas
Physical delivery and loading areas are key points for unauthorized persons to enter your organisation unnoticed. These access points must be controlled at all times by access controls, guards, cameras or other security measures.
If you work for a digital workplace, then these areas may not exist for your company. This should be noted and excluded from your statement of applicability.
This control area is based on protecting company equipment and preventing lasting damage, corruption, or company assets theft.
A.11.2.1: Equipment siting and protection
All equipment must be sited and secured against the risk of unauthorized tampering and environmental threats.
Machinery siting depends on its size, nature, use and environmental requirements with equipment being susceptible to damage and should be kept elevated in the event of a flood. Others could be radioactive to have electromagnetic issues and require isolation from other more frequently used apparatus.
Risk assessments must be done for all equipment with different risk levels.
- Data output equipment like desktop computers should always be positioned to restrict unauthorized onlookers from viewing sensitive data.
- Storage facilities should be secured with locks and managed by authorized key holders.
- Food and beverages should be restricted from facilities containing ICT equipment.
- Shared devices like wireless routers and printers should be set to reduce the need for users to leave their workspace unattended to tend to accessibility issues.
- Laptops should be properly sited, encrypted and stored after each use.
- Telecommuters should follow similar guidelines to protect their data from unauthorized users (i.e., friends, family or guests).
A.11.2.2: Supporting utilities
Your equipment needs to be safeguarded against threats relating to utility failures including power outages from fallen lines or blown transformers or loss of wireless connectivity.
These include power outages from fallen lines and blown transformers or loss of wireless connectivity. Most of these incidents will affect the temporary availability of your information systems. Although some threats are genuinely unforeseeable. Consider having a backup plan that involves a generator or dual routing access and power supplies.
A.11.2.3: Cabling security
Cabling security needs to be considered to reduce risks related to eavesdropping and data theft which is increased if your company uses a cable supplier. Attackers can tap into the cables, interfere with operations or steal data
Controls such as hiding the cables, protecting them in covers, monitoring for interference or using multiple lines for specific high-risk departments.
A.11.2.4: Equipment maintenance
Your new equipment might be great, but you should not neglect maintenance and the frequency of your servicing and updates depends solely on the nature and use of each piece of equipment., Heavily used and high-risk equipment requires frequent maintenance to avoid unexpected problems in the system.
A well recorded maintenance schedule (including date of servicing, contacts of maintenance personnel, asset owner authorization) is vital to present during the audit as evidence of effective upkeep.
A.11.2.5: Removal of assets
Any assets removed from the primary business site will remain under the responsibility of the employee using them and should be protected against theft or damage. These assets still require regular monitoring, maintenance and updating.
Your company should have teleworking regulations limiting how assets can be removed, how long they can stay off site with certain high-risk assets being prohibited from leaving the site…
A log also needs to be kept of all equipment and other items taken away from their offices or data centres Both departure and return dates must be documented and authorised where applicable.
A.11.2.6: Security of equipment and assets off-premises
Controls need to be implemented to secure data from assets held offsite from the company, perhaps by telecommuters with policies regarding access point controls, password management and data encryption applying.
These factors must be included in your risk assessment and treatment plan.
A.11.2.7: Secure Disposal or Re-use of Equipment.
This controls aims to prevent data being lost and potentially being seen by unauthorised parties through securely disposing of the device or in the case of reuse securely removing the data and software on the device.
All unwanted media devices and equipment containing company information must be adequately wiped before disposal or reuse within the organisation. Highlight the methods you intend to use to dispose of information (i.e., Secure wipe, destruction, shredding, etc.), and also how you plan on verifying the destruction of your data.
A.11.2.8: Unattended user equipment
All unattended user equipment needs to be secured with access controls, hard drive encryption and screens locked to protect breaches Devices could be stolen or accessed by authorised id this is not applied with data lost or tampered with.
Education and training extend to all company employees regardless of their roles related to these controls This is even more crucial for high-risk security information.
A.11.2.9 Clear desk and screen policy
Clear desk and clear screen policies should be implemented for any devices, especially those used by administrative staff or top management because both internal and external parties can use exposed data to their advantage.
Guidelines will vary based on the nature of the department and, of course, the data risk level. `The auditor will observe which risks you identified for clear desk and screen policy procedures and testing and request evidence on how you did this.
A.12 Operations security
The operations clause ensures that your information processing operations are well controlled and well managed.
A.12.1 Operational procedures and responsibilities
The operations and procedures conducted within any data processing group must follow accurate, secure standards with clear responsibilities to produce quality results.
A.12.1.1: Documented operating procedures
All operating procedures used within your company must be documented and passed on to employees and relevant stakeholders to ensure a standard, uniformity in departmental tasks and results . Consistency is crucial for effective operations, business continuity with smooth recovery in the event of a disaster.
Document integrity must be maintained within safe storage boundaries, taking into account changes such as cloud usage for storing and backing up data which help to automate these processes.
A.12.1.2: Change management
Change management procedures assure that all updates to information facilities and processes is relevant, effective, authorized and processed to reduce risks of malicious attacks. Changes could entail revisions, amendments, reprogramming, etc with change management logs reflecting if the systems, networks and applications followed the ISO27001 Change management standards.
A.12.1.3: Capacity management
Overall and after changes to software and equipment you should monitor your current system’s capacity and performance. Effective capacity management with quality outputs allow for meeting business goals,
Managed the following areas:
(a) data storage,
(b) processing power, and
(c) computational power or bandwidth.
Your capacity management system should be optimized to operate within its capabilities and send signals before space or efficiency is running low.
A.12.1.4: Separation of development, testing and operational environment
Tests, changes and developments in business systems should be separated from live operational environments. (i.e. development, testing, production)
Testing personnel should not access live environments and should not hold the same position as production developers. However, small businesses often find this a challenge to maintain with so few staff so controls about checks being in place to control access, monitor and reduce these risks should be in place.
These procedures are implemented to reduce conflicts of interest and decrease the chances of unauthorised access, changes and data leakage.
A.12.2 Malware protection
A.12.2.1: Controls against malware
Your firm must consider controls to identify, prevent and recover from malware attacks including ransomware. This includes updated antivirus software, download restrictions and limiting the use of removable media to reduce the risks, damage and effects of this kind of security incident.
A.12.3.1: Information Backup
A backup policy will define how to make copies of data, software and systems in order to ensure that data is not lost due to operational issues, mistakes or security incidents.
Your backup policy defines the rules related to backup and links to the risk assessment (Business impact Analysis) result for your company.
Many companies try and do backups of all data. Which is common practice but special attention must be put into storing high risk/sensitive data.. As backups are copies both backups and the live data should contain the same information in similar formats, and have processes defined to make sure that the information is updated regularly enough.
You should have your back up media and procedures tested at regular intervals to ensure that all your files are indeed being stored and effectively preserved if a backup fails to function, you should record this and indicate the steps you performed to resolve this issue.
Backup logs need to account for the:
- type of data,
- siting of the original copy,
- siting and storage of the new backed-up copies,
- date of copying,(v) and the authorizing personnel or asset owner involved in the verification process.
A.12.4 Logging and monitoring
A.12.4.1: Event Logging
Logs are the basis of most audits and management reviews, they offer forensic assistance when evidence is required to resolve a security breach incident. Most policies and company affairs will demand records of all the activities, amendments, faults and exceptions that occur within the scope of the organisation and require a level of logging which will satisfy those requirements.
With logging and monitoring we need to start with an event, take note of its details, log and then analyse our findings.
A.12.4.2: Protection of log information
Logs are critical for audit purposes, investigations and for operations, in addition your logs may contain personally identifiable (PII) data.
Attackers will attempt to delete or modify logs if they can access them to hide their trails and could also try and steal the PI contained in them so all logs need to be adequately protected against tampering and possible data breaches.
Your aim of this control is avoiding unauthorized user access, tampering of logs and information loss while being able to prove the processes followed during your investigation are forensically sound as the logs are protected and accurate..
A.12.4.3: Administrator and operator log’s
System administrators typically manage systems and databases within their departments and logs of their activities ae critical to protect for operational and security reasons. Procedures must be implemented to enforce and protect the logging of all administrator and operator activities.
A.12.4.4: Clock synchronization
All clocks within the system must remain synched to a specific reference time source as this is another critical state of uniformity within the organisation.
In the event of a break in different security, asset logs can be used to compare timestamps and help track the source of the threat.
A.12.5 Operational software control
A.12.5.1: Installation of software on operational systems
All software installations must be closely controlled to maintain the integrity and security of company information as unsupervised downloads can result in malware infections, system corruption or file damage. This is the perfect opportunity for unauthorized persons to swoop in and install covert hacking tools.
Formal change management policy should be applied in this area to ensure that only necessary and verifiable installations are made to any company operating systems and evidence of this process needs to be kept..
A.12.6 Technical vulnerability management
A.12.6.1 Management of technical vulnerabilities
Technical vulnerabilities are at the core of most information security breaches so there must be a continuous process and mechanism identifying technical vulnerabilities
All technical vulnerabilities identified must be documented and brought to the attention of the technical team system who will devise a plan to reduce the probability of these incidents occurring. This should be handled as an urgent matter and your team must strive to rectify it promptly.
Any suggested security patches must first go through testing before being applied to live company equipment and systems as ultimately, quality output is the most important aspect of the mitigation process.
Education is paramount here as users need to know how their actions can impact certain technical vulnerabilities and how they can help mitigate these risks.
A.12.6.2 Restrictions on software installation
In alliance with A.12.5, your organisation should have rules for installing software on company systems and devices to stop unauthorized or inexperienced staff introducing harmful software into workspaces.
All downloads need to be authorized before being allowed, .If you work in a small company and think this will be difficult to achieve then you can create a white list of all acceptable software downloads. Share this information among staff and relevant personnel in terms of awareness of the dangers and the reasons why.
As evidence suggest you should ensure that your company run regular software audits for the auditors.
A.12.7 Information systems and audit considerations
A.12.7.1 Information systems audit controls
Audits are necessary, but all these verifications and system checks can disrupt normal business activities. Your firm should create a formal audit schedule that considers different business activities customarily held on given days
he audit must not negatively impact system operations or slow down business for an extended period. You must define the scope and depth of your audit and plan out the best times to perform these testing. In addition the controls around sharing evidence and how audit conduct their testing must be defined and managed to not impact information security controls.
A.13 Communications Security
A.13.1 Network security management
This area addresses issues with network security management and involves matters concerning data transfers, to ensure that conditions that preserve data confidentiality, integrity and availability are in place.
A.13.1.1 Network controls
Data stored and transferred through company networks needs protection against access, interception, corruption and other possible threats You should understand all the business needs, risks and assets associated with networking
Permitting outsiders to access your networks will increase the number of threats to the company. Your plan should account for both internal and external access risks.
Relevant controls include but are not limited to
- Firewalls and prevention systems
- Access control lists
- Connection controls
- End point verifications
- Network segregation
A.13.1.2 Security of network services
Based on the risk assessment, you should implement security measures to safeguard the data transmitted using network service. Network service agreements must consider business requirements, security requirement and possible threats to have controls to reduce your vulnerabilities.
A.13.1.3 Segregation in networks
Different users and information networks should be segregated across the system. Having separate domains for public access, departmental use, critical systems and management use. This is a much safer method than having all services share the same operations.
A.13.2 information transfer
A.13.2.1 Information transfer policies and procedures
Policies are required to support the safe transfer of data between parties across your network. Your standards should support the different types and ensure that there are transfer policies and procedures in place to manage these risks. .
A.13.2.2 Agreements on information transfer
Agreements between your company and third-party representatives must clearly communicate the need to maintain the confidentiality and integrity of all data sent or received on either end.
Both physical and digital copies of information should be protected against loss or viability and align to the requirements included in the agreements based on their classification..
A.13.2.3 Electronic messaging
Any data transferred via digital messaging systems needs to be safeguarded against online threats and aligned to the policy requirements around acceptable forms of e-messaging for different types of information.
High risk or confidential financial information should never be transferred through electronic communication channels unless strong protection is applied as they are at risk of identity theft or fraud.
This protection includes end to end encryption, masking and monitoring of the transmission.
A.13.2.4 Confidentiality or non-disclosure agreements
Non-disclosure agreements are must haves for any institution serious about data protection. Be sure to explain the needs and rights of your company to preserve all forms of data confidentiality. Your contract should be drafted and approved by management and the terms regularly reviewed, amended and updated
Standard forms of nondisclosure agreements may fall under the following categories:
- general or mutual non-disclosure
- terms and conditions of customer use
- associate supplier or partner agreements
- employment contracts
- privacy policies.
A.14 System acquisition, development and maintenance
These controls aim to maintain information security as the foundation of all development processes within the organisation.
A.14.1 Information security system requirements
A.14.1.1 Information security requirements, analysis and specification
Information security requirements should be factored into all new information systems from inception within the organisation. It’s a good idea to run a risk assessment analysis to determine the threat you will be facing with all security requirements documented and used as references for the subsequent system implementation and reviews.
A.14.1.2 Securing application services on public networks
Application services are often facilitated over digital communication channels and through the use of public networks. These activities may involve the dissemination of individual identification data and financial information.
Without effective security controls your company runs the risk of data loss or corruption of sensitive data being transferred across these open networks. .Any sensitive information transmitted through these media must be protected by strong transmission controls and procedures. Your systems will also need to be monitored for possible issues and attacks.
A.14.1.3 Protecting application services transactions
Both financial and non-monetary transactions are involved in online application processes. While the financial process may incorporate bank cards and e-commerce credentials, non-financial information assets like e-signature and encryption codes also come into play. Your organisation’s responsibility is to secure all forms of confidential data, transacting in your system from illegal interceptions, availability attacks or unauthorized disclosure, etc..
A.14.2 Development and support processes
A.14.2.1 Secure development policy
Regulations must be implemented to ensure the safe development of software and related systems within the organisation. A secure development policy highlight standards that foster secure standards for companies to facilitate in-house digital productions.
Best practices and specific crypto language techniques will be enforced to support secure coding within the data security perimeters, security checkpoints and version controls Software and system developers will need to attend training on these policies related to:
- Secure coding principles
- Pair programming and peer reviews,
- independent quality assurance tests and
- Encryption reviews and assessments.
A.14.2.2 System changes control procedures
Any changes to the systems throughout their development cycles need to be managed by formal change management procedures and monitored and verified by authorized staff. This is done to ensure the best quality outcomes from all processes and reduce the chances of introducing new vulnerabilities to the system. All changes performed must be documented and kept for future reference.
A.14.2.3 Technical review of applications after operating platform changes
Changes to systems will likely produce some errors or incompatibility but developers must commit to first testing these changes before applying them to live company operations. This testing will assist with identifying issues in the prototype can be identified, rectified and refined without causing considerable complications with the live environment.
A.14.2.4 Restrictions on changing to software packages
Companies are advised against making changes to off the shelf software packages as most of these products were created for mass commercial distribution and you lack permissions to alter their settings.
Although open-source software might allow such changes, there still lies a risk of damaging the product and connected company files in the process. Tso in essence the integrity of all purchased software should be respected and maintained by all means.
A.14.2.5 Secure system, engineering principles
Principles and guidelines should be established for ensuring secure engineering processes among internal software developers. These principles should resonate at all levels of the organisation where they apply to minimize the incidence of resulting discrepancies. All proposals for new engineering practices must first be presented for approval and then carried out as per the ISO27001 requirements.
A.14.2.6 Secure development environment
Your organisation must create development environments where developers can securely work on projects. This means that access controls most be segmented between environments and the development environments are protected by secure practices and developers monitored and prevented from following insecure practices.
A.14.2.7 Outsourced development
All outsourced development should be managed to ensure that your security standards or better are applied. Contracts should include clear security requirements, ownership and nondisclosure terms. These parties should also be included in your company’s training and awareness programs.
A.14.2.8 System security testing
Security functions integrated into the development process must all have a well-defined formal testing process and be tested by experienced and authorized parties.
You should record the results you expect to receive from these procedures before testing begins. Your auditor will also want proof that you carried out the security testing so be sure to include some form of documentation.
A.14.2.9 System acceptance testing
There should be an acceptance testing program and approval criteria established for all new information systems and projects requiring updates and version changes. The criteria for acceptance testing should be based on your business requirements and how you expect these changes to help achieve company goals.
A.14.3 Test data
A.14.3.1 Protection of test data
Tests allow us to produce results that we can use to compare real life situations with system testing helping developers assess the number of vulnerabilities associated with their models. The outcomes are then used to improve the system and reduce possible threats.
Test data is usually simulated as much as possible to mimic natural test environments because realistic tests generate reliable results. ISO 27001 recommends that all tests are to be selected using specific guidelines with samples needing to be protected and controlled.
The problem is, test data isn’t always sufficient and sometimes live information needs to be used under an anonymous identity to conduct accurate testing. Using actual data increases the risk associated with the process so to reduce the severity of the procedure, developers can opt to:
- Use security policies (including access control, encryption and monitoring) to protect live testing data.
- Securely delete the live data after testing. Any time Live data is considered its use must be reauthorized, monitored and logged.
A.15 Supplier relationships
These controls aim to protect your company and its assets within third party agreements with suppliers.
A.15.1 Information security and supplier relationships
A.15.1.1 Information security policy for supplier relationships
Suppliers are great for handling work that you are either unable to do or prefer passing on to another party to do, but you have to be careful whenever you involve external sources in your business.
Some of your suppliers will be more critical to your company than others and may be more actively involved in your firm. Your supplier selection policy should reflect these differences such as what conditions deemed the supplier more valuable than the other.
The critical suppliers and partners here you might partially follow their policies are to be focused on in terms of risk and how the relationships are managed. Stick with partners who add value to your information assets or bring quality to your risk environment.. A management system will enhance how you regulate what kinds of assets your agreement will involve and the level of engagement with your suppliers.
A.15.1.2 Addressing security within supplier agreements
Pay attention to businesses that are mature in terms of governance and compliance and may already be certified in ISO27001 as you could learn from them. .Supplier agreements then need to have specific security and data protection components integrated into them. This includes:
- Incident management
- Legal bindings and regulations
- Supplier staff screening. Non-disclosure (A.13.2.4)
- Report requirements and reviews
- Other third parties that may get involved, e.g., company subcontractors
As part of an agreement, try to find some common ground with your associate, depending on the scope of your agreement, some factors listed above may be reduced or excluded from your contract. Use your discretion but make sure everything is ethical and legal.
A.15.1.3 Information and communication technology supply chain
Most of the precautions included for physical supply chains will apply to digital ones. your agreement’s terms will depend on your company size and the nature of the work you wish to complete with your partner. Always assess the risks of doing business with external parties with a focus on suppliers who handles confidential or high-risk data and align with what is documented in your policy.
A.15.2 Supply a service development management
A.15.2.1 Monitoring and review of supplier services
You will be required to describe how your company plans to monitor, assess and audit suppliers, service deliveries, these assessments will be conducted in light of the risks posed by involving your information assets. Thus, the audits and reviews will focus primarily on information security protocols. Therefore a process to show you monitor and review the supplier services on a continuous basis is critical.
A.15.2.2 Managing changes to supplier services
This control is about managing changes to supplier services to that these changes do not have an adverse effect on the ISMS. Any changes need to be managed and reviewed and the risks understood.
The steps involving the reassessment of your risks and analyse any systems and processes affected by those changes will then be documented
A.16 Information Security Incident Management
The objective of this main control is to implement a process to manage security incidents effectively
A.16.1 Managing infosec incidents, events and weaknesses
A.16.1.1 Responsibilities and procedures
We’d all like to go along believing that we’re completely covered against threats but the bad news is that no one is immune to security incidents. Organisations are prone to experience at least a few security violations throughout their tenure.
Therefore it’s only wise to create a strategy to detect system weaknesses and soften the blow of an incident when it hits.
We recommend the following type of approach:
- Detect a threat, An employee may notice a weakness or impeding threat within the ISMS and they will notify authorized personnel of the issue in different manners (i.e. Helpdesk, emails or personally informing them)
- Classify the incident, upon notification, the authorized administrator will evaluate the threat and classify it based on criteria already established by the company risk management policies.
- Treat the incident, authorised staff (technical and/or management) will use incident classification criteria to rate the incidents risk level, and propose a solution to the impeding threat.
- Close the incident, all details of the incident must be logged and stored and a company records the resolution and possible lessons learned and notify the party who informed you that the incident is closed.
A.16.1.2 Reporting information security events
All employees and interested parties can report any security incidents or events to authorized personnel in the system and there should be a clear process as to how this is done and what the responses will involve.
As part of your training and awareness program you should define and give examples of possible weaknesses, events or incidents that are cause for concern as well as how the process works. Weaknesses could be a sign of ineffective policy controls, issues with system availability or data breaches and therefore must be reported and dealt with urgently before their impact grows.
A.16.1.3 Reporting information security weaknesses
AIl employees find a weakness then they should report it internal contacts and .not verify the weakness using the defined process as to how this is done and what the responses will involve.
As part of your training and awareness program you should define and give examples of possible weaknesses, events or incidents that are cause for concern as well as how the process works. Weaknesses could be a sign of ineffective policy controls, issues with system availability or data breaches and therefore must be reported and dealt with urgently before their impact grows.
A.16.1.4 Assessment of and decision on information security events
The relevant incident responder will examine any reported issues and then decide whether they can be classified as a weakness event or incident and then the team can decide on an incident plan.
he plan should aim to resolve the issue without as little impact on the company’s activities as possible.
A.16.1.5 Response to information security incidents
The incident responder in charge of resolving the information security incident will also be required to:
- Gather evidence of the incident in a timely manner
- Determine the root cause of the issue and the individuals directly involved
- Inform authorised regulators if necessary
- Verify that all incident data is appropriately logged in the system
- Notify top management of the incident, who will then pass on the message to other interested parties
- Rectify the information security weakness that signalled the incident.
A.16.1.6 learning from information security incidents
Your policy and process must reflect that your incident analysis results will be used to improve the ISMS and prevent a repetition of the incident learning from the incident.
Every incident offers a lesson in disguise, smart companies will carry their experiences under their belt for the future. After recovery, the incident is logged for review and a learning exercise conducted, such as the team will make suggestions to remediate vulnerabilities, amend the ISMS policies and strengthen its data security. Once the amendments have been approved, staff may need to be retrained to keep up to date with their new policies.
A.16.7 Collection of evidence
Some incidents render the need to exercise criminal or civil action and resolution so company policy should reflect best practices for safe identification retrieval and preservation of evidence from the scene. These processes will ensure that management and staff understand how to implement these practices and preserve evidence that can be in these actions.
A.17 Information security aspects of business continuity management
The controls in this section aim to configure an efficient system that can handle business disruptions with a focus on information security threats and controls. How can you guarantee that your business will survive after facing and resolving a threat?
A.17.1 Security continuity
A.17.1.1 Planning information security continuity
The most successful businesses are those which plan for disaster and have clear alignment to information security threats and response scenarios. You’re not negative but, rather are covering your bases and ensuring that your company has a Plan B for when the unexpected happens.
Amid crisis, what are some of the services you’ll still need and expect your ISMS to deliver? What would happen if a significant data source from your system is affected and what would your response be?
Consider all possibilities in terms of the worst threats that could happen? Do you have an emergency plan in place to address such incidents to ensure that good planning will save your business from the negative effects of an information security breach.
A.17.1.2 Implementing information security continuity
Once you’ve plotted possible threat outcomes, it’s time to strategize. And your continuity policy must have documentation related to:
- Trigger points that will signal if an incident is about to escalate and steps to sustain information security controls during an incident
- Recovery procedures that you’ll implement after the start of a crisis
- Processes you’ll use to maintain conditions that favour business continuity after the recovery phase. Descriptions of all additional roles, activities, owners and risk reduction techniques that will assignat each stage of the policy.
- Proposed duration for the information security or business continuity plan. Estimated time frames within when business will return to normal.
A.17.1.3 Verify, review and evaluate information security continuity
All continuity controls will need to be monitored and reviewed during the recovery phase to gauge the company’s progress. Testing of these controls should have recurring schedules and the results will be used to determine if the controls need adjusting to match the system’s current recovery state.
As risk levels change, so should your processes, otherwise your procedures will no longer benefit the system. During your internal audit, you’ll be asked to present logs of all recovery controls implemented during the process. Documents of the events that followed recovery, setbacks and developments will also come into play as the recovery phase as a learning process for your firm. Make sure you take notes of those lessons.
A.17.2.1 Availability of information processing facilities
Redundancy helps your stored copies to maintain the availability of your information systems. In simple terms if one of your originals fails, you’ll have a backup copy available to replace it.
You should conduct regular tests to confirm the viability of your redundancies as It would be a major disappointment if your backup also failed. Since redundant items are of such great value to your system continuity, they must be stored either at the same level or better than your originals. Most companies these days use cloud storage to preserve their redundancies, if you have a supplier relationship, you should discuss the status of your redundancies in the cloud. They should be well informed of the risks you face related to data security. Transparency is key.
As an international standard, ISO 27001 enforces that organisations identify relevant laws and regulations that apply to their scope.
A.18.1 External compliance
A.18.1.1 identification of applicable legislation and contractual requirements
Your organisation must maintain adequate documentation of all legislation and regulatory measures that affect its business and ISMS scope. Part of that maintenance involves staying current with recent updates to these abiding laws and requirements.
You should speak with the legal department or legal consultant to confirm which laws apply to your firm. The criteria for identifying applicable legislation and terms for your business include:
- the location of your company, you’re expected to adhere to the laws governing your jurisdiction
- the nature of your organisation, whether you are a non-profit institution, medical centre, financial firm, government owned, etc.
- the type of information processed in your organisation., medical centres operate under doctor patient confidentiality clauses. Those terms would not apply to a bank.
A.18.1.2 Intellectual property rights
An organisation must comply with all standards and legal rights associated with intellectual property and software products used in its activities. All licensed software used within your firm’s parameters must be continually audited and reviewed for IPR compliance.
Apart from respecting the rights of other entities, your firm should see to it that third parties adhere to the laws protecting your intellectual property. This is where you can implement confidentiality agreements between your business and prospective clients, employees and stakeholders. Your auditor will ask you to submit logs of all the licenses, permitting you to use various software and products for your work.
A.18.1.3 Protection of records
The nature of your records will determine which methods are best for protecting them against loss, damage, corruption, unauthorized user access and unsolicited disclosure. The method you choose must comply with the terms of appropriate legislation or contractual requirements.
Always keep an eye out for terms that specify how long you can retain certain records. Poor handling and storage of files can also result in their damage or destruction and all record particulars should be understood so that authorized personnel can implement the correct measures.
A.18.1.4 Privacy and protection of personally identifiable information
All personally identifiable information is considered highly confidential on many levels of legislation with ISO requirements respecting these stipulations (e.g. GDPR).
As such, ISO 27001 requires you to apply relevant controls to protect the sensitive data and each staff member and stakeholder are individually responsible for protecting the information of persons engaged in the business with their company so keep evidence of this process for your audits..
A.18.1.5 Regulation of cryptographic controls
Cryptographic laws and regulations apply to all devices and networks operating via encryptions, transporting regulations may apply in cases where keys are used in locations outside of the company’s actual jurisdiction. Provisions for applicable regulatory requirements as well as transport requirements must be made and documented by your firm.
A.18.2 Internal Compliance
A.18.2.1 Independent review of information security
Best practices encourage companies to carry out regular or annual independent reviews of all information security policies and controls to improve their systems with independent assessments mandatory.
Reviews must have formal schedules and consider the current risks and vulnerabilities relevant to the organisation and seek to target any new ways of mitigation. A report of every review and its findings must be included in your list of documentation during an audit.
A.18.2.2 Compliance with security policies and standards
They should also be orders performed on a departmental scale. The CISO and respective heads of department should perform planned checks of their system performance. This ensures that the staff still comply with the policies and standards expected of them in the ISMS. If the review reveals any non-compliance issues with the system, the head must log their results and suggest relevant corrective actions to improve these areas.
To address the noncompliance issue, responsible parties needs to deduce the root cause and frequency of the problem before resolving it. In most cases, this can be corrected with appropriate documentation updates and training forums to educate or re-educate users on
A.18.2.3 Technical compliance review
Information systems and networks must all be assessed for compliance with its ISMS standards and policies. The most convenient method of performing these reviews is the use of automated systems. Only authorized personnel will be granted access to these compliance testing systems and this includes vulnerability scanning and Penetration testing.