Indicative List of Policies to be framed for ISO 27001:2013

The organization should define information security policies that are approved by management and set out the organization’s approach to managing its information security objectives.
The requirements that these information security policies should address come from three sources: a) business strategy, b) contracts, regulations and legislation, and c) the security threat environment.

What should “Information Security Policy” cover?

a) Definition of information security, and the objectives and principles that direct all activities related to information security
b) Assignment of information security management responsibilities to defined roles
c) Processes for handling non-conformities and exceptions

Indicative List of policies:

1) Information Security
2) Access control
3) Information classification and handling
4) Physical and environmental security
5) Acceptable use of assets
6) Clear Desk and clear screen
7) Information Transfer
8) Mobile device and teleworking
9) Restriction on software installations and use
10) Back-up
11) Protection from malware
12) Management of technical vulnerabilities
13) Cryptographic controls
14) Communication security
15) Privacy and protection of personally identifiable information
16) Supplier relationships
These policies should be communicated to relevant internal and external stakeholders as part of information security awareness.

Structure of ISO 27001:2013

Controls (Annex A)

A.5: Information Security Policies – Controlling how policies are written and revised

A.6: Information Security Organization – Controls on how responsibilities are assigned; also includes controls for mobile devices

A.7: Human Resources Security – Pre-employment, during and after employment controls

A.8: Asset management – Asset inventory and acceptable use controls; also for information classification and media management

A.9: Access control – Access control policy, user access management, system and application access control

A.10: Cryptography – Encryption and Key Management Controls

A.11: Physical and environmental security – Controls defining secure areas, entry controls, protection against threats, security of the equipment, secure removal, clear desk and clear screen policy, etc.

A.12: Operational security – Procedures and responsibilities, malware, backup, logging, monitoring, installation, vulnerability etc.

A.13: Communications Security – Network security, information transfer, e-mail security checks etc.

A.14: Acquisition, development and maintenance of the system – Controls defining security requirements and security in the development and support processes

A.15: Vendor Relations – Controls on what to include in agreements and how to monitor suppliers

A.16: Information Security Incident Management – Controls for reporting events and weaknesses, defining responsibilities, assessing events, responding to and learning from incidents, and collecting evidence.

A.17: Aspects of information security in the management of continuity of operations – Controlling the planning, implementation and review of the continuity of information security operations.

A.18: Compliance – Controls requiring the identification of applicable laws and regulations, protection of intellectual property, protection of personal data and review of the security of personal information

One of the biggest myths about ISO 27001 implementation is that it is computer-centric. On the contrary, it covers all the aspects listed in Annex A above.

The controls in Annex A are an essential part of ISO 27001 implementation. Based on the risk assessment, an organization decides which controls are applicable and records a valid rationale for each decision.

What is ISO 27001?

ISO 27001 is a standard that helps organizations manage information security. It was published by the International Organization for Standardization (ISO). The latest revised version is ISO 27001:2013; the first version was published in 2005. The standard was developed from the British standard BS 7799-2.

Which type of organizations can get certified for ISO 27001?

ISO 27001 can be implemented in any kind of organization, profit or non-profit, private or state-owned, small or large. ISO 27001 establishes a framework for implementing information security management in an organization. Organizations can also get certified against ISO 27001: an independent certification body performs the audit and, upon compliance with the standard, issues the certificate to the organization.

What are the benefits of ISO 27001?

  1. New client acquisition and retention of old clients
  2. Avoid losses and penalties for data breaches
  3. Comply with business, legal and regulatory requirements
  4. Protect and enhance organization’s reputation
  5. Provide competitive advantage
  6. Consistency in the delivery of service or product
  7. Builds a culture of security

How is the ISO 27001 standard structured?

ISO 27001 is split into 11 sections, plus Annex A. Sections 0 to 3 are introductory (and are not mandatory for implementation), while sections 4 to 10 are mandatory – meaning that all their requirements must be implemented in an organization if it wants to be compliant with the standard. Controls from Annex A must be implemented only if declared as applicable in the Statement of Applicability.

How to implement ISO 27001?

Steps involved are:

  1. Get Sponsorship for the project
  2. Define the scope for ISO 27001
  3. Conduct ISO 27001 Awareness Training
  4. Establish top-level Information security policy
  5. Prepare the asset list
  6. Perform the risk assessment and risk treatment
  7. Write the Statement of Applicability
  8. Prepare Risk treatment plan
  9. Implement all applicable controls and procedures
  10. Conduct Internal Auditor Training
  11. Perform internal audit
  12. Perform management review
  13. Implement corrective actions
  14. Conduct Certification Audits

Identify Risk At Early Stage To Mitigate The Legal Risks For Your Business

Every entrepreneur seeks business success. Since you want the same thing, act now to help your business manage its risks. Risk management is part of business planning. The process of managing risk is meant to reduce or do away with the events that could have a negative impact on your business. It entails identification, assessment and prioritizing of different kinds of risks. As soon as the risks are detected, the risk manager can create a plan to reduce or get rid of the impact of the negative circumstances. Risk management strategies are many, including the use of the best enterprise risk-management standards developed by ISO (International Organization for Standardization).

Understanding the types of risks you face

Different sorts of risks exist and you need various risk management plans to mitigate or eliminate them. Common risks include fire or accidents on your business premises and catastrophic events triggered by nature. As well, your business risk can be legal: sexual harassment lawsuits, accounting frauds, and theft. Additionally, risks can arise from your normal business practices, volatile nature of the money markets, poor data handling and storage, unpaid loans, and project failures. If you want to be in control always, take the time to understand your business risks.

What are the goals of risk management?

After you have identified your business threats and risks and decided to manage them, the next big step is to set goals. The biggest goal you should aim at is to protect your enterprise from being at risk. Other, smaller goals should include protecting the welfare of your employees and customers. Furthermore, you should aim to shield the general public from negative events that may affect your business premises and them. Proper risk management practices are also about conserving your physical facility, data and records storage systems, and physical assets like business vehicles and equipment. Although all business risks can be costly, you don’t want persistent legal battles. Hence, your main goal when developing risk management strategies should be to protect your business from legal consequences.

The best solution – ISO31000:2009

The risk management principles and guidelines provided by ISO31000:2009 are the best solution you have. They comprise a framework, a set of principles and a logical process for managing risk. With this solution, you can do the most effective enterprise risk management in India. It is an effective way of identifying opportunities and threats and allocating your resources wisely. ISO31000 is easy to implement if you consult an expert like cunixinfotech.com. It entails only eight steps, which you won’t have to carry out yourself.

CUNIX will be happy to do this task for you in exchange for a manageable fee. The company offers a Risk Management workshop. This workshop is conducted to create awareness to the targeted audience. It includes a lot of training via several case studies to boost the participants’ level of understanding and to assist them to develop a habit of managing risk in their businesses. Second, CUNIX offers Risk Management Consulting. This entails help and guidance on how to implement ISO31000:2009 steps. By – cunixinfotech.

Know How of CMMI #1

This is a weblog series. You are reading first (#1) log of the series. Please follow us regularly to know more about CMMI and to not miss any links in between. We would love to hear your valuable comments and suggestions.

  • CMMI stands for Capability Maturity Model Integration.
  • CMMI is a framework for business process improvement.
  • CMMI is NOT an engineering development standard or a development life cycle.
  • CMMI is meant to help organizations improve their performance of and capability to consistently and predictably deliver the products, services, and sourced goods their customers want, when they want them and at a price they’re willing to pay. From a purely inwardly-facing perspective, CMMI helps companies improve operational performance by lowering the cost of production, delivery, and sourcing.
  • CMMI’s a place to start, not a final destination. CMMI can’t tell an organization what is or isn’t important to them. CMMI, however, can provide a path for an organization to achieve its performance goals.
  • CMMI doesn’t have its own context; every organization has its own unique one to implement CMMI.
  • CMMI practices improve existing work practices, but they do not define what those work practices must be for any given activity or organization.

The next log of this series will focus on “what CMMI can be useful for”. Watch this space for updates and post your queries, if any, at veer@cunixinfotech.com

CUNIX is a Management Consulting Organization and one of the top 10 CMMI Institute Partners worldwide, providing CMMI Consulting Services and CMMI Certification in India and internationally, along with ISMS Consulting, Project Management and Risk Management.

Vision to Activities: Let’s make implementation simple

Organizations worldwide share these two common concerns:

  1. The strategy formulated by top management is far from the changing realities of the market
  2. Even when the strategy is in line with market realities, it is difficult to translate it to the operational level, so it remains only in the company’s strategy documents

The strategy formulation has these standard steps:

  • Defining Vision
  • Mission
  • Core Values and Objectives for the organization.

The difficult part is converting objectives into workable units, i.e. strategy implementation becomes a challenge for senior management. The Balanced Scorecard is one good tool in this direction. I am sharing my experience of maintaining a Balanced Scorecard at my organization.

  1. Convert Objectives into SMART Goals: The objectives direct the goal definition. The goals should be Specific, Measurable, Attainable, Realistic and Time bound.
  2. Percentage contribution of different Goals to a particular objective: The % contribution of each goal to the particular objective needs to be analyzed by Senior Management in accordance with their past experience.
  3. Conduct Synergy meets to get Ideas: The people at the operations level face the ground-level challenges related to different functions in the organization. Ideas from them will be vital to the success of the organization. Conducting Synergy meets at regular intervals and gathering ideas from them will lead to a priceless repository of potential future initiatives.
  4. Map Ideas to Goals: Map each idea to the goal it intends to satisfy and rate it mainly on two factors (these factors can differ between businesses): a) Effectiveness of the Idea in achieving the Goal, b) Impact of the Idea on the Goal
  5. Qualify Ideas to Initiatives: After rating ideas on the above two parameters, discuss and define some rules (based on your organizational preference) for qualifying these ideas as initiatives.
  6. Choose among initiatives: The previous step will give a handful of ideas which have the potential to become initiatives. Rate those ideas on different parameters derived from the focus on customers, finance, internal processes and people.
  7. Prepare a Work Breakdown Structure: After the initiative qualifies, break it down into the activities to be performed, with the Responsibilities, End Date, Duration, Completion Status etc. mentioned.

This 7-step process converts the broad-level vision into doable activities with clear-cut responsibilities for performing them.

Understanding Balanced Scorecard: Design and Implementation

  • Balanced Scorecard is a tool. In this particular post we will focus more on the issues this tool resolves in the organization. In later posts we will explore the tool itself.
  • Balanced Scorecard as a tool drives the systems below:
    1. Communication System
    2. Performance Management System
    3. Strategic Management System
  • Factors affecting organizations in today’s dynamic environment:
    1. Too much focus on financial measures of performance to measure the organization’s success
    2. In this era of Information Technology, the intangible assets which are creating far more value for customers are less understood and evaluated
    3. Difficulty in percolation of formulated strategy to all the levels of the organization and hence challenges in strategy execution
  • Balanced Scorecard helps the organization overcome the above-mentioned factors by addressing them as below:
    1. Introducing other measures as well, to ensure effective Organizational Performance Measurement
    2. Taking into account the value creation aspects of intangible assets
    3. Cascading it to the different levels in the organization to address the challenges in Strategy implementation
  • The next blog of this series will focus on “Financial measures and their limitations”. Stay tuned to this space and post your queries, if any, at rajendra@cunixinfotech.com

How Software Development Organizations Get Various Benefits From A CMMI Certification

The software industry is one of the fastest growing industries in the world today. As such, you can expect very stiff competition between the industry players. To survive in this industry, your organization needs to be at its very best when it comes to delivering the goods when it matters most.

The different departments of any software development organization need to communicate effectively with one another so as to achieve optimal performance during the course of executing any project. This post will acquaint you with the various benefits a software organization stands to gain when it implements CMMI as part of its work culture.

Read carefully and find out how we can help improve the management structure of other software development organizations.

Industry Standards

This is one very good way your organization will benefit from this certification. When people are certified in this regard they tend to carry out every task with industry standards in mind. Employing industry standards in the various roles of a software development organization will help the various processes in the organization link up nicely with each other.

Let’s take coding, for instance: when this model is implemented during code development, the developer ensures that every detail about his code is comprehensively documented.

This way, it will not be difficult for any other developer who will be coming on board to continue from where he or she has stopped. In other words, with this model in place, you can expect easy maintenance of any application.

Quick Turnaround

Another thing you can benefit from such a model is getting your projects finished way ahead of time. Doing what has to be done will help to save a great deal of time. There will be more projects to handle because clients trust you can deliver on your promises. This is simply one of the secrets of success in this industry.

Better Communication

For projects to move smoothly when there is an improved workflow, employees and senior team members need to understand the need for seamless communication within a project team. They need to understand the significance of giving feedback when appropriate. This is so important that it cannot be overemphasized.

During the course of any project, there should be proper communication every step of the way between members. This will go a long way to improving the way projects are being executed in the workplace.

Process Analysis

This model does not only benefit the software development organization from an internal perspective. It also helps to make it more effective in front of its clients. What this means is that your organization will have the expertise needed to study and analyze other processes so that it can suggest various improvement techniques that will bring about improved productivity.

Are you a software development organization in India or Mumbai looking for a consulting company that can render this type of service? Well, look no further, because we do not only provide CMMI Certification in Mumbai but also CMMI Certification in the Philippines, the United Kingdom (UK), Argentina and Egypt.

5 Ways To Achieve CMMI Level 3 Certification For Any Organization

Gaining a CMMI Certification is like conducting a fitness check for an organization to figure out any impairments in its processes, workflows, procedures, and practices that affect productivity and hamper growth. Various best practices and processes are included at different maturity levels of a CMMI Certification. These CMMI process areas target the identification, effective management, and continuous improvement of various business processes by applying generic practices under every process area. CMMI Maturity Level 1 targets reactive unpredictable processes that are poorly controlled and inefficiently managed. CMMI Maturity Level 2 targets reactive project-specific processes. CMMI Maturity Level 3 targets proactive organizational-level processes. CMMI Maturity Level 4 targets properly measurable controlled processes. CMMI Maturity Level 5 is the optimization phase that focuses majorly on process improvement.

Any organization can achieve CMMI Level 3 Certification in India by following certain steps. There are various renowned consultancy firms in cities like Delhi, Mumbai, Ahmedabad, Bangalore, Chennai, and Pune that facilitate consulting services for CMMI Certification. 5 ways to achieve CMMI Level 3 Certification are as follows:

1- Gap Analysis: The first and foremost step is to find any gaps in the specified process areas defined under CMMI Model for that level. The insights gained at this step form the basis for any future decisions that greatly impact an organization.

2- Training: This phase involves learning industry standards, best practices, methodologies, and organizational procedures that comply with the CMMI process areas for that level. In other words, this phase teaches process engineering for designing and developing business processes.

3- Tune-up: This phase helps the organizations in applying the cognizance gained in the previous step onto their business processes. This involves the implementation of a plan that includes identification of required tuning up as well as the development of processes to fill in the gaps identified in the first phase.

4- SCAMPI B: This step is a formal appraisal that provides the information needed to understand the current state of an organization with respect to the CMMI. It gives an indication of whether CMMI Maturity Level 3 has been successfully achieved.

5- SCAMPI A: This phase marks the successful completion of the appraisal to the next level.

With an increasing demand for streamlined procedures and global standards across all software development industries, CMMI Certification In India is gradually gaining attention. But the wave is not limited to the native boundaries. Even countries like the USA are showing increased inclination towards standardized procedures with CMMI Certification. Many renowned organizations have undertaken CMMI Certification in Washington to gain a valuable insight into the industry procedures and best practices and applied the same to improve processes, assess risks, and devise strategies for continuous improvement of operational procedures. Many organizations in Washington have embraced growth, productivity, and success with CMMI Certification.

Although there are various organizations that provide CMMI Certification, CUNIX infotech is a reliable name known worldwide for its imperative analysis, in-depth research, knowledge across various industrial domains, and years-long industry experience.

Role of a CMMI Consulting Services in a Business Organization

Businesses in the 21st century are shaping up nicely in order to meet the challenges that confront them on a regular basis. Some businesses are even going as far as employing the help of professionals to steer them into a comfortable position in their respective industry. It is all about adopting various business models that can be used to achieve better and more efficient results. One such model is the Capability Maturity Model Integration, also known as CMMI.

Are you in India and looking for ways to engage outfits that specialize in CMMI Consulting Services? Or is your interest just to get a certification in this regard? Perhaps you just need someone to take you through the subject matter. Whatever you are looking for, as long as it relates to the above-mentioned business model, we can provide you with such services.

You have come to the right place because this post will be doing justice to the subject matter. After going through this post, you will discover the benefits of applying such a model in your business organization. Highlighted below with brief explanations will be some of the outstanding benefits of having such model in place:

Improvement of Processes

Having such a model nicely integrated into any business organization will certainly standardize the processes of that firm. The overall business performance of any organization is simply a collection of all the activities that take place in that organization. If these processes are not optimized, it will lead to a drop in overall business performance. Hence, one of the ways of taking care of such a challenge is to make sure that this model is rightly applied in the organization.

Better Performance

Sounds like the previous point but they are not the same. This has to do with the performance as it relates to service delivery. Employing such models will only lead to introducing industry best practices to the organization. Following standard procedures will only cause any firm to be consistent in their service delivery. These are some of the things that help to distinguish certain business organizations from the rest of the crowd. Applying the model and making it a business culture can only bring about good results.

Encourages self-development

Employee skills and knowledge base are what determine the position of any business in the marketplace. If employees are not bent on having self-development as one of their personal objectives, then it is right for you to say that there is a misalignment of goals somewhere. This is what having such a model in place can do for you: this model will help them focus on self-development as a tool to increase the chances of the business organization in the marketplace.

The usefulness of such a model for any business organization cannot be overemphasized. Are you in Mumbai and don’t know how to get the model applied to your business organization? Well, you don’t have to bother any more, because we will provide you with all the help you want in this regard. Not only do we provide advisory assistance with respect to the subject, but we also conduct appraisals that will make your CMMI Certification in Mumbai, and CMMI Certification in Australia and the UAE, a reality.