ISMS Policies

Indicative List of Policies to be framed for ISO 27001:2013

The organization should define information security policies that are approved by management and set out the organization's approach to managing its information security objectives.
Information security policies should address requirements derived from a) business strategy, b) contracts, regulations and legislation, and c) the security threat environment.

What should “Information Security Policy” cover?

a) A definition of information security, and the objectives and principles that direct all activities related to information security
b) Assignment of information security management responsibilities to defined roles
c) Processes for handling non-conformities and exceptions

Indicative List of policies:

1) Information Security
2) Access control
3) Information classification and handling
4) Physical and environmental security
5) Acceptable use of assets
6) Clear Desk and clear screen
7) Information Transfer
8) Mobile device and teleworking
9) Restriction on software installations and use
10) Back-up
11) Protection from malware
12) Management of technical vulnerabilities
13) Cryptographic controls
14) Communication security
15) Privacy and protection of personally identifiable information
16) Supplier relationships

These policies should be communicated to relevant internal and external stakeholders as part of information security awareness.

ISO 27001

Structure of ISO 27001:2013

Controls (Annex A)

A.5: Information Security Policies – Controlling how policies are written and revised

A.6: Information Security Organization – Controls on how responsibilities are assigned; also includes controls for mobile devices

A.7: Human Resources Security – Pre-employment, during and after employment controls

A.8: Asset management – Asset inventory and acceptable use controls; also for information classification and media management

A.9: Access control – Access control policy, user access management, system and application access control

A.10: Cryptography – Encryption and Key Management Controls

A.11: Physical and environmental security – Controls defining secure areas, entry controls, protection against threats, security of the equipment, secure removal, clear desk and clear screen policy, etc.

A.12: Operational security – Procedures and responsibilities, malware, backup, logging, monitoring, installation, vulnerability etc.

A.13: Communications Security – Network security, information transfer, e-mail security checks etc.

A.14: Acquisition, development and maintenance of the system – Controls defining security requirements and security in the development and support processes

A.15: Vendor Relations – Controls on what to include in agreements and how to monitor suppliers

A.16: Information Security Incident Management – Controls for reporting events and weaknesses, defining responsibilities, assessing events, responding to and learning from incidents, and collecting evidence.

A.17: Information security aspects of business continuity management – Controls on the planning, implementation and review of information security continuity.

A.18: Compliance – Controls requiring the identification of applicable laws and regulations, protection of intellectual property, protection of personal data and review of the security of personal information

One of the biggest myths about ISO 27001 implementation is that it is computer-centric. On the contrary, it covers the many organizational, physical and human aspects listed above under Annex A.

The controls listed in Annex A are an essential part of ISO 27001 implementation. Based on the risk assessment, an organization can decide the applicability of each control, provided it documents a valid rationale.

ISO 27001

What is ISO 27001?

ISO 27001 is a standard that helps organizations manage information security. It was published by the International Organization for Standardization (ISO). The latest revised version is ISO 27001:2013; the first version was published in 2005. The standard was developed from the British Standard BS 7799-2.

Which type of organizations can get certified for ISO 27001?

ISO 27001 can be implemented in any kind of organization: profit or non-profit, private or state-owned, small or large. ISO 27001 establishes a framework for implementing information security management in an organization. Organizations can also get certified against ISO 27001. Independent certification bodies perform the audit and, on compliance with the standard, issue the certificate to the organization.

What are the benefits of ISO 27001?

  1. Acquire new clients and retain existing ones
  2. Avoid losses and penalties from data breaches
  3. Comply with business, legal and regulatory requirements
  4. Protect and enhance the organization's reputation
  5. Provide a competitive advantage
  6. Deliver services or products consistently
  7. Build a culture of security

How is the ISO 27001 standard structured?

ISO 27001 is split into 11 sections, plus Annex A. Sections 0 to 3 are introductory (and are not mandatory for implementation), while sections 4 to 10 are mandatory, meaning that all their requirements must be implemented if an organization wants to be compliant with the standard. Controls from Annex A must be implemented only if declared applicable in the Statement of Applicability.

How to implement ISO 27001?

The steps involved are:

  1. Get Sponsorship for the project
  2. Define the scope for ISO 27001
  3. Conduct ISO 27001 Awareness Training
  4. Establish top-level Information security policy
  5. Prepare the asset list
  6. Perform the risk assessment and risk treatment
  7. Write the Statement of Applicability
  8. Prepare Risk treatment plan
  9. Implement all applicable controls and procedures
  10. Conduct Internal Auditor Training
  11. Perform internal audit
  12. Perform management review
  13. Implement corrective actions
  14. Conduct Certification Audits