ISO 27001 Annex : A.6 Organization of Information Security


6.1 Internal Organization

ISO 27001 Annex : A.6 Organization of Information Security its object is to establish a management framework for initiating and controlling the implementation and functioning of information security within the organization.
6.1.1 Information Security Roles and Responsibilities
Control- All responsibilities related to information security should be well defined and assigned.
Implementation Guidance- Allocation of information security responsibilities should be carried out in compliance with information security policies (Refer A.5.1.1). Responsibilities for the security of individual assets and the implementation of specific information security procedures should be defined. Responsibilities for information security risk management activities and, in particular, for the acceptance of residual risks should be defined. When necessary, further guidance should be provided for specific sites and information processing facilities in order to supplement these responsibilities. Local responsibilities should be defined for the protection of assets and for the implementation of specific security processes. Individuals with assigned responsibility for information security can delegate security tasks to others. But they remain responsible and must decide whether any delegated tasks are conducted correctly or not
Areas for which individuals are responsible should be defined. In fact, the subsequent should take place:
1. Assets as well as the information security processes should be identified and well defined;
2. An individual candidate should be assigned for each asset and information security processes and details describing the responsibility should be documented;3. Levels of authorization should be described and documented;
4. The appointed persons should be competent in this area and be given opportunities to keep up to date with their progress, in order to meet responsibilities in the information security area;
5. Coordination and monitoring should be identified and documented on information security aspects of supplier relations.
Other Information- Many organizations assign an information security officer to take ultimate responsibility for information security development and implementation, and to help access recognition. However, individual management will often remain responsible for the resourcing and implementation of the controls. It is common practice to appoint an owner for all assets which are then responsible for their regular security.
6.1.2  Segregation of Duties
Control- Conflicting tasks and areas of responsibility should be separated to reduce opportunities to change or misuse the assets of the organization without permission or unintended.
Implementation Guidance- No one shall be allowed without authorization or approval to access, modify or use the assets. This will distinguish the execution of an occurrence from its authorization. The probability of collusion in should be considered while designing the controls. Small organizations may find it impossible to accomplish division of tasks, but the principle should be enforced as far as is practicable and feasible. If segregation is challenging, other measures such as task reporting, audit trails and management supervision should be considered.
Other Information- Segregation of duties may be a method to reduce the risk of unintentional or intentional abuse of the assets of the organization.
6.1.3  Contact with Authorities
Control- It is necessary to maintain proper communications with the relevant authorities.
Implementation Guidance- Organizations should have processes in place that determine when and by whom officials (e.g. law enforcement, regulatory agencies, supervisory officials) should communicate and how information security violations detected will be recorded in a timely manner (e.g. if the law is alleged to have been violated).
Other Information- Internet-assaulted organizations may require authorities to take measures against the attack. Holding these connections may also be a necessity to support incident management  or business continuity and contingency planning processes in information security. Contacts with regulatory bodies are also useful when anticipating and preparing potential changes in the laws or regulations that the organization needs to enforce. Contacts with other authorities include utilities, emergency services, suppliers of energy and safety , and protection such as fire departments, telecommunication (routing and availability) suppliers, and water (equipment cooling).
6.1.4  Contact with Interest groups
Control- Appropriate connections should be established with special interest organizations or other forums for professional security and professional associations.
 Implementation Guidance
  •  Membership of community groups or forums  should be considered as a way to:
    1. Improve skills and keep up to date on appropriate safety details about the best practices;
    2. Ensuring an up-to – date and complete understanding of information security;3. Receive early warnings about threats and vulnerabilities, updates and patches;
    4. Enable expert information security advice;
    5. Share and exchange information on new technology, products, threats or vulnerabilities;  
    6. provide correct liaison points for events relevant to information security

--------------------------------------------------------------------------------------------------------------------------

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com

Comments

Post a Comment

Popular posts from this blog

Top 5 Key Elements of an Information Security

ISO 27001 Annex : A.5 Information Security Policies

Types of Vulnerability Assessment