Information Security

Implementation Guide
Presidio Information
Information Security Implementation Guide PAGE 2

Summary
Information assets, including data and information systems, need to be protected from
security threats. To protect their information assets & facilities need to design, implement,
and maintain an information security program.
The guidance provided in this document is based on international standards, best practices,
and the experience of the information security, cyber security, and physical security experts
on the document writing team.
It provides recommendations on best practices for information security and high-value
security controls & Information Security Management System Planning for any organisation
focuses on information security planning. It describes a risk-based approach for planning
information security programs based on the sensitivity of the data developed, processed,
communicated, and stored on facility information systems.
Information Security Implementation Guide PAGE 3

This document is designed to assist organisation facilities in developing a comprehensive set

of security controls to support the implementation of a risk-based, cost-effective
information security program. A security control is a “safeguard or
countermeasure…designed to protect the confidentiality, integrity, and availability” of an
information asset or system and “meet a set of defined security requirements.”
Security controls cover management, operational, and technical actions that are designed
to deter, delay, detect, deny, or mitigate malicious attacks and other threats to information
systems. The protection of information involves the application of a comprehensive set of
security controls that addresses cyber security (i.e., computer security), physical security,
and personnel security. It also involves protecting infrastructure resources upon which
information security systems rely (e.g., electrical power, telecommunications, and
environmental controls). The application of security controls is at the heart of an
information security management system (ISMS). The selection and application of specific
security controls is guided by a facility’s information security plans and associated policies.
Not all facilities can afford to purchase, install, operate, and maintain expensive security
controls and related systems; therefore, decisions on the application of security controls
have to balance considerations of security risk and resource constraints. When resources
are limited, investments in security controls should focus on implementing a set of controls
that provide the greatest overall risk reduction given the Management System Planning for
organization facilities.
In this document, security controls are proposed for the following information
security planning topic areas:
• Risk Assessment
• Risk Response
• Risk Monitoring
• Business Environment
• Asset Management
• Security Control Implementation
• Configuration Management
• Contingency Planning and Disaster Recovery
• Incident Response
• Monitoring and Auditing
• Awareness and Training.
For each topic area, security controls are presented along with the minimum risk level for
the
information system at which the listed security control should be applied. Also provided for
each security control are a summary rationale and its publicly available source. The major
sources used are the Guide to Developing a Cyber Security and Risk Mitigation and Critical
Security Controls for Effective
After reviewing the various security control options, a facility should select and implement
an appropriate set of security controls based on risk levels and resource constraint. These
security controls should then be tracked to ensure they are appropriately used and
maintained, and that the associated responsibilities, assignments, deliverables, and
deadlines are documented.
Information Security Implementation Guide PAGE 4

IMPLEMENTATION GUIDANCE

INDEX
ISO 27001 Requirements

1 Understanding the organization and its context

2 Understanding the needs and expectations of interested parties
3 Information security management system
4 Determining the scope of the information security management system
5 Leadership and commitment
6 Policy
7 Organizational roles, responsibilities and authorities
8 Actions to address risks and opportunities
9 Information security risk assessment process
10 Information security risk treatment
11 Information security objectives & planning
12 Resources
13 Competence
14 Awareness
15 Communication
16 Documented information Implementation Guideline
17 Operational planning & control
18 Information security risk assessment
19 Information security risk treatment
20 Performance evaluation Monitoring, measurement, analysis & evaluation
21 Internal audits
22 Management review
23 non-conformity and corrective action
24 Continual Improvement
 Information Security Implementation Guide PAGE 5

Understanding the organization and its context

Required activity

The organization determines external and internal issues relevant to its purpose and affecting its ability to
realize the intended outcome(s) of the knowledge security management system (ISMS).

Explanation
As an integral function of the ISMS, the organization continually analyses itself and therefore the world
surrounding it. This analysis cares with external and internal issues that in how affect information security and
the way information security are often managed, which are relevant to the organization’s objectives.

Analysis of those issues has three purposes:

— Understanding the context so as to make a decision the scope of the ISMS;
— Analyzing the context so as to work out risks and opportunities;
— Ensuring that the ISMS is tailored to changing external and internal issues.
External issues are those outside of the organization’s control. this is often mentioned because the
organization’s environment.

Analyzing this environment can include the subsequent aspects:

a) Social and cultural;
b) Political, legal, normative and regulatory;
c) Financial and macroeconomic;
d) Technological;
e) Natural;
f) Competitive.
These aspects of the organization’s environment continually present issues that affect information security
and the way information security are often managed. The relevant external issues depend upon the
organization’s specific priorities and situation.

For example, external issues for a selected organization can include:

a) The legal implications of using an outsourced IT service (legal aspect);
b) Characteristics of the character in terms of possibility of disasters like fire, flood and earthquakes (natural
aspect);
c) technical advances of hacking tools and use of cryptography (technological aspect); and
d) The overall demand for the organization’s services (social, cultural or financial aspects).
e) Internal issues are subject to the organization’s control.

Analyzing the interior issues can include the following aspects:

a) The organization’s culture;
b) Policies, objectives, and therefore the strategies to realize them;
c) Governance, organizational structure, roles and responsibilities;
d) Standards, guidelines and models adopted by the organization;
e) Contractual relationships which will directly affect the organization’s processes included within the scope of
the ISMS;
f) Processes and procedures;
 Information Security Implementation Guide PAGE 6

g) The capabilities, in terms of resources and knowledge (e.g., capital, time, persons, processes, systems and
technologies);
h) Physical infrastructure and environment;
i) Information systems, information flows and deciding processes (both formal and informal);
j) Previous audits and former risk assessment results.

Based on an understanding of the organization’s purpose (e.g., pertaining to its mission statement or business
plan) also because the intended outcome(s) of the organization’s ISMS, the organization should:
— Review the external environment to spot relevant external issues; and review the interior aspects to spot
relevant internal issues. In order to spot relevant issues, the subsequent question is often asked:

How does a particular category of issues affect information security objectives?

Three samples of internal issues function an illustration by:

Example 1 on governance and organizational structure; When establishing an ISMS, already existing
governance and organizational structures should be taken under consideration. As an example, the
organization can model the structure of its ISMS supported the structure of other existing management
systems, and may combine common functions, like management review and auditing.

Example 2 on policy, objectives and methods: An analysis of existing policies, objectives and methods, can
indicate what the organization intends to realize and the way the knowledge security objectives are often
aligned with business objectives to make sure successful outcomes.

Example 3 on information systems and knowledge flows: When determining internal issues, the organization
should identify, at a sufficient level of detail, the knowledge flows between its various information systems.
As both the external and therefore the internal issues will change over time, the problems and their influence
on the scope, constraints and requirements of the ISMS should be reviewed regularly. Documented
information on this activity and its outcome is mandatory only within the form and to the extent that the
organization determines as necessary for the effectiveness of its management system.

Understanding the needs and expectations of interested parties

Required activity
The organization determines interested parties relevant to the ISMS and their requirements relevant to
information security.

Explanation
Interested party may be a defined term that refers to persons or organizations which will affect, be suffering
from, or perceive themselves to be suffering from a choice or activity of the organization. Interested parties
are often found both outside and inside the organization and may have specific needs, expectations and
requirements for the organization’s information security.

External interested parties can include:

a) Regulators and legislators;
b) Shareholders including owners and investors;
c) Suppliers including subcontractors, consultants, and outsourcing partners;
 Information Security Implementation Guide PAGE 7

d) Industry associations;
e) Competitors;
f) Customers and consumers;
g) Activist groups.

Internal interested parties can include:

a) Decision makers including top management;
b) Process owners, system owners, and knowledge owners;
c) Support functions like IT or Human Resources;
d) Employees and users;
e) Information security professionals.

Implementation Guidance
The following steps should be taken:
— identify external interested parties;
— identify internal interested parties;
— identify requirements of interested parties.
As the needs, expectations and requirement of interested parties change over time, these changes and their
influence on the scope, constraints and requirements of the ISMS should be reviewed regularly.
Documented information on this activity and its outcome is mandatory only within the form and to the extent
the organization determines as necessary for the effectiveness of its management system.

Information security management system

Required activity
The organization establishes implements, maintains and continually improves the ISMS.

Explanation
ISO/IEC 27001:2013, 4.4 states the central requirement for establishing, implementing, maintaining and
continually improving an ISMS. While the opposite parts of ISO/IEC 27001 describe the specified elements of
an ISMS, 4.4 mandates the organization to make sure that each one required element are met so as to
determine, implement, maintain and continually improve the ISMS.

Determining the scope of the information security management system

Required Activity
Clause 4.3 ISO 27001 Implementation Guideline The organization determines the boundaries and applicability
of the ISMS (information security management system) to determine its scope.

Explanation
The scope of the information security defines where and for what precisely the ISMS is applicable and where
and for what it’s not. Establishing the scope is therefore a key activity that determines the required foundation
for all other activities within the implementation of the ISMS. as an example, risk assessment and risk
treatment, including the determination of controls, won’t produce valid results without having a particular
understanding of where precisely the ISMS is applicable. Precise knowledge of the boundaries and
applicability of the ISMS and therefore the interfaces and dependencies between the organization and other
 Information Security Implementation Guide PAGE 8

Organizations is critical as well. Any later modifications of the scope may result in considerable additional
effort and costs.

The following factors can affect the determination of the scope:

a) The external and internal issues described in Understanding the organization and its context;
b) The interested parties and their requirements that are determined consistent with ISO/IEC 27001:2013¸4.2;
c) The readiness of the business activities to be included as a part of ISMS coverage;
d) All support functions, i.e., functions that are necessary to support these business activities (e.g., Human
resources management; IT services and software applications; facility management of Buildings, physical
zones, essential services and utilities);
e) All functions that is outsourced either to other parts within the organization or to independent suppliers.

The scope of an ISMS is often very different from one implementation to a different. as an example, the scope
can include:
— One or more specific processes;
— One or more specific functions;
— One or more specific services;
— One or more specific sections or locations;
— A whole legal entity;
— A whole administrative entity and one or more of its suppliers.

To establish the scope of ISMS, multi-step approaches are often followed:

a) Determine the preliminary scope: this activity should be conducted by a little, but representative group of
management representatives;

b) Determine the refined scope: the functional units within and out of doors the preliminary scope should be
reviewed, possibly followed by inclusion or exclusion of a number of these functional units to scale back the
amount of interfaces along the boundaries. When refining the preliminary scope, all support functions should
be considered that are necessary to support the business activities included in the scope;

c) Determine the ultimate scope: the refined scope should be evaluated by all management within the refined
scope. If necessary, it should be adjusted then precisely described; and

d) Approval of the scope: the documented information describing the scope should be formally approved by
top management.

The organization should also consider activities with impact on the ISMS or activities that are outsourced,
either to other parts within the organization or to independent suppliers. For such activities, interfaces
(physical, technical and organizational) and their influence on the scope should be identified.

Documented information describing the scope should include:

a) The organizational scope, boundaries and interfaces;
b) The information and communication technology scope, boundaries and interfaces;
c) The physical scope, boundaries and interfaces.
 Information Security Implementation Guide PAGE 9

Leadership and commitment

ISO 27001 Implementation Guideline Clause 5.1 is related to Leadership and commitment.

Required activity
Implementation for Top management demonstrates leadership and commitment with regard to the ISMS.

Implementation Guideline
Leadership and commitment are essential for an efficient ISMS. Top management is defined (see ISO/IEC
27000) as an individual or group of individuals who directs and controls the organization of the ISMS at the
very best level, i.e. top management has the general responsibility for the ISMS. this suggests that top
management directs the ISMS during a similar thanks to other areas within the organization, for instance the
way budgets are allocated and monitored. Top management can delegate authority within the organization
and supply resources for actually performing activities associated with information security and therefore the
ISMS, but it still retains overall responsibility.

As an example, the organization implementing and operating the ISMS are often a business unit within a
bigger organization. during this case, top management is that the person or group of individuals that directs
and controls that business unit. Top management also participates in management review and promotes
continual improvement.

Top management should provide leadership and show commitment through the following:
a) Top management should make sure that the knowledge security policy and therefore the information
security objectives are established and are compatible with the strategic direction of the organization;

b) Top management should make sure that ISMS requirements and controls are integrated into the
organization’s processes. How this is often achieved should be tailored to the precise context of the
organization. for instance, a corporation that has designated process owners can delegate the responsibility to
implement applicable requirements to those persons or group of individuals. Top management support also
can be needed to beat organizational resistance to changes in processes and controls;

c) Top management should make sure the availability of resources for an efficient ISMS. The resources are
needed for the establishment of the ISMS, its implementation, maintenance and improvement, as well as for
implementing information security controls.

Resources needed for the ISMS include:

1) Financial resources;
2) Personnel;
3) Facilities;
4) Technical infrastructure.

The needed resources depend upon the organization’s context, like the dimensions, the complexity, and
internal and external requirements. The management review should provide information that indicates
whether the resources are adequate for the organization;

d) Top management should communicate the necessity for information security management within the
organization and therefore the got to conform to ISMS requirements. this will be done by giving practical
 Information Security Implementation Guide PAGE 10

examples that illustrate what the particular need is within the context of the organization and by
communicating information security requirements;

e) Top management should make sure that the ISMS achieves its intended outcome(s) by supporting the
implementation of all information security management processes, and especially through requesting and
reviewing reports on the status and effectiveness of the ISMS . Such reports are often derived from
measurements, management reviews and audit reports. Top management also can set performance
objectives for key personnel involved the ISMS;

f) Top management should direct and support persons within the organization directly involved information
security and therefore the ISMS. Failing to try to this will have a negative impact on the effectiveness of the
ISMS. Feedback from top management can include how planned activities are aligned to the strategic needs
for the organization and also for prioritizing different activities within the ISMS;

g) Top management should assess resource needs during management reviews and set objectives for
continual improvement and for monitoring effectiveness of implementation planned activities;

h) Top management should support persons to whom roles and responsibilities concerning information
security management are assigned, in order that they’re motivated and ready to direct and support
information security activities within their area. In cases where the organization implementing and operating
an ISMS is a component of a bigger organization, leadership and commitment are often improved by
engagement with the person or group of individuals that controls and directs the larger organization. If they
understand what’s involved in implementing an ISMS, they will provide support for top management within
the ISMS scope and help them provide leadership and demonstrate commitment to the ISMS. for instance, if
interested parties outside the scope of the ISMS are engaged in deciding concerning information security
objectives and risk criteria and are kept conscious of information security outcomes produced by the ISMS,
their decisions regarding resource allocations are often aligned to the wants of the ISMS.

Policy
Required activity
ISO 27001 Implementation Guideline Clause 5.2 Policy, Top management establishes an information security
policy.

Explanation
The information security policy describes the strategic importance of the ISMS for the organization and is out
there as documented information. The policy directs information security activities within the organization.
The policy states what the requirements for information security are within the actual context of the
organization.

The information security policy should contain brief, high-level statements of intent and direction concerning
information security. It is often specific to the scope of an ISMS or can have wider coverage. All other policies,
procedures, activities and objectives associated with information security should be aligned to the knowledge
security policy.

The information security policy should reflect the organization’s business situation, culture, issues and
concerns concerning information security. The extent of the knowledge security policy should be in
 Information Security Implementation Guide PAGE 11

accordance with the aim and culture of the organization and will seek a balance between simple reading and
completeness. it’s important that users of the policy can identify themselves with the strategic direction of the
policy.

The information security policy can either include information security objectives for the organization or
describe the framework for a way information security objective are set (i.e., who sets them for the ISMS and
the way they ought to be deployed within the scope of the ISMS). for instance, in very large organizations,
high level objectives should be set by the highest management of the whole organization, then, consistent
with a framework established within the information security policy, the objectives should be detailed during
a thanks to provides a sense of direction to all or any interested parties.

The information security policy should contain a transparent statement from the highest management on its
commitment to satisfy information security related requirements. The information security policy should
contain a transparent statement that top management supports continual improvement altogether activities.
it’s important to state this principle within the policy, in order that persons within the scope of the ISMS are
conscious of it.

The information security policy should be communicated to all or any persons within the scope of the ISMS.
Therefore, its format and language should be appropriate in order that it’s easily understandable by all
recipients.

Top management should plan to which interested parties the policy should be communicated. the knowledge
security policy is often written in such how that it’s possible to speak it to relevant external interested parties
outside of the organization. samples of such external interested parties are customers, suppliers, contractors,
subcontractors and regulators. If the knowledge security policy is formed available to external interested
parties, it shouldn’t include tip.

The information security policy may either be a separate standalone policy or included during a
comprehensive policy, which covers multiple management system topics within the organization (e.g. quality,
environment and knowledge security).

The information security policy should be available as documented information. the wants in ISO/IEC 27001
don’t imply any specific form for this documented information, and thus is up to the organization to make a
decision what form is most appropriate. If the organization features a standard template for policies, the
shape of the knowledge security policy should use this template.
 Information Security Implementation Guide PAGE 12

Organizational roles, responsibilities and authorities

Required activity
Top management ensures that responsibilities and authorities for roles relevant to information security are
assigned and communicated throughout the organization.

Implementation Guideline
Top management ensures that roles and responsibilities also because the necessary authorities relevant to
information security are assigned and communicated. The purpose of this requirement is to assign
responsibilities and authorities to make sure conformance of the ISMS with the wants of ISO/IEC 27001, and
to make sure reporting on the performance of the ISMS to the highest management.

Top management should regularly make sure that the responsibilities and authorities for the ISMS are
assigned in order that the management system fulfils the wants stated in ISO/IEC 27001. Top management
doesn’t get to assign all roles, responsibilities and authorities, but it should adequately delegate authority to
do this. Top management should approve major roles, responsibilities and authorities of the ISMS.
Responsibilities and authorities associated with information security activities should be assigned.

Activities include:
a) Coordinating the establishment, implementation, maintenance, performance reporting, and improvement
of the ISMS;
b) Advising on information security risk assessment and treatment;
c) Designing information security processes and systems;
d) Setting standards concerning determination, configuration and operation of data security controls;
e) Managing information security incidents; and
f) Reviewing and auditing the ISMS.
Beyond the roles specifically associated with information security, relevant information security
responsibilities and authorities should be included within other roles.

For instance, information security responsibilities are often incorporated within the roles of:
a) Information owners;
b) Process owners;
c) Asset owners (e.g., application or infrastructure owners);
d) Risk owners;
e) Information security coordinating functions or persons (this particular role is generally a supporting role
within the ISMS);
f) Project managers;
g) Line managers;
h) Information users.
 Information Security Implementation Guide PAGE 13

Resources
Required activity
The organization determines and provides the resources for establishing, implementing, maintaining and
continually improving the ISMS.

Implementation Guideline
Resources are fundamental to perform any quite activity. Categories of resources can include:
a) persons to drive and operate the activities;
b) time to perform activities and time to permit results to calm down before making a replacement step;
c) financial resources to accumulate, develop and implement what’s needed;
d) information to support decisions, measure performance of actions, and improve knowledge; and
e) infrastructure and other means are often acquired or built, like technology, tools and materials, no matter
whether or not they are products of data technology or not.
These resources are to be kept aligned with the requirements of the ISMS and hence are to be adapted when
required.

The organization should:

a) estimate the resources needed for all the activities associated with the ISMS in terms of quantity and
quality (capacities and capabilities);
b) acquire the resources as needed;
c) provide the resources;
d) maintain the resources across the entire ISMS processes and specific activities; and
e) review the provided resources against the requirements of the ISMS, and adjust them as needed.

Documented information on this activity and its outcome is mandatory only within the form and to the extent
the organization determines as necessary for the effectiveness of its management system.

Actions to address risks and opportunities

Overview
ISO/IEC 27001:2013 cares with the design of actions to deal with all kinds of risks and opportunities that are
relevant to the ISMS. This includes risk assessment and planning for risk treatment.

The structure of ISO/IEC 27001 subdivides risks into two categories during planning:
Risks and opportunities relevant to the intended outcome(s) of the ISMS as a whole;
Information security risks that relate to the loss of confidentiality, integrity and availability of data within the
scope of the ISMS.
The first category should be handled in accordance with requirements laid out in ISO/IEC 27001:2013
(general). Risks that fall under this category are often risks concerning the ISMS itself, the ISMS scope
definition, top management’s commitment to information security, resources for operating the ISMS, etc.
Opportunities that fall under this category are often opportunities concerning the outcome(s) of the ISMS, the
commercial value of an ISMS, the efficiency of operating ISMS processes and knowledge security controls, etc.
 Information Security Implementation Guide PAGE 14

The second category consists of all risks that directly relate to the loss of confidentiality, integrity and
availability of data within the scope of the ISMS. These risks should be handled in accordance with
(information security risk assessment) and (information security risk treatment). Organizations may prefer to
use different techniques for every category.

The subdivision of requirements for addressing risks are often explained as follows:
It encourages compatibility with other management systems standards for those organizations that have
integrated management systems for various aspects like quality, environment and knowledge security;
It requires that the organization defines and applies complete and detailed processes for information security
risk assessment and treatment;
It emphasizes that information security risk management is that the core element of an ISMS. ISO/IEC
27001:2013 uses the expressions ‘determine the risks and opportunities’ and ‘address these risks and
opportunities. The word “determine” are often considered to be like the word “assess” utilized in ISO/IEC
27001:2013 (i.e. identify, analyze and evaluate). Similarly, the word “address” are often considered like the
word “treat” utilized in ISO/IEC 27001:2013.
When planning for the ISMS, the organization determines the risks and opportunities considering issues
mentioned in understanding the organization and its context and requirements mentioned in understanding
the needs and expectations of interested parties.

Implementation Guideline
For risks and opportunities relevant to the intended outcome(s) of the ISMS, the organization determines
them supported internal and external issues and requirements from interested parties.

Then the organization plans its ISMS to:

Make sure that intended outcomes are delivered by the ISMS, e.g., that the knowledge security risks are
known to the danger owners and treated to a suitable level;
Prevent or reduce undesired effects of risks relevant to the intended outcome(s) of the ISMS;
Achieve continual improvement, e.g., through appropriate mechanisms to detect and proper weaknesses
within the management processes or taking opportunities for improving information security. Risks connected
to a) above might be unclear processes and responsibilities, poor awareness among employees, poor
engagement from management, etc. Risks connected to b) above might be poor risk management or poor
awareness of risks. Risks connected to c) above might be poor management of the ISMS documentation and
processes.
When a corporation pursues opportunities in its activities, these activities then affect the context of the
organization (ISO/IEC 27001:2013) or the requirements and expectations of interested parties (ISO/IEC
27001:2013), may change the risks to the organization.

Examples of such opportunities can be:

Focusing its business on some areas of products or services, establishing marketing strategy for a few
countries, or expanding business partnerships with other organizations. Opportunities also exist in continual
improvements of the ISMS processes and documentation, alongside evaluation of the intended outcomes
delivered by the ISMS. for instance, consideration of a comparatively new ISMS often leads to identification of
opportunities to refining processes by clarifying interfaces, reducing administrative overhead, eliminating
parts of processes that aren’t cost effective, by refining documentation and introducing new information
technology.
 Information Security Implementation Guide PAGE 15

The planning includes the determination of:

Actions to deal with the risks and opportunities;
The way to:
Integrate and implement these actions into the ISMS processes;
Evaluate the effectiveness of those actions.
The organization should:
1. Determine risks and opportunities which will affect the achievement of the goals described in a), b) and c),
considering the problems mentioned in understanding the organization and its context and therefore the
requirements mentioned in understanding the needs and expectations of interested parties;
2. Develop an idea to implement the determined actions and to gauge the effectiveness of these actions;

Actions should be planned considering integration of data security processes and documentation in existing
structures; of these actions are linked with information security objectives against which the knowledge
security risks are assessed and treated. The general requirement to repeatedly improve the ISMS stated in
ISO/IEC 27001:2013, 10.2 is supported by the need to realize continual improvement given in 6.1.1 with other
relevant requirements of ISO/IEC 27001:2013). The actions required in this often different for strategical,
tactical and operational levels, for various sites, or for various services or systems.

Several approaches are often taken to satisfy the wants of two of which are:
considering risks and opportunities related to planning, implementing and operating the ISMS separately from
information security risks;
considering all risks simultaneously.
An organization that’s integrating an ISMS into a longtime management system can find that the wants of are
met by the organization’s existing business planning methodology. Where this is often the case, care should
be taken to verify that the methodology covers all the wants on the general. Documented information on this
activity and its outcome is mandatory only within the form and to the extent the organization determines as
necessary for the effectiveness of its management system.

Information security risk assessment process

Required activity
The organization defines and applies an information security risk assessment process.

Explanation
The organization defines an information security risk assessment process that:

Establishes and maintains;

The Risk acceptance criteria;
Criteria for performing information security risk assessments, which may include criteria for assessing the
consequence and likelihood, and rules for the determination of the extent of risk;
Ensures that repeated information security risk assessments produce consistent, valid and comparable results.
The information security risk assessment process is then defined along the subsequent sub-processes:
Identification of data security risks:
Identify risks related to the loss of confidentiality, integrity and availability for information within the scope of
the ISMS;
Identify the Risk owners related to these risks, i.e. identify and appoint persons with the acceptable authority
and responsibility for managing identified risks.
 Information Security Implementation Guide PAGE 16

Analysis of the knowledge security risks:

Assess the potential consequences just in case the identified risks materialize, e.g. direct business impacts like
monetary loss or indirect business impacts like damage in reputation.
Assessed consequences are often reported with quantitative or qualitative values;
Assess the realistic likelihood of occurrence of the identified risks, with quantitative (i.e., Probability or
frequency) or qualitative values;
Determine the amount of identified risk as a predefined combination of assessed consequences and assessed
likelihoods;
Evaluation of the knowledge security risks:
Compare the results of risk analysis with the Risk acceptance criteria established before;
Prioritize the analyzed risks for risk treatment, i.e. determine urgency of treatment for risks
That are considered as unacceptable, and sequence if several risks need treatment.
The information security risk assessment process is then applied.
All steps of the knowledge security risk assessment process also because the results of its application are
retained by the organization as documented information.
Implementation Guideline
The information security risk criteria should be established considering the context of the organization and
requirements of interested parties and will be defined in accordance with top management’s risk preferences
and risk perceptions on one hand and will leave a feasible and appropriate risk management process on the
opposite hand. The information security risk criteria should be established in reference to the intended
outcome(s) of the ISMS. The criteria concerning information security risk assessment that consider the
assessment of likelihood and consequences should be established. Further, risk acceptance criteria should be
established.
After establishing criteria for assessing consequences and likelihoods of data security risks, the organization
should also establish a way for combining them so as to work out A level of risk. Consequences and likelihoods
could also be expressed during a qualitative, quantitative or semi quantitative manner.

Risk acceptance criteria relates to risk assessment (in its evaluation phase, when the organization should
understand if a risk is suitable or not), and risk treatment activities (when the organization should understand
if the proposed risk treatment is sufficient to succeed in a suitable level of risk). Risk acceptance criteria are
often supported a maximum level of acceptable risks, on cost-benefits considerations, or on consequences for
the organization. The risk acceptance criteria should be approved by the responsible management.

Producing consistent, valid and comparable assessment results

The risk assessment process should be supported methods and tools designed in sufficient detail in order that
it results in consistent, valid and comparable results.
Whatever the chosen method, the knowledge security risk assessment process should ensure that:
all risks, at the needed level of detail, are considered;
Its results are consistent and reproducible (i.e., the identification of risks, their analysis and their evaluation
are often understood by a 3rd party and results are an equivalent when different persons assess the risks
within the same context);
The results of repeated risk assessments are comparable (i.e., it’s possible to know if the amount of risk are
increased or decreased).
Inconsistencies or discrepancies within the results when the entire or a part of the knowledge security risk
assessment process is repeated can indicate that the chosen risk assessment method isn’t adequate.
Identification of data security risks
 Information Security Implementation Guide PAGE 17

Risk identification is that the process of finding, recognizing and describing risks. This involves the
identification of risk sources, events, their causes and their potential consequences. The aim of risk
identification is to get a comprehensive list of risks supported those events which may create, enhance,
prevent, degrade, accelerate or delay the achievement of data security objectives.
Two approaches are commonly used for the identification of data security risks:

Event-based approach: considers risk sources during a generic way. Events considered can have happened
within the past or are often anticipated for the longer term. within the first case they will involve historical
data, within the second case they will be supported theoretical analysis and expert opinions;
This approach supports identification of assets, threats, and vulnerabilities: considers two differing types of
risk sources: assets with their intrinsic vulnerabilities, and threats. Potential events considered here are ways
on how threats could exploit a particular vulnerability of an asset to impact the organization’s objectives.
Other approaches of risk identification could also be used if they need proven an identical practical usefulness
and if they will make sure the requirements in.

NOTE The approach supported assets, threats, and vulnerabilities corresponds to the knowledge security risk
identification approach by, and compatible with, the wants in ISO/IEC 27001 to make sure that previous
investments in risk identification aren’t lost. It is not recommended that the risk identification be too detailed
within the first cycle of risk assessment. Having a high level but clear picture of the knowledge security risks is
way better than having no picture in the least.

Analysis of the knowledge security risks

Risk analysis has the target to work out the extent of the Risk. ISO 31000 is referenced in ISO/IEC 27001 as a
general model. ISO/IEC 27001 requires that for every identified risk the Risk analysis is predicated on assessing
the results resulting from the Risk and assessing the likelihood of these consequences occurring to work out A
level of risk.

Techniques for risk analysis supported consequences and likelihood can be:
Qualitative, employing a scale of qualifying attributes (e.g., high, medium, low);
quantitative, employing a scale with numerical values (e.g., monetary cost, frequency or probability of
occurrence); or semi-quantitative, using qualitative scales with assigned values.

Whatever technique for risk analysis is employed, its level of objectivity should be considered.
There are several methods for analyzing the risks. the 2 approaches mentioned (event-based approach and
approach supported identification of assets, threats, and vulnerabilities) are often suitable for information
security risk analysis. Risk identification and analysis processes are often best when administered with the
assistance of experts within the relevant risks under discussion.

Evaluation of the knowledge security risks

Evaluation of analyzed risks involves using the organization’s deciding processes to match the assessed level of
risk for every risk with the pre-determined acceptance criteria so as to work out the Risk treatment options.

This final step of the Risk assessment verifies whether the risks that are analyzed within the previous steps are
often accepted consistent with the acceptance criteria defined under or need further treatment. The step in
delivers information about the magnitude of the Risk but no immediate information about the urgency of
implementing risk treatment options. counting on the circumstances during which risks occur, they will have
 Information Security Implementation Guide PAGE 18

different priorities for treatment. Therefore, the output of this step should be an inventory of risks in priority
order. it’s useful to retain further information about these risks from the risk identification and risk analysis
steps to support decisions for risk treatment.

Information-security-risk-treatment
Required activity
The organization defines and applies an information security risk treatment process.

Implementation Guideline
Information security risk treatment is that the overall process of choosing risk treatment options, determining
appropriate controls to implement such options, formulating a risk treatment plan and obtaining approval of
the Risk treatment plan by the Risk owner(s). All steps of the knowledge security risk treatment process also
because the results of its application are retained by the organization as documented information.

Information security risk treatment options

Risk treatment options are:
Avoiding the Risk by deciding to not start or continue with the activity that provides rise to the Risk or by
removing the Risk source (e.g., closing an e-commerce portal);
Taking additional risk or increasing risk so as to pursue a business opportunity (e.g., opening an e-commerce
portal);
Modifying the Risk by changing the likelihood (e.g., reducing vulnerabilities) or the results (e.g., diversifying
assets) or both;
Sharing the Risk with other parties by insurance, sub-contracting or risk financing; and
Retaining the Risk supported the Risk acceptance criteria or by informed decision (e.g., maintaining the
prevailing e-commerce portal because it is).
Each individual risk should be treated in line with information security objectives by one or more of those
options, so as to satisfy risk acceptance criteria.

Determining necessary controls

Special attention should tend to the determination of the required information security controls. Any control
should be determined supported information security risks previously assessed. If a corporation features a
poor information security risk assessment, it’s a poor foundation for its choice of data security controls.

Appropriate control determination ensures:

All necessary controls are included, and no unnecessary controls are chosen; and
The planning of necessary controls satisfies an appropriate breadth and depth.
As a consequence of a poor choice of controls, the proposed information security risk treatment can be:
Ineffective;
Inefficient and thus inappropriately expensive.
To ensure that information security risk treatment is effective and efficient, it’s therefore important to be
ready to demonstrate the connection from the required controls back to the results of the Risk assessment
and risk treatment processes. It is often necessary to use multiple controls to realize the specified treatment
of the knowledge security risk for instance, if the choice to vary the results of a specific event is chosen, it may
require controls to effect prompt detection of the event also as controls to reply to and recover from the
event.
 Information Security Implementation Guide PAGE 19

When determining controls, the organization should also take under consideration controls needed for
services from outside suppliers of e.g., applications, processes and functions. Typically, these controls are
mandated by entering information security requirements within the agreements with these suppliers,
including ways to urge information close to which extent these requirements are met (e.g., right of audit).
There could also be situations where the organization wishes to work out and describe detailed controls as
being a part of its own ISMS albeit the controls are administered by outside suppliers. Independently of the
approach taken, the organization always should consider controls needed at their suppliers when determining
controls for its ISMS.
Comparing controls with those in ISO/IEC 27001:2013,
Annex A ISO/IEC 27001:2013, Annex A contains a comprehensive list of control objectives and controls. Users
of this document are directed to the generic representation of controls in ISO/IEC 27001:2013, Annex A to
make sure that no necessary controls are overlooked. Comparison with ISO/IEC 27001:2013, Annex A also can
identify alternative controls to those determined in which may be simpler at modifying information security
risk. Control objectives are implicitly included within the controls chosen. The control objectives and controls
listed in ISO/IEC 27001:2013, Annex A aren’t exhaustive and extra control objectives and controls should be
added as required.

Not every control within ISO/IEC 27001:2013, Annex A must be included. Any control within ISO/IEC
27001:2013, Annex A that doesn’t contribute to modifying risk should be excluded and justification for the
exclusion should tend.

Producing a Statement of Applicability (SoA)

The SoA contains:

Justification for including an impact partially relies on the effect of the control in modifying an information
security risk. A regard to information security risk assessment results and therefore the information security
risk treatment plan should be sufficient, alongside the knowledge security risk modification expected by the
implementation of necessary controls.
Justification for excluding an impact contained within ISO/IEC 27001:2013, Annex A can include the following:
It’s been determined that the control isn’t necessary to implement the chosen information security risk
treatment option(s);
The control isn’t applicable because it’s outside the scope of the ISMS (e.g. ISO/IEC 27001:2013,
Outsourced development isn’t applicable if all the organization’s system development is performed in-house)
It’s obviated by a custom control (e.g., in ISO/IEC 27001:2013 management of removable media might be
excluded if a custom control prevents the utilization of removable media).
NOTE A custom control may be a control not included in ISO/IEC 27001:2013, Annex A.

A useful SoA are often produced as a table containing all 114 controls of ISO/IEC 27001:2013, Annex A along
the rows plus rows with the extra controls that aren’t mentioned in ISO/IEC 27001:2013, Annex A, if needed.
One column of the table can indicate whether an impact is important to implement the Risk treatment
option(s) or are often excluded. A next column can contain the justification for inclusion or exclusion of an
impact. a final column of the table can indicate the present implementation status of the control. Further
columns are often used, like for details not required by ISO/IEC 27001 but usually useful for subsequent
reviews; these details are often a more detailed description of how the control is implemented or a cross-
 Information Security Implementation Guide PAGE 20

reference to a more detailed description and documented information or policies relevant for implementing
the control.

Although it’s not a selected requirement of ISO/IEC 27001, organizations can find it useful to incorporate
responsibilities for the operation of every control included within the SoA.

Formulating an information security risk treatment plan

ISO/IEC 27001 doesn’t specify a structure or content for the knowledge security risk treatment plan.

Thus, the plan should document for every treated risk:

Selected treatment option(s);
Necessary control(s); and
Implementation status.
Risk owner(s);
Expected residual risk after the implementation of actions.
If any action is required by the Risk treatment plan, then it should be planned indicating responsibilities and
deadlines such an action plans are often represented by an inventory of those actions.

A useful information security risk treatment plans are often designed as a table sorted by risks identified
during the Risk assessment, showing all the determined controls. As an example, there are often columns
during this table which indicate the names of the persons liable for providing the controls. Further columns
can indicate the date of implementation of the control, information about how the control (or a process) is
meant to work and a column about the target implementation status.

As an example, for a part of the Risk treatment process, consider the theft of a mobile.

The results are loss of availability and potential undesirable disclosure of data. If the assessment of the Risk
showed that the extent of risk is out of acceptance, the organization can plan to change the likelihood, or
change the results of the Risk. To change the likelihood of loss or theft of a mobile , the organization can
determine that a suitable control is to oblige employees through a mobile device policy to require care of
mobile phones and periodically check for loss.

To change the consequence of loss or theft of a mobile, the organization can determine controls such as:

An event management process so users can report the loss;

A Mobile Device Management (MDM) solution to delete the content of the phone if lost; and
A backup plan of mobile devices for recovering the phone’s content.
When preparing its SoA, the organization can include its chosen controls (mobile device policy and MDM),
justifying their inclusion supported their effects of changing the likelihood and consequences of mobile loss or
theft, leading to reduced residual risk.

Comparing these controls with those listed in ISO/IEC 27001:2013, Annex A, it is often seen that the mobile
device policy is aligned with ISO/IEC 27001:2013, A.6.2.1, but the MDM control doesn’t directly align and will
be considered as a further custom control. If MDM and other controls are determined as necessary control(s)
in an organization’s information security risk treatment plan, they ought to be included within the SoA (see
“Guidance on producing an SoA.
 Information Security Implementation Guide PAGE 21

If the organization wants to further reduce the Risk, it can consider from ISO/IEC 27001:2013(access control
policy) that it lacked control of access to mobile phones and modify its mobile device policy to mandate the
utilization of PINs on all mobile phones. this could then be an extra control to vary the results of loss or theft
of mobile phones.

When formulating its information security risk treatment plan, the organization should then include actions to
implement mobile device policy and MDM and assign responsibilities and time frames.

Obtaining risk owners’ approval

When the knowledge security risk treatment plan is formulated, the organization should obtain the
authorization from the Risk owners. Such authorization should be supported defined risk acceptance criteria
or justified concession if there’s any deviance from them. Through its management processes the organization
should record the Risk owner’s acceptance of the residual risk and management approval of the plan.

As an example, this risk owner’s approvals are often documented by amending the Risk treatment plan
described under guidance on by columns indicating the effectiveness of the control, the residual risk, and
therefore the risk owner’s approval.

Information security objectives & planning

Objectives and planning
ISO 27001 CLAUSE 6.2 Information security objectives & planning to achieve them.

Required activity
The organization establishes information security objectives and plans to realize them at relevant functions
and levels.

Implementation Guideline
Information security objectives help to implement strategic goals of a corporation also on implement the
knowledge security policy. Thereby, objectives in an ISMS are the knowledge security objectives for
confidentiality, integrity and availability of data. Information security objectives also help to specify and
measure the performance of data security controls and processes, in accordance with the knowledge security
policy.
The organization plans establishes and issues information security objectives to relevant functions and levels.
Requirements in ISO/IEC 27001 concerning information security objectives apply to all or any information
security objectives. If the knowledge security policy contains objectives, then those objectives are required to
satisfy the standards. If the policy contains a framework for setting objectives, then the objectives produced
by that framework are required to that can be satisfy.
Requirements to be taken under consideration when establishing objectives are those determined when
understanding the organization and its context also because the needs and expectations of interested parties.
The results from risk assessments and risk treatments are used as input to the on-going review of objectives to
make sure that they continue to be appropriate to the circumstances of a corporation Information security
objectives are inputs for risk assessment: risk acceptance criteria and criteria for performing information
security risk assessments take under consideration these security objectives and thus make sure that levels of
risk are aligned with them.
 Information Security Implementation Guide PAGE 22

Information security objectives as per ISO/IEC 27001 are:

According to the knowledge security policy;

Measurable if practicable; this suggests that it’s important to be ready to determine whether or not an
objective has been met;
Connected to applicable information security requirements, and results from risk assessment and risk
treatment;
communicated;
Updated as appropriate;
The organization retains documented information on the knowledge security objectives.
When planning the way to achieve its information security objectives, the organization determines:

What is going to be done;

What resources are going to be required;
Who are going to be responsible;
When it’ll be completed;
How the results are going to be evaluated;
The above requirement concerning planning is generic and applicable to other plans required by ISO/IEC
27001. Plans to think about for an ISMS include:

Plans for improving the ISMS;

Plans for treating identified risks;
The other plans that are found necessary for effective operation (e.g. plans for developing competence and
increasing awareness, communication, performance evaluation, internal audits and management reviews).
The information security policy should state the knowledge security objectives or provide a framework for
setting the objectives. Security objectives are often expressed in various ways. The expression should be
suitable to satisfy the need of being measurable (if practicable) (ISO/IEC 27001:2013, ).

For example, information security objectives are often expressed in terms of:

Numerical values with their limits, e.g., “not re-evaluate a particular limit”, and “reach level 4”;
The targets for measurements of data security performance;
The targets for measurements of the effectiveness of the ISMS;
Compliance with ISO/IEC 27001;
Compliance with ISMS procedures;
The necessity to finish actions and plans;
Risk criteria to be met.
The following guidance applies to the bullets addressed within the explanation:

The knowledge security policy specifies the wants for information security in a corporation. All other specific
requirements set for relevant functions and levels should be according to them. If the knowledge security
policy has information security objectives, then the other specific information security objective should be
linked to those within the information security policy. If the knowledge security policy only provides the
framework for setting objectives, then that framework should be followed and will make sure that more
specific objectives are linked to the more generic ones;
 Information Security Implementation Guide PAGE 23

Not every objectives are often measurable, but making objectives measurable supports achievement and
improvement. it’s highly desirable to be ready to describe, qualitatively or quantitatively, the degree to which
an objective has been met. for instance, to guide priorities for extra effort if objectives aren’t met, or to supply
insights into opportunities for improved effectiveness if objectives are exceeded. It should be possible to know
whether or not they are achieved or not, how achievement of objectives is decided, and whether it’s possible
to work out the degree of accomplishment of objectives using quantitative measurements. Quantitative
descriptions of objective attainment should specify how associated measurement is completed. it’s going to
not be possible to quantitatively determine the degree of attainment of all objectives. ISO/IEC 27001 requires
objectives to be measurable if practicable;
Information security objectives should be aligned with information security needs; for this reason, risk
assessment and treatment results should be used as inputs when setting information security objectives;
Information security objectives should be communicated to relevant internal interested parties of the
organization. they’ll even be communicated to external interested parties, e.g. customers, stakeholders, to the
extent they have to understand and are suffering from the knowledge security objectives;

When information security needs change over time, related security objectives should be updated accordingly.
Their update should be communicated as needed in d), to internal and external interested parties as
appropriate.
The organization should plan the way to achieve its information security objectives. The organization may use
any methodology or mechanism it chooses to plan for the achievement of its security objectives. There could
also be one information security plan, one or more project plans, or actions included in other organizational
plans. Whatever form planning takes.

The resulting plans should define as:

the activities to be done;

the specified resources to be committed to execute the activities;
the responsibilities;
the timelines and milestones of activities;
the methods and measurements to gauge whether the results achieve objectives, which incorporates timing
of such evaluations.
ISO/IEC 27001 requires organizations to retain documented information on the knowledge security objectives.
Such documented information can include:

plans, actions, resources, responsibilities, deadlines and evaluation methods;

requirements, tasks, resources, responsibilities, evaluation frequency and methods.

Resources
Required activity
The organization determines and provides the resources for establishing, implementing, maintaining and
continually improving the ISMS.

Implementation Guideline
Resources are fundamental to perform any quite activity. Categories of resources can include:
a) persons to drive and operate the activities;
b) time to perform activities and time to permit results to calm down before making a replacement step;
 Information Security Implementation Guide PAGE 24

c) financial resources to accumulate, develop and implement what’s needed;

d) information to support decisions, measure performance of actions, and improve knowledge; and
e) infrastructure and other means are often acquired or built, like technology, tools and materials, no matter
whether or not they are products of data technology or not.
These resources are to be kept aligned with the requirements of the ISMS and hence are to be adapted when
required.

The organization should:

a) estimate the resources needed for all the activities associated with the ISMS in terms of quantity and
quality (capacities and capabilities);
b) acquire the resources as needed;
c) provide the resources;
d) maintain the resources across the entire ISMS processes and specific activities; and
e) review the provided resources against the requirements of the ISMS, and adjust them as needed.

Documented information on this activity and its outcome is mandatory only within the form and to the extent
the organization determines as necessary for the effectiveness of its management system.

Competence
Required activity
ISO 27001 Implementation Guideline for Clause 7.2, Clause 7.3 & Clause 7.4, The organization determines the
competence of persons needed for information security performance and ensures that the persons are
competent.

Implementation Guidance
Competence is that the ability to use knowledge and skills to realize intended results. it’s influenced by
knowledge, experience and wisdom. Competence are often specific (e.g. about technology or specific
management areas like risk management) or general (e.g. soft skills, trustworthiness, and basic technological
and managerial subjects).

Competence relates to persons that employment in check of the organization. this suggests that competence
should be managed for persons that are employees of the organization and for people as required. Acquisition
of upper or new competence and skills are often achieved both internally and externally through experience,
training (e.g. courses, seminars and workshops), mentoring, hiring or contracting external persons.

For competence that’s only temporarily needed – for a selected activity or for a brief period of your time, e.g.
to hide unexpected temporary shortage of internal personnel – organizations can hire or contract external
resources, whose competence is to be described and verified.

The organization should:

Determine the expected competence for every role within the ISMS and choose if it must be documented (e.g.
during a job description);
Assign the roles within the ISMS to persons with the specified competence either by:

identifying persons within the organization who have the competence (based e.g. on their education,
experience, or certifications);
 Information Security Implementation Guide PAGE 25

planning and implementing actions to possess persons within the organization obtain the competence (e.g.
through provision of coaching, mentoring, reassignment of current employees);
engaging new persons who have the competence (e.g. through hiring or contracting);
Evaluate the effectiveness of actions

EXAMPLE 1 Consider if persons have acquired competence after the training.

EXAMPLE 2 Analyze the competence of newly hired or contracted persons a while after their arrival within the
organization.
EXAMPLE 3 Verify if the plan for acquiring new persons has been completed needless to say.
Verify that the persons are competent for his or her roles;
Make sure that the competence evolves over time as necessary which it meets expectations.

Appropriate documented information is required as evidence of competence. The organization should

therefore retain documentation about the required competence affecting information security performance
and the way this competence is met by relevant persons.

Awareness
Required activity
The persons doing work under the organization’s control are made conscious of the knowledge security policy,
their contribution to the effectiveness of the ISMS, benefits of improved information security performance
and implications of not conforming to the wants of the ISMS.

Implementation Guidance
Awareness of persons working under the organization’s control refers to having the required understanding
and motivation about what’s expected of them with reference to information security.

Awareness concerns persons who need to know, understand, accept

Support the objectives stated within the information security policy;

Follow the principles to properly perform their daily tasks in support of data security.
Additionally, the persons doing work under the organization’s control also got to know, understand and accept
the implications of not conforming with the ISMS requirements. Implications are often negative consequences
for information security or repercussions for the person.

These persons got to remember that an information security policy exists and where to seek out information
about it. Many staff in a corporation don’t got to know the detailed content of the policy. Instead, they ought
to know, understand, accept and implement the knowledge security objectives and requirements derived
from the policy that affect their job role. These requirements are often included in the standards or
procedures they’re expected to follow to try to their job.

The organization should:

Prepare a program with the precise messages focused on each audience (e.g. internal and external persons);
Include information security needs and expectations within awareness and training materials on other topics
to put information security needs into relevant operational contexts;
 Information Security Implementation Guide PAGE 26

Prepare an idea to speak messages at planned intervals;

Verify the knowledge and understanding of messages both at the top of an awareness session and randomly
between sessions;
Verify whether persons act consistent with the communicated messages and use samples of ’good’ and ’bad’
behavior to strengthen the message.
Documented information on this activity and its outcome is mandatory only within the form and to the extent
the organization determines as necessary for the effectiveness of its management system (see ISO/IEC
27001:2013).

Communication
Required activity
The organization determines the requirements for internal and external communications associated with the
ISMS.

Implementation Guidance
Communication may be a key process within an ISMS. Adequate communication is important with internal and
external interested parties. Communications are often between internal interested parties in the least levels
of the organization or between the organization and external interested parties. Communication are often
initiated within the organization or by an external interested party.

Organizations got to determine:

Which content must be communicated, e.g. information security policies, objectives, procedures, their
changes, knowledge on information security risks, requirements to suppliers and feedback on the knowledge
security performance;
The well-liked or optimal point in time for communication activities;
Who is to be involved in communication activities, and which is that the audience of every communication
effort;
Who is to initiate communication activities, e.g. specific content can require communication to be initiated by
a selected person or organization;
Which processes are driving or initiating communication activities, and which processes are targeted or
suffering from communication activities.
Communication can happen regularly or as needs arise. It are often either proactive or reactive.
Communication relies on processes, channels and protocols. These should be chosen to make sure the
communicated message is integrally received, correctly understood and, when relevant, acted upon
appropriately.

Organizations should determine which content must be communicated, such as:

Plans and results of risk management to interested parties as required and appropriate, within the
identification, analysis, evaluation, and treatment of the risks;
Information security objectives;
Achieved information security objectives including people who can support their position within the market
(e.g., ISO/IEC 27001 certificate granted; claiming conformance with personal data protection laws);
Incidents or crises, where transparency is usually key to preserve and increase trust and confidence within the
organization’s capability to manage its information security and affect unexpected situations;
 Information Security Implementation Guide PAGE 27

Roles, responsibilities and authority;

Information exchanged between functions and roles as needed by the ISMS’s processes;
Changes to the ISMS;
Other matters identified by reviewing the controls and processes within the scope of the ISMS;
Matters (e.g., incident or crisis notification) that need communication to regulatory bodies or other interested
parties;
Requests or other communications from external parties like customers, potential customers, users of services
and authorities.
The organization should identify the wants for communication on relevant issues:

Who is allowed to speak externally and internally (e.g. in special cases like a knowledge breach), allocating to
specific roles with the acceptable authority. for instance, official communication officers are often defined
with the acceptable authority. they might be a PR officer for external communication and a security officer for
internal communication;
The triggers or frequency of communication (e.g., for communication of an occasion, the trigger is that the
identification of the event);
The contents of messages for key interested parties (e.g. customers, regulators, general public, important
internal users) supported high level impact scenarios. Communication are often simpler if supported messages
prepared and pre-approved by an appropriate level of management as a part of a communication plan, the
incident response plan or the business continuity plan;
The intended recipients of the communication; in some cases, an inventory should be maintained (e.g. for
communicating changes to services or crisis);
The communication means and channels. Communication should use dedicated means and channels, to form
sure that the message is official and bears the acceptable authority. Communication channels should address
any needs for the protection of the confidentiality and integrity of the knowledge transmitted; and
The designed process and therefore the method to make sure messages are sent and are correctly received
and understood.
Communication should be classified and handled consistent with the organization’s requirements.

Documented information on this activity and its outcome is mandatory only within the form and to the extent
the organization determines as necessary for the effectiveness of its management system (see ISO/IEC
27001:2013).

Documented information Implementation Guideline

General Guideline Documented information
Required activity
The organization includes documented information within the ISMS as directly required by ISO/IEC 27001, also
as determined by the organization as being necessary for the effectiveness of the ISMS.

Implementation Guideline
Documented information is required to define and communicate information security objectives, policy,
guidelines, instructions, controls, processes, procedures, and what persons or groups of individuals are
expected to try to do and the way they’re expected to behave. Documented information is additionally
needed for audits of the ISMS and to take care of a stable ISMS when persons in key roles change. Further,
documented information is required for recording actions, decisions and outcome(s) of ISMS processes and
knowledge security controls.
 Information Security Implementation Guide PAGE 28

Documented information can contain:

Information about information security objectives, risks, requirements and standards;

Information about processes and procedures to be followed;
Records of the input (e.g. for management reviews) and therefore the outcomes of processes (including plans
and outcomes of operational activities).
There are many activities within the ISMS that produce documented information that’s used, most of the
time, as an input for an additional activity. ISO/IEC 27001 requires a group of mandatory documented
information and contains a general requirement that additional documented information is required if it’s
necessary for the effectiveness of the ISMS.
The amount of documented information needed is usually associated with the dimensions of the organization.
In total, the mandatory and extra documented information contains sufficient information to permit the
performance evaluation requirements laid out in Clause 9 to be administered.

The organization should determine what documented information is important for ensuring effectiveness of
its ISMS additionally to mandatory documented information required by ISO/IEC 27001.The documented
information should be there to suit the aim. Factual and ‘to the point’ information is what’s needed.

Examples of documented information which will be determined by the organization to be necessary for
ensuring effectiveness of its ISMS are:

The results of the context establishment;

The roles, responsibilities and authorities;
Reports of the various phases of the danger management;
Resources determined and provided;
The expected competence;
Plans and results of awareness activities;
Plans and results of communication activities;
Documented information of external origin that’s necessary for the ISMS;
Process to regulate documented information;
Policies, rules and directives for guiding and operating information security activities;
Processes and procedures required to implement, maintain and improve the ISMS and therefore the overall
information security status;
Action plans;
Evidence of the results of ISMS processes (e.g. incident management, access control, information security
continuity, equipment maintenance, etc.).
Documented information’s are often of internal or external origin.
 Information Security Implementation Guide PAGE 29

Creating and updating

Required activity
When creating and updating documented information, the organization ensures its appropriate identification
and outline, format and media, and review and approval.

Implementation Guideline
The organization identifies intimately how the documented information is best structured and defines an
appropriate documentation approach. Review and approval by appropriate management ensures that the
documented information is correct, suitable for the aim, and in an adequate form and detail for the intended
audience. Regular reviews ensure continued suitability and adequacy of documented information.

Documented information could also be retained in any form, e.g. traditional documents (in both paper and
electronic form), web pages, databases, computer logs, computer generated reports, audio and video.
Moreover, documented information may contain specifications of intent (e.g. the knowledge security policy)
or records of performance (e.g. the results of an audit) or a mix of both. the subsequent guidance applies on
to traditional documents and will be interpreted appropriately when applied to other sorts of documented
information.

Organizations should create a structured documented information library, linking different parts of
documented information by:

Determining the structure of the documented information framework;

Determining the quality structure of the documented information;
Providing templates for various sorts of documented information;
Determining the responsibilities for preparing, approving, publishing and managing the documented
information;
Determining and documenting the revision and approval process to make sure continual suitability and
adequacy.

Organizations should define a documentation approach that has common attributes of each document, which
permit clear and unique identification. These attributes usually include document type (e.g. policy, directive,
rule, guideline, plan, form, process or procedure), the aim and scope, title, date of publication, classification,
reference number, version number, and a revision history. The identification of the author and therefore the
person(s) currently liable for the document, its application and evolution, also because the approver(s) or
approval authority should be included.

Format requirements can include definition of suitable documentation languages, file formats, software
version for working with them and graphical content. Media requirements define on which physical and
electronic media the knowledge should be available. Statements and literary genre should be tailored to the
audience and scope of the documentation.

Duplication of data in documented information should be avoided and cross-references used instead of
replicating an equivalent information in several documents. The documentation approach should ensure
timely review of the documented information which all documentation changes are subject to approval.
Suitable review criteria are often timing related (e.g. maximum time periods between document reviews) or
 Information Security Implementation Guide PAGE 30

content related. Approval criteria should be defined, which ensures that the documented information is
correct, suitable for the aim, and in an adequate form and detail for the intended audience.

Control of documented information

Required activity
The organization manages documented information throughout its lifecycle and makes it available where and
when needed.

Implementation Guideline
Once approved, the documented information is communicated to its intended audience. Documented
information is out there where and when it’s needed, while preserving its integrity, confidentiality, and
relevance throughout the entire lifecycle. Note that activities described “as applicable” in ISO/IEC 27001:2013
got to be performed if they will be performed and are useful, considering the organization’s needs and
expectations.

A structured documented information library are often wont to facilitate access to documented information.
All of the documented information should be classified (see ISO/IEC 27001:2013) in accordance with the
organization’s classification scheme. Documented information should be protected and handled in accordance
with its classification level (see ISO/IEC 27001:2013).
A change management process for documented information should make sure that only authorized persons
have the proper to vary and distribute it as required through appropriate and predefined means.

Documented information should be protected to make sure it keeps its validity and authenticity. Documented
information should be distributed and made available to authorized interested parties. For this, the
organization should establish who are the relevant interested parties for every documented information (or
groups of documented information), and therefore the means to use for distribution, access, retrieval and use
(e.g. an internet site with appropriate access control mechanisms). The distribution should suit any
requirements associated with protecting and handling of classified information.

The organization should establish the acceptable retention period for documented information consistent
with its intended validity and other relevant requirements. The organization should make sure that
information is legible throughout its retention period (e.g. using formats which will be read by available
software or verifying that paper isn’t corrupted).

The organization should establish what to try to do with documented information after its retention period
has expired. The organization should also manage documented information of external origin (i.e. from
customers, partners, suppliers, regulatory bodies, etc.).
Documented information on this activity and its outcome is mandatory only within the form and to the extent
the organization determines as necessary for the effectiveness of its management system (see ISO/IEC
27001:2013).
 Information Security Implementation Guide PAGE 31

Operational planning & control

Required activity

The organization plans, implements and controls the processes to satisfy its information security requirements
and to realize its information security objectives. The organization keeps documented information as
necessary to possess confidence that processes are administered as planned. The organization controls
planned changes and reviews the results of unintended changes, and ensures that outsourced processes are
identified, defined and controlled.

Implementation Guideline

The processes that a corporation uses to satisfy its information security requirements are planned, and once
implemented, they’re controlled, particularly when changes are required. Building on the design of the ISMS,
the organization performs the required operational planning and activities to implement the processes
needed to fulfil the knowledge security requirements.

Processes to satisfy information security requirements include:

ISMS processes (e.g. management review, internal audit);

Processes required for implementing the knowledge security risk treatment plan.

Implementation of plans leads to operated and controlled processes.

The organization ultimately remains liable for planning and controlling any outsourced processes so as to
realize its information security objectives. Thus, the organization needs to:

Determine outsourced processes considering the knowledge security risks associated with the outsourcing;
Make sure that outsourced processes are controlled (i.e. planned, monitored and reviewed) during a manner
that gives assurance that they operate as intended (also considering information security objectives and
therefore the information security risk treatment plan).

After the implementation is completed, the processes are managed, monitored and reviewed to make sure
that they still fulfil the wants determined after understanding the requirements and expectations of interested
parties. Changes of the ISMS operational are often either planned or they occur unintended. Whenever the
organization makes changes to the ISMS (as a result of planning or unintentionally), it assesses the potential
consequences of the changes to regulate any adverse effects.

The organization can get confidence about the effectiveness of the implementation of plans by documenting
activities and using documented information as input to the performance evaluation processes laid out in
Clause 9. The organization therefore establishes the specified documented information to stay.
 Information Security Implementation Guide PAGE 32

The processes that are defined as a result of the design described in Clause 6 should be implemented,
operated and verified throughout the organization. the subsequent should be considered and implemented:

Processes that are specific for the management of data security (such as risk management, incident
management, continuity management, internal audits, management reviews);
Processes emanating from information security controls within the information security risk treatment plan;
Reporting structures (contents, frequency, format, responsibilities, etc.) within the knowledge security area,
for instance incident reports, reports on measuring the fulfillment of data security objectives, reports on
performed activities;
Meeting structures (frequency, participants, purpose and authorization) within the knowledge security area.
Information security activities should be coordinated by representatives from different parts of the
organization with relevant roles and job functions for effective management of the knowledge security area.

For planned changes, the organization should:

Plan their implementation and assign tasks, responsibilities, deadlines and resources;
Implement changes consistent with the plan;
Monitor their implementation to verify that they’re implemented consistent with the plan;
Collect and retain documented information on the execution of the changes as evidence that they need been
administered as planned (e.g. with responsibilities, deadlines, effectiveness evaluations).

For observed unintended changes, the organization should:

Review their consequences;

Determine whether any adverse effects have already occurred or can occur within the future;
Plan and implement actions to mitigate any adverse effects as necessary;
Collect and retain documented information on unintended changes and actions taken to mitigate adverse
effects.

If a part of the organization’s functions or processes are outsourced to suppliers, the organization should:

Determine all outsourcing relationships;

Establish appropriate interfaces to the suppliers;
Address information security related issues within the supplier agreements;
Monitor and review the supplier services to make sure that they’re operated as intended and associated
information security risks meet the risk acceptance criteria of the organization;
Manage changes to the supplier services as necessary.
 Information Security Implementation Guide PAGE 33

Information security risk assessment

Required activity

The organization performs information security risk assessments and retains documented information on their
results.

Implementation Guideline

When performing information security risk assessments, the organization executes the method defined. These
assessments are either executed consistent with a schedule defined beforehand, or in response to significant
changes or information security incidents. The results of the knowledge security risk assessments are retained
in documented information as evidence that the method in 6.1.2 has been performed as defined.
Documented information from information security risk assessments is important for information security risk
treatment and is effective for performance evaluation.

Organizations should have an idea for conducting scheduled information security risk assessments. When any
significant changes of the ISMS (or its context) or information security incidents have occurred, the
organization should determine:

Which of those changes or incidents require a further information security risk assessment;
How these assessments are triggered.

The level of detail of the risk identification should be refined step by step in further iterations of the
knowledge security risk assessment within the context of the continual improvement of the ISMS. A broad
information security risk assessment should be performed a minimum of once a year.

Information security risk treatment

Required activity

The organization implements the knowledge security risk treatment plan and retains documented information
on the results of the knowledge security treatment.

Implementation Guideline

In order to treat information security risks, the organization must perform the knowledge security risk
treatment process defined in 6.1.3. During operation of the ISMS, whenever the risk assessment is updated
consistent with 8.2, the organization then applies the risk treatment consistent with 6.1.3 and updates the risk
treatment plan. The updated risk treatment plan is again implemented. The results of the knowledge security
risk treatment are retained in documented information as evidence that the method in 6.1.3 has been
performed as defined.
 Information Security Implementation Guide PAGE 34

The information security risk treatment process should be performed after each iteration of the knowledge
security assessment process in 8.2 or when the implementation of the risk treatment plan or parts of it fails.
The progress of implementation of the knowledge security risk treatment plan should be driven and
monitored by this activity.

Performance evaluation Monitoring, measurement, analysis &

evaluation
Required activity
ISO 27001 Clause 9.1 Performance evaluation Monitoring, measurement, analysis & evaluation, The
organization evaluates the knowledge security performance and therefore the effectiveness of the ISMS.

Implementation Guideline
The objective of monitoring and measurement is to assist the organization to gauge whether the intended
outcome of data security activities including risk assessment and treatment is achieved as planned. Monitoring
determines the status of a system, a process or an activity, whilst measurement may be a process to work out
a worth. Thus, monitoring is often achieved through a succession of comparable measurements over a while
period.

For monitoring and measurement, the organization establishes:

What to watch and measure;
Who monitors and measures?
Methods to be used so on produce valid results (i.e., comparable and reproducible).
For analysis and evaluation, the organization establishes:
Who analyses and evaluates the results from monitoring and measurement, and when?
Methods to be used so on produce valid results.
There are two aspects of evaluation:
Evaluating the knowledge security performance, for determining whether the organization is doing needless
to say, which incorporates determining how well the processes within the ISMS meet their specifications;
Evaluating the effectiveness of the ISMS, for determining whether or not the organization is doing the proper
things, which incorporates determining the extent to which information security objectives are achieved.
Note that as “as applicable” (ISO/IEC 27001:2013) means if methods for monitoring, measurement, analysis
and evaluation are often determined, they have to be determined.

A good practice is to define the ‘information need’ when planning the monitoring, measurement, analysis and
evaluation. An information need is typically expressed as a high-level information security question or
statement that helps the organization evaluate information security performance and ISMS effectiveness. In
other words, monitoring and measurement should be undertaken to realize an outlined information need.

Care should be taken when determining the attributes to be measured. it’s impracticable, costly and
counterproductive to live too many, or the incorrect attributes. Besides the prices of measuring, analyzing and
evaluating numerous attributes, there’s an opportunity that key issues might be obscured or missed
altogether.
 Information Security Implementation Guide PAGE 35

There are two generic sorts of measurements:

Performance measurements, which express the planned leads to terms of the characteristics of the planned
activity, like head counts, milestone accomplishment, or the degree to which information security controls are
implemented;
Effectiveness measurements, which express the effect that realization of the planned activities has on the
organization’s information security objectives.

It is often appropriate to spot and assign distinctive roles to those participating within the monitoring,
measurement, analysis and evaluation. Those roles are often measurement client, measurement planner,
measurement reviewer, information owner, information collector, information analyst and knowledge
communicator of input or output of evaluation.

The responsibilities for monitoring and measurement and people for analysis and evaluation are often
assigned to separate persons whom different competence is required.

Monitoring, measurement, analysis and evaluation is critical to the success of an efficient ISMS. There are
variety of clauses in ISO/IEC 27001 that explicitly require determination of the effectiveness of some activities.
for instance, ISO/IEC 27001:2013). Further information are often found in ISO/IEC 27004, which provides
guidance on meeting the wants of ISO/IEC 27001:2013, especially, it expands on all of the concepts mentioned
above, like roles and responsibilities, and forms, and provides numerous examples.

Internal audit
Activity
ISO 27001 Clause 9.2 Internal audit, the organization conducts internal audits to supply information on
conformity of the ISMS to the wants.

Implementation Guideline
Evaluating an ISMS at planned intervals by means of internal audits provides assurance of the status of the
ISMS to top management. Auditing is characterized by variety of principles: integrity; fair presentation; due
professional care; confidentiality; independence; and evidence-based approach (see ISO 19011). Internal
audits provide information on whether the ISMS conform to the organization’s own requirements for its ISMS
also on the wants in ISO/IEC 27001.

The organization’s own requirements include:

Requirements stated within the information security policy and procedures;
Requirements produced by the framework for setting Information security objectives, including outcomes of
the danger treatment process;
Legal and contractual requirements;
Requirements on the documented information.
Auditors also evaluate whether the ISMS is effectively implemented and maintained. An audit program
describes the general framework for a group of audits, planned for specific time frames and directed towards
specific purposes. This is often different from an audit plan, which describes the activities and arrangements
for a selected audit. Audit criteria are a group of policies, procedures or requirements used as a reference
against which audit evidence is compared, i.e. the audit criteria describe what the auditor expects to be in
situation. An internal audit can identify nonconformities, risks and opportunities. Nonconformities are
 Information Security Implementation Guide PAGE 36

managed consistent with requirements. Risks and opportunities are managed consistent with requirements.
The organization is required to retain documented information about audit program and audit results.

Managing an audit program

An audit program defines the structure and responsibilities for planning, conducting, reporting and following
abreast of individual audit activities. intrinsically it should make sure that audits conducted are appropriate,
have the proper scope, minimize the impact on the operations of the organization and maintain the required
quality of audits. An audit program should also make sure the competence of audit teams, appropriate
maintenance of audit records, and therefore the monitoring and review of the operations, risks and
effectiveness of audits. Further, an audit program should make sure that the ISMS (i.e. all relevant processes,
functions and controls) is audited within a specified time frame. Finally, an audit program should include
documented information about types, duration, locations, and schedule of the audits.

The extent and frequency of internal audits should be supported the dimensions and nature of the
organization also as on the character, functionality, complexity and therefore the level of maturity of the ISMS
(risk-based auditing). The effectiveness of the implemented controls should be examined within the scope of
internal audits.

An audit program should be designed to make sure coverage of all necessary controls and will include
evaluation of the effectiveness of selected controls over time. Key controls (according to the audit program)
should be included in every audit whereas controls implemented to manage lower risks could also be audited
less frequently. The audit program should also consider that processes and controls should are operational for
a few time to enable evaluation of suitable evidence.

Internal audits concerning an ISMS are often performed effectively as a neighborhood of, or together with,
other internal audits of the organization. The audit program can include audits associated with one or more
management system standards, conducted either separately or together. An audit program should include
documented information about: audit criteria, audit methods, selection of audit teams, processes for handling
confidentiality, information security, health and safety provisions for auditors, and other similar matters.

Competence and evaluation of auditors

Regarding competence and evaluation of auditors, the organization should:

Identify competence requirements for its auditors;

Select internal or external auditors with the acceptable competence;
Have a process in place for monitoring the performance of auditors and audit teams; and
Include personnel on internal audit teams that have appropriate sector specific and knowledge security
knowledge.
Auditors should be selected considering that they should to be competent, independent, and adequately
trained. Selecting internal auditors are often difficult for smaller companies. If the required resources and
competence aren’t available internally, external auditors should be appointed. When organizations use
external auditors, they ought to make sure that they have acquired enough knowledge about the context of
the organization. This information should be supplied by internal staff.

Organizations should consider that internal employees acting as internal auditors are often ready to perform
detailed audits considering the organization’s context, but might not have enough knowledge about
 Information Security Implementation Guide PAGE 37

performing audits. Organizations should then recognize characteristics and potential shortcomings of internal
versus external auditors and establish suitable audit teams with the required knowledge and competence.

Performing the audit

When performing the audit, the audit team leader should prepare an audit plan considering results of
previous audits and therefore the got to follow abreast of previously reported nonconformists and
unacceptable risks. The audit plan should be retained as documented information and will include criteria,
scope and methods of the audit.

The audit team should review:

Adequacy and effectiveness of processes and determined controls;
Fulfillment of data security objectives;
Compliance with requirements defined in ISO/IEC 27001:2013, Clauses 4 to 10;
Compliance with the organization’s own information security requirements;
Consistency of the Statement of Applicability against the result of the knowledge security risk treatment
process;
Consistency of the particular information security risk treatment plan with the identified assessed risks and
therefore the risk acceptance criteria;
Relevance (considering organization’s size and complexity) of management review inputs and outputs;
Impacts of management review outputs (including improvement needs) on the organization.
The extent and reliability of obtainable monitoring over the effectiveness of controls as produced by the ISMS
(see 9.1) may allow the auditors to scale back their own evaluation efforts, provided they need confirmed the
effectiveness of the measurement methods.

If the result of the audit includes nonconformities, the audit should prepare an action plan for every
nonconformity to be agreed with the audit team leader.

A follow-up action plan typically includes:

Description of the detected nonconformity;
Description of the cause(s) of nonconformity;
Description of short-term correction and long run corrective action to eliminate a detected nonconformity
within an outlined time frame;
The persons liable for implementing the plan.
Audit reports, with audit results, should be distributed to top management. Results of the previous audits
should be reviewed and therefore the audit program adjusted to raised manage areas experiencing higher
risks thanks to nonconformities 27001 Clause 9.2 Internal audits

Other information
Further information are often found in ISO 19011, which provides general guidance on auditing management
systems, including the principles of auditing, managing an audit program and conducting management system
audits. It also provides guidance on the evaluation of competence of persons or group of individuals involved
within the audit, including the person managing the audit program, auditors and audit teams.

Also, additionally to the guidance contained in ISO 19011, further information are often found in:
 Information Security Implementation Guide PAGE 38

a) (ISO/IEC 270071), which provides specific guidance on managing an ISMS audit program, on conducting the
audits, and on the competence of ISMS auditors; and
b) (ISO/IEC 270081), which provides guidance on assessing information security controls.

Management review
Activity
Top Management conducts management review for ISO 27001 at planned intervals.

Management review, clause highlights the significance of management review which helps to ensure
continuing suitability, adequacy, and effectiveness of Information Security Management System in the
organization, where Suitability refers to the continuous alignment with the objectives of the organization,
Adequacy and Effectiveness call for appropriate design and organizational embedding respectively. It is a
process which is administered at various levels of the organization where the activities could range from daily,
weekly or monthly organization unit meeting to simple reporting discussions. It is the responsibility of the top
management to evaluate this review with contributions from all the levels of the organization. Management
Review generally happens after the ISMS internal audit is completed, and it occurs at planned intervals and in
a strategic manner.

What does Management Review incorporate?

The management review should consider the requirements of Clause 9.3 from ISO 27001:2013, which helps
the top management to facilitate effective reviews and strategic decisions which is best suited for the business
needs. There are some ways by which management can review the ISMS, like receiving and reviewing
measurements and reports, transmission, verbal updates. Top management should include reporting on ISMS
efficiency and should frequently review it. The primary components of the management review include the
result of the information security assessment, results of internal audit, risk assessment and the status of risk
management plan. While assessing the information security risk assessment, the management should check
that the residual risk fulfills risk acceptance criteria that cover all applicable risks and their risk treatment
options in the risk treatment plan.

All aspects of the ISMS should be reviewed by management at planned intervals, a minimum of yearly, by
fixing suitable schedules and agenda items in management meetings. Also, recently implemented ISMS should
be reviewed frequently by management to increase overall effectiveness.

What should be the agenda of the management review?

The standard ISO 27001 – 9.3 Management review shall consider the following topics: -
Status of actions from previous management reviews;
Changes in external and internal issues that are relevant to the ISMS;
Feedback on the information security performance, including trends, in;
Non conformities and corrective actions;
Monitoring and measurement results;
Audit results;
Fulfillment of information security objectives.
Feedback from stakeholders, including suggestions for improvement, requests for change and complaints;
Results of information security risk assessment(s) and status of risk treatment plan; and
 Information Security Implementation Guide PAGE 39

Opportunities for continual improvement, including efficiency improvements for both the ISMS and
information security controls.
The input for the management review should be at an acceptable level of detail, consistent with the objectives
set for the organization. For example, just a description of all things, aligned with information security
objectives or high-level objectives, will be reviewed by top management.

The end result of this management review process will include continuous improvement of ISMS and will also
address any changes if required in ISMS. End results may also include evidence of selections regarding-

Changes in information security policy

Changes in risk acceptance criteria and also the criteria for performing information security risk assessments
Updating information security risk treatment plan or Statement of Applicability
Necessary improvements in monitoring and measuring activities
Change in resources
The organization needs to document the information as evidence of results of management reviews.

“Information is an asset, a building block and the key to growth for any organization. To ensure business keeps
ahead of the competition, it is essential to safeguard business critical information from threats of data hacking
and data loss.

Non-conformity and corrective action

Required activity
ISO 27001 Clause 10.1 Non conformity and corrective action, Clause 10 containing sections 10.1 and 10.2
covers the “Act” part W. Edwards Deming’s Plan-Do-Check-Act (PDCA) cycle. This clause helps an organization
react to nonconformities, evaluate them and take corrective actions with the end goal of continually
improving how it runs its daily activities.

Explanation
Nonconformity may be a non-fulfilment of a requirement of the ISMS. Nonconformity cannot always be
avoided, because mistakes do happen in an organization; however, what is important is that the issue is
identified and handled accordingly when it presents itself. Requirements are needs or expectations that are
stated, implied or obligatory. There are several types of nonconformities such as:

Failure to fulfil a requirement (completely or partially) of ISO/IEC 27001 within the ISMS;
Failure to properly implement or conform to a requirement, rule or control stated by the ISMS;
Partial or total failure to suits legal, contractual or agreed customer requirements.
Nonconformities are often for example:
Persons not behaving needless to say by procedures and policies;
Suppliers not providing agreed products or services;
Projects not delivering expected outcomes; and
controls not operating consistent with design.
Nonconformities are often recognized by:
Deficiencies of activities performed within the scope of the management system;
Ineffective controls that aren’t remediated appropriately;
 Information Security Implementation Guide PAGE 40

Analysis of data security incidents, showing the non-fulfilment of a requirement of the ISMS;
Complaints from customers;
Alerts from users or suppliers;
Monitoring and measurement results not meeting acceptance criteria; and
Objectives not achieved.

How should organizations deal with non-conformity?

The three basic steps when it comes to controlling nonconformity are identifying the problem or violation,
recording it and taking appropriate action to put an end to it.

In general, following steps should be adopted:

Identifying the extent and impact of the nonconformity.
Choosing the corrections so as to limit the impact of the nonconformity. Corrections can include switching to
previous, failsafe or other appropriate states. Care should be taken that corrections don’t make things worse.
To identify effective corrective action, it is strongly advised to complete a root cause analysis of the issue that
occurred. If you don’t get to the bottom of why or how it happened, then it is likely that whatever fix you
implement will not be fully effective.

Communicating with relevant personnel to make sure that corrections are carried out.
Completing corrections as decided;
Monitoring things to make sure that corrections have had the intended effect and haven’t produced
unintended side-effects;
Acting further to correct the nonconformity if it’s still not remediated; and
Communicating with other relevant interested parties, as appropriate.
However, corrections alone won’t necessarily prevent recurrence of the nonconformity. Corrective actions can
occur after, or in parallel with, corrections. the subsequent process steps should be taken:

The organization needs to decide if there’s a requirement to hold out a corrective action, in accordance with
established criteria (e.g., impact of the nonconformity, repetitiveness);
Review of the nonconformity, considering:
– If similar nonconformities are recorded;
– All the results and side-effects caused by the nonconformity;
– The corrections taken.
Perform an in-depth root cause analysis of the nonconformity.
Patterns and criteria which will help to spot similar situations within the future.
Perform an analysis of potential consequences on the ISMS, considering:
– whether similar nonconformities exist in other areas, e.g., by using the patterns and criteria found during the
cause analysis;
– whether other areas match the identified patterns or criteria, in order that it’s only a matter of your time
before an identical nonconformity occurs.
Determine actions needed to correct the cause, evaluating if they’re proportionate to the results and impact
of the nonconformity, and checking for any potential side-effects which can cause other nonconformities or
significant new information security risks.
To plan for the corrective actions, giving priority, if possible, to areas where there are higher likelihood of
recurrence and more significant consequences of the nonconformity.
Implement the corrective actions consistent with the plan.
 Information Security Implementation Guide PAGE 41

Finally, to assess the corrective actions to work out whether or not they have actually handled the explanation
for the nonconformity, and whether it has prevented nonconformities from occurring. This assessment should
be impartial, evidence-based and documented. It should even be communicated to the acceptable roles and
stakeholders.
Also Read: ISO 27001 Clause 10.2 Continual Improvement
As a result of corrections and corrective actions, it is possible that new opportunities for improvement are
identified. These should be treated accordingly. Sufficient documented information is required to be retained
to demonstrate that the organization has acted appropriately to deal with the nonconformity and has
addressed the related consequences.

All significant steps of nonconformity management (starting from discovery and corrections) and, if started,
corrective action management (cause analysis, review, decision about the implementation of actions, review
and alter decisions made for the ISMS itself) should be documented. The documented information is
additionally required to incorporate evidence on whether or not actions taken have achieved the intended
effects.

Some organizations maintain registers for tracking nonconformities and corrective actions. There is often one
register (for example, one for every functional area or process) and on different media (paper, file, application,
etc.). If this is often the case, then they ought to be established and controlled as documented information
and that they should allow a comprehensive review of all nonconformities and corrective actions for ensuring
the right evaluation of the necessity for actions.

Thus, stakeholders need to realize that the event of a nonconformity itself within an organization is not the
end of the world, but it will have more dire consequences if the nonconformity is not properly identified,
addressed, corrected, and prevented in the future.

Continual Improvement
Required Activity
ISO 27001 Clause 10.2 Continual Improvement, the organization continually improves the suitability, adequacy
and effectiveness of the ISMS.

Why organization needs to have continual improvement?

Organizations are never static, nor their contexts. In addition, the threats to the information systems, and the
ways in which they can be compromised, are rapidly changing. At the end of the day, there’s no ISMS which
remains perfect; it always needs to be set on continual improvement; however, the organization and its
context are not changing.

As an example of non-conformity or risk-related improvements, an assessment of an ISMS component (in

terms of suitability, adequacy and effectiveness) may show that it exceeds ISMS requirements or is lacking in
efficiency. If so, then the ISMS can often be improved by making changes in the management system.

Area of improvements
Regular internal audits
Regular and proper management review (Clause 9.3 ISO 27001)
 Information Security Implementation Guide PAGE 42

Regular external audits

Understanding the suggestion from the stakeholders and accordingly implementing them in information
management system
Keeping a check whether organization is following Regulatory policies or not
Reviewing security controls
Matching the organization activities with requirements of standard ISO 27001
Also, top management can set objectives for continual improvement, e.g. through measurements of
effectiveness, cost, or process maturity. ISMS is known as a crucial entity that plays a vital role in business
operations. In order to keep pace with the developments, the ISMS is periodically checked for function,
efficacy and consistency with the objectives of the organization.

What all necessary while doing the assessment?

Suitability of the ISMS, considering the external and internal issues, requirements of the interested parties,
established information security objectives and identified information security risks are properly addressed
through planning and implementation of the ISMS and information security controls.
ISMS adequacy to find the conformity of ISMS processes and information security meets the ultimate goals,
practices and processes of the company.
Effectiveness of the ISMS, considering if the intended outcome(s) of the ISMS are achieved, the wants of the
interested parties are met, information security risks are managed to satisfy information security objectives,
nonconformities are managed, while resources needed for the establishment, implementation, maintenance
and continual improvement of the ISMS are commensurate with those results.
The assessment can also include an overview of the efficiency of the ISMS and the components of its
resources, evaluating whether their usage of resources is appropriate, if there is a possibility of productivity
loss or opportunity to achieve greater effectiveness. Area of improvement can also be identified while
managing nonconformities with corrective actions.

Once area(s) of improvement are identified, the organization should be consistent in maintaining them by:-

Evaluate them to determine whether or not they are worth pursuing;

Plan and implement the actions to deal with the opportunities ensuring that benefits are realized, and
nonconformities don’t occur or should plan for corrective actions for non-conformities;
Evaluate the effectiveness of the actions.
Information Security Implementation Guide PAGE 43

ISO 27001 Annex A Controls

INDEX
ISO 27001 Annex A Controls
1 Information Security Policies
2 Organization of Information Security
3 Mobile Devices and Teleworking
4 Human Resource Security
5 During Employment
6 Termination and Change of Employment
7 Asset Management
8 Acceptable Use of Assets & A Return of Assets
9 Information Classification
10 Labelling of Information & A Handling of Assets
11 Media Handling
12 Access Control
13 Access to Networks and Network Services
14 User Access Management
15 Management of Privileged Access Rights
16 Management of Secret Authentication Information of Users
17 Review of User Access Rights
18 Removal or Adjustment of Access Rights
19 User Responsibilities
20 System and Application Access Control
21 Use of Privileged Utility Programs
22 Access Control to Program Source Code
23 Cryptography
24 Physical and Environmental Security
25 Equipment
26 Securing Offices, Rooms and Facilities
27 Protecting Against External and Environmental Threats
28 Working in Secure Areas
29 Delivery and Loading Areas
30 Equipment Maintenance
31 Removal of Assets
32 Security of Kit and Assets Off-Premises
33 Secure Disposal or Re-use of Equipment
34 Unattended User Equipment
35 Clear Desk and Clear Screen Policy
36 Operations Security
37 Protection from Malware
38 Backup
39 Logging and Monitoring
Information Security Implementation Guide PAGE 44

40 Control of Operational Software

41 Technical Vulnerability Management
42 Information Systems Audit Considerations
43 Communications Security
44 Information Transfer
45 Electronic Messaging
46 Confidentiality or Non-Disclosure Agreements
47 Annex System Acquisition, Development and Maintenance
48 Securing Application Services on Public Networks
49 Protecting Application Services Transactions
50 Security in Development and Support Processes
51 Technical Review of Applications after Operating Platform Changes
52 Restrictions on Changes to Software Packages
53 Secure System Engineering Principles
54 Secure Development Environment
55 Outsourced Development
56 System Security Testing
57 System Acceptance Testing
58 Test data
59 Supplier Relationships
60 Addressing Security Within Supplier Agreements
61 Information and Communication Technology Supply Chain
62 Supplier Service Delivery Management
63 Information Security Incident Management
64 Reporting Information Security Events
65 Reporting Information Security Weaknesses
66 Assessment of and Decision on Information Security Events
67 Response to Information Security Incidents
68 Learning from Information Security Incidents
69 Collection of Evidence
70 Information Security Aspects of Business Continuity Management
71 Verify, Review and Evaluate Information Security Continuity
72 Compliance
73 Protection of Records
74 Privacy and Protection of Personally Identifiable Information
75 Regulation of Cryptographic Controls
76 Information Security Reviews
 Information Security Implementation Guide PAGE 45

Organization of Information Security

Internal Organization
ISO 27001 Annex: A.6 Organization of Information Security its object is to establish a management framework
for initiating and controlling the implementation and functioning of information security within the
organization.

6.1.1 Information Security Roles and Responsibilities

Control- All responsibilities related to information security should be well defined and assigned.

Implementation Guidance- Allocation of information security responsibilities should be carried out in

compliance with information security policies (Refer A.5.1.1). Responsibilities for the security of individual
assets and the implementation of specific information security procedures should be defined. Responsibilities
for information security risk management activities and, in particular, for the acceptance of residual risks
should be defined. When necessary, further guidance should be provided for specific sites and information
processing facilities in order to supplement these responsibilities. Local responsibilities should be defined for
the protection of assets and for the implementation of specific security processes. Individuals with assigned
responsibility for information security can delegate security tasks to others. But they remain responsible and
must decide whether any delegated tasks are conducted correctly or not

Areas for which individuals are responsible should be defined. In fact, the subsequent should take place:

1. Assets as well as the information security processes should be identified and well defined;
2. An individual candidate should be assigned for each asset and information security processes and details
describing the responsibility should be documented;
3. Levels of authorization should be described and documented;
4. The appointed persons should be competent in this area and be given opportunities to keep up to date with
their progress, in order to meet responsibilities in the information security area;
5. Coordination and monitoring should be identified and documented on information security aspects of
supplier relations.

Other Information- Many organizations assign an information security officer to take ultimate responsibility
for information security development and implementation, and to help access recognition. However,
individual management will often remain responsible for the resourcing and implementation of the controls. It
is common practice to appoint an owner for all assets which are then responsible for their regular security.

6.1.2 Segregation of Duties

 Information Security Implementation Guide PAGE 46

Control- Conflicting tasks and areas of responsibility should be separated to reduce opportunities to change or
misuse the assets of the organization without permission or unintended.

Implementation Guidance- No one shall be allowed without authorization or approval to access, modify or
use the assets. This will distinguish the execution of an occurrence from its authorization. The probability of
collusion in should be considered while designing the controls. Small organizations may find it impossible to
accomplish division of tasks, but the principle should be enforced as far as is practicable and feasible. If
segregation is challenging, other measures such as task reporting, audit trails and management supervision
should be considered.

Other Information- Segregation of duties may be a method to reduce the risk of unintentional or intentional
abuse of the assets of the organization.

6.1.3 Contact with Authorities

Control- It is necessary to maintain proper communications with the relevant authorities.

Implementation Guidance- Organizations should have processes in place that determine when and by whom
officials (e.g. law enforcement, regulatory agencies, supervisory officials) should communicate and how
information security violations detected will be recorded in a timely manner (e.g. if the law is alleged to have
been violated).

Other Information- Internet-assaulted organizations may require authorities to take measures against the
attack. Holding these connections may also be a necessity to support incident management or business
continuity and contingency planning processes in information security. Contacts with regulatory bodies are
also useful when anticipating and preparing potential changes in the laws or regulations that the organization
needs to enforce. Contacts with other authorities include utilities, emergency services, suppliers of energy and
safety, and protection such as fire departments, telecommunication (routing and availability) suppliers, and
water (equipment cooling).

6.1.4 Contact with Interest groups

Control- Appropriate connections should be established with special interest organizations or other forums for
professional security and professional associations.

Implementation Guidance

Membership of community groups or forums should be considered as a way to:

1. Improve skills and keep up to date on appropriate safety details about the best practices;
2. Ensuring an up-to – date and complete understanding of information security;
3. Receive early warnings about threats and vulnerabilities, updates and patches;
4. Enable expert information security advice;
5. Share and exchange information on new technology, products, threats or vulnerabilities;
6. provide correct liaison points for events relevant to information security
Other Information- Information sharing agreements to enhance co-operation and coordination of security
issues can indeed be developed. These agreements will define confidential information security requirements.

Also Read: ISO 27001 Annex: A.5 Information Security Policies

 Information Security Implementation Guide PAGE 47

6.1.5 Information Security in Project Management

Control- Throughout project management, the confidentiality of information should be discussed irrespective
of project type

Implementation Guidance- Information security should be incorporated with the project management
method(s) of the organization to ensure the identification and response to threats in information security as
part of a project. This is commonly applicable to any project irrespective of its purpose, e.g., a core business
process project, IT, facilities management, and other supporting processes.

The methods of project management should consider:

1. The goals of information security are part of the project’s priorities;
2. An early assessment of the information security risk in order to determine appropriate controls are carried
out in the project;
3. Information security is part of all phases of the project methodology;
Information security issues will be discussed and reviewed on a regular basis in all programs. Responsibilities
for information security should be specified and delegated to different roles as specified in project
management methods.

Mobile Devices and Teleworking

Mobile Device Policy

Control- To manage the risks introduced by the use of mobile devices, a policy and supporting safety
measures should be adopted.

Implementation Guidance- Special care should be taken when using mobile devices to ensure that business
information is not compromised. The policy on mobile devices should take into account the risks of working
with mobile devices in unprotected environments.

Mobile device policy should include: -

Registration of mobile devices;

Requirements for physical protection;
Restriction of software installation;
Requirements for mobile device software versions and for applying patches;
Restriction of connection to information services;
Access controls; Cryptographic techniques;
Malware protection;
Remote disabling,
erasure or lockout;
Backups;
Usage of web services and web apps.
Be careful while using mobile devices in public areas like meeting rooms and other not so protected areas.
Preventive measures should be taken to avoid unauthorized access, or disclosure of confidential information
stored and processed by the devices, eg. cryptographic methods and enforcing the use of secret
authentication information
 Information Security Implementation Guide PAGE 48

Mobile devices should also be physically secured against theft, particularly when entering, for example, in
vehicles and other modes of transport, hotel rooms, convention centers, and public gatherings. A chosen
protocol, taking into account the regulatory, insurance, and other security requirements of the organization,
should be defined for cases of theft or loss of mobile devices. Devices containing confidential, sensitive, or
crucial business information should not be ignored and, if possible, should be physically locked away, or
special locks should be used to protect the items.

Training should be provided for workers using mobile devices to increase their understanding of the potential
risks emerging from this method of operating and, thereby, the controls that should be implemented. If the
mobile device policy allows the use of private mobile devices, it will also include the rules and associated
security controls, those are: -

Separate personal and business usage of the devices, including by using software to help the segregation of
personal devices and protect business data;
Providing access to business information only after an end-user agreement has been signed that recognizes
their duties (physical safeguard, software upgrade, etc.) waives control of the company’s business data and
requires remote data wiping by the client for burglary, loss of a device, or no longer authorized to use a
service. The Privacy Legislation must be taken into account in this strategy.
Other Information- Wireless networks for mobile devices are similar to other network connections but have
significant variations to be taken into account in the detection of controls. Those significant variations are as
follows: -

Certain wireless security protocols are immature and have defined weaknesses;
Mobile device storage may not be backed up due to insufficient network bandwidth and even when backup
processing is scheduled, devices may not be connected.
Mobile devices generally share common functions, e.g. networking, internet access, e-mail, and file handling,
with fixed-use devices. Controls in information security for mobile devices typically consist of those
implemented within fixed use systems and those to counter risks raised by their use outside the premises of
the organization.

A.6.2.2 Teleworking

Control- To guard the accessed, processed, or stored information at teleworking sites, a policy and supporting
security measures should be implemented.

Implementation Guidance- Teleworking organizations should issue a policy defining the guidelines for using
teleworking. The following points should be considered where deemed applicable and authorized by law: -

The existing physical security of the teleworking site, taking into account the physical safety of the building
and, consequently, the local environment;
the proposed physical teleworking environment;
Communications security requirements, taking into consideration the need for direct access to the internal
networks of the organization, the sensitivity of the information to be obtained and transmitted via the contact
channel and, thus, the vulnerability of the internal system;
Providing virtual desktop access which prevents information processing and storing on private equipment;
 Information Security Implementation Guide PAGE 49

Risk of unauthorized access to information or resources from other persons using the amenities, e.g. family
and friends.
Usage of home networks, and requirements or limitations on wireless network access configuration;
Policies and procedures for settling conflicts involving property rights built on privately-owned equipment;
Access to private facilities (to test the security of the device or during an investigation) which may be
prohibited by law;
Software License agreements which are such organizations may be responsible on workstations owned
privately by staff and/or external parties for licensing for client software;
Requirements for malware protection and firewall.

Also Read: ISO 27001 Annex: A.6 Organization of Information Security

The guidelines and arrangements should include the following: -

The procurement of suitable teleworking facilities and storage furniture, where the use of private devices not
under the organization’s regulation is not permitted;
A definition of the work allowed, the hours of work, the classification of the information to be stored and
therefore the internal systems and services to which the teleworker is entitled;
Provision of an appropriate communication system, including methods for securing remote access;
Physical security, provision of insurance policies, a requirement of support and maintenance for hardware and
software
Rules and guidance on access to equipment and information for families and visitors;
Monitoring of audit and security,
Backup and business continuity planning
Revocation of authority and service privileges and removal of facilities after termination of teleworking
operations.
Other Information- Telecommunications applies to all working practices, particularly non-traditional work
environments, such as those known as ‘telecom,’ ‘flexible workplace,’ ‘virtual work’ or ‘remote work.’

Communication plays a vital role in personal life as well as in Business operations, standards like ISO 27001
and its sister standard ISO 27002 which provides the guidelines on usages of mobile devices and teleworking,

Human Resource Security

Prior to Employment
ISO 27001 Annex: A.7 Human Resource Security Its object is to make sure both employees and vendors
recognize their duties and are suitable for their positions.

A.7.1.1 Screening
Control- Background verification checks on all job applicants will be performed in compliance with applicable
rules, legislation, and ethics and should be proportionate to business criteria, classification of the information
to be obtained, and potential risks.

Implementation Guidance- All applicable privacy, personal identity information security, and employment-
based policies, should be taken into consideration and should include the following:
 Information Security Implementation Guide PAGE 50

Availability of appropriate references to character, e.g., one business and one personal;
A verification of the applicant’s curriculum vitae (for completeness and correctness);
Verification of asserted professional and academic qualifications;
Independent biometric identification (passport or similar document);
Further thorough checking; such as credit verification or criminal record verification.

If recruiting a private individual for a designated security position, organizations should ensure the following
points: -

Has the expertise needed to carry out the security role;

Whether the candidate can be trusted, especially when the organization’s role is important.
When a position requires a person with access to information processing facilities, either for initial
appointment or promotion, and in especially when they handle sensitive information, such as financial
information or confidential information, the organization should often require further verification.

Procedures should identify requirements and limitations for verification reviews, such as who is eligible for
screening, and how, where, and why verification reviews are performed.

A process of screening for contractors should also be guaranteed. In these situations, the agreement between
the company and thus the contractor will specify the requirements for the screening and notification
protocols to be followed if the screening has not been completed or if the results give rise to doubts or
concerns.

Information on all applicants eligible for positions within the company will be obtained and processed in
compliance with the applicable regulations in the relevant jurisdiction. Taking into account the law in place,
candidates will be notified in advance of the screening activities.

This is where Human Resources plays a crucial role in the organization, beginning with having the right
selection, making them aware of their roles and responsibilities, and in addition, the role of HR comes with
great responsibility and security for the organization.

A.7.1.2 Terms and Conditions of Employment

Control- Contract agreements with employees and contractors would set out their responsibility for
information security, and hence the responsibility of the company.

Implementation Guidance- The contractual responsibilities of employees or contractors should represent the
information security policies of the company in addition to clarifying and stating the following points:-

That and employee and contractor who has access to sensitive information will sign a confidentiality or non-
disclosure agreement before access to information processing facilities is granted;
Legal responsibilities and rights of the employee or contractor, e.g. copyright or data protection legislation;
Responsibilities for classifying information and handling organizational assets related to information,
information processing and information services managed by the employee or contractor;
 Information Security Implementation Guide PAGE 51

Employee or contractor’s responsibilities in the handling of information received from other companies or
from outside parties;
Actions to be taken where the employee or contractor fails to comply with the security requirements of the
organization.
Roles and responsibilities in information security should be communicated to job applicants during the pre-
employment process.

The organization should see to it that the terms and conditions of information security are agreed by the
employees and the contractor as appropriate for the nature and scope of their access to information systems
and services assets of the organization.

Responsibilities under the terms and conditions of employment should, where appropriate, continue for a
defined period after the termination of employment.

Other Information- The Code of Conduct can be used to set out the information responsibilities of the
employee or contractor with respect to confidentiality, data security, ethics, proper use of the organization’s
equipment and facilities, as well as the responsible practices required by the organization. An external party to
which the contractor is associated may be expected to enter into contractual agreements on behalf of the
contracted person.

During Employment

ISO 27001 Annex: A.7.2 During Employment Its objective is to make sure that employees and contractors are
conscious of and fulfill their information security responsibilities.

A.7.2.1 Management Responsibilities

Control- Management should mandate all employees and contractors to exercise information security in
accordance with established policies and procedures set by the organization.

Implementation Guidance- Responsibilities for management should include ensuring employees and
contractors are:

Are adequately briefed about information security role and responsibilities before given access to confidential
information or information systems;
Shall provide proper guidelines stating the information security expectations from their roles in the
organization.
Motivated to comply with the organization’s information security policies;
Achieving the level of information security awareness relevant to their organizational positions and
responsibilities;
comply with the terms and conditions of employment, including the information security policy of the
organization and the relevant working methods;
Seek to have relevant qualifications and expertise, and are regularly trained;
An anonymous reporting platform is provided to report breaches of information security policies or
procedures (“whistleblowing”). Management should demonstrate, and serve as a role model for, information
security policies, procedures, and controls.
 Information Security Implementation Guide PAGE 52

Other Information- If employees and contractors are not made aware of their responsibility for information
security, they may cause significant damage to the organization. Motivated personnel are likely to be more
professional and trigger fewer accidents related to information security.

Poor management can cause staff to feel undervalued, resulting in a negative impact on the organization’s
information security. Poor management, for example, can lead to neglecting information security or, potential
misuse of the assets of an organization.

A.7.2.2 Information Security Awareness, Education and Training

Control- All company workers and, where necessary, contractors will receive adequate awareness education
and training, as well as daily updates on organizational policies and procedures, as applicable to their job
function.

Implementation Guidance- An information security awareness program will strive to make workers and,
where appropriate, contractors aware of their information security responsibilities and the instances where
those responsibilities will be discharged.

In line with the information security policies and related procedures of the organization, and, information
security awareness plan should be introduced, taking into account the information to be protected of the
organization and the controls to be carried out to guard the information. The awareness plan will include a
range of awareness-raising events, such as promotions and booklet issuance or newsletter launches.

The awareness program should be organized in the context of the roles of the employees in the organization
and, if necessary, the expected awareness of contractors. the activities in the awareness program, ideally
annually, will be scheduled over time so that new workers and contractors can be identified and replicated.
The awareness program should also be frequently updated so that it conforms to the organizational policies
and procedures and draws on lessons learned from events in the area of information security.

Awareness training should be carried out as required by the information security awareness program of the
organization. Awareness training may take advantage of multiple distribution platforms, including classroom-
based, distance learning, web-based, self-paced, and others.

Information security training and curriculum will also cover key aspects such as:

– To state the commitment of management to information security across the organization;

– The need to become familiar with the relevant rules and regulations on information security, as specified in
policies, guidelines, laws, regulations, contracts, and agreements;
– Personal accountability of own acts and inactions and overall responsibility for securing or protecting
organizational and external information;
– Basic procedures (e.g., reporting of security incidents) and baseline controls (e.g. password security,
malware controls and clear desks);
– Contact points and tools for additional knowledge and guidance on information security issues, including
more information security awareness and training materials.
 Information Security Implementation Guide PAGE 53

Information security awareness and training should take place on a regular basis. Initial education and training
refer to those who transition to new positions or roles with significantly different information security criteria,
not just to new beginnings, but should take place before the role is active.

In order to implement education and training efficiently, the organization must establish an education and
training program. The plan will be consistent with the information security policies and procedures of the
organization, taking into account the information to be protected and the safeguards that have been
implemented in place to protect the information. The curriculum should consider various forms of education
and preparation, e.g., seminars or self-study.

Other Information- When designing an awareness plan, it is important not only to concentrate on ‘what’ and
‘how,’ but also on ‘why.’ It is crucial for employees to understand the purpose of information security and the
possible positive and negative effects on the organization from their own behavior.

Awareness, training, and awareness can be part of other training programs, such as general IT or general
security training, or in collaboration with them. Awareness, education, and training programs should be
necessary and suitable for the duties, responsibilities, and skills of the person.

At the conclusion of an awareness, education, and training course for testing knowledge transfer, and
evaluation of employee comprehension may be carried out.

Also Read: ISO 27001 Annex: A.7 Human Resource Security

A.7.2.3 Disciplinary Process

Control- A formal and informed administrative process will be in place to take action against employees who
have committed an information security breach.

Implementation Guidance- Legal proceedings should not be conducted without prior verification that an
information security violation has occurred.

The systematic disciplinary process will ensure correct and fair treatment for employees suspected of
breaching information security. The standard disciplinary process will allow for a graduated response that
takes into account factors such as the extent and severity of the violation and its effect on business, whether
or not it is either a primary or repeat incident, whether or not the perpetrator was adequately educated,
applicable regulations, business contracts and other factors as appropriate.

The disciplinary method can also be seen as a barrier to prevent employees from breaching the information
security policies and procedures of the organization and other violations of information security. Deliberate
infringements may require immediate action.

Other Information-The disciplinary process can also become a motivation or encouragement if appropriate
measures are defined for extraordinary actions with regard to information security.

Termination and Change of Employment

 Information Security Implementation Guide PAGE 54

Termination and Change of Employment Its objective is to safeguard the interests of the organization as part
of the adjustment or termination of employment.

A.7.3.1 Termination or change of Employment Responsibilities

Control- Responsibility and information security requirements that continue to be valid following termination
or change of employment must be defined, communicated to, and implemented by the employee or
contractor.

Implementation Guidance- Communication of termination duties may include on-going information security
requirements and legal responsibilities and, as applicable, the duties found in the confidentiality arrangement
and the terms and conditions of employment to be maintained for a specified time following the termination
of the job of the employee or contractor.

Responsibilities and duties still valid after termination must be included in the terms and conditions of
employment of the employee/contractor.

As a termination of existing responsibility or employment combined with additional duties, changes of

responsibility or employment should be managed.

Other Information- The human resource function is generally responsible for the overall termination process
and works with the supervisor to manage the safety measures of the relevant procedures. This termination
process is carried out by an external party in compliance with the arrangement between the organization and
the external party in the event of a contractor appointed by an external party. Changes in personnel and
operating arrangements may be required to inform employees, clients, and contractors.

Asset Management

Responsibility for Assets

ISO 27001 Annex: A.8 Asset Management Its objective is to identify and establish acceptable security
responsibilities for the organization’s assets.

A.8.1.1 Inventory of Assets

Control- Assets related to information and information facilities of an organization should be identified and
listed, inventory of these assets should also be maintained.

Implementation Guidance- An organization will identify important assets in the information lifecycle, and
document their importance. The life-cycle of information should include creation, processing, storage,
transmission, deletion, and destruction. Documentation of specific or current inventories should be
maintained, as per need.

The inventory of assets should be accurate, up to date, compatible, and matched with other inventories. The
ownership of the asset should be allocated to each of the specified assets and the classification should be
specified.
 Information Security Implementation Guide PAGE 55

Other Information- Asset inventories help to ensure adequate protection for certain purposes such as safety
and health, insurance, or financial (asset management) reasons. This may also be achieved for other required
factors.

As with humans, life is their greatest asset, similarly, the organization too have its assets. when you keep
yourself safe and stable, you live longer, in the same way, if the company keeps its assets protected, its
reputation and success on the market lasts longer.

For a healthy business, identifying the assets, making an inventory of the assets, and assigning an owner to the
assets is important. The guidelines for and the implementation of these Asset Management Guidelines are
provided in Annex A.8.

A.8.1.2 Ownership of Assets

Control- Assets in the inventory should have their owners (Asset-owner)

Implementation Guidance- Individuals who qualify as asset owners are management authorized and are
responsible for the asset whole throughout its life cycle.

A process is usually enforced to make sure timely assigning of asset ownership. Ownership should be allocated
when creating assets or transferring assets to the organization. The owner of the asset should adequately
manage the asset over the entire asset life cycle.

Responsibilities of the asset owner are as follows: -

– Ensuring the proper inventory of the assets

– Ensuring proper classification and security of the assets

– Defines and regularly updating access constraints and classifying important assets taking into consideration
the existing access management policies;

– Ensuring proper management of assets when they are deleted or destroyed

Other Information- The defined owner may be either a person or an entity that has authorized management
control over an asset’s entire lifecycle. The defined owner doesn’t necessarily have ownership rights to the
assets.

Routine duties may also be assigned, for example to a custodian who takes care of the properties on a day-to-
day basis, but the responsibility remains with the owner.

It can be helpful to identify groups of assets that function together to provide a specific service for complex
information systems. In this situation, the owner is responsible for the delivery of the service, including its
asset operation.
 Information Security Implementation Guide PAGE 56

Acceptable Use of Assets & Return of Assets

Acceptable Use of Assets & A.8.1.4 Return of Assets this is a part of assets management previous article was
based on same which is continue in this article.

A.8.1.3 Acceptable Use of Assets

Control- Rules should be identified, documented, and implemented for the acceptable use of information and
assets linked to information and information processing facilities.

Implementation Guidance- The information security requirements of the organization’s assets along with
information and information processing facilities and resources should be made aware to employees and
external users who use or have access to the company’s assets. They will be responsible for their use and all
other usage carried out on their own responsibility, of any information processing services.

A.8.1.4 Return of Assets

Control- Both workers and external stakeholders must return all of the organizational assets in their
possession upon termination of their job, contract or agreement

Implementation Guidance- The termination process must be legally concluded with the return of all tangible
and electronic assets previously assigned owned or entrusted to the organization.

When an employee or external user buys the equipment of the company or uses his / her own personal
equipment, it is important to follow protocols to ensure that all relevant information is transmitted to the
company and safely removed from the equipment.

In situations where an employee or external user is aware that this information is necessary for ongoing
operations, it should be reported and transmitted to the organization. During the notice period of termination,
unauthorized copying of sensitive information (e.g., intellectual property) by terminated workers and
contractors should be monitored by the company.

Information Classification

Information Classification Its objective is to ensure that the information is properly secured, in accordance
with its significance to the organization.

A.8.2.1 Classification of Information

Control- Information should be classification the basis of their legal provisions, criticality, and vulnerability to
unwanted release or alteration

Implementation Guidance- Classifications and associated information security measures will also include
regulatory standards, which take into account market demands for information sharing or restriction. Assets
other than information may also be classified according to the information classification stored, processed,
otherwise handled or protected by the asset. Information asset owners would be responsible for their
classification.
 Information Security Implementation Guide PAGE 57

The classification system will include classification standards, as well as classification analysis guidelines over
time. The level of security found in the system will be determined by evaluating confidentiality, integrity and
availability, and all other information specifications under consideration. The scheme should be aligned with
policy on access control

The scheme will be consistent with the policy on access management. Each level should be given a name
which makes sense for the application of the classification scheme. The scheme should be consistent across
the organization to ensure that everyone classifies information and related assets in the same way, has a
common understanding of the security standards, and applies appropriate protection.

Classification should be part of the organization ‘s processes and be consistent across the organization.
Classification results may highlight the importance of assets, depending on their sensitivity and their criticality
to the organization, e.g., in terms of confidentiality, integrity, and availability. Classification findings should be
revised to reflect changes in their importance, responsiveness, and criticality during their life-cycle.

Other Information- Classification offers a concise summary of how to manage and secure knowledge for those
who deal with it. This is facilitated by establishing information groups with similar protection needs and
defining information security procedures that apply to all or some of the information in each group. This
approach eliminates the need for case-by-case risk assessment, as well as personalized control design.

Information can cease to be sensitive or critical after a certain duration of the time, when the information is
made public, for example. These aspects should be taken into account, as over-classification may result in the
implementation of unnecessary controls resulting in additional expenditure or, on the contrary, under-
classification may threaten the achievement of business goals.

Labeling of Information & Handling of Assets

Labeling of Information & A.8.2.3 Handling of Assets is based on ISO in this article these two topics has been
explained.

A.8.2.2 Labeling of Information

Control- A.8.2.2 Labeling of Information In accordance with the information classification scheme adopted by
the organization an adequate set of methods for labeling information should be established and implemented.

Implementation Guidance- Information labeling procedures need to cover information in physical and
electronic formats and its related assets. The labeling will represent A.8.2.1 defined classification scheme. The
labels are to be clearly identifiable. The protocols will provide instructions on where and how labels are
applied taking into account whether the information is obtained or the assets are managed based on media
forms. The procedures that identify situations where labeling is absent, e.g. non-confidential information
labeling to scale back workloads. Employees and contractors should be made aware of the procedures for
labeling.
An appropriate classification label should be included in the output from the system containing information
classified as sensitive or critical.
 Information Security Implementation Guide PAGE 58

Other Information- Classified information labeling is an essential prerequisite for agreements for information
sharing. The common labeling form is physical labels and metadata.
Information labeling and associated assets can sometimes be detrimental. Subject to classified assets, insider
assets or external attackers are easier to identify and steal.

A.8.2.3 Handling of Assets

Control- A.8.2.3 Handling of Assets Procedures for the handling of assets in accordance with the organization
‘s information classification scheme should be developed and implemented.

Implementation Guidance- Procedures should be developed for the handling, processing, storing, and
communication of classified information.

The following points should be taken into consideration: -

– Access restrictions that support the security standards for each classification level;

– Maintaining a formal record of the approved recipients of the assets;

– Security to a level consistent with the security of the original information for temporary or permanent copies
of information;

– IT asset storage as specified by the manufacturer;

– Clear marking for the authorized recipient of all copies of the media.

The scheme for classification used in the organization, even if the classification levels are similar, may not
equate to the schemes employed by other organizations; in addition, information moving across organizations
can vary according to their contexts, even if their classification schemes are equal.
Accords with other organizations that include sharing information should include methods of classifying that
information and interpreting other organizations’ classifications labels.

Media Handling

Media Handling Its objective is to Stop unauthorized release, alteration, deletion, or destruction of
information contained in the media.

A.8.3.1 Management of Removable Media

Control- Procedures shall be implemented for the management of removable media in accordance with the
classification scheme adopted by the organization.

Implementation Guidance- The following guidelines should be considered for the management of removable
media:
 Information Security Implementation Guide PAGE 59

If not needed, the contents of any reusable media that are to be removed from the organization should be
made unrecoverable;
Where applicable and practicable, authorization should be needed for the removal of media from the
company and a record of these removals should be maintained in order to preserve the audit trail;
In compliance with manufacturers’ standards, all media should be kept in a secure and safe environment;
Where confidentiality or integrity of data is important, cryptographic techniques for securing data on
removable media must be used;
In order to minimize the possibility of media loss when storage data is still needed, the data should be moved
to fresh media before being unreadable;
Multiple copies of important data should be stored in different media to further reduce the possibility of
accidental data damage or loss;
Registration of removable media should be taken into account to limit the possibility of data loss;
Removable media drives should only be allowed if there is a business purpose to do so;
Where there is a requirement for the use of disposable media, the movement of data to such media will be
supervised.
Where there is a need to use disposable media, the transition of data to such devices will be monitored.
Procedures and levels of approval will be reported.

A.8.3.2 Disposal of Media

Control- When not required by specific protocols, media should be disposed of securely.

Implementation Guidance- Formal protocols for the secure disposal of media should be established to reduce
the possibility of leakage of sensitive information to unauthorized persons. The protocols for the secure
processing of sensitive information media should be proportionate to the sensitivity of that material.

Following should be taken into account: -

Confidential media should be processed and disposed of safely through, e.g. by incineration or shredding, or
data erasure for use by another application within an organization.
Procedures should be in place to identify the items that could need safe disposal
Instead of trying to isolate important objects, it could be better to plan to safely collect and dispose of all
media items;
Many organizations offer media collection and disposal services; care must be taken to select a suitable
external party with adequate controls and experience;
In order to maintain an audit trail, the disposal of confidential items will be logged.
The aggregation effect should be taken into account when collecting media for disposal, and a large number of
sensitive information can become vulnerable.

Other Information- Damaged devices containing sensitive data can require a risk assessment to evaluate the
physical loss of objects instead of being sent to them for repair or discharge.

Also Read: ISO 27001 Annex: A.8.2.2 Labeling of Information & A.8.2.3 Handling of Assets

A.8.3.3 Physical Media Transfer

 Information Security Implementation Guide PAGE 60

Control- Information media should be protected from unauthorized access, misuse or corruption during
transportation.

Implementation Guidance- For the safety of media containing information transported, the following
guidelines should be considered:

Reliable transport or the use of couriers;

Management should agree on a list of authorized couriers;
procedures should be established for verifying courier identification;
Packaging should probably be sufficient to safeguard the content from any physical damage likely to occur
during transit and to protect the content against environmental factors such as exposure to heat, humidity, or
electromagnetic fields which could reduce media recovering efficiency.
Logs should be maintained, the content of the media should be established, the security applied, and times of
transfer to custodians and reception should be reported at the destination.
Other Information- Information may be vulnerable to unauthorized access, misuse or corruption during
physical transport, e.g. when sending the media by mail or courier. The media include paper documents in this
control. When confidential information on the media is not encrypted, additional physical protection of the
media should be considered.

Access Control

Business Requirements of Access Control

ISO 27001 Annex: A.9 Access Control Its Objective is limiting the access to information and information
processing facilities.

A.9.1.1 Access Control Policy

Control- An access control policy with supporting business and information security requirements should be
established, documented, and reviewed.

Implementation Guidance- Asset owners should lay down appropriate rules for access control, access rights,
and limits on particular user roles to their assets, with the level of info and the strictness of controls
representing the related information security risks. Access controls are both logical as well as practical, so they
should be taken together. Users and service providers should be provided with a clear, transparent statement
of the business requirements that access controls should meet.

The inbox is always open in my brain, and anyone can get in any time and access me. Turning it off is taking
back control. I decide who gets in. It’s about privacy, having a self.
-Jill Soloway

The policy should take note of:

Security requirements applied to business applications;
Information dissemination and authorization procedures, e.g., the need-to-know concept and extent of
information access and information classification;
Consistency between access rights and policies on the classification of information systems and networks;
related legislation and other contractual obligations pertaining to information or information access controls;
 Information Security Implementation Guide PAGE 61

Access rights management in distributed and networked environments which recognizes the kinds of available
connections;
Segregation of access management functions, e.g., access request, access authorization, access
administration;
formal authorization requirements for access applications;
Requirements for periodic review of the rights to access;
Removing access rights
Archiving details of all important incidents relating to the use and management of user identity and secret
authentication information;
Organization’s role with privileged access.

Other Information- When defining rules on access control, care needs to be taken to understand the following
implications:

Establishing rules underpinned by the principle “Everything is generally prohibited unless expressly
authorized” rather than the weaker rule “Everything is generally permitted unless expressly prohibited”;
Changes to information labels automatically introduced by information processing facilities and those
implemented at the user’s discretion;
User authorization changes that are automatically initiated by an administrator and the information system;
Rules requiring specific prior approval and those without approval
Regulations on access control should be assisted by defined and structured procedures.
Access management based on responsibilities is a method that many organizations have successfully used in
relating access rights to business roles.
Also Read: ISO 27001 Annex: A.8.3 Media Handling

In the guidelines of access control policy, two of the common principles are:
Need-to-know: only the information you need to execute your tasks is accessible to you (specific tasks/roles
mean different needs-to-know and therefore different access profiles);
Need-to-use: you grant access to information processing facilities (IT software, programs, protocols, rooms)
that you would need to execute your task/job/role.
In order to keep the organization’s assets (IT, software, programs, and protocols) safe, certain access controls
are required to prevent unauthorized users from accessing your assets. The criteria for access management,
access rights, and limitations of specific user roles on their assets are being defined in Annex 9 of Standard
27002.

Access to Networks and Network Services

Control- ISO 27001 Annex: A.9.1.2 Access to Networks and Network Services Only network and network
facilities which have expressly been approved for use will be made available to users.

Implementation Guidance- A policy on the use of networks and network policy should be developed.
Following points should be covered in this policy:

networks and network infrastructure to which access is permitted;

 Information Security Implementation Guide PAGE 62

Authorization procedures for determining who is permitted to access which networks and Networking
services;
Management processes and policies for securing access to network interfaces and network services;
the medium for networking and network services (for example, using VPN or wireless network);
Access to various network services requires user authentication;
Network service usage monitoring.
The network services policy should comply with the access control policy of the organization.

Other information- Unauthorized and insecure network connections will impact the entire organization. Such
monitoring is especially essential for network connections to sensitive or vital business applications or users in
high-risk environments, e.g. public or external areas beyond the management and control of information
security of an organization.
In order to keep the organization’s assets (including network and networking services) safe, certain access
controls are required to prevent unauthorized users from accessing your network. The guidelines that policy
for access management, access rights, and limitations of specific user roles on the network are being defined
in Annex 9.1.2 of Standard 27002.

User Access Management

User Access Management Its objective is to ensure approved user access and avoid unauthorized access to
systems and facilities.

A.9.2.1 User registration and de-registration

Control- In order to allow the assignment of access rights, a systematic process of user registration and de-
registration should be enforced.

Implementation Guidance- The process to manage user IDs should include:

Use unique user IDs to encourage users to be connected to and hold accountable for their actions; use of
shared IDs should only be permitted where they are required for business or operational purposes and should
be authorized and documented.
Immediately disable or delete user IDs of people that have left the organization.
Identifying and deleting or disabling redundant user IDs on a periodically
Making sure that other users do not receive redundant UIs.

Other information- The provision or revocation of access to information or information processing facilities is
typically a two-step procedure:

1) Assign, allow, or revoke a user identity;

2) Providing or revoking the privilege of access to certain user ID;

In order to keep the organization’s assets safe, we should design certain policies for access controls and
prevent unauthorized users from accessing our organization. User Access management is one of the main
access controls that should be in place so to keep up with the confidentiality, availability, and integrity. The
 Information Security Implementation Guide PAGE 63

guidelines for the policy of User Access Management, Unique User IDs, User Authorization, access rights, and
limitations of specific user roles are being defined in Annex 9.2. of Standard 27002.

Also Read: ISO 27001 Annex: A.9.1.2 Access to Networks and Network Services

A.9.2.2 User Access Provisioning

Control- A formal process for granting access to users should be put in place to grant or remove access
privileges for all categories of users to all systems and services.

Implementation Guidance- The process for granting or revoking access rights granted to user IDs should
include:

Approval from the Information System Owner or the Service User Authorization; separate approval by
management of the Access Rights may also be advisable;
Verify, in line with other criteria such as the segregation of duties, that the level of access given is sufficient for
access policies;
Ensuring that access privileges (e.g., by service providers) are not enabled prior to the completion of
authorization procedures;
Maintaining a central database of access privileges given to a user ID for accessing information systems and
services;
Adapt users’ access rights who have changed their roles or jobs, restrict or block privileged access
automatically by users who left the organization;
Reviewing access privileges with owners of information systems or facilities periodically
Other Information- The establishment of user access roles based on organizational criteria should be taken
into account, which summarizes the number of access privileges in typical user access profiles. Access requests
and reviews at the level of these positions are easier to handle than at the level of individual privileges.
Consideration should be given to incorporating clauses into contracts for personnel and service that define
sanctions if personnel or contractors attempt unauthorized access.

Review of User Access Rights & Removal or Adjustment of Access Rights

Review of User Access Rights & A.9.2.6 Removal or Adjustment of Access Rights these two topics has been
explained.

A.9.2.5 Review of User Access Rights

Control- Access rights of users should be reviewed regularly by asset owners.

Implementation Guidance- The following should be considered while reviewing the access rights:-

Access rights of users should be reviewed at regular intervals and after any changes, such as promotion,
demotion or job termination;
User access rights for moving from one role to another within the same organization should be reviewed and
re-allocated;
The privileged access rights authorizations should be reviewed frequently
 Information Security Implementation Guide PAGE 64

The allocation of access rights should be regularly reviewed to ensure that unauthorized privileges are not
obtained;
Regular reviews should be registered for changes to privileged accounts.
Other Information- This control probably accounts for potential weaknesses in the execution of the 9.2.1,
9.2.2 and 9.2.6 controls.

A.9.2.6 Removal or Adjustment of Access Rights

Control- Access rights of all employees and external users to information and information processing facilities
should be waived upon termination of jobs, contract or agreement, or changed upon adjustment.

Implementation Guidance- Upon termination, an individual’s access rights to information and assets
associated with the facilities and services for information processing should be removed or suspended.
Whether access rights should be removed will be determined. Changes in employment should be reflected in
removing all access rights which have not been approved for the new job. The access rights which should be
removed or adjusted include the physical and logical access rights. The removal or adjustment of keys,
identification cards, information processing facilities, or subscriptions may be done by removal, revocation, or
replacement. Any documentation identifying employees and contractors’ access rights should reflect removal
or adjustment of access rights. If a departing employee or external user has identified passwords that are still
active for user IDs, these should be updated after termination or change of job, contract, or agreement.

Also Read: ISO 27001 Annex: A.9.2.3 Management of Privileged Access Rights & A.9.2.4 Management of Secret
Authentication Information of Users

Access rights for information and assets related to information processing facilities should be restricted or
withdrawn before the termination or change of jobs, based on the following risk factors:

Whether termination or alteration is initiated by the employee, external user or management team, and the
reason for termination;
Current responsibilities of client, external user or some other user;
Price of currently available assets.

In the current era, it’s always advisable to limit and control access privileges. For an organization, it’s really
important that its information assets and accessibility to those assets should always be protected. There
should exist Access rights to particular users and should be reviewed regularly. Annex 9.2 covers the guidelines
and implementation of controls to safeguard data getting accessed by unauthorized users or to users who are
departed from the organization.

Other Information- Access rights can be divided under some circumstances on the grounds that more people
are eligible than the leaving employee or external user, e.g. group IDs. In these cases, departing individuals
should be excluded from all group access lists, and arrangements should be made to warn all other employees
and external party users concerned not to share this information with the departing person.
 Information Security Implementation Guide PAGE 65

In the event of terminations initiated by management, disgruntled employees or external users can
deliberately corrupt information or sabotage information processing facilities. In situations where employees
resign or are fired, they can be tempted to collect information for potential use.

User Responsibilities

User Responsibilities Its objective is the Responsibility of users for safeguarding their authentication
information.

A.9.3.1 Use of Secret Authentication Information

Control- Use of secret authentication information should be allowed for users to follow the organization’s
practices.

Implementation Guidance- It is recommended that all users:

Maintain confidential information on secure authentication to ensure that it is not leaked to the other parties,
including people of authority;
Avoid maintaining a record of confidential authentication details (e.g. on a document, software file or mobile
device) unless it can be stored safely and the storage system (e.g., password vault) has been approved;
Change details regarding secret authentication where potential vulnerability signs exist;
When passwords are used as secret authentication information, select quality passwords with a minimum
length of:
– It’s easy to remember;
– Will not endorse something that anyone else might easily guess or access using personal details, e.g., names,
phone numbers, dates of birth, etc.;
– Not susceptible to dictionary attacks (i.e., don’t contain words included in dictionaries);
– Free of identical, all-numeric or all-alphabetical characters consecutively;
– If temporary, change the first time you log on;
Do not disclose information about secret authentication of individual users;
Ensure proper password security when passwords are used in automated log-on procedures and stored as
hidden authentication information;
Do not use the same information regarding secret authentication for business or non-business purposes.

Other Information- Providing Single Sign On (SSO) or other secret information management tools for
authentication reduces the amount of secret authentication information that users need to protect, and can
thus increase the effectiveness of this control. But these tools can also increase the impact of disclosure of
information about secret authentication.
 Information Security Implementation Guide PAGE 66

Similarly, the Organization’s also aims of keeping its confidential information safe and in proper security.
There are various roles in the organization and every user has its access rights, after the segregation of roles
and access rights, now it’s the duty of the users to keep their credentials, information and assets of the
organization safe, where we see, keeping password is most common way for securing any information, those
passwords should be of better quality. Annex 9.3 talks about the Responsibility of users for safeguarding their
authentication information.

System and Application Access Control

System and Application Access Control Its objective is to put a stop to unauthorized access to systems and
applications.

A.9.4.1 Information Access Restriction

Control- Access to information and application system functions should be limited in compliance with the
policy on access control.

Implementation Guidance- Access controls should be based on individual requirements for business
applications and in compliance with a specified access control policy.

In order to meet access restriction criteria, the following should be considered: -

Provide menus for controlling access to application system functions;

Controlling which data, a particular user can access;
Control user access permission, e.g., read, write, delete, and execute;
Control of the access permission to other applications;
Restrict the information contained in the outputs;
Physical or logical access controls for sensitive applications, application data, or systems isolation.

A.9.4.2 Secure Log-on Procedures

Control- Access to systems and applications should be controlled by a secure log-on procedure when required
by the Access Control Policy.

Implementation Guidance- To validate the user’s claimed identity, an effective authentication technique
should be used Authentication alternative to passwords, like cryptographic means, smart cards, tokens, or bio-
metric methods, should be used where good authentication and identity verification is called for.

The process for logging into a system or application should be configured to reduce the risk of unauthorized
access. Accordingly, the login process should reveal a minimum information about the system or the
application in order to avoid giving any unnecessary assistance to an unauthorized person. The following will
provide a strong log-on procedure:
 Information Security Implementation Guide PAGE 67

Do not display system or application identifiers until the log-in phase has been successfully completed;
Show a general alert warning that only approved users should have access to the computer;
Do not provide support messages during the login process that would benefit an unauthorized user;
Validate log-on information only after completion of all input data. When an error occurs, the system should
not indicate which part of the data is right or simply wrong;
Protect from brute force log-in attempts;
Record the successful and unsuccessful attempts;
Raise a security event when potential log-on control violation or active infringement is detected;
Display the following information when a successful login is completed:
– Date and time of the previous successful login;
– Details of any failed log-in attempts after the last successful log-in;
Do not display a password that is entered;
Stop inactive sessions after a given period of inactivity, especially in high-risk locations such as public or
external areas outside security management of the organization or on mobile devices;
Restrict connection times for high-risk applications to provide enhanced protection and reduce the
opportunity window for unauthorized access.
Other Information- Passwords are a simple way to recognize and authenticate based on a secret only known
by the user. Cryptographic means and authentication protocols are also possible to accomplish the same. The
strength of authentication of the user should be appropriate for the classification of the information to be
accessed.

If the passwords are transmitted in clear text during the login session over the network, the network “sniffer”
program can be used to capture them.

Also Read: ISO 27001 Annex: A.9.3 User Responsibilities

A.9.4.3 Password Management System

Control- Password management systems should be cooperative to ensure the quality of the passwords.

Implementation Guidance- The following points should be taken into account in a password management
system:

Impose the use of individual user IDs and passwords in order to ensure accountability;
Enable users to select and update their own passwords and provide a validation process to enable input
errors;
1. Enforce the selection of quality passwords;
2. Force users to update their passwords at the first login;
3. Enforce regular and, if necessary, make changes to your password;
4. Keep a list of previously used passwords and avoid re-use;
5. Do not display the passwords on the screen when you enter them;
6. Store password files separately from data on the application system;
7. Protected storing and transmission of passwords.
 Information Security Implementation Guide PAGE 68

Similarly, the Organization also aims of keeping its confidential information safe and in proper security. There
are various roles in the organization and every user has its access rights, after the segregation of roles and
access rights, now it’s the duty of the users to keep their credentials, information and assets of the
organization safe, where we see, keeping password is most common way for securing any information, those
passwords should be of better quality.

Other Information- Many systems allow an independent authority to grant user passwords. Points (2), (4 ), and
( 5) in these circumstances are not applicable in these guidelines .. Users must select and maintain the
passwords in most situations.

Use of Privileged Utility Programs & Access Control to Program Source Code

Use of Privileged Utility Programs & A.9.4.5 Access Control to Program Source Code this two topics are
explain.

A.9.4.4 Use of Privileged Utility Programs

Control- The use of utility programs that could bypass system and application controls should be limited and
tightly controlled.

Implementation Guidance- The following guidelines should be taken into account when using utility programs
that could override system and application controls:

the use of procedures for identification, authentication, and authorization of utility programs;
Segregation of the utility programs from software applications;
Limiting the availability of utility services to the minimum practicable number of reliable, authorized users
(refer to 9.2.3);
Approval for the ad hoc use of utility programs;
Limiting the availability of utilities, e.g., for the time of the approved amendment;
Logging the use of utility programs;
Definition and documentation of levels of authorization for utility programs;
Deletion or disabling of all unused utilities;
Not allowing utility programs accessible to users accessing applications on systems requiring segregation of
duties.
Other Information- Most computer installations have one or more utility programs that can bypass application
controls and systems.

A.9.4.5 Access Control to Program Source Code

Control- Access should be limited to the source code of the program.

Implementation Guidance- To prevent the introduction of unauthorized functionality and to avoid unintended
changes, and to maintain the confidentiality of valuable intellectual property, it is necessary to strictly control
access to source code and related items (such as designs, specifications, verification plans, and validation
 Information Security Implementation Guide PAGE 69

plans). For program source code, this can be achieved by controlling the central storage of such code,
preferably in program source libraries. In order to minimize the potential for misuse of computer applications,
the following guidelines will then be considered to control access to these source libraries:

Where appropriate, software source libraries should not be kept in operating systems;
The source code of the program and the source library of the program should be administered according to
procedures;
Support staff should have restricted access to program source libraries;
The updating of program source libraries and related objects, and therefore the issuing of software sources to
programmers, should be carried out only after sufficient authorization has been received;
The program listings should be stored in a safe environment;
The audit log of all accesses to program source libraries should be maintained;
Strict change control procedures may refer to the management and copying of software source libraries.
If the source code of the program is to be published, additional controls (e.g., digital signature) should be
taken into account to ensure its integrity.

Also Read: ISO 27001 Annex: A.9.4 System and Application Access Control

The Organization aims to keep its confidential information, which also includes codes for the program source,
secure. Also, it should be restricted and tightly regulated to utilities that can circumvent the system and
application controls. Annexes 9.4.4 & 9.4.5 discuss the application restriction and storing the source codes in a
secure environment.

Use of Privileged Utility Programs & Access Control to Program Source Code

Use of Privileged Utility Programs & A.9.4.5 Access Control to Program Source Code this two topics are
explain.

A.9.4.4 Use of Privileged Utility Programs

Control- The use of utility programs that could bypass system and application controls should be limited and
tightly controlled.

Implementation Guidance- The following guidelines should be taken into account when using utility programs
that could override system and application controls:

the use of procedures for identification, authentication, and authorization of utility programs;
Segregation of the utility programs from software applications;
Limiting the availability of utility services to the minimum practicable number of reliable, authorized users
(refer to 9.2.3);
Approval for the ad hoc use of utility programs;
Limiting the availability of utilities, e.g. for the time of the approved amendment;
Logging the use of utility programs;
Definition and documentation of levels of authorization for utility programs;
Deletion or disabling of all unused utilities;
Not allowing utility programs accessible to users accessing applications on systems requiring segregation of
duties.
 Information Security Implementation Guide PAGE 70

Other Information- Most computer installations have one or more utility programs that can bypass application
controls and systems.

A.9.4.5 Access Control to Program Source Code

Control- Access should be limited to the source code of the program.

Implementation Guidance- To prevent the introduction of unauthorized functionality and to avoid unintended
changes, and to maintain the confidentiality of valuable intellectual property, it is necessary to strictly control
access to source code and related items (such as designs, specifications, verification plans, and validation
plans). For program source code, this can be achieved by controlling the central storage of such code,
preferably in program source libraries. In order to minimize the potential for misuse of computer applications,
the following guidelines will then be considered to control access to these source libraries:

Where appropriate, software source libraries should not be kept in operating systems;
The source code of the program and the source library of the program should be administered according to
procedures;
Support staff should have restricted access to program source libraries;
The updating of program source libraries and related objects, and therefore the issuing of software sources to
programmers, should be carried out only after sufficient authorization has been received;
The program listings should be stored in a safe environment;
The audit log of all accesses to program source libraries should be maintained;
Strict change control procedures may refer to the management and copying of software source libraries.
If the source code of the program is to be published, additional controls (e.g. digital signature) should be taken
into account to ensure its integrity.

Cryptography

Cryptography in this article explaining Cryptographic controls, Policy on the Utilization of Cryptographic
Controls & Key Management.

A.10.1 Cryptographic controls

Its objective is to ensure the proper and efficient use of cryptography to protect the confidentiality,
authenticity and/or integrity of the information.

A.10.1.1 Policy on the Utilization of Cryptographic Controls

 Information Security Implementation Guide PAGE 71

Control- A policy on the use of cryptographic controls to secure information should be developed and
enforced.

Implementation Guidance- The following should be considered when designing a cryptographic policy:

A management guide to the use of cryptographic controls across the organization, including the general
principles by which business information should be protected;
Based on the risk assessment, the necessary level of security should be calculated taking into account the
type, strength, and quality of the encryption algorithm necessary;
Usage of encryption to secure information transported by mobile or portable media devices or through
communication lines;
Approach to key management, including strategies for coping with the security of cryptographic keys and the
recovery of encrypted information in the event of missing, corrupted or damaged keys;
Roles and responsibilities, e.g. for who is responsible for whom
– Implementing policy
– key management including quality generation;
The standards to be followed in the organization for successful implementation (which solution for which
business processes are used);
The effect of encrypted information on controls that rely on content validation (e.g., malware detection).
When enforcing the cryptographic policy of the organization, consideration should be given to regulations and
national restrictions that may relate to the use of cryptographic techniques in different parts of the world and
to issues relating to the trans-border flow of encrypted information.

Specific information security goals can be accomplished by cryptographic control, e.g.

Confidentiality: use of information encryption to secure confidential or vital information, either stored or
transmitted;
Integrity/authenticity: use digital signatures or message authentication codes to check the authenticity or
integrity of confidential or vital information stored or transmitted;
Non-repudiation: use of cryptographic techniques to provide evidence of an occurrence or non- occurrence
Authentication: Use of cryptographic techniques to authentically request access to or transactions with users,
entities, and resources of systems.

Other Information- Making a judgment as to whether a cryptographic solution is suitable can be seen as part
of the broader risk assessment and control selection process. This assessment would then be used to decide if
cryptographic control is sufficient, what form of control should be used, and for what function and business
processes.

A policy on the use of cryptographic controls is important to optimize the benefits and reduce the risks
associated with the use of cryptographic techniques and to prevent inappropriate or incorrect use. Expert
consultation should be taken into consideration in selecting suitable cryptographic controls to meet the
objectives of the information security policy.

The Organization aims to keep its information within the triads of the CIA. They also ensure the proper and
efficient use of cryptography to protect the confidentiality, authenticity and/or integrity of the information
 Information Security Implementation Guide PAGE 72

and information processing facilities. Annex 10 discusses the cryptographic controls and policies for those
controls that an organization should maintain and implement over their entire life cycle.

Also Read: ISO 27001 Annex: A.9.4.4 Use of Privileged Utility Programs & A.9.4.5 Access Control to Program
Source Code

A.10.1.2 Key Management

Control- A policy on the use, security, and lifetime of cryptographic keys should be created and enforced over
their entire life cycle.

Implementation Guidance- The policy should provide criteria for handling cryptographic keys over their entire
life cycle, including generating, processing, archiving, retrieving, transmitting, removing, and destroying keys.

Cryptographic algorithms, primary lengths, and implementation methods should be chosen in line with best
practice. Appropriate key management includes safe processes for generating, processing, archiving,
retrieving, transmitting, removing and destroying cryptographic keys.
All cryptographic keys should be safe against change and loss. In addition, confidential and private keys
require protection against unauthorized use as well as disclosure. The equipment used for generating,
processing, and archiving keys should be physically secured.

A key management framework should be based on an agreed set of principles, protocols, and appropriate
methods for:

Generate keys for various cryptographic schemes and applications;

Issuing and receiving a public key certificate;
Distribute key to intended entities with the activation of the keys on receiving;
Storing keys, including how approved users can access them;
Adjust or upgrade keys, including guidelines about when keys should be modified and how they should be
modified.
Addressing missing keys;
Revoking keys, and how keys can be deleted or disabled, e.g. when keys have been compromised or when a
user leaves an organization (in such case keys should also be archived);
Recovery of keys that are missing or corrupted;
Backup or archiving keys;
Destroying keys;
Logging and auditing of key management activities.
In order to reduce the likelihood of improper use, key activation and deactivation dates should be defined in
such a way that keys can only be used for the time period defined in the associated key management policy.
 Information Security Implementation Guide PAGE 73

The authenticity of public keys should also be considered in addition to managing secret and personal keys
safely. This authentication process may be carried out using public key certificates, which are usually provided
by a Certification Authority, which should be a recognized organization with adequate controls and procedures
in place to provide the necessary degree of confidence.

The nature of service level agreements or contracts with external suppliers of cryptographic services, e.g. with
the Certification Authority, will cover issues of accountability, reliability of services, and response times for the
delivery of services.

Other information- The control of cryptographic keys is important for the successful use of cryptographic
techniques. Further information on key management is provided in ISO / IEC 11770.

ISO 27001 Annex: A.10 Cryptography techniques may also be used to protect cryptographic keys. Procedures
would need to be taken into account when managing legal demands for access to cryptographic keys, e.g. it
might demand that encrypted information be made accessible as proof in a litigation case in an unencrypted
form.

Physical and Environmental Security

Physical and Environmental Security in this article explain Secure areas, Physical Security Perimeter and
Physical Entry Controls.

A.11.1 Secure areas

Its objective is to avoid unauthorized physical access, damage and interference with the organization’s
information and information processing facilities.

A.11.1.1 Physical Security Perimeter

Control- Security perimeters should be established in order to secure areas that contain either sensitive or
confidential information and information processing facilities.

Implementation Guidance- When appropriate, for physical security perimeters, the following guidelines
should be considered and implemented:

Security perimeters should be established and the location and intensity of each perimeter should depend on
the security requirements of the assets inside the perimeter and on the results of the risk assessment;
The building or facility perimeters should be physically secure (i.e. there are no perimeter gaps or places
where a break-in can easily occur); the site’s exterior buildings, walls, and floors should be securely built and
all external doors should be properly secured against unauthorized controlled entry (e.g. bars, alarms, locks);
Doors and windows should be locked when the windows are unattended and external security, especially at
ground level, should be considered;
There should be a manned reception area or other methods of physical access control for the site or building
and only authorized personnel can access to sites and buildings.
Physical barriers to prevent unauthorized physical access and environmental contamination should be built,
wherever applicable;
 Information Security Implementation Guide PAGE 74

All fire doors should be alerted, monitored and tested alongside walls in order to determine the level of
resistance needed in accordance with appropriate state, national and international standards; should act in a
failsafe fashion in accordance with the Local Code;
Appropriate intrusion detection systems, according to the national, regional, or international standards shall
be installed and tested regularly for the coverage of all exterior doors and accessible windows. Unoccupied
areas should be alarmed at all times.
Organization-controlled information management facilities should be segregated physically from those
operated by outside parties.

“When you gambled with safety, you bet your life”

Other Information- The physical protection of the organization’s premises and information processing facilities
can be achieved by creating one or several physical barriers. Additional protection is offered by using multiple
barriers when a single barrier failure does not immediately affect security.

A protected space may be a closed office or multiple rooms that are enclosed with an internal physical
protection restriction. Additional barriers and perimeters for the physical access control between areas with
various security requirements within the safety perimeter may be necessary. And in the case of buildings with
assets for multiple organizations, special attention to be given to physical security of entry.

The use of physical controls especially for the safe areas, as set out in the risk assessment, needs to be
adjusted to the technical and economic circumstances of the organization.

The Organization wishes that its information to remain within the CIA triads. They also ensure that the
physical security controls are properly and efficiently implemented to protect the confidentiality, authenticity
and/or integrity of the organization’s information and information processing facilities. The physical and
environmental protection of the company is covered in Annex 11 of ISO 27002.

Also Read: ISO 27001 Annex: A.10 Cryptography

A.11.1.2 Physical Entry Controls

Control- Appropriate access controls should protect places to ensure that only authorized employees are
allowed access.

Implementation Guidance- The following points should be taken into consideration:

Visitors should be registered on the date and time of their entry and departure and should supervise all
visitors, without prior approval of their access; Access should be given for certain approved purposes only, and
guidelines should be provided regarding safety and emergency procedures specifications for the region.
Visitors’ identity should be authorized using a suitable means;
Access should be limited to areas where information is processed or stored by means of suitable access
controls, for example, the introduction of a two-factor authentication system, such as an access card and a
secret PIN;
Securely maintaining and monitoring of a physical logbook or electronic audit trail of all access records;
Every employee, contractor and an external person should wear some visible identification and should inform
security personnel immediately if they meet unescorted people and anyone who does not have visible ID;
 Information Security Implementation Guide PAGE 75

Limited access to secure areas or confidential information processing facilities should only be allowed to the
employee who is external support services when necessary; access authority and monitoring should be
provided;
Access privileges to protected areas should be periodically reviewed, updated and, revoked. where necessary.

Equipment

Equipment Its objective is to avoid loss, damage, theft, or compromise of assets and disrupt the operations of
the organization.

A.11.2.1 Equipment Siting and Protection

Control- To mitigate the risk of environmental hazards, risks, and unauthorized access, the equipment should
be sited and secured.

Implementation Guidance- To protect equipment, the following directives should be considered:

In order to minimize unnecessary access in work areas, equipment should be sited;

Information processing facilities that handle sensitive information should be carefully positioned to reduce the
risk of unauthorized persons viewing information during their use;
In order to avoid unauthorized access, storage facilities should be secured;
Objects requiring special protection should be protected to reduce the required level of overall protection;
The risk of potential threats to the environment and physicality such as theft, fire, explosives, smoke, and
water, dust, vibrations, chemical effects, interference with electrical supplies, interference with
communications, electric radiation and vandalism should be minimized;
Guidelines should be defined for eating, drinking and smoking close to information processing facilities;
Environmental factors such as temperature and humidity for factors which may have a negative effect on the
operation of information processing facilities should be monitored;
Lightening protection for all buildings, and lightning protection filters for all incoming power and
communications lines should be implemented;
In order to reduce the risk of information leakage due to electromagnetic emanation, sensitive information
treatment equipment should be secured.
Special protection methods such as keyboard membranes for equipment in industrial environments should be
considered;

A.11.2.2 Supporting Utilities

 Information Security Implementation Guide PAGE 76

Control- Equipment should be secured against power failures and other disruptions caused by the supporting
infrastructure failures.

Implementation Guidance- The support facilities (e.g., power, telecommunications, water, gas, sanitation, air
conditioning, and ventilation) should consider the following points:

conform to specifications and local legal requirements of the equipment manufacturer;

be periodically assessed for its ability to fulfill corporate growth and relations with other supporting utilities;
to be regularly inspected and tested for effective functioning;
keep Alarm for detecting malfunctions if necessary;
Have multiple physical routing feeds, if necessary.
It should be provided with emergency lighting and communication. Emergency switches and valves should be
located close to emergency exits or equipment rooms for power, water, gas or other utilities.

Other Information- Additional redundancy can be achieved through several routes from more than a single
utility provider for network connectivity.

Also Read: ISO 27001 Annex: A.11 Physical and Environmental Security

A.11.2.3 Cabling Security

Control- Cable for power and telecommunications that carry data or support services should be safeguarded
from interception, interference, or damage.

Implementation Guidance- The following cable safety guidelines should be taken into account:

power and telecommunications lines should be underground or subject to appropriate, alternative, security
into information processing facilities where possible;
Power cables should be isolated in order to avoid interference from communication cables;
Additional controls to reflect on sensitive or critical systems include:
Installation of reinforced ducts and locked rooms or boxes at inspection and termination points;
Electromagnetic shielding for cable protection;
Initiation of technical sweeps and physical inspections of unauthorized cable devices;
Access controlled to cable rooms and patch panels.

Equipment Maintenance, Removal of Assets & Security of Kit and Assets Off-Premises

Equipment Maintenance, A.11.2.5 Removal of Assets & A.11.2.6 Security of Kit and Assets Off-Premises.

A.11.2.4 Equipment Maintenance

Control- To ensure its continued availability and integrity, the equipment should be correctly maintained.

Implementation Guidance- The following equipment maintenance guidelines should be taken into account:

Equipment should be maintained according to the service intervals and specifications recommended by the
supplier;
Repair and service equipment should only be performed by authorized maintenance personnel;
 Information Security Implementation Guide PAGE 77

All suspected or actual defects, preventive and corrective maintenance, and records should be kept;
Appropriate checks should be carried out when maintenance equipment is scheduled, bearing in mind
whether maintenance is done by on-site or external personnel; confidential information from equipment
should be disclosed if required, or sufficient maintenance personnel should be cleared;
All maintenance requirements of insurance policy should be fulfilled;
After its maintenance, it should be inspected before bringing equipment back into service to ensure that it
does not get tampered or malfunction.

A.11.2.5 Removal of Assets

Control- Without prior authorization, equipment, information, or software should not be taken off-site.

Implementation Guidance- The following guidelines should be taken into consideration:

It is important to recognize employees and external users who are approved for the removal on-site of assets;
Asset removal time limits should be established and compliance returns verified;
Assets that are removed from the site and recorded when returned should be recorded where necessary and
appropriate.
Anyone who manages or uses assets should document the identity, role, and affiliation and return this
documentation with the equipment, information, or software.

Other Information- Spot checks conducted for the identification of unauthorized removal of assets, may also
be performed on the site in order to identify non-authorized recording devices, weapons, etc. Such spot
checks should be done in accordance with the laws and regulations applicable. It should be noted to
individuals that spot inspections are conducted and only with authorization to comply with the legal and
regulatory requirements should be performed.

Also Read: ISO 27001 Annex: A.11.1.3, A.11.1.4, A.11.1.5 & A.11.1.6

A.11.2.6 Security of Kit and Assets Off-Premises

Control- The security of off-site assets should be applied to the various risks of working outside the premises
of the organization in mind.

Implementation Guidance- Management should be authorized to use any information storage and processing
equipment outside the premises. This refers to organization-owned equipment that owns equipment privately
and is used for the organization’s benefit.
 Information Security Implementation Guide PAGE 78

For the safety of off-site facilities, the following guidelines should be considered:

Equipment and media began to not leave the premises publicly unattended;
Manufacturers’ protective device instructions, e.g., for exposure protection to strong electromagnetic fields,
should be complied with at all times;
Risk identification and effective controls should be determined for off-site locations, such as homeworking,
telework and temporary locations, such as lockable filing cabinets, clear desk instructions, computer access
controls and safe office communication;
A log specified by the chain of custody for equipment, containing at least the names and organizations of
those who are responsible for that equipment should be maintained if the equipment is transferred between
separate entities or external parties.
In determining the best controls, risk, such as damage, theft, or eavesdropping, could vary significantly
between locations.

Other Information- Informative equipment for storage and processing comprises all types of personal
computers, organizers, phones, smart cards, paper, and other forms held for homework or transportation
away from the usual place of work.

The risk can be avoided by discouraging certain workers from working off-site or reducing the use of portable
IT equipment;

Secure Disposal or Re-use of Equipment, Unattended User Equipment & Clear Desk and Clear Screen Policy

Secure Disposal or Re-use of Equipment, A.11.2.8 Unattended User Equipment & A.11.2.9 Clear Desk and Clear
Screen Policy

A.11.2.7 Secure Disposal or Re-use of Equipment

Control- To avoid the removal or overriding of sensitive data and software by the disposal or reuse of any
device containing storage medium, all devices must be reviewed.

Implementation Guidance- Equipment should be tested to ensure that the storage media is contained or not
until disposal or re-use. In order to make original information inaccessible instead of using the standard delete
or a software functionality, the storage media with confidential or copyrighted information should physically
be destroyed or information destroyed, deleted, or overwritten using techniques.

Other information- Determining whether the items should be physically destroyed rather than sent to repair
or discard damaged equipment containing storage media can require a risk assessment. The use or reuse of
equipment may compromise information.

In addition, full disk encryption reduces the risk of confidential information being disclosed when equipment is
disposal or redeployed if:

Encryption process is strong enough to cover the entire disk (including slack space, swap files, etc.);
Encryption keys are sufficient to resist attacks by brute force;
The encryption keys are confidential themselves (e.g. never stored on the same disk). (Refer Clause 10)
 Information Security Implementation Guide PAGE 79

Safe overwriting techniques for storage media differ according to the technology for storage media. To ensure
they are applicable to storage media technology, overwriting tools should be reviewed.

A.11.2.8 Unattended User Equipment

Control- Unattended equipment should be adequately protected by users.

Implementation Guidance- Every user should be informed of their responsibility to implement the security
requirements and procedures for protecting unattended equipment. Following should be informed to users:

Once done, terminate active sessions, unless protected with correct locking mechanisms, for example. A
screen saver protected with a password
When no longer required, log-off from apps or network services;
Unauthorized use by key locks or devices, such as access to passwords, of secure computers or mobile devices,
when not in use.
The Organization wishes that its information equipment to remain within the CIA triads. They also ensure that
the security controls are properly and efficiently implemented to protect the confidentiality, authenticity
and/or integrity of the organization’s information and information processing facilities even at the time of
their disposal. The disposal or reuse of any device containing storage medium, covered in Annex 11.2 of ISO
27002.

Also Read: ISO 27001 Annex: A.11.2.4 Equipment Maintenance, A.11.2.5 Removal of Assets & A.11.2.6 Security
of Kit and Assets Off-Premises

A.11.2.9 Clear Desk and Clear Screen Policy

Control- A clear desk policy should be adopted for papers and removable storage media and a clear screen
policy should be applied to information processing facilities.

Implementation Guidance- Clear desk and clear screen policy should include organization’s information
classifications, legal, contractual requirements, and associated risk and cultural aspects. It is important to
consider the following guidelines:

When not needed, confidential or critical information for businesses (e.g., on paper or in electronic storage
media), especially when the office is vacated, should be closed away (ideally in safe or cabinet or in some type
of safe furniture).
Computers and terminals should be left signed off or secured by a password, token, or similar users’
authentication mechanism, regulated with screen and keyboard locking mechanism, when unattended.
It should not be permitted to use photocopiers and other reproductive technology (e.g., scanners, digital
cameras);
Sensitive or classified information media should immediately be removed from printers.
Other Information- A clear desk/screen policy minimizes the risk of unexpected access, information loss, and
damage during and outside normal hours of work. Security systems or other forms of safe storage may also
protect information stored on them from disasters such as earthquakes, floods, or explosions.

Consider the use of PIN-code printers, so only originators are able to get their print-outs and only when they
stand beside the printer.
 Information Security Implementation Guide PAGE 80

Operations Security

Operations Security in this article explain Operational procedures and responsibilities, Documented Operating
Procedures, Change Management & Separation of Development, Testing and Operational Environments.

A.12.1 Operational procedures and responsibilities

Its objective is to ensure that information processing facilities operate correctly and securely.

A.12.1.1 Documented Operating Procedures

Control-Operating procedures should be documented and accessed by all users in need.

Implementation Guidance- Documented procedures for operating information processing and

communications facility activities should be prepared including computer start-up and closing down, backup,
maintenance of equipment, media handling, computer room and mail management, and safety.

The operating procedures should include the following operating instructions:

Systems installation and settings;

Automated and manual processing and management of information;
Backing up
scheduling requirements such as early work start and latest job completion times, including interdependencies
to other systems;
Instructions for handling errors or any additional exceptional conditions, including restrictions on system
utilities that may arise during job execution;
Support and escalation contacts in cases of unexpected operational or technical issues include external
support contacts
Specific output and medium handling instructions, including procedures for safe disposition of the output
from failed work, such as the use of specific stationery or confidential output management;
system reboot and recovery procedures for the system failure to be used;
Audit-trail management and system log information;
Procedures for monitoring.

Operating procedures and documented procedures for system operations should be treated as managerial
authorized formal documents and alterations. Where technically feasible, IT systems should be consistently
administered using the same procedures, tools, and utilities.

A.12.1.2 Change Management

Control- Changes in the organization, organizational procedures, information management facilities, and
information security systems should be controlled.

Implementation Guidance- The following things will in particular be taken into account:

Identify and record significant changes;

Planning and testing of modifications;
 Information Security Implementation Guide PAGE 81

the assessment of the possible impacts of these changes, including the effects on information security;
Procedure for formal approval of changes proposed;
Verification of compliance with information security requirements;
Communication to all or any specific individuals about the changes in detail;
Failure to recover from costly improvements and unforeseeable incidents like abortion procedures and
responsibilities;
Providing an emergency procedure for making the changes required to resolve the incident quickly and
controlled.
In order to guarantee adequate oversight of all changes, structured management roles and procedures should
be enforced. An audit log with all relevant information should be retained when changes are made.

Other Information- A common cause of system failures or security failures is poor control over improvements
in information processing facilities and systems. Changes in the operating environment can have an impact on
the reliability of applications, in particular when transitioning from development to operational stage.

A.12.1.3 Capacity Management

Control- In order to ensure necessary system performance, the use of resources should be monitored,
adapted, and projected based on future capacity requirements.

Implementation Guidance- Taking into account the criticality of the business system concerned, capability
requirements should be defined. System tuning and control should be implemented to ensure the quality and
reliability of the systems and, where possible, improve them. In order to detect problems in due time,
detective audits should be put in place. For future capacity requirements, the new business and system needs
and current and projected trends in information processing capacity should be taken into account.

Any resources with long procurement lead times or high cost should be given particular attention; managers
should also control the usage of the key system resources. Trends in use should be identified, especially with
respect to business applications or tools for managing information systems.

Managers will use the data to identify and remove possible bottlenecks and dependency on key workers who
may risk network protection or services.

By rising capacity or growing demand, adequate capacity can be achieved. Examples of capacity management
requirements include the following points:

Removal of obsolete data (disk space);

Decommissioning application, programs, databases or environment;
Optimization of batch procedures and schedules;
Optimizing logic of program or database queries.
Refusal or limitation of bandwidth for resource-hungry applications if they are not business-critical (e.g., video
streaming).
A recorded capacity management strategy for mission-critical systems should be considered.

Other Information- This control also includes the capacity of human resources, offices, and facilities.
 Information Security Implementation Guide PAGE 82

Also Read: ISO 27001 Annex: A.11.2.7 Secure Disposal or Re-use of Equipment, A.11.2.8 Unattended User
Equipment & A.11.2.9 Clear Desk and Clear Screen Policy

A.12.1.4 Separation of Development, Testing and Operational Environments

Control- To reduce risks of non-authorized access or changes in the operational environment, development,
testing, and operational environments should be separated.

Implementation Guidance- It is important to define and enforce the degree of separation between
organizational, testing and development environments needed to avoid operational problems.

The following should be taken into account:

Rules should be described and reported for software transition from development to operational status;
Development and software should be run on various systems or computer processors and in various domains
or directories;
Changes to operating systems and applications shall be tested before they are applied to operational systems
in a testing or staging environment;
Tests should not be performed on operating systems except under extraordinary circumstances;
When not required, compilers, editors and other tool or system development utilities from operating systems
should not be accessible;
For operational and testing systems users should use different user profiles, and the menus should display
acceptable identifying messages in order to minimize the possibility of error;
Unless the test system equivalent controls are provided, sensitive data should not be copied to the test system
environment.
Other Information- Development and testing activity can lead to serious problems such as file, system
environment, or system failure unwanted modifications. There is a need to carry out substantial tests to avoid
unsafe access for developers to the operating system in a well-known to secure setting.

Where development and testing personnel have access to, or modification of operational data, the operating
system and its data may be unauthorized or untested. In some systems, fraud or untested or malicious code
could be misused in order to cause serious operational problems.

The confidentiality of operational information also concerns the development and testing of employees.
Unintended software or information changes may occur when the production and testing activities share the
same computing environment. Therefore, it is beneficial to reduce the possibility of unnecessary alteration or
 Information Security Implementation Guide PAGE 83

exposure to operational software and business data by separating development, testing, and operational
environments.

Protection from Malware

Protection from Malware Its objective is ensuring that malware protection is provided to information and
information processing facilities.

A.12.2.1 Controls Against Malware

Control- In combination with appropriate user awareness, the detection, prevention, and recovery controls to
protect against malware should be implemented.

Implementation Guidance

Malware protection should be supported by malware detection and repair software, awareness of the safety
of information, and adequate system access and management reviews on changes. The guidance should be
considered as follows:

a create formal policy barring the use of unauthorized software;

Implementation of controls preventing or detecting the use of unauthorized software;
Implement controls which avoid or detect the use of malicious websites known or suspected (e.g.,
blacklisting);
Create a structured risk management policy, which indicates what protective measures should be taken to
secure obtaining file and information, either from or through external networks;
Reducing malware-exploitable vulnerabilities, e.g., by management of technical vulnerabilities;
conduct frequent software and data quality reviews of applications that help critical processes; a formal
investigation will take place into the existence of unapproved files or unauthorized amendments;
Installing and regularly updating malware and repair software as precautionary or routine test for scanning
computers and media; Administered scanning should include:
scan for malware before using any files received via networks or any storage device;
Scanning of E-mail attachments and downloads for malware; the scan will be performed in different places,
e.g., electronic mail servers, mobile computers and when accessing the organization’s network;
Malware scanning of web pages;
define malware protection procedures and responsibilities on systems, training in their use, reporting and
recovery from malware:
Establishing appropriate business continuity plans, including all necessary software backup and recovery
arrangements to recover from malware attacks;
implementation of information gathering procedures, such as a subscription to mailing lists or websites
providing new malware information;
Implementing malware information verification procedures to ensure the accuracy and information quality of
advisory bulletins; managers should ensure the differentiation between rogues and real malware is achieved
using a qualified source, e.g. reputable journals, reliable internet sites or software suppliers;
Isolate environments that could result in catastrophic effects.
 Information Security Implementation Guide PAGE 84

Other information – The use of two or more software products protecting malware from various providers and
technology throughout the information processing environment can improve malware protection efficiency.
Protection from malware introduction during maintenance and emergency procedures, which could bypass
normal malware protection controls, should be taken with care.
Malware protection could under certain conditions cause operational disturbances.
The use of malware detection and software repair alone as a malware control is usually unsuited and usually
accompanied by malware operations.

Backup

Backup Its objective is to safeguard against data loss.

A.12.3.1 Information backup

Control- In accordance with the agreed backup policy copies of records, program and device images shall be
collected and regularly tested

Implementation Guidance – The organization’s information, software, and systems backup requirements
should be established with a backup policy. The policy of backup should define the requirements for retention
and protection. There should be sufficient backup facilities to ensure that all important information and
software can be recovered after a disaster or media failure.

The following things should be considered when designing a backup plan:

Precise and full back up records should be prepared as well as recorded restoration procedures;
The nature and frequency of the backup (e.g., full or differential backups) should reflect the company’s
business requirements, security requirements for the information involved and criticality to the continued
operation of the organization;
Backups should be held at a remote location at a distance sufficient to prevent any damage at most locations
due to a disaster;
The appropriate level of physical and environmental protection should be given backup information (Refer
clause 11) in accordance with the standards at the main site;
The backup medium should be tested regularly to ensure that they can be used for emergency use if required;
combined with the restore procedures test and controlled for the required restore time. The check should not
be carried out with overwriting of the original medium if the backup or restore process fails and cause
irreparable data damage or loss;
Backups should be secured by encryption in cases where confidentiality is the concern.
“By failing to prepare, you are preparing to fail”
-Benjamin Franklin

Operating procedures should monitor backup performance and address planned backup failures to ensure
that the backups are complete according to the backup policy.
 Information Security Implementation Guide PAGE 85

Backup procedures should be reviewed on a regular basis for specific systems and facilities to ensure they
meet the criteria of business continuity plans. In essential systems and facilities, all computer information,
software, and data required to restore the entire network during the event of a disaster should be protected
by backup arrangements.

The preservation period should be set, taking into account any conditions for permanent retention of archive
copies.

Also Read : ISO 27001 Annex : A.12.2 Protection from Malware

Logging and Monitoring

Logging and Monitoring Its objective is recording events and generating evidence.

A.12.4.1 Event Logging

Control- Event logs should be produced, retained, and regularly reviewed to record user activities, exceptions,
defects, and information security events.

Implementation Guidance- Where applicable, event logs should include:

IDs of User;
Activities of the system;
dates, times and key events details, such as log-on and log-off;
System ID or location and device recognition where possible;
records of the attempts to access the system successfully as well as rejected ones
successful and unsuccessful data records and other attempts to access resources;
system configuration alterations;
utilization of privileges;
the application and use of systems utilities;
Accessed files and access kinds;
network addresses and protocols;
Entry management system warnings.
Protective mechanisms such as anti-virus and intrusion detection systems are activated and deactivated as
required;
Transaction records done in applications by users.
Event logging inspires automatic control systems capable of producing integrated network monitoring
notifications and warnings.

Other information- Sensitive information and personally identifiable information can be used in event logs.
Proper measures in the field of privacy should be implemented.
System administrators should not be allowed to delete or deactivate logs of their own activities where
possible.
 Information Security Implementation Guide PAGE 86

A.12.4.2 Protection of Log Information

Control- Logging and log information should be secure from intrusion and unauthorized access.

Implementation Guidance- Controls should be designed to protect against unauthorized log information
changes and operational logging problem, including the following:

Alterations to the types of messages recorded;

Editing or removing log files;
The logfile media storage space is surpassed, which means either that an event is not registered or that the
past events have been over-written.
Certain audit logs may require archiving as part of the retention of records or as a result of collecting evidence
and retention requirements.

Other information- System logs also contain a large amount of information, which is largely unique to
monitoring information security. The copying automatically to a second log of relevant message types or the
use of suitable device utilities or auditing tools to perform file interrogations and rationalizing should be
considered to help classify significant events for information security monitoring.

System logs must be protected, because data can create a false sense of security, when often modified or
deleted. To safeguard logs, real-time copy of logs to a system outside the control of a system
manager/operator.

Also Read: ISO 27001 Annex: A.12.3 Backup

Controls which should be implemented by the organization to preserve the CIA triad, Confidentiality, Integrity,
and Availability to maintain their critical, sensitive information in a secure manner it will help you to
understand and recognize the full scope of your organization’s security checks to protect your organization’s
activities and information equipment (assets) from attacks, and also to illustrate the backup policy to
safeguard if data gets lost due to intentional or natural hazards. It also helps in maintaining the logging and
monitoring of data transaction records, access records, and other records into protection.

A.12.4.3 Administrator and Operator Logs

Control- The activity of the System Manager and System Operator is to be logged and the logs kept safe and
monitored closely.

Implementation Guidance- The logs of the information processing facilities that be manipulated under their
direct control by Private user account holders, so it is important to keep logs safe and reviewed to ensure the
privileged users are kept accountable.

Other information- A non-controlling system and network administrators can be used to monitor compliance
activities of the system and the network management.

A.12.4.4 Clock Synchronization

 Information Security Implementation Guide PAGE 87

Control- Clocks in all related information management systems should be integrated into a single reference
time source for an organization or safety domain.

Implementation Guidance- Documentation of external and internal time representation requirements,

synchronization, and precision. These may be legal, regulatory, contractual, standardized, or internal
monitoring requirements. A standard reference time should be defined for use inside the organization.

The organization approach should be documented and implemented to obtain a reference time from an
external source and the way internal clocks can be synchronized reliably.

Other Information- Correct clock settings are essential to ensure that audit reports, which may be used for
investigation or as proof in legal or disciplinary proceedings, are reliable. Inaccurate audit logs can impede
such inquiries and damage their credibility. The main clock for logging systems can be used as a clock linked to
the radio time from a national atom. To maintain all servers in sync with the master clock, a network time
protocol can be used.

Control of Operational Software

Control of Operational Software Its objective is to ensure operating system integrity.

A.12.5.1 Installation of Software on Operational Systems

Control- To control the installation of software on operating systems, procedures should be implemented.

Implementation Guidance- To control changes in software on operational systems, the following guidelines
should be considered:

Trained administrators should only upgrade operational software, applications and libraries upon appropriate
management permission;
Only approved executable code and non-developed code or compilers should exist in operating systems;
Usability, safety, effects on other systems and user-friendly functions should only be included after successful
and extensive testing; testing should also be conducted on separate systems; ensure that each of the
corresponding program source libraries has been updated;
To retain control of all deployed applications as well as system documentation, a configuration control system
should be used;
Before introducing changes, a roll-back strategy should be in place;
All changes to operating system libraries should be maintained with an audit log;
Previous product versions must be maintained as a measure of contingency;
For as long as data is retained in the archive, old software versions and all required information and
parameters should be archived together with procedures, setup details, and software support.

The software provided by the vendor to operating systems should be maintained at the vendor support level.
Software vendors should cease older software versions over time. The organization’s risk of using faulty
software should be considered.
 Information Security Implementation Guide PAGE 88

Every decision to upgrade to a new release should take account of business changes requirements and the
security of the release, for example by introducing new security functions or the number and severity of the
security of information problems affecting the release. When it is able to remove or reduce security
information vulnerabilities, software patches should be used.

Suppliers can only be provided with physical or logical access for assistance, if necessary, and with
management consent. The activities of the supplier should be monitored.

In order to avoid non-authorized changes that may lead to security defects, software can rely on externally
provided software and modules to monitor and control.

Also Read: ISO 27001 Annex: A.12.4 Logging and Monitoring

Technical Vulnerability Management

Technical Vulnerability Management Its objective is to avoid technological vulnerabilities from being exploited.

A.12.6.1 Management of Technical Vulnerabilities

Control- Information on technological vulnerabilities of information systems used should be obtained in a
timely manner, the exposure of the organization to such vulnerabilities should be assessed and appropriate
measures taken to address the risk involved

Implementation Guidance – An up-to-date and comprehensive asset inventory is necessary for the effective
management of technical vulnerability (see Clause 8). The software vendor, version numbers, current
installation status (e.g., what the software on which systems are installed), and the person(s) within the
organization responsible for the software are included in the basic details required to support technological
vulnerability management.

In order to identify potential technical vulnerabilities, appropriate and timely action should be taken. To
establish an efficient management process for technical vulnerabilities, the following guidelines should be
followed:

The organization should define and define technical vulnerability management roles and responsibilities,
including vulnerability monitoring, risk assessment of vulnerability, asset patching, asset tracking, and any
necessary coordination responsibilities.
Informative resources to identify and raise awareness about the relevant technical vulnerabilities for the
software and other technology (based on the asset inventory list, refer 8.1.1), should be updated based on
inventory changes and other new or useful resources;
A timeline to respond to potentially relevant technical vulnerabilities notifications should be defined;
The organization will recognize the associated risks and acts when a potential technological weakness has
been identified; these acts may include patching compromised systems, or enforcing other controls;
 Information Security Implementation Guide PAGE 89

Actions should be carried out according to changes management protocols or following incident response
procedures in information security, depending on the degree to which a technical problem needs to be
handled.
The risk of the installation of a patch should be measured (those risks raised by the vulnerability must be
compared to the risk of installing the patch) if a patch is available from a valid source;
Before downloading the patch, it must be checked and reviewed to make sure that it is safe and does not lead
to side effects that cannot be tolerated; other tests, such as:
Switching off vulnerability related services or capabilities;
Adapting or adding network boundary access controls, such as firewalls;
Enhanced surveillance for real attacks;
Increase vulnerability awareness;
.For all procedures undertaken, an audit log should be maintained;
In order to ensure its efficiency and effectiveness, the technical vulnerability management process should be
monitored and assessed regularly;
High-risk systems should be addressed first.

The incident management activities should be compatible with effective technical vulnerability management
processes to relay vulnerability information to the incident response mechanism and provide appropriate
procedures that may occur;

Defining a procedure to tackle a situation that has identified a vulnerability, yet no appropriate
countermeasure exists. The organization should in this situation assess the risks associated with the known
vulnerability and define appropriate detective and corrective measures.
Also Read: ISO 27001 Annex: A.12.5 Control of Operational Software

Other Information – Technical vulnerability management can be viewed as a subfunction of change

management and therefore can benefit from the processes and procedures of change management.

Vendors also have to issue patches as quickly as possible under significant pressures. So, a patch cannot
adequately resolve the problem and has negative side effects. It is therefore possible. In some cases, it is not
easy to uninstall a patch when the patch is applied.

If it is not possible to adequately test patches, for example, due to costs or lack of resources, a delay in
patching can be taken into account to evaluate the associated risks, based on the experience of other users. It
may be helpful to use ISO / IEC 27031.

A.12.6.2 Restrictions on Software Installation

Control- Users should set and implement rules governing software installation.

Implementation Guidance – Strict guidelines on what types of software users can be developed by the
organization.

It would follow the concept of less privilege. Users may be able to install software if certain privileges are
granted. Identifies what software installation types are permitted (e.g. software updates or security patches)
 Information Security Implementation Guide PAGE 90

and what installations are forbidden (e.g. software for personal use only and software whose malicious history
is unknown or suspect). Taking into account the role of the users concerned, these privileges should be given.

Other Information- Installing software uncontrolled on computer systems may lead to vulnerabilities and
information leakage, loss of integrity or other incidents of intellectual property security, or infringement of
intellectual property rights.

Information Systems Audit Considerations

Information Systems Audit Controls

Control- The audit criteria and activities related to operating system verification should be carefully prepared
and decided in order to reduce business process disturbance.

Implementation Guidance – It is necessary to follow the following guidance:

audit standards for access to systems and data should be negotiated with appropriate management;
Scope should be agreed and controlled on the technical audit tests;
Audit processing should be restricted to read-only access to applications and data;
Access, rather than read-only, should only be permitted for isolated copies of system files, which should be
deleted when the audit is completed, or provided with adequate security where such files are needed to be
held in accordance with the documenting audit requirements;
The criteria for special or additional processing should be defined and decided upon;
Audit tests that could affect the availability of the system should be carried out outside business hours;
To create a reference trail, all access should be controlled and logged.

Communications Security

Network Security Management

Its objective is to ensure the security and supporting information processing facilities of the information in a
network.

A.13.1.1 Network Controls

Control- To protect information in systems and applications, networks should be managed and monitored.

Implementation Guidance – The monitoring of network information security and the security of connected
networks from unauthorized access should be undertaken. The following things will in particular be taken into
account:

Networking equipment management responsibilities and procedures should be established;

Network operational responsibility can, where necessary, be segregated from computer operations;
The confidential and integrity of data transmission via public networks and wireless networks and the
protected network and applications should be subject to special controls; specific controls may also be
essential to maintain the availability of network services and connected computers;
Appropriate logging and monitoring should be used so that actions that may or are relevant to information
security can be recorded and detected;
 Information Security Implementation Guide PAGE 91

Close coordination of management activities should be provided to improve the service offered to the
company and to ensure effective control of all information processing infrastructures;
Authentication of network systems;
Network connection should be restricted to devices.
Other Information – Further network protection information is available in ISO / IEC 27033.

A.13.1.2 Security of Network Services

Control- Security protocols, quality of service, and management criteria for all network services, whether in-
house or outsourced, should be defined and included in-network services agreements.

Implementation Guidance – It is necessary to determine and regularly supervise the capability of the network
service provider to safeguard the agreed services and to agree to audit rights.

The required security structures such as security features, service rates, and management criteria for
particular facilities should be defined. It will ensure that these steps are enforced by network service
providers.

Other Information- Network services include connection provisions, a private network and value-added
network services and management solutions for network security, such as firewalls and intrusion detection
systems. The services vary from basic unmanaged bandwidth to complex value-added products and services.

Network infrastructure security features should include the following:

Network services security technology such as authentication, encryption and network connection controls;
technical criteria required in compliance with security and network connection guidelines for the secured
reference of network services;
Network service procedures to restrict access, where necessary, to network services or applications.
Also Read: ISO 27001 Annex: A.12.7 Information Systems Audit Considerations

A.13.1.3 Segregation in Networks

Control – Network segregation should be established for information services, users, and information systems.

Implementation Guidance – One way to manage large networks sequence is to divide them into different
network areas. The domains may be selected based on confidence (e.g., public access domain, desktop
domain, server domain) or combined with organizational units ( e.g. human resources, finance, marketing).
The segregation can be done either through different physical networks or via various logical networks ( e.g.
virtual private networking).

You can describe the perimeter of any domain. Connection is permitted between network domains, but must
be managed by the gateway (e.g. firewall, filter router) on the perimeter. The requirements for network
segregation into domains and gateway access should be based on an evaluation of each domain ‘s security
requirement. The assessment should conform to access control policy, access requirements, information
processing value, and classification, as well as an understanding of the relative costs and performance impact
of the incorporation of suitable gateway technology.
 Information Security Implementation Guide PAGE 92

Due to the poorly defined network perimeter, wireless networks require special treatment. With regard to
sensitive environments, all wireless access must be considered as external connections and separated from
internal networks until access is crossed by a gateway in line with the policy regarding network control before
access to internal systems has been granted.

Modern, standard-based wireless network authentication, encryption, and user-level access control
technologies may be appropriate if they are correctly implemented to connect directly to the company’s
internal network.

Other Information – Networks often reach beyond organizational borders because corporate partnerships are
formed, where information processing or networking facilities are interconnected or distributed. Such
extensions can increase the risk of unauthorized access to the networked information process of the
organization, some of which require protection because they are sensitive or critical to other network users.

Information Transfer

Information Transfer Policies and Procedures

Control- In order to protect the transferees by using all types of communication facilities, official transfer
policies, procedures and controls should be developed.

Implementation Guidance – The following items should be addressed in the procedures and controls required
to use communications facilities to transmit information:

Procedures to prevent interception, copying, altering, misrouting or destruction of transmitted information;

Procedures to detect and protect malware from electronic communications which can be transmitted;
Procedures for the protection of communicated electronically sensitive information in the form of an
attachment;
Guidelines or rules specifying an appropriate usage of communication facilities (refer to 8.1.3);
The moral duty of, external party and the other user not to compromise, e.g., defamation, harassment,
impersonation, transmission of chain letters, unauthorized purchase-out, etc.;
Use of encryption techniques, for example, to protect confidentiality, information integrity and authenticity
(refer Clause 10);
retaining and disposing of guidelines in compliance with national and native legislation and regulations for all
business correspondence, including messages;
controls and constraints relating to the use of communication facilities, such as electronic mail automatic
forwarding to external mail addresses;
advise employees not to share personal details and take sufficient precautions;
Do not leave messages that contain sensitive information regarding answering machines, because they can be
replayed by unauthorized individuals, stored or wrongly stored as a result of wrong dialing;
Advising staff on issues concerning the use of fax machines or services, in particular:
Unauthorized access for message retrieval to built-in message stores;
deliberate or unintended computer programming to transmit messages to particular numbers;
 Information Security Implementation Guide PAGE 93

either misdial or use the wrong stored number to send documents and messages to the wrong number

Furthermore, workers should not have publicly confidential discussions or through unreliable communication
networks, open offices and meeting places.

Services of information transfer should meet all relevant legal requirements.

Other Information – Different kinds of communication facilities, including electronic mail, voice, facsimile and
video, can lead to the transfer of information.

The transfer of software may occur through a variety of various media, including Internet downloads and
purchases of off-shell products by suppliers.

The implications of business, legal and security related to electronic data exchange, electronic commerce, and
electronic communications and control requirements should be taken into account.

Electronic Messaging

Electronic Messaging
Control- Electronic messaging information should be adequately protected.

Implementation Guidance – The following should include information security aspects for electronic
messages:

Protecting messages against unauthorized access, change or denial of services in line with the organization’s
classification scheme;
ensure that the message is correctly addressed and transported;
Service reliability and availability;
Legal considerations, such as electronic signature requirements;
Approval before using external public authorities, such as instant messaging, social networking or sharing of
files;
Stronger standards of publicly accessible network authentication access management.
Other Information – There are various kinds of messages, such as e-mail systems, an exchange of electronic
data, and social networking.

Confidentiality or Non-Disclosure Agreements

Control- Information protection requirements of the organization for confidentiality or non-disclosure

agreements should be identified, regularly reviewed, and documented.

Implementation Guidance – The requirement to protect confidential information by legal enforceability

should be addressed by confidentiality or non-disclosure agreements. Confidentiality or non-disclosure
provisions extend to third parties or to the organization’s employees. In view of the kind of the other party
 Information Security Implementation Guide PAGE 94

and its allowed access or handling of confidential information, elements should be selected or added. to
identify confidentiality requirements or non-disclosure agreements,

It should be considered the following elements:

Definition of protected information (e.g., confidential information);

Expected duration of an agreement, including cases of permanent confidentiality;
the actions needed for termination of an agreement;
Signatory responsibilities and actions to prevent unauthorized disclosure of information;
Information ownership, business secrets and intellectual property, as well as how this relates to privacy;
Made use of the details of confidentiality and signatory ‘s rights to use the data;
the right to audit and monitor confidential information activities;
the notification and reporting process of unauthorized disclosure or leakage of confidential information;
Conditions for the return or destruction of information on cessation of agreement;
Expected measures should only be taken if an agreement is violated.
Other elements may be included during the confidentiality or non-disclosure agreement depending on the
information security requirements of an organization.

Confidentiality and non-disclosure agreements would comply with all the laws and codes of integrity
applicable to them.

Confidentiality and non-disclosure agreements provisions should be regularly reviewed and these conditions
should be impacted when there are changes.

Other Information – Confidentiality and non-disclosure agreements protect organizational information and
inform signatory in an authorized and accountable fashion of their responsibility to protect the use of and
disclosure of information.

In a variety of cases, an organization may have to use different types of confidentiality and non-disclosure
agreements.

System Acquisition, Development and Maintenance

System Acquisition, Development and Maintenance in this article is explain A.14.1 Security Requirements of
Information Systems & A.14.1.1 Information Security Requirements Analysis and Specification.

A.14.1 Security Requirements of Information Systems

Its objective is ensuring the information management for the entire lifecycle is an important part of
information systems. This also includes the information systems requirements that provide services over a
public network.

A.14.1.1 Information Security Requirements Analysis and Specification

Control- Information security requirements for new information systems or enhancements to existing
information systems should be included
 Information Security Implementation Guide PAGE 95

Implementation Guidance – Information security needs should be defined using various approaches such as
derivation of policy and regulation enforcement criteria, threat analysis, incident assessment, and the use of
thresholds of vulnerability. All stakeholders will log and review the identification results.

The business assessment of the information concerned and possible negative effects on business resulting
from lack of sufficient protection should reflect information security standards and inspections.

Early stages of projects for information systems will include the definition and management of information
security specifications and related processes. Early consideration of information security requirements can
lead, for example, to more efficient and effective solutions at the design level.

The requirements of information security should also take into account:

confidence in the claimed identity of users required to meet the requirement to obtain user authentication;
Processes for access and authorization of all business users and privileged or skilled users;
Inform users and managers of their roles and responsibilities;
the necessary protection needs of the assets concerned, including accessibility, confidentiality, and integrity;
business process specifications, such as transaction recording and monitoring, non-repudiation specifications;
Requirements required by other security controls, such as logging and monitoring interfaces or data leak
detection systems.
Dedicated controls should be considered for applications that deliver infrastructure through public networks
or that carry out transactions.

A structured testing and procurement process must be followed if goods are purchased. Supplier contracts will
meet the security requirements found. If a proposed product has no safety features, the risk identified and the
associated controls should be reconsidered before the product is purchased.

The available security configuration guidance should be evaluated and implemented for the product aligned
with the system ‘s final software / service stack.

Product acceptance criteria, e.g., in terms of functionality, should be defined to ensure that the security
criteria identified are complied with. Before acquisition, products should be assessed according to these
criteria. Further functionality should be checked in order to ensure that additional risks are not unacceptable.

Other Information – In order to identify controls to meet information security requirements, ISO / IEC 27005
and ISO 31000 provide guidance on the use of risk management processes.

Securing Application Services on Public Networks

Securing Application Services on Public Networks Information about application services which pass through
public networks should be protected against fraudulent activities, contract disputes, unauthorized disclosure,
and modification.

Implementation Guidance – Information security requirements will include the following for application
services that cross public networks:
 Information Security Implementation Guide PAGE 96

Each party requires a level of trust in the identity claimed by each other, for example, through authentication;
Authorizations for those who may authorize the content of key transnational documents, issue or sign them;
Ensure that communication parties are fully aware of their service provision or usage authorizations;
Determination and compliance with the conditions of confidentiality, integrity, proof that key documents and
contracts, for instance, related to contracts and tendering process, have been dispatched and received;
The level of trust required in key documents’ integrity;
Protection of any confidential information requirements;
Confidentiality and Integrity of any order transactions, payment details, delivery address information and
receipt confirmation;
the appropriate verification degree for the verification of a customer’s payment information;
Choosing the most appropriate form of payment settlement for fraud protection;
the extent of security required for keeping information about the order confidentiality and integrity;
Avoidance of transaction information loss or duplication;
liability for all transactions involving fraud;
Requirements for insurance.
The application of cryptographic controls will resolve many of the above concerns in compliance with legal
requirements.

An agreement that is registered and binds all parties to the agreed terms of service, including specifics of the
authorization, will help the application service arrangement between partners.

Resilience requirements should be considered against attacks that may include conditions to protect the
application servers or ensure that network interconnections required to provide the service are available.

Other Information – Applications accessible through public networks are threatened by a number of networks,
for example, fraudulent activity, contractual disputes, and public information. Detailed assessments of risk and
an appropriate range of controls are therefore important. The needed controls also involve authentication and
data transfer via cryptographic methods.

Secure authentication methods, e.g., using the public encryption key and digital signatures, can be used to
reduce risks by application services. Trusted third parties, if such services are necessary, can also be used.

Protecting Application Services Transactions

Control- ISO 27001 Annex: A.14.1.3 Protecting Application Services Transactions in order to avoid incomplete
transmission, misrouting, unauthorized messaging modification, unauthorized dissemination, unauthorized
message replication, or replay, information concerning application service transactions should be covered.

Implementation Guidance – The following should include information security considerations for application
service transactions:

The use by each party involved in the transaction of electronic signatures;

All transaction aspects, i.e., making sure:
All parties’ information about the user’s secret authentication is valid and verified;
The transaction is kept secret;
 Information Security Implementation Guide PAGE 97

Privacy is maintained with respect to all participating parties;

The route of contact between all parties concerned is encrypted;

The contact protocols used by all parties concerned are ensured;
ensuring that transaction information is stored outside a publicly accessible environment e.g., on a storage
platform on an organization intranet and that it is not retained and exposed on an internet-accessible storage
medium;
The protection is incorporated and implemented in the entire end-to-end certificate/signature management
process when a trusted authority is used (e.g., for the purpose of issuing and retaining digital signatures or
digital certificates).
Other Information – The size of the controls taken must be proportionate to the risk level of each application
service transaction.
Transactions in the jurisdiction from which the transaction is produced, processed, completed, or deposited
that need to comply with applicable laws and regulations.

Security in Development and Support Processes

Security in Development and Support Processes Its objective is ensuring the creation and implementation of
information security in the information system development process.

A.14.2.1 Secure Development Policy

Control- Regulations for software and system development should be laid down and applied to organizational
developments.

Implementation Guidance – Secure development includes a safe infrastructure, architecture, software, and
system to be developed. The following considerations should be taken into account in a stable technology
policy:

Environmental development security;

security guidelines for the life cycle of software development:
security in the methodology for software development;
Secure guidelines on code for each language of programming used;
Design-phase protection requirements;
Security control points within the milestones of the project;
secure repositories;
Version control security;
Necessary security knowledge of application;
The ability of the developers to avoid, identify and fix vulnerabilities.
secure programming technology can be used for both software development and code replication situations
where development requirements are not established or in line with existing best practices. The secure and, if
applicable, mandatory coding criteria for use should be taken into account. Developers should be trained and
their use should be verified for testing and code review.

The organization will be confident if development is outsourced that it complies with these principles of safe
development.
 Information Security Implementation Guide PAGE 98

Technical Review of Applications after Operating Platform Changes

Control- In changing operating platforms, critical applications of business should be revised and tested to
ensure no adverse impacts on business or security.

Implementation Guidance – The following points should be covered in the process:

Review of application control and processes of integrity to ensure that changes to the operating platform have
not compromised them;
Ensure that operating platform changes are communicated at the right time to enable proper tests and
reviews prior to implementation;
Ensuring that the business continuity plans are properly amended.
Other Information – Operating environments are operating systems, databases, and applications for
middleware. API modifications should also be tracked.
Restrictions on Changes to Software Packages

Control- Software package modifications should be discouraged, restricted to the modifications necessary, and
all changes controlled strictly.

Implementation Guidance – The vendor-supplied software packages should be used without alteration to the
extent necessary and feasible. The following points should be considered where a software package needs to
be modified:

the possibility of conflict with built-in controls and processes of integrity;

Whether Vendor’s consent has been obtained;
the opportunity, in regular system updates, to receive the necessary vendor changes;
impacts when the organization becomes responsible as a result of changes for the future maintenance of
software;
Additional software compatibility in use.
The original software should be kept if changes are necessary and the modifications applied to the specified
copy. To ensure that the most up to date approved patches and application updates are installed for all
permitted software, a software update management process should be implemented. All modifications should
be carefully checked and reported, in order to reapply to potential software updates if necessary. If required,
a separate evaluation body will check and verify the modifications.

Secure System Engineering Principles

Control- In the implementation of any information system implementation project, standards for secure
system engineered must be established, documented, maintained, and implemented.

Implementation Guidance – Secure IT Engineering procedures based on the principles of security engineering
should be established, documented, and applied in in-house IT Engineering. The need for data security and
accessibility should be balanced in all architecture layers (e.g., business, data, applications, and technology).
New technology for security threats needs to be evaluated and the design for documented attack patterns
should be reviewed.
 Information Security Implementation Guide PAGE 99

Such principles and the developed engineering processes should be reviewed periodically, to ensure that they
contribute effectively to improved safety standards in the engineering phase. They should also be reviewed on
a regular basis to ensure that they remain relevant as concerning the combat against any new potential
threats and remain applicable to technical advancements and implemented solutions.

Where appropriate, the established principles of security engineering should be applied to outsourced
information systems through the agreements and other binding agreements between the organization and its
suppliers to whom the organization outsources. The business must ensure that the rigor of the security
engineering standards of suppliers is comparable to its own.

Other Information – Procedures for the creation of applications which have input and output interfaces should
apply secure engineering techniques. Secure engineering techniques provide guidance on user authentication,
secure control of the session, and validation of data, sanitation and removal of debugging codes.

Secure Development Environment

Control – ISO 27001 Annex: A.14.2.6 Secure Development Environment in this Organizations should create
secure development environments and integration efforts for the entire life cycle of system development and
should be adequately protected.

Implementation Guidance – A secure development environment includes people, processes, and technology
in the development and integration of systems.

Organizations should evaluate the risks associated with the development of individual systems and establish
secure development environments for specific system development efforts, taking into account the following
points:

Sensibility of processing, storage and transmission of data through the system;

External and internal guidelines applicable, e.g. laws or policies;
Security controls already carried out by the organization that endorses the development of the system;
the reliability of personnel working in the environment;
The level of outsourcing associated with the production of the system;
The need for segregation between different environments for development;
Access control to the environment for development;
Monitoring environmental changes and the code contained in them;
Secure offsite locations of backups are stored;
Data transfers from and to the environment are controlled.
When the level of security is established for a specific development context, organizations will record and
provide the corresponding processes to all or any individual who needs them in secure development
processes.

Outsourced Development
 Information Security Implementation Guide PAGE 100

Control – The organization must monitor and monitor activity for the development of the outsourced system.

Implementation Guidance – If system development is outsourced, it is necessary to consider the following

points across the entire external supply chain of the organization;

Outsourced content licensing arrangements, code ownership and intellectual rights;

Secure design, coding and testing requirements; contractual requirements;
Providing the external developer with the approved threat model;
Quality and accuracy of deliverables acceptance testing;
Provide evidence that security criteria have been used for minimum appropriate security and privacy
standards;
provide evidence that enough testing has been applied to prevent both deliberate and unintentional malicious
content from being delivered;
provide proof that adequate research was used to defend against known vulnerabilities; collection of data;
escrow schemes, for example, when source code is no more available
Contractual right to inspect processes and controls for development;
Efficient development environment documents used to construct deliverables;
Compliance with applicable laws and monitoring effectiveness verification shall remain a responsibility of the
organization.
Other Information – Additional information on provider relations is frequently available in ISO / IEC 27036.

System Security Testing

Control – During development, security functionality test should be conducted.

Implementation Guidance – A thorough test and verification is necessary during developing processes in new
and updated systems, including the preparation of detailed business schedules and input tests and expected
outputs under various conditions. Such tests are initially to be carried out by the development team for
internal developments. Specific approval assessments (for both internal and external developments) will then
be conducted to ensure the system is functioning according to expectations and only according to
expectations. The range of research should be proportional to the relevance and complexity of the program.

System Acceptance Testing

Control- New information systems, enhancements, and updated versions should be equipped with acceptance
testing services and related requirements.

Implementation Guidance – The system acceptance tests should include information security testing and
compliance with safe system development practices. Testing of received components and integrated systems
should also be carried out. Automated tools can be used by companies,

For example, tools for code analysis, vulnerability scanners, and the correction of security-related defects
should be verified.
 Information Security Implementation Guide PAGE 101

In a realistic test environment, testing should be done to ensure the system does not introduce any
vulnerabilities and that tests are reliable in the organization’s environment.

Test data

Protection of test data

Control – Careful collection, security, and review of test data should be performed.

Implementation Guidance – It should be avoided the use of operational information containing personal
information or any other confidential information for test purposes. Where personal information or otherwise
confidential information for testing purposes is used, all sensitive information and content should be
protected either by deletion or modification.

When used for testing purposes, the following guidelines should be used for the protection of operational
data:

The access management protocols applicable to the running application systems should also refer to the
application control systems;
Every time operational information is copied to the test setting, separate authorization should be granted;
Operational information should be deleted immediately after completion of the test environment from a test
environment;
In order to include an audit trail, copying and using operational details should be logged.

Supplier Relationships

Supplier Relationships in this article explaining Information Security in Supplier Relationships, and their
policies.

A.15.1 Information Security in Supplier Relationships

Its objective is ensuring the security of assets accessible to suppliers of the organization.

A.15.1.1 Information Security Policy for Supplier Relationships

Control- The supplier should be agreed with and documented information security requirements related to
the risk mitigation of access by suppliers to organizational assets.
Implementation Guidance – In order to specifically address supplier access to information from the
organization, the organization must identify and require security information controls in its policy. These
checks should address the organization’s processing and procedures as well as the processes and procedures
to be abided by the organization, including the following points:

1. Identification and reporting of supplier forms, e.g. IT services, logistics services, financial services, IT
infrastructure components, which are accessible to the organization;
2. standardized supplier relationship management framework and lifecycle;
3. define the types of access to information allowed by distinct types of suppliers and monitor and
control the access;
 Information Security Implementation Guide PAGE 102

4. Minimum information protection standards for any category of information and method of access
to provide the basis for each supplier agreement based on the business needs and requirements
and risk profile of the organization;
5. Processes and procedure for monitoring compliance, including third-party evaluation and product
validation, with defined information security standards for any type of supplier and type of access;
6. Controls for accuracy and completeness of information and transmission received by any party to
ensure the quality of information;
7. the types of obligations applicable for providers to protect information of the organization;
8. handling of customer control events and contingencies, including company and customer
responsibilities;
9. Resilience and, if necessary, recovery and contingency plans to ensure the availability by all parties
of information or processing;
10. Training in awareness of applicable policies, processes and procedures for the organization staff
involved in acquisitions;
11. Training in awareness of how the organization’s staff interacts with supplier staff on appropriate
rules of engagement and behavior based on provider type and level of supplier access to the
system and information of the organization;
12. Conditions to document the security of information and control requirements in an agreement
signed by both parties;
13. Management and maintenance of the information security during the transition phase of the
required information changes, information processing, and everything else that needs transfer.

Addressing Security Within Supplier Agreements

Control- Any suppliers that view, process, store, communicate or provide IT infrastructure component
information for the organization should be defined and agreed with all applicable information security
requirements.

Implementation Guidance- Supplier agreements should be defined and recorded so that the organization and
the supplier do not misinterpret the obligations of the two parties to meet the applicable information security
requirements.

To meet the information security requirements identified, the following points should be considered for
inclusion in the agreements:

Description of information and methods of supply and access to the information to be provided or accessed;
classification of information by the classification scheme of an organization (see 8.2); mapping, where
possible, between the classification scheme for that organization and that for the supplier’s scheme of
classification;
legal and regulatory requirements, including data protection, copyright and intellectual property rights, and a
description of how they will be complied with;
obligation to enforce an agreed control plan, including access management, performance analysis, monitoring,
reporting and auditing for each contracting party;
Rules for acceptable use of information and, where necessary, unacceptable use;
 Information Security Implementation Guide PAGE 103

either an explicit list of providers’ staff authorized to receive or access information or procedures,
authorization conditions, and the removal, access or receipt by supplier personnel of the information of the
organization;
Information security measures relating to a specific contract;
Requirements and procedures for incident management (in particular, communication and collaboration in
the remediation of incidents);
Specific protocols and information protection criteria, such as for emergency response, authorization
protocols, training and awareness criteria;
Sub-contracting related legislation, including the controls to be applied;
Applicable business partners, like the IT contact person;
screening needs of supplier workers, including test and notification responsibilities, if there is no completion
of the test, or where the results give rise to doubts or concerns;
right to audit the contracting supplier processes and controls;
Failure to resolve and resolve conflicts;
The obligation of the supplier to submit an independent report on the efficiency of controls and the timely
correction agreement for the relevant issues raised in the report periodically;
The obligations of the supplier to meet the security requirements of the organization.

Information and Communication Technology Supply Chain

Control- Supplier agreements will contain provisions to mitigate information security risks associated with IT
Services and the product supply chain.

Implementation Guidance – For inclusion in supplier agreements on supply chain security, the following topics
should be addressed:

Defining Information security standards to refer to the IT product or service creation, in addition to provider
partnership information security generations;
Requiring suppliers to distribute security specifications across the supply chain for information and
communication technologies services, if suppliers subcontract information and communication technology
services provided to an organization;
Requiring suppliers to spread acceptable security practices through the accessibility chain for information and
communication technology goods, if such goods include purchased items from other suppliers;
Implementation of a monitoring framework and appropriate validation methods that have complied with
specified security criteria for information and communication technology products and services;
Implementation of a monitoring framework and appropriate validation methods that have complied with
specified security criteria for information and communication technology products and services;
Ensuring that essential products can be tracked across the entire supply chain and their origin;
Getting assurance that the IT products supplied function as expected without any unexpected or unwelcome
features;
define rules on information sharing and any problems and compromise between organizations and suppliers
concerning the supply chain;
 Information Security Implementation Guide PAGE 104

Implementation of detailed lifecycle and availability and related security risk protocols for the management of
information and communications technologies. This involves handling the uncertainties that components are
no longer available because suppliers no longer work or suppliers no longer supply such components because
of the advancements made in technology.

Supplier Service Delivery Management

Supplier Service Delivery Management It’s objective is to maintain, in compliance with supplier agreements,
an agreed level of information security and delivery of service.

A.15.2.1 Monitoring and Review of Supplier Services

Control- Organizations shall monitor, review and audit the provision of service to suppliers on a regular basis.

Implementation Guidance – Monitoring and review of supplier services will ensure respect for the terms and
conditions of information security of the arrangement and careful monitoring of incidents and issues related
to information security.

This will include a process of service management between the client and the supplier:

Monitor the level of service performance to verify agreement compliance;

Review the supplier’s service reports and schedule progress meetings on a regular basis as required by the
agreements;
conduct supplier audits and follow-up on reported problems in conjunction with the analysis of independent
auditor reports where available;
Facilitate and review the details regarding safety incidents as provided by agreements and any relevant
guidelines and procedures;
review the traces of the manufacturer audit and information security reports, operational issues, failures,
fault-tracking and service-related disturbances;
solving and managing any problems identified;
review the security of information aspects of the provider’s relations with their own suppliers;
Ensure that the company retains sufficient service capacity along with working plans to ensure that negotiated
rates of service reliability are maintained following significant service or catastrophe failures.

A designated entity or service management team should be entrusted with the responsibility for managing
supplier relationships. Moreover, the organization should ensure that suppliers assign responsibilities for
compliance review and implementation of the agreement requirements. There should be appropriate
technical expertise and resources to track compliance with the requirements of the Agreement, especially
with the requirements for information security. If deficiencies in the service delivery are observed, suitable
action should be taken.

To order that sensitive and essential information and information processing facilities that a company has
access, stored or controlled should be kept to full control and exposure of all security aspects. In the context
of a defined reporting procedure, the organization should retain visibility in security activities such as change
management, vulnerability identification, and incident reporting and response to information security.

A.15.2.2 Managing Changes to Supplier Services

 Information Security Implementation Guide PAGE 105

Control- Change in the provision of services by providers should be managed with the focus on the criticality
of enterprise information, systems, processes, and reassessment of risks and should include maintaining and
improving existing information security policies, procedures, and controls.

Implementation Guidance – This will take into account the following aspects:

Modifications of arrangements for suppliers;

Implementing changes by the organization:
Improvements to existing offered services;
development of all new systems and applications;
Changes or modifications to the policies and procedures of the organization;
Controls new or updated to address and enhance safety information incidents;
Implementing improvements in supplier services:
Network modification and improvement;
the use of the modern technology;
Current or older releases with existing products;
New technologies and environments for development;
Modification of service center physical location;
Supplier change;
Subcontract to another supplier.

Information Security Incident Management

Information Security Incident Management in this article explain Management of Information Security
Incidents and Improvements and their Responsibilities & Procedures.

A.16.1 Management of Information Security Incidents and Improvements

Its objective is to ensure a clear and successful strategy, including communication on security incidents and
vulnerabilities, for information security incidents management.

A.16.1.1 Responsibilities and Procedures

Control- In order to ensure a quick, efficient, and organized response to ISO 27001 Annex: A.16 Information
Security Incident Management roles and procedures should be defined.

Implementation Guidance- The following recommendations should be taken into account regarding
management roles and procedures for management of incident information security:

A. In order to ensure proper development and coordination of procedures within this organization,
management roles should be established:
– Planning and preparation procedures for incident response;
– Monitoring, identification, analysis and reporting procedures for events and incidents related to information
security;
– Logging procedures for incidents management.
– Forensic Evidence Management Procedures;
– Procedures for information security evaluation and decision making and information security vulnerability
assessment;
 Information Security Implementation Guide PAGE 106

– Response protocols include escalation measures, managed recovery from incidents and contact to internal
and external individuals or organizations;

B. The established procedures should ensure that:

Competent staff handle information security issues within the organization;
A contact point for identification and reporting of safety incidents is established;
Adequate contacts are being maintained with authorities, groups of external interest or forums that deal with
information security issues;
C. Procedures to report will include:
Preparing the ways of covering information security incidents to facilitate coverage and to help reporters
remember any steps required even in the event of an information security incident;
Procedure to be taken in the case of an information security event, e.g. immediately notice of all the
information such as a form of violation or non-compliance, failure occurring, on-screen notifications and
immediate contact reporting taking only coordinated actions;
a reference to a formal disciplinary process established to deal with employees who violate security;
Appropriate feedback processes to ensure that those who report information security events are notified of
the results following the resolution and closure of the issue.
“Being the subject of an attack incident is not a crime- but how you respond to it in the future could be. Being
prepared to respond to an incident at a business level, not just with the technology, is absolutely critical.”
– Gordon Archibald

The management objectives for the management of information security incidents should be established to
ensure that those responsible for the management of information security incidents recognize the priorities of
the organization in managing information security incidents.

Reporting Information Security Events

Control- Information security incidents should be reported as quickly as possible through appropriate
management channels.

Implementation Guidance- Both employees and contractors will be made aware of their responsibility as soon
as possible for reporting security incidents. The reporting protocols and the point of contact at which the
incidents will be reported should also be known to them.
Situation for information security incident documentation to be considered includes:
Ineffective control of security;
Breach of standards regarding quality of information, confidentiality, and availability;
Towards human mistakes;
Failure to comply with policies or guidelines;
Failed to comply with physical safeguards
A device shift controlled;
A program or device malfunctioning;
Infringements of access.
Ignorance and other anomalous device activity may signify a security attack or actual security violation and
therefore should always be identified as a security information event.

Reporting Information Security Weaknesses

 Information Security Implementation Guide PAGE 107

Control- Any information security vulnerabilities found or suspected in systems or services in which employees
and contractors are using the information systems and services of the organization should be recorded and
documented.

Implementation Guidance- To avoid accidents related to the protection of information, all employees and
contractors will send these queries to the contact point as soon as possible. The system for reporting should
be as easy, open, and usable as possible.

Other Information- This should be recommended not to attempt to show alleged security vulnerabilities for
employees or contractors. Test deficiencies may be viewed as a possible violation of the system which could
lead to harm to the information system or to the service and to legal responsibility for the individual
conducting the test.

Assessment of and Decision on Information Security Events

Control- Information security events should be analyzed and determined whether they should be listed as
incidents related to information security.

Implementation Guidance- Each information security event should be evaluated by the contact point on the
agreed security event and classification scale and whether the event should be considered as a security
incident. Incident’s detection and prioritizing can help to assess the nature and severity of an incident.

For situations where the company has an ISIRT (information security incident response team ) , the
assessment and judgment may be forwarded to ISIRT for validation or re-evaluation. Results of the assessment
and decision should be recorded intimately for the aim of future reference and verification.

Response to Information Security Incidents

Control- In the context of the documented procedures, information security incidents should be responded to.

Implementation Guidance- A nominated point of contact and other pertinent people within the organization
or external parties should be able to respond to information security incidents.

The following should be included in the response:

Gathering evidence as soon as possible after the occurrence;
Conduct forensic security information analysis where necessary;
Escalation, wherein necessary;
 Information Security Implementation Guide PAGE 108

Ensuring adequate documentation for subsequent analysis of all responses activities involved;
Communicate to other internal or external entities or organizations who need to know if an information
security incident occurs or any specific details thereof;
Addressing the weaknesses identified for information security or contributing to the incident;
The formal closing and recording of the incident until effectively concluded.
The investigation should be performed after the incident to determine the cause of the accident, if
appropriate.

Learning from Information Security Incidents

Control – To minimize the risk or effect of potential accidents, the experience obtained from the study and
mitigation of information security accidents should be used.

Implementation Guidance- Mechanisms will be in place to measure and track the forms, quantities, and costs
of events affecting information security. In order to classify recurring or high impact events, the information
obtained from the information security events assessment should be used.

Other Information- In order to minimize the occurrence, harm and expense of potential accidents, or take
account of the security policy analysis process, assessment of information security accidents that suggest that
improved or additional controls are required (refer 5.1.2).

Facts and figures from real events in the security of information can be used in user awareness training with
due consideration of confidentiality (refer 7.2.2) as examples of how these events may be handled and how to
prevent them in the future.

Collection of Evidence

Control- The organization will define, obtain, procure and retain information as documentation and
implement procedures.

Implementation Guidance- External protocols for treating evidence for administrative and legal action should
be established and tracked.

In general, the processes of defining, gathering, acquiring, and preserving the proof should be in line with
various media types, technologies, and device specifications e.g. based on or off.

The procedures will take into consideration:

Custody chain;
Evidence of security
Personnel security;
The staff’s roles and responsibilities;
Personnel competency;
Documentation;
Briefing.
Certification or all other applicable staff and instrument credentials should be pursued where possible in order
to strengthen the validity of the evidence retained.
 Information Security Implementation Guide PAGE 109

Forensic findings can extend beyond the boundaries of association or jurisdiction. In these cases, the
organization should be given the right to collect the required information as forensic proof. In order to
optimize admission opportunities across the qualified jurisdictions, the criteria of the different jurisdictions
should also be considered.

Other Information- The quest for, detection and recording of possible evidence requires identification. The
collection process is the set of physical objects which may contain potential evidence. The method of
acquisition is to create a copy of the data in a given package. Preservation is the mechanism by which
probable evidence is stored and preserved.

This may not be clear if the incident would result in legal proceedings unless an information security issue is
identified first. The risk, therefore, exists that the required proof may be intentionally or inadvertently lost
prior to the seriousness of the incident. Any legal proceedings to be taken and guidance on the facts needed is
recommended to involve lawyer or police at an early age.

Information Security Aspects of Business Continuity Management

Information Security Aspects of Business Continuity Management in this article explain Information Security
Continuity, Planning Information Security Continuity and Implementing Information Security Continuity this
controls.

A.17.1 Information Security Continuity

Its objective is the continuity of information security should be integrated into the business continuity
management processes of the organization.

A17.1.1 Planning Information Security Continuity

Control – In adverse circumstances, e.g., during a crisis or a catastrophe, the company will determine the
information security standards and consistency of information security management.

Implementation Guidance- An organization should assess whether the continuity of security is captured in the
management process of business continuity or in the disaster recovery process. In business continuity
preparation and disaster recuperation, information security standards will be determined.

The Information Security Management should assume that information security requirements remain the
same in unfavorable situations as normal operational conditions without a formal business continuity and
disaster recovery plan. In order to define security criteria related to adverse circumstances, an organization
may also carry out a business effect analysis for information security issues.

Other Information- It is advised to capture the security aspects of information within the standard business
continuity or disaster recovery management business impact analysis to minimize the time and expense of an
external business impact analysis for information security. That means, in business continuity management or
disaster recovery management systems, the criteria for continuity information protection are specifically
formulated.
 Information Security Implementation Guide PAGE 110

A.17.1.2 Implementing Information Security Continuity

Control- In order to ensure the necessary degree of consistency of information security to adverse
circumstances, the company should define, document, execute, and maintain processes, procedures, and
controls.

Implementation Guidance- An organization should make sure that:

Adequate management structure is in place with the authority, experience, and competence to plan, mitigate
and respond to disruptive events with the workforce necessary;
Incident response personnel are nominated for incident management and information security with the
necessary responsibility, authority, and competence;
It develops and approves the documented plans, response and recovery procedures detailing how the
organizations manage a disruptive event and maintain their security of information to a pre-set level based on
the information security continuity objectives approved through management.
The organization should establish, record, execute, and maintain the information security continuity
requirements:
Controlling of information security, processes and support systems and equipment, as well as business
continuity or disaster recovery process.
Processes, procedures and changes in implementation in an adverse situation in order to maintain existing
information security controls;
Compensating information security management mechanisms that can not be enforced under adverse
circumstances.

Verify, Review and Evaluate Information Security Continuity

Control- ISO 27001 Annex: A.17.1.3 Verify, Review and Evaluate Information Security Continuity In order to
ensure accurate and productive to adverse circumstances, the company must review on-going controls on
safety information defined and enforced at regular intervals.

Implementation Guidance- Changes in organizational, technological, administrative and procedures, whether

operational or framework, will lead to changes in the criteria for the continuity of information security. In such
cases, the continuity of information security processes, procedures and controls against these changed
requirements should be reviewed.

Organizations will track the consistency of their management of information security by:

Exercise and test the reliability of systems, procedures, and controls for the protection of information in
compliance with objectives of information continuity;
Exercise and test expertise and routine in the systems, procedures and controls of information security
continuity to ensure that its output is in line with the objectives for information security continuity;
Continuity of information infrastructure, information security mechanisms, policies and controls, and business
continuity management/disaster recovery methods and strategies tests the quality and efficacy of information
security initiatives.

Compliance
 Information Security Implementation Guide PAGE 111

Compliance in this article explain Compliance with Legal and Contractual Requirements, Identification of
Applicable Legislation and Contractual Requirements and Intellectual Property Rights this controls.

A.18.1 Compliance with Legal and Contractual Requirements

Its objective is to protect against violation of legal, statutory, regulatory, or contractual obligations relating to
information security and any other security requirements.

A.18.1.1 Identification of Applicable Legislation and Contractual Requirements

Control- Each of these information systems and organizations should specifically identify, document, and
update all relevant statutory, regulatory, contractual requirements, and the approach of the organization
towards compliance with these requirements.

Implementation Guidance- There must also be identification and documentation of basic controls and
individual obligations to fulfill those criteria.

In order to satisfy the criteria for their business form, administrators should recognize all the legislation that
relates to their organization. If the organization is operating in other countries, managers in all related
countries will ensure compliance.

A.18.1.2 Intellectual Property Rights

Control- Proper procedures will be followed to ensure that the legal, regulatory, and contractual provisions
relating to ownership of intellectual property and the use of proprietary software products are complied upon.

Implementation Guidance- In order to protect any material regarded as intellectual property, the following
guidelines should be adopted:

Publish a guideline for the legitimate use of software and information products in line with intellectual
property rights;
To purchase software so that copies are not breached, software only from known and reputable sources;
Maintaining awareness and notifying the intention to take disciplinary steps against personnel who violate
intellectual property rights policy;
Maintain adequate registers of assets and identify all assets with intellectual rights protection requirements;
Maintaining evidence and evidence of license ownership, master disks, manuals, etc.;
Implement controls to ensure that no maximum number of approved users is exceeded;
Conduct reviews to check that product and software installed are solely licensed;
Provide a policy for the enforcement of appropriate conditions of license;
Provide an information disposal/transfer of strategy to others;
Compliance with software terms and conditions and public network information;
Not replicate, transform, or extract from commercial (film, audio) recordings, other than those permitted
under the law of copyright;
Books, articles, reports, or other documents not fully or partially copied except as permitted by copyright
legislation.

Protection of Records
 Information Security Implementation Guide PAGE 112

Control- ISO 27001 Annex : A.18.1.3 Protection of Records shall, in accordance with the provisions to
legislative, regulatory, contractual, and business requirements, to protect from loss, destruction, falsification,
and unauthorized access and unauthorized release.

Implementation Guidance- The related classification based on the organization’s classification scheme is to be
taken into account when determining whether to secure relevant organizational documents. Categorized
records in the following types of records, such as accounting records, database records, transaction records,
audit logs, and operating procedures, should include details on retention periods and the type of media
permitted for storage, such as paper, microfiche, magnetic, optical. Any associated encryption keys and
programs related to encrypted or digital signatures (see Clause 10) must also be stored so that records are
decrypted for a period of time during which records are kept.

The possibility of media deterioration used for record storage should be taken into consideration. In
accordance with the manufacturer ‘s recommendations, storage and handling procedures should be
implemented.

When electronic storage media are selected, protocols should be developed in order to protect against loss
due to potential technical changes to ensure access for data (either media or format readability) over the
retention period.

Data storage systems should be assigned so that the data required can be recovered, depending on the
requirements to be fulfilled, in a time and format acceptable.

The storage and handling system should, if appropriate, ensure that records and their retention periods are
known as specified in national or regional laws. After that period, if records are not required by the
organization, this system should allow appropriate destruction.

The following steps should be taken by an organization in order to achieve these record safeguarding goals:

Guidelines should be provided with regard to documents and information processing, storage, handling and
disposal;
A schedule for retention of records and the period for which they should be retained should be defined.
An inventory of main information sources should be maintained.

Other Information- Those documents need to be maintained safely to satisfy legislative, regulatory, or
contractual requirements and to maintain key business operations. Examples include documents that might
be necessary to show the legislative or regulatory operation of an entity to protect it from the potential civil or
criminal acts of the public and to clarify to shareholders, external parties, and auditors the financial position of
an organization. The period of time and data content for the retention of information may be determined by
national law or regulation. More information on organizational record management is available in ISO 15489.

Privacy and Protection of Personally Identifiable Information

 Information Security Implementation Guide PAGE 113

Control- Privacy and protection of personal data should be guaranteed, as required, in applicable laws and
regulations.

Implementation Guidance- A data policy of the organization should be developed and implemented to
protect the privacy and personal information identifiable. This policy should be communicated to everyone
involved in personal information processing.

Compliance with this policy and all the relevant legislation and regulations regarding privacy and personal
information protection requires a proper management structure and control. This is often best achieved by
appointing a responsible person like a security officer, who should give management, users and service
providers guidance on their responsibilities and specific procedures. Responsibility should be taken in
compliance with applicable laws and regulations for managing personally identifiable information and
awareness of the information security principles. Suitable technical and organizational measures should be
implemented to protect personal information.

Other Information- In the information and communications technology frameworks, ISO / IEC 29100 offers a
high-level mechanism to safeguard personally identifiable information. Many countries have legislation
introduced to monitor the collection, processing, and transmission of personal information (usually personal
identifiable information on living persons). Such controls could impose duties, depending on the respective
national laws, on those who collect, process, and distribute personally identifiable information and could also
limit the ability to transfer information that can be identified by themselves to other countries.

Regulation of Cryptographic Controls

Control- In accordance with all relevant agreements, legislation, and regulations, cryptographic controls must
be used.

Implementation Guidance- In accordance with the relevant agreements, laws, and regulations, the following
points should be considered:

Restrictions on the import or export of computer hardware and software for the performance of
cryptographic functions;
Restrictions on the import or export of hardware and software designed to have cryptographic functions
applied to it;
Restrictions on the use of encryption;
Mandatory or discretionary methods of access to information encrypted by hardware or software for the
protection of content by the country authorities.
Legal advice will be sought in order to ensure compliance with the applicable laws and regulations. Legal
advice should also be taken before encrypted information or cryptographic checks are transferred across
jurisdictional boundaries.

Protection of Records
 Information Security Implementation Guide PAGE 114

Control- ISO 27001 Annex : A.18.1.3 Protection of Records shall, in accordance with the provisions to
legislative, regulatory, contractual, and business requirements, to protect from loss, destruction, falsification,
and unauthorized access and unauthorized release.

Implementation Guidance- The related classification based on the organization’s classification scheme is to be
taken into account when determining whether to secure relevant organizational documents. Categorized
records in the following types of records, such as accounting records, database records, transaction records,
audit logs, and operating procedures, should include details on retention periods and the type of media
permitted for storage, such as paper, microfiche, magnetic, optical. Any associated encryption keys and
programs related to encrypted or digital signatures (see Clause 10) must also be stored so that records are
decrypted for a period of time during which records are kept.

The possibility of media deterioration used for record storage should be taken into consideration. In
accordance with the manufacturer ‘s recommendations, storage and handling procedures should be
implemented.

When electronic storage media are selected, protocols should be developed in order to protect against loss
due to potential technical changes to ensure access for data (either media or format readability) over the
retention period.
Data storage systems should be assigned so that the data required can be recovered, depending on the
requirements to be fulfilled, in a time and format acceptable.

The storage and handling system should, if appropriate, ensure that records and their retention periods are
known as specified in national or regional laws. After that period, if records are not required by the
organization, this system should allow appropriate destruction.

The following steps should be taken by an organization in order to achieve these record safeguarding goals:

Guidelines should be provided with regard to documents and information processing, storage, handling and
disposal;
A schedule for retention of records and the period for which they should be retained should be defined.
An inventory of main information sources should be maintained.

Privacy and Protection of Personally Identifiable Information

Control- Privacy and protection of personal data should be guaranteed, as required, in applicable laws and
regulations.

Implementation Guidance- A data policy of the organization should be developed and implemented to
protect the privacy and personal information identifiable. This policy should be communicated to everyone
involved in personal information processing.

Compliance with this policy and all the relevant legislation and regulations regarding privacy and personal
information protection requires a proper management structure and control. This is often best achieved by
appointing a responsible person like a security officer, who should give management, users and service
 Information Security Implementation Guide PAGE 115

providers guidance on their responsibilities and specific procedures. Responsibility should be taken in
compliance with applicable laws and regulations for managing personally identifiable information and
awareness of the information security principles. Suitable technical and organizational measures should be
implemented to protect personal information.

Regulation of Cryptographic Controls

Control- In accordance with all relevant agreements, legislation, and regulations, cryptographic controls must
be used.

Implementation Guidance- In accordance with the relevant agreements, laws, and regulations, the following
points should be considered:

Restrictions on the import or export of computer hardware and software for the performance of
cryptographic functions;
Restrictions on the import or export of hardware and software designed to have cryptographic functions
applied to it;
Restrictions on the use of encryption;
Mandatory or discretionary methods of access to information encrypted by hardware or software for the
protection of content by the country authorities.
Legal advice will be sought in order to ensure compliance with the applicable laws and regulations. Legal
advice should also be taken before encrypted information or cryptographic checks are transferred across
jurisdictional boundaries.

Information Security Reviews

Its objective is to ensure that information security is enforced and managed in compliance with organizational
policies and procedures.

A.18.2.1 Independent Review of Information Security

Control- A proposed or major improvement should be taken into account internally for the organization’s
approach to information security management and execution, (i.e. control objectives, controls, policies,
processes, and procedures for information security).

Implementation Guidance

The independent review will be conducted by the board. Such an independent review is required to ensure
that the organization ‘s approach to information security management remains consistent, appropriate, and
efficient. The analysis will include an assessment of improvement opportunities and the need to change the
security approach, including policy and control objectives. Such a review would need to be conducted by
people independently of the area being reviewed, e.g., an internal audit function, an independent manager, or
a specialized external party organization. Those who conduct these reviews should have the skills and
experience needed. The independent review results must be recorded and reported to the management
responsible for initiating the review. These records are to be maintained. When, for example, the defined aims
and objectives and needs of the company are not met in compliance with the guiding principle for security of
 Information Security Implementation Guide PAGE 116

information as set out in the information security policy (Refer 5.1.1), management should pursue corrective
measures.

Other Information

In addition, the guidance on carrying out an independent review is provided by ISO/27007, the Guidelines on
Information Security Management Systems Auditing and ISO / IEC TR 27008 Guidelines for Auditors on
Information security controls.

Information security clauses and their implementation, i.e., controls which should be implemented by the
organization to preserve the CIA triad, Confidentiality, Integrity, and Availability to maintain their critical,
sensitive information in a secure manner it will help you to understand and recognize the full scope of your
organization’s security checks to protect your organization’s activities and information equipment (assets)
from attacks, and ensure privacy and also ensure that information-security is enforced and managed in
compliance with organizational policies and procedures.

A.18.2.2 Compliance with Security Policies and Standards

Control
Managers will review on a regular basis compliance with relevant security policies, guidelines, and other
security specifications of information processing and procedures within their field of responsibility.

Implementation Guidance

Managers will determine how information security criteria identified in policies, standards, and other
regulations are to be assessed. For efficient routine analysis, automated measuring and reporting tools should
be considered.

If any failure to comply results from the review are detected, managers should: -

Identify the reasons of failure to comply;

Assess the need for compliance measures;
Implement effective remedial measures;
Review the steps taken to verify their efficiency and recognize any deficiencies or vulnerabilities.
Details of the managers’ assessments and disciplinary measures should be reported and documented. If an
independent review takes place within its area of responsibility, administrators will report the findings to
individuals conducting independent reviews (see 18.2.1).

Also Read: ISO 27001 Annex: A.18.1.3 Protection of Records, A.18.1.4 Privacy and Protection of Personally
Identifiable Information and A.18.1.5 Regulation of Cryptographic Controls

Other Information
 Information Security Implementation Guide PAGE 117

Operational system usage monitoring is entailed in 12.4

A.18.2.3 Technical Compliance Review

Control

Information systems for compliance with the Information Security Policies and practices of an organization
should be periodically reviewed.

Implementation Guidance

In order to achieve a subsequent interpretation by a technical specialist, technical compliance should be

preferably assessed with the assistance of automated tools. Alternatively, an experienced system engineer
could carry out manual reviews (supported by appropriate software tools, if necessary). Caution should be
used when penetration tests or vulnerability assessments are used as these practices can lead to a system
security compromise. Such tests should be planned, documented, and replicated. Any professional assessment
of enforcement should only be conducted by or under the supervision of qualified, approved persons.