Security Policy: Difference between revisions
Jump to navigation
Jump to search
m →General |
No edit summary |
||
| (15 intermediate revisions by the same user not shown) | |||
| Line 10: | Line 10: | ||
The organization shall determine: | The organization shall determine: | ||
:1. Interested parties that are relevant to the information security management system; and | |||
:2. The requirements of these interested parties relevant to information security. | |||
<small>NOTE The requirements of interested parties may include legal and regulatory requirements and contractual obligations. </small> | <small>NOTE The requirements of interested parties may include legal and regulatory requirements and contractual obligations. </small> | ||
| Line 20: | Line 20: | ||
When determining this scope, the organization shall consider: | When determining this scope, the organization shall consider: | ||
:1. the external and internal issues referred to in [[Security_Policy#Understanding_the_organization_and_its_context|1.1]] | |||
:2. the requirements referred to in [[Security_Policy#Understanding_the_needs_and_expectations_of_interested_parties|1.2]] | |||
:3. interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations. | |||
Link to [https://docs.google.com/document/d/1UxPyur5i9tH6FAoKAYOgSSHHg8RsOX8UKOFirMGGHWI/edit?usp=sharing Scope of the ISMS] | Link to [https://docs.google.com/document/d/1UxPyur5i9tH6FAoKAYOgSSHHg8RsOX8UKOFirMGGHWI/edit?usp=sharing Scope of the ISMS] | ||
| Line 36: | Line 36: | ||
Top management shall demonstrate leadership and commitment with respect to the information security management system by: | Top management shall demonstrate leadership and commitment with respect to the information security management system by: | ||
:1. Ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization; | |||
:2. Ensuring the integration of the information security management system requirements into the organization’s processes; | |||
:3. Ensuring that the resources needed for the information security management system are available; | |||
:4. Communicating the importance of effective information security management and of conforming to the information security management system requirements; | |||
:5. Ensuring that the information security management system achieves its intended outcome(s); | |||
:6. Directing and supporting persons to contribute to the effectiveness of the information security management system; | |||
:7. Promoting continual improvement; and | |||
:8. Supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility. | |||
Link - [https://drive.google.com/file/d/0BzUoGNHs0-kpVEhHejlQOVZfNWM/view?usp=sharing Commitment letter from CEO] | Link - [https://drive.google.com/file/d/0BzUoGNHs0-kpVEhHejlQOVZfNWM/view?usp=sharing Commitment letter from CEO] | ||
| Line 52: | Line 52: | ||
:1. Is appropriate to the purpose of the organization; | :1. Is appropriate to the purpose of the organization; | ||
:2. Includes information security objectives (see [[Security_Policy#information_security_objectives_and_planning_to_achieve_them| | :2. Includes information security objectives (see [[Security_Policy#information_security_objectives_and_planning_to_achieve_them|3.2]]) or provides the framework for setting information security objectives; | ||
:3. Includes a commitment to satisfy applicable requirements related to information security; and | :3. Includes a commitment to satisfy applicable requirements related to information security; and | ||
:4. Includes a commitment to continual improvement of the information security management system. | :4. Includes a commitment to continual improvement of the information security management system. | ||
| Line 105: | Line 105: | ||
::(b) identify the risk owners; | ::(b) identify the risk owners; | ||
:4. Analyses the information security risks: | :4. Analyses the information security risks: | ||
::(a) assess the potential consequences that would result if the risks identified were to materialize; | ::(a) assess the potential consequences that would result if the risks identified in [[Security_Policy#Information_security_risk_assessment|3.1.2]].3 (a) were to materialize; | ||
::(b) assess the realistic likelihood of the occurrence of the risks identified; and | ::(b) assess the realistic likelihood of the occurrence of the risks identified in [[Security_Policy#Information_security_risk_assessment|3.1.2]].3 (a); and | ||
::(c)determine the levels of risk; | ::(c) determine the levels of risk; | ||
:5. Evaluates the information security risks: | :5. Evaluates the information security risks: | ||
::(a) compare the results of risk analysis with the risk criteria established; and | ::(a) compare the results of risk analysis with the risk criteria established in [[Security_Policy#Information_security_risk_assessment|3.1.2]].1; and | ||
::(b) prioritize the analysed risks for risk treatment. | ::(b) prioritize the analysed risks for risk treatment. | ||
The organization shall retain documented information about the information security risk assessment process. | The organization shall retain documented information about the information security risk assessment process. | ||
Link to [https://docs.google.com/document/d/1tTJzghkaG3uAAKIh5ITfGod7U8Q1MFsHjlOUYvCzWa0/edit Risk Assessment and Risk Treatment Methodology] | |||
==== Information security risk treatment==== | ==== Information security risk treatment==== | ||
| Line 120: | Line 122: | ||
:2. Determine all controls that are necessary to implement the information security risk treatment option(s) chosen; | :2. Determine all controls that are necessary to implement the information security risk treatment option(s) chosen; | ||
<small>NOTE Organizations can design controls as required, or identify them from any source. </small> | <small>NOTE Organizations can design controls as required, or identify them from any source. </small> | ||
:3. Compare the controls determined above with those in Annex A of ISO/IEC 27001:2013 and verify that no necessary controls have been omitted; | :3. Compare the controls determined in [[Security_Policy#Information_security_risk_treatment|3.1.3.]]2 above with those in Annex A of [https://drive.google.com/file/d/0B98VxoZqj8C6R0Jva0pSWTFyQzA/view ISO/IEC 27001:2013] and verify that no necessary controls have been omitted; | ||
<small>NOTE 1 Annex A contains a comprehensive list of control objectives and controls. Users of this International Standard are directed to Annex A to ensure that no necessary controls are overlooked. | <small>NOTE 1 Annex A contains a comprehensive list of control objectives and controls. Users of this International Standard are directed to Annex A to ensure that no necessary controls are overlooked. | ||
| Line 126: | Line 128: | ||
NOTE 2 Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed.</small> | NOTE 2 Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed.</small> | ||
:5. Produce a Statement of Applicability that contains the necessary controls | :5. Produce a Statement of Applicability that contains the necessary controls (see [[Security_Policy#Information_security_risk_treatment|3.1.3.]] 2 and 3 and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A; | ||
:6. Formulate an information security risk treatment plan; and | :6. Formulate an information security risk treatment plan; and | ||
:7. Obtain risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks. | :7. Obtain risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks. | ||
| Line 161: | Line 163: | ||
The organization shall: | The organization shall: | ||
:1. determine the necessary competence of person(s) doing work under its control that affects its information security performance; | |||
:2. ensure that these persons are competent on the basis of appropriate education, training, or experience; | |||
:3. where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and | |||
:4. retain appropriate documented information as evidence of competence. | |||
<small>NOTE Applicable actions may include, for example: the provision of training to, the mentoring of, or the reassignment of current employees; or the hiring or contracting of competent persons. </small> | |||
<small>NOTE Applicable actions may include, for example: the provision of training to, the mentoring of, or the reassignment of current employees; or the hiring or contracting of competent persons. </small> | |||
=== Awareness=== | === Awareness=== | ||
| Line 173: | Line 174: | ||
Persons doing work under the organization’s control shall be aware of: | Persons doing work under the organization’s control shall be aware of: | ||
:1. the information security policy; | |||
:2. their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance; and | |||
:3. the implications of not conforming with the information security management system requirements. | |||
===Communication=== | ===Communication=== | ||
| Line 181: | Line 182: | ||
The organization shall determine the need for internal and external communications relevant to the information security management system including: | The organization shall determine the need for internal and external communications relevant to the information security management system including: | ||
:1. on what to communicate; | |||
:2. when to communicate; | |||
:3. with whom to communicate; | |||
:4. who shall communicate; and | |||
:5. the processes by which communication shall be effected. | |||
=== Documented information=== | === Documented information=== | ||
| Line 205: | Line 206: | ||
When creating and updating documented information the organization shall ensure appropriate: | When creating and updating documented information the organization shall ensure appropriate: | ||
:1. identification and description (e.g. a title, date, author, or reference number); | |||
:2. format (e.g. language, software version, graphics) and media (e.g. paper, electronic); and | |||
:3. review and approval for suitability and adequacy. | |||
====Control of documented information==== | ====Control of documented information==== | ||
| Line 230: | Line 231: | ||
=== Operational planning and control=== | === Operational planning and control=== | ||
The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 3.1. The organization shall also implement plans to achieve information security objectives determined in 3.2. | The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in [[Security_Policy#Actions_to_address_risks_and_opportunities|3.1]]. The organization shall also implement plans to achieve information security objectives determined in [[Security_Policy#Information_security_objectives_and_planning_to_achieve_them|3.2]]. | ||
The organization shall keep documented information to the extent necessary to have confidence that the processes have been carried out as planned. | The organization shall keep documented information to the extent necessary to have confidence that the processes have been carried out as planned. | ||
| Line 240: | Line 241: | ||
=== Information security risk assessment=== | === Information security risk assessment=== | ||
The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 3.1.2.1. | The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in [[Security_Policy#Information_security_risk_assessment|3.1.2.]]1. | ||
The organization shall retain documented information of the results of the information security risk assessments. | The organization shall retain documented information of the results of the information security risk assessments. | ||
| Line 342: | Line 343: | ||
The organization shall continually improve the suitability, adequacy and effectiveness of the information security management system | The organization shall continually improve the suitability, adequacy and effectiveness of the information security management system | ||
== Apenndix == | |||
{| class="wikitable" | |||
|- | |||
! Clause !! Requirement | |||
|- | |||
| 1.3 || Scope of the ISMS | |||
|- | |||
| 2.2 & 3.2 || IS Policy & Objectives | |||
|- | |||
| 3.1.2 || Risk Assessment & Risk Treatment Methodology | |||
|- | |||
| 3.1.3.d || Statement of Applicability | |||
|- | |||
| 3.1.3.5 & 3.2 || Risk treatment plan | |||
|- | |||
| 5.2 || Risk assessment report | |||
|- | |||
| A.7.1.2 & A.13.2.4 || Definition of Security Roles and Responsibilities | |||
|- | |||
| A.8.1.1 || Inventory of Assets | |||
|- | |||
| A.8.1.3 || Acceptable Use of Assets | |||
|- | |||
| A.9.1.1 || Access Control Policy | |||
|- | |||
| A.12.1.1 || Operating Procedures for IT Management | |||
|- | |||
| A.14.2.5 || Secure System Engineering Principles | |||
|- | |||
| A.15.1.1 || Supplier Security Policy | |||
|- | |||
| A.16.1.5 || Incident Management Procedure | |||
|- | |||
| A.17.1.2 || Business Continuity Procedures | |||
|- | |||
| A.18.1.1 || Statutory, Regulatory, and Contractual Requirements | |||
|- | |||
| 4.2 || Records of Training, Skills, Experience and Qualifications | |||
|- | |||
| 6.1 || Monitoring and Measurement Results | |||
|- | |||
| 6.2 || Internal Audit Program | |||
|- | |||
| 6.2 || Results of Internal Audits | |||
|- | |||
| 6.3 || Results of the Management Review | |||
|- | |||
| 7.1 || Results of Corrective Actions | |||
|- | |||
| A.12.4.1 & 12.4.3 || Logs of User Activities, Exceptions, and Security Events | |||
|- | |||
| 4.5 || Procedure for document control | |||
|- | |||
| 4.5 || Controls for managing records | |||
|- | |||
| 6.2 || Procedure for internal audit | |||
|- | |||
| 7.1 || Procedure for corrective action | |||
|- | |||
| A.6.2.1 || Bring your own device (BYOD) policy | |||
|- | |||
| A.6.2.1 || Mobile device and teleworking policy | |||
|- | |||
| A.8.2.1-3 || Information classification policy | |||
|- | |||
| A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, & A.9.4.3 || Password policy | |||
|- | |||
| A.8.3.2 & A.11.2.7 || Disposal and destruction policy | |||
|- | |||
| A.11.1.5 || Procedures for working in secure areas | |||
|- | |||
| A.11.2.9 || Clear desk and clear screen policy | |||
|- | |||
| A.12.1.2 & A.14.2.4 || Clear desk and clear screen policy | |||
|- | |||
| A.12.3.1 || Backup policy | |||
|- | |||
| A.13.2.1-3 || Information transfer policy | |||
|- | |||
| A.17.1.1 || Business impact analysis | |||
|- | |||
| A.17.1.3 || Exercising and testing plan | |||
|- | |||
| A.17.1.3 || Maintenance and review plan | |||
|- | |||
| A.17.2.1 || Business continuity strategy | |||
|} | |||
== See also== | |||
[[Security_Appendix | Security Appendix]] | |||