Security Policy: Difference between revisions

Jump to navigation Jump to search
← Older edit
No edit summary
 
(7 intermediate revisions by the same user not shown)
Line 10: Line 10:
The organization shall determine:
The organization shall determine:


# Interested parties that are relevant to the information security management system; and  
:1. Interested parties that are relevant to the information security management system; and  
# The requirements of these interested parties relevant to information security.  
:2. The requirements of these interested parties relevant to information security.  
     <small>NOTE The requirements of interested parties may include legal and regulatory requirements and contractual obligations. </small>
     <small>NOTE The requirements of interested parties may include legal and regulatory requirements and contractual obligations. </small>


Line 36: Line 36:
Top management shall demonstrate leadership and commitment with respect to the information security management system by:
Top management shall demonstrate leadership and commitment with respect to the information security management system by:


#Ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization;
:1. Ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization;
#Ensuring the integration of the information security management system requirements into the organization’s processes;
:2. Ensuring the integration of the information security management system requirements into the organization’s processes;
#Ensuring that the resources needed for the information security management system are available;
:3. Ensuring that the resources needed for the information security management system are available;
#Communicating the importance of effective information security management and of conforming to the information security management system requirements;
:4. Communicating the importance of effective information security management and of conforming to the information security management system requirements;
#Ensuring that the information security management system achieves its intended outcome(s);
:5. Ensuring that the information security management system achieves its intended outcome(s);
#Directing and supporting persons to contribute to the effectiveness of the information security management system;
:6. Directing and supporting persons to contribute to the effectiveness of the information security management system;
#Promoting continual improvement; and
:7. Promoting continual improvement; and
#Supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.
:8. Supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.


   Link - [https://drive.google.com/file/d/0BzUoGNHs0-kpVEhHejlQOVZfNWM/view?usp=sharing Commitment letter from CEO]  
   Link - [https://drive.google.com/file/d/0BzUoGNHs0-kpVEhHejlQOVZfNWM/view?usp=sharing Commitment letter from CEO]  
Line 113: Line 113:


The organization shall retain documented information about the information security risk assessment process.
The organization shall retain documented information about the information security risk assessment process.
  Link to [https://docs.google.com/document/d/1tTJzghkaG3uAAKIh5ITfGod7U8Q1MFsHjlOUYvCzWa0/edit Risk Assessment and Risk Treatment Methodology]


==== Information security risk treatment====
==== Information security risk treatment====
Line 161: Line 163:


The organization shall:
The organization shall:
:1. determine the necessary competence of person(s) doing work under its control that affects its information security performance;
:2. ensure that these persons are competent on the basis of appropriate education, training, or experience;
:3. where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and
:4. retain appropriate documented information as evidence of competence.


#determine the necessary competence of person(s) doing work under its control that affects its information security performance;
  <small>NOTE Applicable actions may include, for example: the provision of training to, the mentoring of, or the reassignment of current employees; or the hiring or contracting of competent persons. </small>
#ensure that these persons are competent on the basis of appropriate education, training, or experience;
#where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and
#retain appropriate documented information as evidence of competence.
 
<small>NOTE Applicable actions may include, for example: the provision of training to, the mentoring of, or the reassignment of current employees; or the hiring or contracting of competent persons. </small>


=== Awareness===
=== Awareness===
Line 173: Line 174:
Persons doing work under the organization’s control shall be aware of:
Persons doing work under the organization’s control shall be aware of:


#the information security policy;
:1. the information security policy;
#their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance; and
:2. their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance; and
#the implications of not conforming with the information security management system requirements.
:3. the implications of not conforming with the information security management system requirements.


===Communication===
===Communication===
Line 181: Line 182:
The organization shall determine the need for internal and external communications relevant to the information security management system including:
The organization shall determine the need for internal and external communications relevant to the information security management system including:


#on what to communicate;
:1. on what to communicate;
#when to communicate;
:2. when to communicate;
#with whom to communicate;
:3. with whom to communicate;
#who shall communicate; and
:4. who shall communicate; and
#the processes by which communication shall be effected.
:5. the processes by which communication shall be effected.


=== Documented information===
=== Documented information===
Line 205: Line 206:
When creating and updating documented information the organization shall ensure appropriate:
When creating and updating documented information the organization shall ensure appropriate:


#identification and description (e.g. a title, date, author, or reference number);
:1. identification and description (e.g. a title, date, author, or reference number);
#format (e.g. language, software version, graphics) and media (e.g. paper, electronic); and
:2. format (e.g. language, software version, graphics) and media (e.g. paper, electronic); and
#review and approval for suitability and adequacy.
:3. review and approval for suitability and adequacy.


====Control of documented information====
====Control of documented information====
Line 342: Line 343:


The organization shall continually improve the suitability, adequacy and effectiveness of the information security management system
The organization shall continually improve the suitability, adequacy and effectiveness of the information security management system
== Apenndix ==
{| class="wikitable"
|-
! Clause !! Requirement
|-
| 1.3 || Scope of the ISMS
|-
| 2.2 & 3.2 || IS Policy & Objectives
|-
| 3.1.2 || Risk Assessment & Risk Treatment Methodology
|-
| 3.1.3.d || Statement of Applicability
|-
| 3.1.3.5 & 3.2 || Risk treatment plan
|-
| 5.2 || Risk assessment report
|-
| A.7.1.2 & A.13.2.4 || Definition of Security Roles and Responsibilities
|-
| A.8.1.1 || Inventory of Assets
|-
| A.8.1.3 || Acceptable Use of Assets
|-
| A.9.1.1 || Access Control Policy
|-
| A.12.1.1 || Operating Procedures for IT Management
|-
| A.14.2.5 || Secure System Engineering Principles
|-
| A.15.1.1 || Supplier Security Policy
|-
| A.16.1.5 || Incident Management Procedure
|-
| A.17.1.2 || Business Continuity Procedures
|-
| A.18.1.1 || Statutory, Regulatory, and Contractual Requirements
|-
| 4.2 || Records of Training, Skills, Experience and Qualifications
|-
| 6.1 || Monitoring and Measurement Results
|-
| 6.2 || Internal Audit Program
|-
| 6.2 || Results of Internal Audits
|-
| 6.3 || Results of the Management Review
|-
| 7.1 || Results of Corrective Actions
|-
| A.12.4.1 & 12.4.3 || Logs of User Activities, Exceptions, and Security Events
|-
| 4.5 || Procedure for document control
|-
| 4.5 || Controls for managing records
|-
| 6.2 || Procedure for internal audit
|-
| 7.1 || Procedure for corrective action
|-
| A.6.2.1 || Bring your own device (BYOD) policy
|-
| A.6.2.1 || Mobile device and teleworking policy
|-
| A.8.2.1-3 || Information classification policy
|-
| A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, & A.9.4.3 || Password policy
|-
| A.8.3.2 & A.11.2.7 || Disposal and destruction policy
|-
| A.11.1.5 || Procedures for working in secure areas
|-
| A.11.2.9 || Clear desk and clear screen policy
|-
| A.12.1.2 & A.14.2.4 || Clear desk and clear screen policy
|-
| A.12.3.1 || Backup policy
|-
| A.13.2.1-3 || Information transfer policy
|-
| A.17.1.1 || Business impact analysis
|-
| A.17.1.3 || Exercising and testing plan
|-
| A.17.1.3 || Maintenance and review plan
|-
| A.17.2.1 || Business continuity strategy
|}
== See also==
[[Security_Appendix | Security Appendix]]
Retrieved from "https://wiki.officience.com/Security_Policy"