Security Policy: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
|||
| (23 intermediate revisions by the same user not shown) | |||
| Line 10: | Line 10: | ||
The organization shall determine: | The organization shall determine: | ||
:1. Interested parties that are relevant to the information security management system; and | |||
:2. The requirements of these interested parties relevant to information security. | |||
<small>NOTE The requirements of interested parties may include legal and regulatory requirements and contractual obligations. </small> | <small>NOTE The requirements of interested parties may include legal and regulatory requirements and contractual obligations. </small> | ||
| Line 20: | Line 20: | ||
When determining this scope, the organization shall consider: | When determining this scope, the organization shall consider: | ||
:1. the external and internal issues referred to in [[Security_Policy#Understanding_the_organization_and_its_context|1.1]] | |||
:2. the requirements referred to in [[Security_Policy#Understanding_the_needs_and_expectations_of_interested_parties|1.2]] | |||
:3. interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations. | |||
Link to [https://docs.google.com/document/d/1UxPyur5i9tH6FAoKAYOgSSHHg8RsOX8UKOFirMGGHWI/edit?usp=sharing Scope of the ISMS] | Link to [https://docs.google.com/document/d/1UxPyur5i9tH6FAoKAYOgSSHHg8RsOX8UKOFirMGGHWI/edit?usp=sharing Scope of the ISMS] | ||
| Line 36: | Line 36: | ||
Top management shall demonstrate leadership and commitment with respect to the information security management system by: | Top management shall demonstrate leadership and commitment with respect to the information security management system by: | ||
:1. Ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization; | |||
:2. Ensuring the integration of the information security management system requirements into the organization’s processes; | |||
:3. Ensuring that the resources needed for the information security management system are available; | |||
:4. Communicating the importance of effective information security management and of conforming to the information security management system requirements; | |||
:5. Ensuring that the information security management system achieves its intended outcome(s); | |||
:6. Directing and supporting persons to contribute to the effectiveness of the information security management system; | |||
:7. Promoting continual improvement; and | |||
:8. Supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility. | |||
Link - [https://drive.google.com/file/d/0BzUoGNHs0-kpVEhHejlQOVZfNWM/view?usp=sharing Commitment letter from CEO] | Link - [https://drive.google.com/file/d/0BzUoGNHs0-kpVEhHejlQOVZfNWM/view?usp=sharing Commitment letter from CEO] | ||
| Line 52: | Line 52: | ||
:1. Is appropriate to the purpose of the organization; | :1. Is appropriate to the purpose of the organization; | ||
:2. Includes information security objectives (see [[Security_Policy#information_security_objectives_and_planning_to_achieve_them| | :2. Includes information security objectives (see [[Security_Policy#information_security_objectives_and_planning_to_achieve_them|3.2]]) or provides the framework for setting information security objectives; | ||
:3. Includes a commitment to satisfy applicable requirements related to information security; and | :3. Includes a commitment to satisfy applicable requirements related to information security; and | ||
:4. Includes a commitment to continual improvement of the information security management system. | :4. Includes a commitment to continual improvement of the information security management system. | ||
| Line 80: | Line 80: | ||
==== General==== | ==== General==== | ||
When planning for the information security management system, the organization shall consider the issues referred to [[ | When planning for the information security management system, the organization shall consider the issues referred to [[Security_Policy#Understanding_the_organization_and_its_context|1.1]] and the requirements referred to in [[Security_Policy#Understanding_the_needs_and_expectations_of_interested_parties|1.2]] and determine the risks and opportunities that need to be addressed to: | ||
:1. ensure the information security management system can achieve its intended outcome(s); | :1. ensure the information security management system can achieve its intended outcome(s); | ||
| Line 105: | Line 105: | ||
::(b) identify the risk owners; | ::(b) identify the risk owners; | ||
:4. Analyses the information security risks: | :4. Analyses the information security risks: | ||
::(a) assess the potential consequences that would result if the risks identified were to materialize; | ::(a) assess the potential consequences that would result if the risks identified in [[Security_Policy#Information_security_risk_assessment|3.1.2]].3 (a) were to materialize; | ||
::(b) assess the realistic likelihood of the occurrence of the risks identified; and | ::(b) assess the realistic likelihood of the occurrence of the risks identified in [[Security_Policy#Information_security_risk_assessment|3.1.2]].3 (a); and | ||
::(c)determine the levels of risk; | ::(c) determine the levels of risk; | ||
:5. Evaluates the information security risks: | :5. Evaluates the information security risks: | ||
::(a) compare the results of risk analysis with the risk criteria established; and | ::(a) compare the results of risk analysis with the risk criteria established in [[Security_Policy#Information_security_risk_assessment|3.1.2]].1; and | ||
::(b) prioritize the analysed risks for risk treatment. | ::(b) prioritize the analysed risks for risk treatment. | ||
The organization shall retain documented information about the information security risk assessment process. | The organization shall retain documented information about the information security risk assessment process. | ||
Link to [https://docs.google.com/document/d/1tTJzghkaG3uAAKIh5ITfGod7U8Q1MFsHjlOUYvCzWa0/edit Risk Assessment and Risk Treatment Methodology] | |||
==== Information security risk treatment==== | ==== Information security risk treatment==== | ||
| Line 120: | Line 122: | ||
:2. Determine all controls that are necessary to implement the information security risk treatment option(s) chosen; | :2. Determine all controls that are necessary to implement the information security risk treatment option(s) chosen; | ||
<small>NOTE Organizations can design controls as required, or identify them from any source. </small> | <small>NOTE Organizations can design controls as required, or identify them from any source. </small> | ||
:3. Compare the controls determined above with those in Annex A of ISO/IEC 27001:2013 and verify that no necessary controls have been omitted; | :3. Compare the controls determined in [[Security_Policy#Information_security_risk_treatment|3.1.3.]]2 above with those in Annex A of [https://drive.google.com/file/d/0B98VxoZqj8C6R0Jva0pSWTFyQzA/view ISO/IEC 27001:2013] and verify that no necessary controls have been omitted; | ||
<small>NOTE 1 Annex A contains a comprehensive list of control objectives and controls. Users of this International Standard are directed to Annex A to ensure that no necessary controls are overlooked. | <small>NOTE 1 Annex A contains a comprehensive list of control objectives and controls. Users of this International Standard are directed to Annex A to ensure that no necessary controls are overlooked. | ||
| Line 126: | Line 128: | ||
NOTE 2 Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed.</small> | NOTE 2 Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed.</small> | ||
:5. Produce a Statement of Applicability that contains the necessary controls | :5. Produce a Statement of Applicability that contains the necessary controls (see [[Security_Policy#Information_security_risk_treatment|3.1.3.]] 2 and 3 and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A; | ||
:6. Formulate an information security risk treatment plan; and | :6. Formulate an information security risk treatment plan; and | ||
:7. Obtain risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks. | :7. Obtain risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks. | ||
| Line 161: | Line 163: | ||
The organization shall: | The organization shall: | ||
:1. determine the necessary competence of person(s) doing work under its control that affects its information security performance; | |||
:2. ensure that these persons are competent on the basis of appropriate education, training, or experience; | |||
:3. where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and | |||
:4. retain appropriate documented information as evidence of competence. | |||
<small>NOTE Applicable actions may include, for example: the provision of training to, the mentoring of, or the reassignment of current employees; or the hiring or contracting of competent persons. </small> | |||
<small>NOTE Applicable actions may include, for example: the provision of training to, the mentoring of, or the reassignment of current employees; or the hiring or contracting of competent persons. </small> | |||
=== Awareness=== | === Awareness=== | ||
| Line 173: | Line 174: | ||
Persons doing work under the organization’s control shall be aware of: | Persons doing work under the organization’s control shall be aware of: | ||
:1. the information security policy; | |||
:2. their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance; and | |||
:3. the implications of not conforming with the information security management system requirements. | |||
===Communication=== | ===Communication=== | ||
| Line 181: | Line 182: | ||
The organization shall determine the need for internal and external communications relevant to the information security management system including: | The organization shall determine the need for internal and external communications relevant to the information security management system including: | ||
:1. on what to communicate; | |||
:2. when to communicate; | |||
:3. with whom to communicate; | |||
:4. who shall communicate; and | |||
:5. the processes by which communication shall be effected. | |||
=== Documented information=== | === Documented information=== | ||
| Line 205: | Line 206: | ||
When creating and updating documented information the organization shall ensure appropriate: | When creating and updating documented information the organization shall ensure appropriate: | ||
:1. identification and description (e.g. a title, date, author, or reference number); | |||
:2. format (e.g. language, software version, graphics) and media (e.g. paper, electronic); and | |||
:3. review and approval for suitability and adequacy. | |||
====Control of documented information==== | ====Control of documented information==== | ||
| Line 230: | Line 231: | ||
=== Operational planning and control=== | === Operational planning and control=== | ||
The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 3.1. The organization shall also implement plans to achieve information security objectives determined in 3.2. | The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in [[Security_Policy#Actions_to_address_risks_and_opportunities|3.1]]. The organization shall also implement plans to achieve information security objectives determined in [[Security_Policy#Information_security_objectives_and_planning_to_achieve_them|3.2]]. | ||
The organization shall keep documented information to the extent necessary to have confidence that the processes have been carried out as planned. | The organization shall keep documented information to the extent necessary to have confidence that the processes have been carried out as planned. | ||
| Line 240: | Line 241: | ||
=== Information security risk assessment=== | === Information security risk assessment=== | ||
The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 3.1.2.1. | The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in [[Security_Policy#Information_security_risk_assessment|3.1.2.]]1. | ||
The organization shall retain documented information of the results of the information security risk assessments. | The organization shall retain documented information of the results of the information security risk assessments. | ||
| Line 282: | Line 283: | ||
:3. plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits; | :3. plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits; | ||
:4. define the audit criteria and scope for each audit; | :4. define the audit criteria and scope for each audit; | ||
:5. select auditors and conduct audits that ensure objectivity and the impartiality of the audit process; | :5. select auditors and conduct audits that ensure objectivity and the impartiality of the audit process; | ||
:6. ensure that the results of the audits are reported to relevant management; and | :6. ensure that the results of the audits are reported to relevant management; and | ||
:7. retain documented information as evidence of the audit programme(s) and the audit results. | :7. retain documented information as evidence of the audit programme(s) and the audit results. | ||
| Line 298: | Line 295: | ||
:1. the status of actions from previous management reviews; | :1. the status of actions from previous management reviews; | ||
:2. changes in external and internal issues that are relevant to the information security management system; | :2. changes in external and internal issues that are relevant to the information security management system; | ||
:3. feedback on the information security performance, including trends in: | :3. feedback on the information security performance, including trends in: | ||
::(a) nonconformities and corrective actions; | ::(a) nonconformities and corrective actions; | ||
::(b) monitoring and measurement results; | ::(b) monitoring and measurement results; | ||
::(c) audit results; and | ::(c) audit results; and | ||
::(d) fulfilment of information security objectives; | ::(d) fulfilment of information security objectives; | ||
:4. feedback from interested parties; | :4. feedback from interested parties; | ||
:5. results of risk assessment and status of risk treatment plan; and | :5. results of risk assessment and status of risk treatment plan; and | ||
:6. opportunities for continual improvement. | :6. opportunities for continual improvement. | ||
| Line 327: | Line 317: | ||
When a nonconformity occurs, the organization shall: | When a nonconformity occurs, the organization shall: | ||
:1. react to the nonconformity, and as applicable: | |||
::(a) take action to control and correct it; and | |||
::(b) deal with the consequences; | |||
:2. evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by: | |||
::(a) reviewing the nonconformity; | |||
::(b) determining the causes of the nonconformity; and | |||
::(c) determining if similar nonconformities exist, or could potentially occur; | |||
:3. implement any action needed; | |||
:4. review the effectiveness of any corrective action taken; and | |||
:5. make changes to the information security management system, if necessary. | |||
Corrective actions shall be appropriate to the effects of the nonconformities encountered. | |||
The organization shall retain documented information as evidence of: | |||
:6. the nature of the nonconformities and any subsequent actions taken, and | |||
:7. the results of any corrective action. | |||
=== Continual improvement=== | |||
The organization shall continually improve the suitability, adequacy and effectiveness of the information security management system | |||
== Apenndix == | |||
{| class="wikitable" | |||
|- | |||
! Clause !! Requirement | |||
|- | |||
| 1.3 || Scope of the ISMS | |||
|- | |||
| 2.2 & 3.2 || IS Policy & Objectives | |||
|- | |||
| 3.1.2 || Risk Assessment & Risk Treatment Methodology | |||
|- | |||
| 3.1.3.d || Statement of Applicability | |||
|- | |||
| 3.1.3.5 & 3.2 || Risk treatment plan | |||
|- | |||
| 5.2 || Risk assessment report | |||
|- | |||
| A.7.1.2 & A.13.2.4 || Definition of Security Roles and Responsibilities | |||
|- | |||
| A.8.1.1 || Inventory of Assets | |||
|- | |||
| A.8.1.3 || Acceptable Use of Assets | |||
|- | |||
| A.9.1.1 || Access Control Policy | |||
|- | |||
| A.12.1.1 || Operating Procedures for IT Management | |||
|- | |||
| A.14.2.5 || Secure System Engineering Principles | |||
|- | |||
| A.15.1.1 || Supplier Security Policy | |||
|- | |||
| A.16.1.5 || Incident Management Procedure | |||
|- | |||
| A.17.1.2 || Business Continuity Procedures | |||
|- | |||
| A.18.1.1 || Statutory, Regulatory, and Contractual Requirements | |||
|- | |||
| 4.2 || Records of Training, Skills, Experience and Qualifications | |||
|- | |||
| 6.1 || Monitoring and Measurement Results | |||
|- | |||
| 6.2 || Internal Audit Program | |||
|- | |||
| 6.2 || Results of Internal Audits | |||
|- | |||
| 6.3 || Results of the Management Review | |||
|- | |||
| 7.1 || Results of Corrective Actions | |||
|- | |||
| A.12.4.1 & 12.4.3 || Logs of User Activities, Exceptions, and Security Events | |||
|- | |||
| 4.5 || Procedure for document control | |||
|- | |||
| 4.5 || Controls for managing records | |||
|- | |||
| 6.2 || Procedure for internal audit | |||
|- | |||
| 7.1 || Procedure for corrective action | |||
|- | |||
| A.6.2.1 || Bring your own device (BYOD) policy | |||
|- | |||
| A.6.2.1 || Mobile device and teleworking policy | |||
|- | |||
| A.8.2.1-3 || Information classification policy | |||
|- | |||
| A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, & A.9.4.3 || Password policy | |||
|- | |||
| A.8.3.2 & A.11.2.7 || Disposal and destruction policy | |||
|- | |||
| A.11.1.5 || Procedures for working in secure areas | |||
|- | |||
| A.11.2.9 || Clear desk and clear screen policy | |||
|- | |||
| A.12.1.2 & A.14.2.4 || Clear desk and clear screen policy | |||
|- | |||
| A.12.3.1 || Backup policy | |||
|- | |||
| A.13.2.1-3 || Information transfer policy | |||
|- | |||
| A.17.1.1 || Business impact analysis | |||
|- | |||
| A.17.1.3 || Exercising and testing plan | |||
|- | |||
| A.17.1.3 || Maintenance and review plan | |||
|- | |||
| A.17.2.1 || Business continuity strategy | |||
|} | |||
== See also== | |||
[[Security_Appendix | Security Appendix]] | |||