Security Policy: Difference between revisions

No edit summary
 
(5 intermediate revisions by the same user not shown)
Line 114: Line 114:
The organization shall retain documented information about the information security risk assessment process.
The organization shall retain documented information about the information security risk assessment process.


Link to [https://docs.google.com/document/d/1tTJzghkaG3uAAKIh5ITfGod7U8Q1MFsHjlOUYvCzWa0/edit Risk Assessment and Risk Treatment Methodology]
  Link to [https://docs.google.com/document/d/1tTJzghkaG3uAAKIh5ITfGod7U8Q1MFsHjlOUYvCzWa0/edit Risk Assessment and Risk Treatment Methodology]


==== Information security risk treatment====
==== Information security risk treatment====
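Review bot: the new revision prefixes the "Link to [...Risk Assessment and Risk Treatment Methodology]" line with two leading spaces. In MediaWiki a line that starts with a space renders as a preformatted (monospace, boxed) block, so the link will no longer display as ordinary paragraph text; drop the leading whitespace, or use an explicit wikitext construct such as a `*` bullet or `:` indent if an offset is intended.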
Line 168: Line 168:
:4. retain appropriate documented information as evidence of competence.
:4. retain appropriate documented information as evidence of competence.


<small>NOTE Applicable actions may include, for example: the provision of training to, the mentoring of, or the reassignment of current employees; or the hiring or contracting of competent persons. </small>
  <small>NOTE Applicable actions may include, for example: the provision of training to, the mentoring of, or the reassignment of current employees; or the hiring or contracting of competent persons. </small>


=== Awareness===
=== Awareness===
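Review bot: the same leading-space indentation is applied here to the `<small>NOTE ...</small>` line, which will render it as a preformatted box instead of a small-print note under the numbered list; remove the leading spaces (a `:` indent keeps the note visually subordinate to the list without changing its formatting).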
Line 343: Line 343:


The organization shall continually improve the suitability, adequacy and effectiveness of the information security management system
The organization shall continually improve the suitability, adequacy and effectiveness of the information security management system
== Apenndix ==
{| class="wikitable"
|-
! Clause !! Requirement
|-
| 1.3 || Scope of the ISMS
|-
| 2.2 & 3.2 || IS Policy & Objectives
|-
| 3.1.2 || Risk Assessment & Risk Treatment Methodology
|-
| 3.1.3.d || Statement of Applicability
|-
| 3.1.3.5 & 3.2 || Risk treatment plan
|-
| 5.2 || Risk assessment report
|-
| A.7.1.2 & A.13.2.4 || Definition of Security Roles and Responsibilities
|-
| A.8.1.1 || Inventory of Assets
|-
| A.8.1.3 || Acceptable Use of Assets
|-
| A.9.1.1 || Access Control Policy
|-
| A.12.1.1 || Operating Procedures for IT Management
|-
| A.14.2.5 || Secure System Engineering Principles
|-
| A.15.1.1 || Supplier Security Policy
|-
| A.16.1.5 || Incident Management Procedure
|-
| A.17.1.2 || Business Continuity Procedures
|-
| A.18.1.1 || Statutory, Regulatory, and Contractual Requirements
|-
| 4.2 || Records of Training, Skills, Experience and Qualifications
|-
| 6.1 || Monitoring and Measurement Results
|-
| 6.2 || Internal Audit Program
|-
| 6.2 || Results of Internal Audits
|-
| 6.3 || Results of the Management Review
|-
| 7.1 || Results of Corrective Actions
|-
| A.12.4.1 & 12.4.3 || Logs of User Activities, Exceptions, and Security Events
|-
| 4.5 || Procedure for document control
|-
| 4.5 || Controls for managing records
|-
| 6.2 || Procedure for internal audit
|-
| 7.1 || Procedure for corrective action
|-
| A.6.2.1 || Bring your own device (BYOD) policy
|-
| A.6.2.1 || Mobile device and teleworking policy
|-
| A.8.2.1-3 || Information classification policy
|-
| A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, & A.9.4.3 || Password policy
|-
| A.8.3.2 & A.11.2.7 || Disposal and destruction policy
|-
| A.11.1.5 || Procedures for working in secure areas
|-
| A.11.2.9 || Clear desk and clear screen policy
|-
| A.12.1.2 & A.14.2.4 || Clear desk and clear screen policy
|-
| A.12.3.1 || Backup policy
|-
| A.13.2.1-3 || Information transfer policy
|-
| A.17.1.1 || Business impact analysis
|-
| A.17.1.3 || Exercising and testing plan
|-
| A.17.1.3 || Maintenance and review plan
|-
| A.17.2.1 || Business continuity strategy
|}
== See also==
[[Security_Appendix | Security Appendix]]
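Review bot: the row `| A.12.1.2 & A.14.2.4 || Clear desk and clear screen policy` repeats the requirement text of the `A.11.2.9` row two rows above, which looks like a copy-paste error; please confirm the document those clauses are meant to map to. Smaller points in the same hunk: the heading `== Apenndix ==` should read `== Appendix ==`; the entry `A.12.4.1 & 12.4.3` is missing the `A.` prefix on the second clause, unlike every other row; and the sentence ending `...effectiveness of the information security management system` has no terminating period. If the repeated clause numbers (6.2 three times, 4.5 twice, A.6.2.1 twice, A.17.1.3 twice) are intentional, a one-line note above the table saying that one clause can require several documents would save readers from reading them as duplicates.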