This presentation gives a brief introduction to control A.6 of ISO 27001:2013, which covers the organization of information security. It is prepared by Priyank Patel.
Courtesy:
http://www.ifour-consultancy.com
http://www.ifourtechnolab.com
2. A.6 Organization of Information Security
1. Internal Organization
2. Mobile Devices and Teleworking
The administrative structure of the organization and its relationships with external parties must promote effective management of all aspects of information security. This includes maintaining the security of the organization's information, its processing facilities, and any information or facilities that are accessed, processed, communicated to or managed by external parties.
Software Development Companies in India
3. A.6.1 Internal Organization
Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.
[Generic organization chart for information security. It shows: an Executive Committee (chaired by the Chief Executive Officer), an Audit Committee (chaired by the Head of Audit), a Security Committee (chaired by the Chief Security Officer, CSO), a Risk Committee (chaired by the Risk Manager), an Information Security Manager, Security Administration, Policy & Compliance, Risk & Contingency Management, Security Operations, Local Security Committees (one per location), Information Asset Owners (IAOs), Site Security Managers, Security Guards and Facilities Management.]
NOTE: This is a generic structure chart. One should replace it by one describing a particular organization's actual management structure for information security.
4. A.6.1 Internal Organization (Contd.)
A.6.1.1 Information security roles and responsibilities
A.6.1.2 Segregation of duties
A.6.1.3 Contact with authorities
A.6.1.4 Contact with special interest groups
A.6.1.5 Information security in project management
5. A.6.1.1 Information Security Roles and Responsibilities
Control: All information security responsibilities shall be defined and allocated.
- Identification of the individual or individuals responsible for the security of each information facility
- Clear definition and identification of assets and the associated security controls for each information facility
Note: Before defining and allocating responsibility to individuals, the company should create an organizational chart.
6. A.6.1.2 Segregation of Duties
Control: Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.
Two primary objectives:
- The first is the prevention of conflict of interest, the appearance of conflict of interest, wrongful acts, fraud, abuse and errors.
- The second is the detection of control failures that include security breaches, information theft, and circumvention of security controls.
7. A.6.1.3 Contact with Authorities
Control: Appropriate contacts with relevant authorities shall be maintained.
The following points could be included:
- Specification of the manner and timing in which breaches shall be communicated to external authorities, so as to ensure appropriate reporting
- Development of procedures, policies and contact lists that specify by whom and when external authorities should be contacted
8. A.6.1.4 Contact with Special Interest Groups
Control: Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.
9. A.6.1.5 Information Security in Project Management
Control: Information security shall be addressed in project management, regardless of the type of the project.
- The control sets out the basics of how information security should be considered as part of the overall project management framework within the organization.
- Creation of a "mini-ISMS" within the project to ensure that risks are identified and managed.
10. A.6.2 Mobile Devices and Teleworking
Objective: To ensure the security of teleworking and use of mobile devices.
Applicability:
- Mobile phones
- Desktop computers used off-premises
- Notebook, palmtop and laptop computers
- Media and portable storage devices
11. A.6.2.1 Mobile Device Policy
Control: A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.
- Regular data backups for stored sensitive data
- Physical security measures
- Secure communication methods for transmitted data, such as a Virtual Private Network
- Updates for the operating system and other software
- Access control and appropriate user authentication (e.g. biometric-based)
- Cryptographic methods for sensitive data
- Protective software such as anti-virus and others
12. A.6.2.2 Teleworking Policy
Control: A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites.
- Environmental and physical security measures
- Policies concerning safety of private property used at the site
- Appropriate user access control and authentication
- Security measures for wireless and wired network configurations at the site
- Cryptographic techniques for communications from/to the site and for data storage
- Data backup at regular intervals and security measures for those backup copies
13. Management Commitments
- Visible support and clear direction for information security initiatives, which includes providing appropriate resources for information security controls
- Assurance of formulation, review and approval of an appropriate organization-wide information security policy
- Coordination of information security efforts across the organization, including committee(s) and designation of information security officer(s)
- Appropriate management controls over new information capabilities, systems and facilities, including the planning for the facilities
- Reviews at regular intervals of the effectiveness of the information security policy, including updating of the policy as needed and external review as appropriate.
Editor's Notes
ISO for Software Development Companies in India – http://www.ifour-consultancy.com