Clause 6 of ISO 27001 concerns the organization of information security. It contains two main clauses - Clause A.6.1 deals with internal organization and defines information security roles, segregation of duties, and contacts with authorities and interest groups. Clause A.6.1 also requires information security to be addressed in project management. Clause A.6.2 concerns mobile devices and teleworking, requiring policies on mobile device and teleworking security including controls for access, backups, and encryption.

1. iFour ConsultancyISMS Framework: Clause 6 – Organization of Information Security

2.  ISO 27001:2013 has classified the Organization of Information Security into:
Clause A.6.1: Internal Organization
Clause A.6.2: Mobile devices and Teleworking
Organization of Information Security – ISMS Requirements
ISO for Software Outsourcing Companies in India

3.  To establish a management framework to initiate and control the implementation operation of
information security within the organization.
Clause A.6.1: Internal Organization
A.6.1.1 Information security roles and responsibilities
A.6.1.2 Segregation of duties
A.6.1.3 Contact with authorities
A.6.1.4 Contact with special interest groups
A.6.1.5 Information security in project management

4. Identification of the individual/individuals responsible for security of each
information facility
Clear definition and identification of assets and associated security controls for each
information facility
A.6.1.1 Information Security Roles and Responsibilities
ISO for Software Outsourcing Companies in India
• All information security responsibilities shall be defined and allocated.

5. A.6.1.2 Segregation of Duties
The first is the prevention of conflict of interest, the appearance of conflict of interest,
wrongful acts, fraud, abuse and errors.
The second is the detection of control failures that include security breaches,
information theft, and circumvention of security controls.
• Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for
unauthorized or unintentional modification or misuse of the organization’s assets.

6. A.6.1.3 Contact with Authorities
Specification of the manner and timing in which breaches shall be communicated to
external authorities so as to ensure appropriate reporting
Development of procedures, policies and contact lists that specify by whom and when
external authorities should be contacted
• Appropriate contacts with relevant authorities shall be maintained.

7. A.6.1.4 Contact with Special Interest Groups
• Control: Appropriate contacts with special interest groups or other specialist security forums and
professional associations shall be maintained.

8. A.6.1.5 Information Security in Project Management
set out the basics of how information security should be considered as part of the
overall framework of the project management with organization
creation of “mini-ISMS” within the project to ensure that risks are identified and
managed
• Information security shall be addressed in project management, regardless of the type of the
project.

9.  To ensure the security of teleworking and use of mobile devices.
A.6.2 Mobile Devices and Teleworking
A.6.2.1 Mobile Device Policy
A.6.2.2 Teleworking Policy

10. A.6.2.1 Mobile Device Policy
Regular data backups for stored sensitive data
Physical security measures
Secure communication methods for transmitted data such as Virtual Private Network
Updates for operating system and other software updating
Access control and appropriate user authentication (biometric-based)
Cryptographic methods for sensitive data
Protective software such as anti-virus and others

11. A.6.2.2 Teleworking Policy
Environmental and physical security measures
Policies concerning safety of private property used at the site
Appropriate user access control and authentication
Security measures for wireless and wired network configurations at the site
Cryptographic techniques for communications from/to the site and data storage
Data backup at regular intervals and security measures for those backup copies

12.  https://spaces.internet2.edu/display/2014infosecurityguide/Asset+Management
 http://it.med.miami.edu/x2227.xml
 http://it.med.miami.edu/x1771.xml
 https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&
uact=8&ved=0CC4QFjAA&url=http%3A%2F%2Fwww.iso27001security.com
 http://www.csoonline.com/article/2123120/it-audit/separation-of-duties-and-it-
security.html
References
ISO for Software Outsourcing Companies in India

13. Visit our websites :
 http://www.ifour-consultancy.com
 http://www.ifourtechnolab.com
For more details :
ISO for Software Outsourcing Companies in India