ISO 27001 and The Annex A Clauses - Clause A6
Clause A6, Organisation of Information Security, of ISO 27001 provides guidance on the management framework of your Information Security Management System (ISMS). Clause A6 is split into two sections: A6.1 covers the Internal Organisation, while clause A6.2 covers Mobile Devices and Teleworking (remote working), which is particularly on topic in the time of Covid 19.
Clause A6.1 Internal Organisation
The Objective of the Annex A Clause A6.1 is:
"To establish a management framework to initiate and control the implementation and operation of information security within the organisation."
Now if that objective sounds like the entire point of ISO 27001, you are probably not too far wrong; after all, the standard is about Information Security Management Systems. However, the clause gives you 5 areas to think about and some great pointers in terms of direction across the whole of the organisation and those you interact with. Here are the 5 controls to think about:
A6.1.1 Information Security Roles and Responsibilities
It makes sense that the roles and responsibilities of your organisation with respect to your information security management system are documented and assigned to the various roles within your organisation. If you followed the requirement of clause 5.3, you are probably doing well here.
A6.1.2 Segregation of Duties
Here the standard requires you to think a little harder about those responsibilities and look at where you could have a conflict of interest, or a risk that someone could abuse their position. This is where segregation of duties comes in: you would not allow a person in the finance team to order products, book them into the warehouse and then pay the invoice, right? It is the same with your information. Think about the duties within your system and which ones, when held by the same person, could expose your organisation to risk.
A6.1.3 Contact with Authorities
Here the standard asks you to think about a few things. Firstly, you should decide what exactly an appropriate contact is and who the relevant authorities are. You should consider who within the organisation has the authority to talk to, say, the police, the newspapers, the stock market, IT vendors, customers and so forth. This is designed to help ensure that only the right information is supplied to the right places.
A6.1.4 Contact with Special Interest Groups
When people think about special interest groups, they typically think about lobbying groups, but that is not what the standard means. Think about it more in terms of local industry groups, forums and support networks that can help you keep abreast of what is happening in the information security space: what new risks are around and what new technologies are out there to help with those risks.
A6.1.5 Information Security in Project Management
When it comes to project management, the project is typically focused on delivering whatever it is meant to deliver, and information security can take a back seat. It needs to be considered: think about how you put out tenders, what information you give out or collect, who gets that information and, if you are using subcontractors, whether you have checked their information security systems.
Clause A6.2 Mobile Devices and Teleworking
The Objective of the Annex A Clause A6.2 is:
In today's world of remote working due to Covid, organisations have had to rapidly adapt their systems to allow people to work from home effectively so that business can keep going. Typically, that has focused on technical solutions: the right laptop, a video camera, the software, fibre installs and, for some, firewalls and what should be opened. The reality is that it is a little more than that; it has been around long before Covid and will be around long after. Clause A6.2 of the ISO 27001 standard is broken into 2 sections: Mobile Device Policy and Teleworking.
Mobile Device Policy
The standard is looking for more than just a policy; it is looking for you to implement security measures that will effectively manage the risks you have identified around using mobile devices. Those devices can include phones, laptops, iPads, Chromebooks and even desktops that have been moved from the office to the home. Think about it like this: if you can access company data on it away from the office, it is a mobile device. What controls will you put in place to limit access to only those who should have it, and even then, is it full access or reduced? If the mobile device is lost or stolen, can you trace it, can you block it or, even better, wipe it remotely?
Teleworking
By the end of Clause A6 you will be left with a set of policies and supporting procedures that are designed to build a great framework around your Information Security Management System.
Copyright © Many Caps Consulting | All Rights Reserved