ISO 27001 and The Annex A Clauses - Clause A6

ISO 27001 and The Annex A Clauses - Clause A6 - Organisation of Information Security

Clause A6, Organisation of Information Security, of ISO 27001 provides guidance on the management framework of your Information Security Management System (ISMS). Clause A6 is split into two sections: A6.1 covers the Internal Organisation, while clause A6.2 covers Mobile Devices and Teleworking (remote working), which is particularly on topic in the time of Covid 19.

Clause A6.1 Internal Organisation

The Objective of the Annex A Clause A6.1 is:

Now if that objective sounds like the entire point of ISO 27001, you are probably not too far wrong; after all, the standard is about Information Security Management Systems. However, the clause gives you five areas to think about and some great pointers for direction across the gamut of the organisation and those you interact with. Here are the five controls to think about:

It makes sense that the roles and responsibilities of your organisation with respect to your information security management system are documented and assigned to the various roles within your organisation. If you followed the requirements of clause 5.3, you are probably doing well here.

Here the standard is requiring you to think a little harder about those responsibilities and look at where you could have a conflict of interest or a risk that someone could abuse their position. This is where segregation of duties comes in: you would not allow a person in the finance team to order products, book them into the warehouse and then pay the invoice, right? It is the same around your information. Think about the duties within your system and which ones, when linked together, could expose your organisation to risk.

Here the standard is asking you to think about a few things. Firstly, you should think about what exactly an appropriate contact is and who the relevant authorities are. You should consider who within the organisation has the authority to talk to, say, the police, the newspaper, the stock market, IT vendors, customers and so forth. This is designed to help ensure only the right information is supplied to the right places.

When people think about special interest groups, they typically think about lobbying groups, but that is not what the standard means. Think about it more in line with local industry groups, forums and support networks that can help you keep abreast of what is happening in the information security space: what new risks are around, and what new technologies are out there to help with those risks.

When it comes to project management, the project is typically focused on delivering whatever the project is, and information security can sometimes take a back seat. It needs to be considered: think about how you put out tenders, what information you give out or collect, who gets that information, and if you are using subcontractors, whether you have checked their information security systems.

Clause A6.2 Mobile Devices and Teleworking

The Objective of the Annex A Clause A6.2 is:

In today's world of remote working due to Covid, organisations have had to rapidly adapt their systems to allow people to work from home effectively and ensure that business can keep going. Typically, that has focused on technical solutions: the right laptop, video camera, the software, fibre installs, and for some it was firewalls and what should be opened. But the reality is it is a little bit more than that, and it has been around long before Covid and will be around long after. Clause A6.2 of the ISO 27001 standard is broken into two sections: Mobile Device Policy and Teleworking.

Mobile Device Policy

The standard is looking for more than just a policy; it is looking for you to implement security measures that will effectively manage the risks that you have identified around using mobile devices. Those devices can include phones, laptops, iPads, Chromebooks and even desktops that have been moved from the office to the home. Think about it like this: if you can access company data on it away from the office, it is a mobile device. What controls will you put in place to limit access to only those who should have it, and even then, is it full access or reduced? If the mobile device is lost or stolen, can you trace it, can you block it, or even better, wipe it remotely?

Teleworking

Again, here you need both a policy and a set of measures you are going to take to minimise the risk of remote working. That remote location could be anywhere, and each brings different risks. Working from home may be easy, but who else has access to the device? What about working at the airport or the local coffee shop? What new risks do these remote locations entail, and how will you manage them? Can you force stronger passwords, limit what is installed remotely, plan regular scans, block certain IP types? The list goes on!

By the end of Clause A6 you are going to be left with a set of policies and supporting procedures that are designed to build a great framework around your Information Security Management System.

Saturday, 14 December 2024