ISO 27001 Annex: A.6 Organization of Information Security

6.1 Internal Organization

The objective of this section is to establish a management framework for initiating and managing information security efforts within the organization.

6.1.1 Information Security Roles and Responsibilities

Control– The responsibilities regarding information security should be clearly defined.

Implementation Guidance– Responsibility for information security should be assigned in line with the information security policies (see A.5.1). Information security procedures must be defined, including who is responsible for the protection of individual assets. There should be a clear definition of responsibility for information security risk management activities and for accepting residual risks. Additional guidance may be necessary for specific locations and information processing facilities to fulfil these responsibilities. Local responsibilities for protecting assets and implementing security processes need to be defined. A person assigned responsibility for information security may delegate his or her duties to others. In any event, they remain accountable for the tasks they delegate and should verify whether those tasks have been completed correctly.

It is important to define the areas in which each individual is accountable. As a result, the following should occur:

1. Assets and information security processes should be identified and clearly defined;
2. Each asset and information security process should be assigned to a named individual, and the details of their responsibilities should be documented;
3. Authority levels must be outlined and documented;
4. Appointed persons should have appropriate expertise in this area and be given the opportunity to keep their knowledge in the information security field current;
5. A method for coordinating and monitoring the information security aspects of supplier relationships should be identified and documented.

Other Information– Organizations typically appoint an information security officer to oversee the development and implementation of the security program and to support the identification of controls. In many instances, it is up to management to allocate resources and implement controls. Common practice is to name an owner for each asset who is responsible for its day-to-day protection.

6.1.2 Segregation of duties

Control– Responsibilities and tasks should be divided between departments so as to reduce the chances of the organization’s assets being modified or misused without authorization or unintentionally.

Implementation Guidance– No access, modification, or use of assets shall be allowed without permission or authorization. Initiating an event should be separated from authorizing it. When designing the controls, the likelihood of collusion should be considered. In smaller organizations, task division may not be possible, but the principle should be implemented as far as is practicable and feasible. Where segregation is difficult, other measures such as activity monitoring, audit trails, and management supervision should be considered.

Other Information– The separation of duties can potentially reduce the risk of an organization’s assets being unintentionally or intentionally misused.

6.1.3 Contact with the authorities

Control– It is important to keep in touch with the appropriate authorities.

Implementation Guidance– Organizations should have procedures in place that specify when and by whom authorities (for example, law enforcement, regulatory bodies, supervisory officials) should be contacted, as well as how identified information security incidents will be reported in a timely manner (for example, where the law may have been violated).

Other Information– Organizations that have been attacked via the Internet may need authorities to take action against the source of the attack. Maintaining these contacts may also be necessary to support business continuity and incident management, or to prepare contingency plans for information security. It is also important for organizations to engage regulatory bodies in anticipating and preparing for possible changes in the laws and regulations they must comply with. Contacts with other bodies include utilities, emergency services, electricity suppliers, health and safety services such as fire departments, telecommunications providers (routing and availability), and water suppliers (for cooling equipment).

6.1.4 Getting in touch with interest groups

Control– Appropriate contacts with professional associations, special interest groups, and other specialist security forums should be established and maintained.

Implementation Guidance– By becoming a member of special interest groups or forums, you can:

1. Stay up to date on security best practices and skills;
2. Ensure that the organization’s understanding of information security is current and complete;
3. Receive early warning of threats and vulnerabilities, along with updates and patches;
4. Gain access to specialist advice in the field of information security;
5. Share and exchange information about new products, technologies, threats, or vulnerabilities;
6. Identify the appropriate liaison points for handling information security events.

Other Information– Information sharing agreements can be established to improve cooperation on security issues. These agreements should define the requirements for protecting confidential information.

6.1.5 Information Security in Project Management

Control– Regardless of the type of project, information security should be addressed in project management.

Implementation Guidance– Information security should be integrated into the organization’s project management method(s) so that information security risks are identified and addressed throughout the project. This applies to every project, whether it is a core business process project, IT, facilities management, or another supporting process.

Methods of project management should include:

1. Information security objectives are included in the project objectives;
2. Information security risk is assessed early in the project to identify the controls needed;
3. Information security is part of every phase of the applied project methodology.

Information security implications should be addressed and reviewed regularly in all projects. Information security responsibilities should be defined and assigned to the roles specified in the project management methods.

Related Questions

1. What exactly is Annex A.6 Organization of Information Security?
2. Describe Implementation Guidance for Information Security Roles and Responsibilities.
3. What do you mean by Segregation of Duties?
4. What are the advantages of ISO 27001 Annex: A.6 Organization of Information Security?
5. Explain Information Security in Project Management.
6. Can you explain Annex A.6 Organization of Information Security?
7. What controls are defined in ISO 27001 Annex: A.6 Organization of Information Security?
