Iso 27001

ISO/IEC 27001- ISMS
BY BOBBY SHARON
WHY ISO 27001
 ISO 27001 is the global standard for effective information management. It helps organizations avoid potentially
costly security breaches. ISO 27001-certified organizations can show customers, partners and shareholders that
they have taken steps to protect data in the event of a breach.
ISO/IEC 27001- ISMS BY BOBBY SHARON 2

14 CONTROL DOMAINS OF ISO 27001
1. Information Security Policies

2. Organization of Information Security
3. Human Resources Security
4. Asset Management
5. Access Control
6. Cryptography
7. Physical and Environmental Security
8. Operational Security
9. Communications Security
10. Systems Acquisition, Development and Maintenance
11. Supplier Relationships
12. Information Security Incident Management
13. Information Security aspects of Business Continuity Management
14. Compliance

BREAKDOWN OF ANNEX A CONTROL SETS
Focus Area Annex A control category

Organisational issues (24 controls) A.5, A.6, A.8, A.15
HR (6 Controls) A.9, A.10, A.12, A.13, A.14, A.16, A.17
IT (61 Controls) A.9, A.10, A.12, A.13, A.14, A.16, A.17
Physical Security (15 Controls) A.11
Legal Issues (8 controls) A.18

ANNEX A.5 - INFORMATION SECURITY POLICIES | 2 CONTROLS
 Objective:
• To ensure that policies regarding information security are written in accordance with your organization's
requirements.

ANNEX A.5 - INFORMATION SECURITY POLICIES | 2 CONTROLS
Clause Section Title Control objective
5.1 Management direction for Management direction for Does management provide direction and support for information security in
information security information security accordance with business requirements and relevant laws and regulations?
Is there an information security policy document, or set of policies, that has been
defined, approved by management, and has it been published and communicated to all
Management direction for Policies for information employees and relevant external parties?
5.1.1 information security security
Does it contain objectives, define infosec, assign roles and point to a "process for
handling deviations and exceptions"?
Is there a procedure for the information security policy, or policies, to be reviewed at
Management direction for Review of the policies for planned intervals or if significant changes occur, and does this process ensure its
5.1.2
information security information security continuing suitability, adequacy, and effectiveness, and is there evidence that the policy
(or policies) is applied?

ANNEX A.6 - ORGANIZATION OF INFORMATION SECURITY | 7
CONTROLS
 Objective:
• To establish a management framework and assign information security roles for how the controls will be
implemented.
• To adopt security guidelines for when employees access, process and store information while working out-of-
office.

ANNEX A.6 - ORGANIZATION OF INFORMATION SECURITY
7 CONTROLS
Is there a management framework to initiate and control the implementation and operation of information security within
6.1 Internal organisation Internal organisation
the organization?
Have all information security responsibilities been defined and allocated?

E.g. assets and info sec processes identified
6.1.1 Internal organisation Information security roles and asset owners responsibilities defined
responsibilities authorization levels defined and documented
maintaining/acquiring competencies
info sec aspects of supplier relationships
Have conflicting duties and areas of responsibility been segregated to reduce opportunities for unauthorized or
6.1.2 Internal organisation Segregation of duties unintentional modification or misuse of the organization's assets?
If SME and can't segregate, are other controls in place like monitoring of activities, audit trails and mgt supervision?
Does the organization maintain appropriate contacts with relevant authorities?
Organizations should have procedures in place that specify when and by whom authorities (e.g. law enforcement,
6.1.3 Internal organisation Contact with authorities
regulatory bodies, supervisory authorities) should be contacted and how identified information security incidents should be
reported in a timely manner (e.g. if it is suspected that laws may have been broken).
Does the organization maintain appropriate contact with special interest groups or other specialist security forums and
professional associations?
E.g. to keep up with best practice knowledge, receive warnings of alerts, advisories, patches, vulnerabilities
6.1.4 Internal organisation Contact with special interest groups
have access with specialist information security advice
share inf about new technology, products, threats or vulnerabilities
provide liaison points when dealing with incidents
Does the organization address information security in project management, regardless of the type of project?
Information security in project a) information security objectives are included in project objectives;
6.1.5 Internal organisation
management b) an information security risk assessment is conducted at an early stage of the project to identify necessary controls;
c) information security is part of all phases of the applied project methodology.

ANNEX A.6 - ORGANIZATION OF INFORMATION SECURITY | 7
CONTROLS
Mobile devices Mobile devices and
6.2 and teleworking teleworking Does the organisation ensure the security of teleworking and use of mobile devices?
Does the organization have a policy and supporting security measures to manage the risks
introduced by the use of mobile devices?
The mobile device policy should cover:
a) registration of mobile devices;
b) requirements for physical protection;
c) restriction of software installation;
Mobile devices d) requirements for mobile device software versions and for applying patches;
6.2.1 and teleworking Mobile device policy e) restriction of connection to information services;
f) access controls;
g) cryptographic techniques;
h) malware protection;
i) remote disabling, erasure or lockout;
j) backups;
k) usage of web services and web apps.
Mobile devices Does the organization have a policy and supporting security measures to protect information
6.2.2 Teleworking
and teleworking accessed, processed or stored at teleworking sites?

ANNEX A.7 - HUMAN RESOURCE SECURITY
6 CONTROLS
 Objective:
• To ensure that all parties (employees and contractors) understand their requirements and responsibilities before,
during and after their term of employment.
• This involves conducting background checks, adhering to information security policies, conducting necessary
training and implementing a formal disciplinary process in order to protect the organisation’s interests.

6 CONTROLS
Prior to Does the organisation ensure that employees and contractors understand their responsibilities
7.1 employment Prior to employment and are suitable for the roles for which they are considered?
Does the organization conduct background verification checks on all candidates for employment,
Prior to in accordance with relevant laws, regulations and ethics, and are these checks sufficient
7.1.1 employment Screening considering the business requirements, the classification of the information to be accessed and
the related risks?
Do contractual agreements with employees and contractors state their and the organization's
7.1.2 Prior to Terms and conditions of responsibilities for information security? e.g. confidentiality agreement, respecting information
employment employment classification requirements, responsibilities when handling 3rd party information, obligations
beyond termination?

6 CONTROLS
Prior to Does the organization ensure that employees and contractors understand their responsibilities
7.1 employment Prior to employment and are suitable for the roles for which they are considered?
Does the organization conduct background verification checks on all candidates for employment,
Prior to in accordance with relevant laws, regulations and ethics, and are these checks sufficient
7.1.1 employment Screening considering the business requirements, the classification of the information to be accessed and
the related risks?
Do contractual agreements with employees and contractors state their and the organization's
7.1.2 Prior to Terms and conditions of responsibilities for information security? e.g. confidentiality agreement, respecting information
employment employment classification requirements, responsibilities when handling 3rd party information, obligations
beyond termination?

6 CONTROLS
Termination and Termination and change of Does the organization protect its interests as part of the process of changing or terminating
7.3 change of
employment employment employment?
Does the organization define and enforce information security responsibilities and duties that
Termination and Termination or change of remain valid after termination or change of employment, and are these communicated to the
7.3.1 change of employment responsibilities employee or contractor? For example, continuing contractual clauses beyond termination (e.g.
employment
confidentiality) and how an internal move should be considered as a termination and re-hiring.

ANNEX A.8 - ASSET MANAGEMENT
10 CONTROLS
 Objective:
• To identify, classify and prevent the disclosure of information and assets.
• This involves defining acceptable use, implementing a classification scheme, outlining procedures for handling
assets and implementing procedures to securely dispose of media.

10 CONTROLS
Responsibility for Has the organisation identified organisational assets and defined appropriate protection
8.1 assets Responsibility for assets responsibilities?
Has the organisation identified assets associated with information and information processing
facilities, and has an inventory of these assets been drawn up and maintained?
Responsibility for
8.1.1 assets Inventory of assets The asset inventory should be accurate, up to date, consistent and aligned with other inventories.
For each of the identified assets, ownership of the asset should be assigned (see 8.1.2) and the
classification should be identified (see 8.2).
Responsibility for
8.1.2 Ownership of assets Have owners of the assets maintained in the asset inventory been identified?
assets
8.1.3 Responsibility for Acceptable use of assets Has the organisation identified, documented and implemented rules for the acceptable use of
assets information and of assets associated with information and information processing facilities?
8.1.4 Responsibility for Return of assets Are all employees and external party users required to return all of the organizational assets in
assets their possession upon termination of their employment, contract or agreement?

10 CONTROLS
Information Does the organisation ensure that information receives an appropriate level of protection in
8.2 classification Information classification accordance with its importance?
Does the organization classify information? Do classification levels consider legal requirements,
Information value, criticality and sensitivity to unauthorized disclosure or modification?
8.2.1 classification Classification of information The "value" should be built into the classification levels which should be incremental, e.g. in
terms of confidentiality, integrity and availability requirements.
Information Has an appropriate set of procedures been developed and implemented for information labelling
8.2.2 classification Labelling of information in accordance with the information classification scheme?
Has the organization developed and implemented procedures for handling assets in accordance
Information
8.2.3 Handling of assets with the information classification scheme? For example covering access restrictions, transfer
classification methods, storage location or media for each level of classification.

10 CONTROLS
Does the organisation prevent unauthorised disclosure, modification, removal or destruction of
8.3 Media handling Media handling information stored on media?
Management of removable Are there procedures for the management of removable media in accordance with the
8.3.1 Media handling media classification scheme?
8.3.2 Media handling Disposal of media Are there formal procedures for the disposal of media securely when no longer required?
Are there procedures to protect media containing information against unauthorized access,
8.3.3 Media handling Physical media transfer misuse or corruption during transportation?

ANNEX A.9 - ACCESS CONTROL
14 CONTROLS
 Objective:
• To limit access to and prevent unauthorized access of information, and hold individuals accountable for protecting
authentication information (such as PINs and passwords).
• This involves implementing an access control policy, controlling access rights, defining the use of secret
authentication information and restricting any programs with override capabilities.

14 CONTROLS
Business Business requirements of
9.1 requirements of Does the organisation limit access to information and information processing facilities?
access control access control
Business Is there an established, documented and reviewed access control policy based on business and
9.1.1 requirements of Access control policy information security requirements?
access control
Business Access to networks and Are users restricted to access only those networks and network services that they have been
9.1.2 requirements of
access control network services specifically authorised to use?

14 CONTROLS
User access Are there processes in place to ensure only authorised users have access and to prevent
9.2 management User access management unauthorised access to systems and services?
Is there a formal user registration and de-registration process to enable assignment of access
User access User registration and de- rights?
9.2.1 management registration Does it ensure only unique user IDs are used to enable users to be linked to and held responsible
for their actions? Are leavers' user IDs immediately disabled or removed?
User access Is there a formal user access provisioning process to assign or revoke access rights for all user
9.2.2 management User access provisioning types to all systems and services?
User access Management of privileged
9.2.3 Is the allocation and use of privileged access rights restricted and controlled?
management access rights
Is there a formal management process to control the allocation of secret authentication
User access Management of secret information? [Passwords are a commonly used type of secret authentication information and are
9.2.4 management authentication information of a common means of verifying a user’s identity. Other types of secret authentication information
users are cryptographic keys and other data stored on hardware tokens (e.g. smart cards) that produce
authentication codes.]
9.2.5 User access Review of user access rights Do asset owners review users' access rights at regular intervals? Does it consider both access and
management permissions?
User access Removal or adjustment of Are access rights of employees and external party users to information and processing facilities
9.2.6
management access rights removed upon termination (or change) of their employment, contract or agreement?

14 CONTROLS
System and
9.4 application access System and application access Does the organization prevent unauthorized access to systems and applications?
control
control
System and
Is access to information and application system functions restricted in accordance with the access
9.4.1 application access Information access restriction
control policy?
control
System and
Is there a secure log-on procedure to control access to systems and applications where required
9.4.2 application access Secure log-on procedures
control by the access control policy?
System and
9.4.3 application access Password management system Are the password management systems interactive and do they ensure quality passwords?
control
System and Use of privileged utility Are there quidelines for the use of utility programs that might be capable of overriding system
9.4.4 application access
control programs and application controls? Are their use restricted and tightly controlled?
System and Access control to program Is access to program source code restricted? Is access to associated items (such as designs,
9.4.5 application access
control source code specifications, verification plans and validation plans) restricted?

ANNEX A.10 - CRYPTOGRAPHY
2 CONTROLS
 Objective:
• To ensure encryption and key management is used to maintain the confidentiality, integrity and authenticity of
important information.
• This involves outlining, through a cryptographic policy, the use and validity period of cryptographic keys.

ANNEX A.10 - CRYPTOGRAPHY
2 CONTROLS
Cryptographic Is cryptography properly and effectively used to protect the confidentiality, authenticity and/or
10.1 controls Cryptographic controls integrity of information?
Cryptographic Policy on the use of Has a policy on the use of cryptographic controls for protection of information been developed
10.1.1 controls cryptographic controls and implemented?
Cryptographic
10.1.2 Key management Has a policy on the management of cryptographic keys been developed and implemented?
controls

ANNEX A.11 - PHYSICAL AND ENVIRONMENTAL SECURITY
15 CONTROLS
 Objective:
• To prevent unauthorized access to information that may cause loss or interruption to operations.
• To prevent the compromise of assets through loss, damage or theft.
• This involves defining and implementing a physical security perimeter, securing areas involved in transport (such
as loading bays), regularly servicing equipment and protecting equipment when taken off office premises.

15 CONTROLS
Does the organisation prevent unauthorised physical access, damage and interference to the
11.1 Secure areas Secure areas organisation's information and information processing facilities?
11.1.1 Secure areas Physical security perimeter Have physical security perimeters been defined, and are they used to protect areas that contain
either sensitive or critical information and information processing facilities?
Are secure areas protected by appropriate entry controls to ensure that only authorised
11.1.2 Secure areas Physical entry controls personnel are allowed access?
Securing offices, rooms and
11.1.3 Secure areas facilities Have physical security mechanisms for offices, rooms and facilities been considered and applied?
Have you designed and applied physical protection against natural disasters, malicious attacks
Protecting against external and and accidents?
11.1.4 Secure areas
environmental threats
You should seek specialist advice on how to avoid damage from fire, flood, earthquake, explosion,
civil unrest and other forms of natural or man-made disaster.
11.1.5 Secure areas Working in secure areas Have procedures for working in secure areas been designed and applied?
Are access points such as delivery and loading areas controlled or isolated? Or other points where
11.1.6 Secure areas Delivery and loading areas
unauthorized persons could enter the premises unchallenged/unnoticed?

15 CONTROLS
Does the organisation prevent loss, damage, theft and compromise of assets and interruption to the
11.2 Equipment Equipment organisation's operations?
Equipment siting and Is equipment located and protected to reduce the risks from environmental threats and hazards, and
11.2.1 Equipment
protection opportunities for unauthorised access?
Is equipment protected from power failures and other disruptions caused by failures in supporting
11.2.2 Equipment Supporting utilities
utilities?
Are power and telecommunication cables carrying data or supporting information services protected
11.2.3 Equipment Cabling security
from interception, interference and damage?
11.2.4 Equipment Equipment maintenance Is equipment maintained correctly/regularly to ensure continued availability and integrity?
Are equipment, information and software prevented from being taken off-site without prior
11.2.5 Equipment Removal of assets
authorisation?
11.2.6 Equipment Security of equipment and Is security applied to assets when off-site? Does this take into account the different risks of working
assets off-premises outside the organization's premises?
Secure disposal or re-use of Are there procedures to verify that equipment containing storage media has had any sensitive data and
11.2.7 Equipment licensed software removed or securely overwritten prior to disposal or re-use?
equipment
Are all users made aware of security requirements and procedures to ensure that unattended
11.2.8 Equipment Unattended user equipment equipment has appropriate protection?
11.2.9 Equipment Clear desk and clear screen Is there a clear desk policy for papers and removable storage media, and a clear screen policy for
policy information processing facilities?

ANNEX A.12 - OPERATIONAL SECURITY
14 CONTROLS
 Objective:
• To ensure the integrity of information processing facilities and operational systems, protecting these facilities from
malware, preventing the loss of data, maintaining consistency across activity logs, mitigating potential technical
risks and minimizing disruptions brought on by audit activities.
• This involves documenting operating procedures (such as changes to organizational processes), separating
operational environments, implementing anti-malware software and making users aware of what constitutes
acceptable use, following an agreed backup policy, monitoring software installation and regularly evaluating risks.

15 CONTROLS
Operational Operational procedures and
12.1 procedures and Does the organisation ensure correct and secure operations of information processing facilities?
responsibilities responsibilities
Are there documented IT operating procedures and are they made available to all users who need
Operational them?
12.1.1 procedures and Documented operating For example, procedures to cover the installation and configuration of systems, backups, job
procedures
responsibilities scheduling, error/alert handling and other exceptional conditions, system restart and recovery
etc.
Operational Is there a change management/control procedure? Are changes to the organisation, business
12.1.2 procedures and Change management processes, information processing facilities and systems that affect information security approved
responsibilities and implemented in a controlled way?
Operational
Is resource usage monitored and tuned, and are projections made of future capacity
12.1.3 procedures and Capacity management requirements, to ensure the required system performance?
responsibilities
Operational Separation of development,
12.1.4 procedures and testing and operational Are the development, testing and operational environments separated to reduce the risks of
responsibilities environments unauthorized access and changes to the operational environment?

15 CONTROLS
Protection from
12.2 malware Protection from malware Are information and information processing facilities protected against malware?
12.2.1 Protection from Controls against malware Are there detection, prevention and recovery controls in place to protect against malware? Is this
malware combined with appropriate user awareness education/training?
12.3 Backup Backup Does the organisation protect against loss of data?
Is there an agreed backup policy, and are backup copies of information, software and system
12.3.1 Backup Information backup images taken and tested regularly in accordance with this policy? Are backups included in the
retention policy?

15 CONTROLS
Logging and
12.4 monitoring Logging and monitoring Does the organisation record events and generate evidence?
12.4.1 Logging and Event logging Are required event logs identified, produced, kept and regularly reviewed or alerts configured?
monitoring Do they record user activities, exceptions, faults and information security events?
Logging and
12.4.2 monitoring Protection of log information Are logging facilities and log information protected against tampering and unauthorised access?
Are system administrator and system operator activities logged, and are the logs protected and
Logging and Administrator and operator regularly reviewed?
12.4.3 monitoring logs
Privileged user account holders may be able to manipulate the logs under their control, therefore
it is crucial to protect and review the logs to maintain accountability for privileged users.
12.4.4 Logging and Clock synchronisation Are the clocks of all relevant information processing systems within an organization or security
monitoring domain synchronized with a single reference time source?

15 CONTROLS
Control of operational Control of operational
12.5 software software Is the integrity of operational systems ensured?
12.5.1 Control of operational Installation of software Are procedures implemented to control the installation of software on operational systems?
software on operational systems
Technical vulnerability Technical vulnerability
12.6 management management Does the organisation prevent the exploitation of technical vulnerabilities?
Is timely information about technical vulnerabilities of information systems being used obtained,
Technical vulnerability Management of technical
12.6.1 is the organisation’s exposure to such vulnerabilities evaluated, and are the appropriate measures
management vulnerabilities
taken to address the associated risk?
Technical vulnerability Restrictions on software
12.6.2 Have rules governing the installation of software by users been established and implemented?
management installation
12.7 Information systems Information systems Does the organization minimize the impact of audit activities on operational systems?
audit considerations audit considerations
Information systems Information systems Are audit activities involving verification of operational systems carefully planned and agreed to
12.7.1 audit considerations audit controls minimize disruptions to business processes?

ANNEX A.13 - COMMUNICATIONS SECURITY
7 CONTROLS
 Objective:
• To monitor the internal and external transfer of information.
• This involves implementing information transfer policies across all communication facilities (such as email, social
media and internal messaging platforms).

7 CONTROLS
Network security Does the organisation protect information in networks and supporting information processing
13.1 management Network security management facilities?
13.1.1 Network security Network controls Are networks managed and controls to protect information in connected systems and
management applications?
Network security Are security features, service levels and management requirements of all network services
13.1.2 Security of network services identified and included in network services agreements, whether provided in-house or
management
outsourced?
Network security
13.1.3 management Segregation in networks Are information services, users and information systems segregated into groups on networks?

7 CONTROLS
Information Is the security of information transferred within the organisation and with any external entity
13.2 transfer Information transfer maintained?
Information Information transfer policies Are there formal transfer policies, procedures and controls in place to protect information during
13.2.1 transfer? Do they cover all transfer methods? Do they consider your information classification
transfer and procedures scheme?
13.2.2 Information Agreements on information Do agreements (e.g. with clients, suppliers, partners). cover the secure transfer of information
transfer transfer between the organisation and external parties?
Information Is information involved in electronic messaging appropriately protected? E.g. covering email,
13.2.3 Electronic messaging
transfer electronic data interchange, social media
Information Confidentiality or non- Are requirements for the use of confidentiality or non-disclosure agreements identified, regularly
13.2.4
transfer disclosure agreements reviewed and documented?

ANNEX A.14 - SYSTEM ACQUISITION, DEVELOPMENT AND
MAINTENANCE | 13 CONTROLS
 Objective:
• To ensure that information security requirements are established across the lifecycle of information systems and
included when updating existing systems or implementing new systems.
• To ensure that data being used for testing is only accessed by authorized personnel.
• This involves protecting information that passes through public networks to prevent misrouting, alteration or
unauthorized disclosure, establishing secure development areas and regularly testing security facilities.

Security requirements of Security requirements of Does the organisation ensure that security is an integral party of information systems, including
14.1 information systems information systems those information systems that provide services over public networks?
Security requirements of Information security When defining requirements for new information systems and/or enhancements to existing
14.1.1 requirements analysis
information systems and specification information systems, are information security related requirements considered and included?
Securing application
Security requirements of Is information involved in application services passing over public networks protected from
14.1.2 information systems services on public fraudulent activity, contract dispute and unauthorized disclosure and modification?
networks
Security requirements of Protecting application Is information involved in application service transactions protected to prevent incomplete
14.1.3 transmission, mis-routing, unauthorized message alteration, unauthorized disclosure,
information systems services transactions unauthorized message duplication and replay?

Security in development and Security in development and
14.2 support processes support processes Is information security designed and implemented within the development lifecycle of information systems?
14.2.1 Security in development and Secure development policy Are there established rules for the development of software and systems, and are they applied to developments within your
support processes control, i.e. within the organization or sub-contracted?
14.2.2 Security in development and System change control Are there formal change control procedures built within the development lifecycle to control changes to systems ?
support processes procedures
14.2.3 Security in development and Technical review of applications When operating systems are changed, are business critical applications reviewed and tested to ensure there is no adverse impact
support processes after operating platform changes on organisational operations or security?
14.2.4 Security in development and Restrictions on changes to Are modifications to vendor-supplied software packages discouraged, limited to necessary changes and are all changes strictly
support processes software packages controlled?
14.2.5 Security in development and Secure system engineering Have principles for engineering secure systems been established, documented and maintained, and are they applied?
support processes principles
Are development environments for system development and integration efforts in place and appropriately protected? Are they
14.2.6 Security in development and Secure development used throughout the development lifecycle?
support processes environment A secure development environment includes people, processes and technology associated with system development and
integration.
14.2.7 Security in development and Outsourced development Do you supervise and monitor the activity of outsourced system development?
support processes
Is security functionality testing conducted during development? Including the preparation of a detailed schedule of activities and
Security in development and test inputs and expected outputs under a range of conditions. For in-house developments, such tests should initially be performed
14.2.8 support processes System security testing by the development team. Independent acceptance testing should then be undertaken (both for in-house and for outsourced
developments) to ensure that the system works as expected and only as expected. The extent of testing should be in proportion to
the importance and nature of the system.
14.2.9 Security in development and System acceptance criteria Are there acceptance testing programs? Are acceptance criteria been established for new information systems, upgrades and new
support processes versions? Do they include testing of information security requirements?

14.3 Test data Test data Is data used for testing protected?
14.3.1 Test data Protection of test data Is test data selected appropriately? Is it protected and controlled?

ANNEX A.15 - SUPPLIER RELATIONSHIPS
5 CONTROLS
 Objective:
• To ensure that information security requirements are established across the lifecycle of information systems and
included when updating existing systems or implementing new systems.
• To ensure that data being used for testing is only accessed by authorized personnel.
• This involves protecting information that passes through public networks to prevent misrouting, alteration or
unauthorized disclosure, establishing secure development areas and regularly testing security facilities.

5 CONTROLS
Information security in Information security in
15.1 supplier relationships supplier relationships Are the organisation's assets accessible by suppliers protected?
Information security in Information security Are information security requirements for mitigating the risks associated with supplier's access to
15.1.1 policy for supplier
supplier relationships relationships the organization's assets agreed with the supplier and documented?
Addressing security Are all relevant information security requirements established and agreed with each supplier that
Information security in
15.1.2 supplier relationships within supplier may access, process, store, communicate, or provide IT infrastructure for, the organisation's
agreements information?
Information security in Information and Do agreements with suppliers include requirements to address the information security risks
15.1.3 communication
supplier relationships technology supply chain associated with information and communications technology services and product supply chain?

5 CONTROLS
Supplier service delivery Supplier service delivery Does the organisation maintain an agreed level of information security and service delivery in line
15.2 management management with supplier agreements?
15.2.1 Supplier service delivery Monitoring and review Does the organisation regularly monitor, review and audit supplier service delivery?
management of supplier services
Does the organization manage changes to the provision of services by suppliers, including
Supplier service delivery Managing changes to maintaining and improving existing information security policies, procedures and controls, taking
15.2.2
management supplier services account of the criticality of business information, systems and processes involved, and re-
assessment of risks?

ANNEX A.16 - INFORMATION SECURITY INCIDENT
MANAGEMENT 7 CONTROLS
 Objective:
• To ensure that any information security incidents are managed effectively and consistently.
• This involves reporting any weaknesses through the appropriate management channels as quickly as possible,
responding to these incidents in line with established procedures and preserving evidence.

ANNEX A.16 - INFORMATION SECURITY INCIDENT
MANAGEMENT 7 CONTROLS
Management of information Management of information
Does the organisation ensure that a consistent and effective approach is applied to the management of
16.1 security incidents and security incidents and information security incidents, including communication on security events and weaknesses?
improvements improvements
Management of information
Responsibilities and Has the organisation established management responsibilities and procedures to ensure a quick, effective and
16.1.1 security incidents and
improvements procedures orderly response to information security incidents?
16.1.2 security incidents and Reporting information Are information security events reported through appropriate management channels as quickly as possible?
security events
improvements
Reporting information Does the organisation require employees and contractors using the organisation's information systems and
16.1.3 security incidents and security weaknesses services to note and report any observed or suspected information security weaknesses in systems or services?
improvements
Management of information Assessment of and decision
Does the organisation assess information security events and make decisions as to whether they are classified as
16.1.4 security incidents and on information security information security incidents?
improvements events
Management of information Response to information
16.1.5 security incidents and Are information security incidents responded to in accordance with the documented procedures?
improvements security incidents
Learning from information Does the organisation use knowledge gained from analysing and resolving information security incidents to
16.1.6 security incidents and security incidents reduce the likelihood or impact of future incidents?
improvements
Management of information Has the organisation defined and applied procedures for the identification, collection, acquisition and
16.1.7 security incidents and Collection of evidence
improvements preservation of information that can serve as evidence?

ANNEX A.17 - INFORMATION SECURITY ASPECTS OF BUSINESS
CONTINUITY MANAGEMENT | 4 CONTROLS
 Objective:
• To ensure the continuation of information security and that these measures are in line with your organisation's
continuity plans.
• To ensure the availability of information processing facilities.

ANNEX A.17 - INFORMATION SECURITY ASPECTS OF BUSINESS
CONTINUITY MANAGEMENT | 4 CONTROLS
Information security Information security Is information security continuity embedded in the organisation business continuity management
17.1 continuity continuity systems?
17.1.1 Information security Planning information Has the organisation determined its requirements for information security and the continuity of
continuity security continuity information security management in adverse situations (e.g. during a crisis or disaster)?
Information security Implementing Has the organization established, documented implemented and maintained processes,
17.1.2 information security procedures and controls that ensure the required level of continuity for information security
continuity
continuity during an adverse situation?
Verify, review and
Information security Does the organisation verify the established and implemented information security continuity
17.1.3 continuity evaluate information controls at regular intervals, ensuring that they are valid and effective during adverse situations?
security continuity
17.2 Redundancies Redundancies Is the availability of information processing facilities ensured?
Availability of Are information processing facilities implemented with redundancy sufficient to meet availability
17.2.1 Redundancies information processing
facilities requirements?
Information security Information security Is information security continuity embedded in the organisation business continuity management
17.1
continuity continuity systems?
Information security Planning information Has the organization determined its requirements for information security and the continuity of
17.1.1
continuity security continuity information security management in adverse situations (e.g. during a crisis or disaster)?

ANNEX A.18 - COMPLIANCE
8 CONTROLS
 Objective:
• To avoid information security breaches of a legal, statutory, regulatory or contractual nature, and ensure that
information security is carried out according to organizational requirements
• This involves identifying compliance requirements, protecting against any implications (loss, theft etc)
according to these requirements, ensuring the protection of sensitive information and regularly reviewing the
compliance of information systems.

8 CONTROLS
Compliance with legal Compliance with legal Does the organisation avoid breaches of legal, statutory, regulatory and contractual obligations
18.1 and contractual and contractual
requirements requirements related to information security and of any security requirements?
Identification of
Compliance with legal applicable legislation Have all relevant legislative, statutory, regulatory and contractual requirements and the
18.1.1 and contractual and contractual organization’s approach to meet these requirements been explicitly identified and documented,
requirements and is it kept up to date for each information system and the organization?
requirements
Compliance with legal Have appropriate procedures been implemented to ensure compliance with legislative,
Intellectual property
18.1.2 and contractual rights (IPR) regulatory and contractual requirements related to intellectual property rights and use of
requirements proprietary software products?
Compliance with legal
18.1.3 and contractual Protection of records Are records protected from loss, destruction, falsification, unauthorised access and unauthorised
release, in accordance with legislatory, regulatory, contractual and business requirements?
requirements
Compliance with legal Privacy and protection of
Does the organisation ensure privacy and protection of personally identifiable information as
18.1.4 and contractual personally identifiable
requirements information required in relevant legislation and regulations?
Compliance with legal
18.1.5 and contractual Regulation of Are cryptographic controls used in compliance with all relevant agreements, legislation and
requirements cryptographic controls regulations?

8 CONTROLS
Information security Information security Does the organisation ensure that information security is implemented and operated in
18.2 reviews reviews accordance with the organisational policies and procedures?
18.2.1 Information security Independent review of Is the organisation's approach to managing information security and its implementation reviewed
reviews information security independently and at planned intervals or when significant changes occur?
Information security Compliance with Do managers regularly review the compliance of information processing and procedures within
18.2.2 security policies and their area of responsibility with the appropriate security policies, standards and other security
reviews
standards requirements?
Information security Technical compliance Are information systems regularly checked for compliance with the organization's information
18.2.3
reviews review security policies and standards?

THANK YOU

Iso 27001

Uploaded by

Copyright:

Available Formats

Iso 27001

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Iso 27001

Uploaded by

Copyright:

Available Formats

ISO/IEC 27001- ISMS

ISO/IEC 27001- ISMS BY BOBBY SHARON 2

1. Information Security Policies

ISO/IEC 27001- ISMS BY BOBBY SHARON 3

Focus Area Annex A control category

HR (6 Controls) A.9, A.10, A.12, A.13, A.14, A.16, A.17

Physical Security (15 Controls) A.11

Legal Issues (8 controls) A.18

ISO/IEC 27001- ISMS BY BOBBY SHARON 4

ISO/IEC 27001- ISMS BY BOBBY SHARON 5

ISO/IEC 27001- ISMS BY BOBBY SHARON 6

ISO/IEC 27001- ISMS BY BOBBY SHARON 7

Have all information security responsibilities been defined and allocated?

ISO/IEC 27001- ISMS BY BOBBY SHARON 8

ISO/IEC 27001- ISMS BY BOBBY SHARON 9

ISO/IEC 27001- ISMS BY BOBBY SHARON 10

ISO/IEC 27001- ISMS BY BOBBY SHARON 11

ISO/IEC 27001- ISMS BY BOBBY SHARON 12

ISO/IEC 27001- ISMS BY BOBBY SHARON 13

ISO/IEC 27001- ISMS BY BOBBY SHARON 14

ISO/IEC 27001- ISMS BY BOBBY SHARON 15

ISO/IEC 27001- ISMS BY BOBBY SHARON 16

ISO/IEC 27001- ISMS BY BOBBY SHARON 17

ISO/IEC 27001- ISMS BY BOBBY SHARON 18

ISO/IEC 27001- ISMS BY BOBBY SHARON 19

ISO/IEC 27001- ISMS BY BOBBY SHARON 20

ISO/IEC 27001- ISMS BY BOBBY SHARON 21

ISO/IEC 27001- ISMS BY BOBBY SHARON 22

ISO/IEC 27001- ISMS BY BOBBY SHARON 23

ISO/IEC 27001- ISMS BY BOBBY SHARON 24

ISO/IEC 27001- ISMS BY BOBBY SHARON 25

ISO/IEC 27001- ISMS BY BOBBY SHARON 26

ISO/IEC 27001- ISMS BY BOBBY SHARON 27

ISO/IEC 27001- ISMS BY BOBBY SHARON 28

ISO/IEC 27001- ISMS BY BOBBY SHARON 29

ISO/IEC 27001- ISMS BY BOBBY SHARON 30

ISO/IEC 27001- ISMS BY BOBBY SHARON 31

ISO/IEC 27001- ISMS BY BOBBY SHARON 32

ISO/IEC 27001- ISMS BY BOBBY SHARON 33

ISO/IEC 27001- ISMS BY BOBBY SHARON 34

ISO/IEC 27001- ISMS BY BOBBY SHARON 35

ISO/IEC 27001- ISMS BY BOBBY SHARON 36

ISO/IEC 27001- ISMS BY BOBBY SHARON 37

ISO/IEC 27001- ISMS BY BOBBY SHARON 38

ISO/IEC 27001- ISMS BY BOBBY SHARON 39

ISO/IEC 27001- ISMS BY BOBBY SHARON 40

ISO/IEC 27001- ISMS BY BOBBY SHARON 41

ISO/IEC 27001- ISMS BY BOBBY SHARON 42

ISO/IEC 27001- ISMS BY BOBBY SHARON 43

ISO/IEC 27001- ISMS BY BOBBY SHARON 44

ISO/IEC 27001- ISMS BY BOBBY SHARON 45

ISO/IEC 27001- ISMS BY BOBBY SHARON 46

ISO/IEC 27001- ISMS BY BOBBY SHARON 47

ISO/IEC 27001- ISMS BY BOBBY SHARON 48

You might also like