ISO 27001:2013 ISMS Manual

preteshbiswas, January 8, 2020


https://isoconsultantkuwait.com/2020/01/08/iso-270012013-isms-manual/

1 Introduction
This section presents the Scope of the Information Security Management System (ISMS). This
includes the purpose and the application of ISMS.

1.0 Scope

The scope of the ISMS covers XXX, its server room, and the management of the business
applications used to deliver the IT services provided to internal and external customers from its
office location at XXXXXXX.

(Note: refer to the latest version of ‘ISO 27001-2013-SOA .xlsx’ for exclusions)

1.1 General

This ISMS manual specifies the requirements for establishing, implementing, monitoring,
reviewing, maintaining, and improving a documented ISMS within the context of XXX's overall
business requirements. It specifies the implementation of security controls customized to the needs
of XXX.

The ISMS is designed to ensure adequate and appropriate security controls that maintain
Confidentiality, Integrity and Availability (CIA) of information assets.

For the applicability (with rationale) and exclusion (with justification) of controls, refer to the
Statement of Applicability (SOA). The SOA as applicable to XXX is enclosed. As certain controls are
not applicable at project sites, a project-site-specific SOA is also maintained.

1.2 References

The following documents were referred to for the creation of this document:

 ISO/IEC 27001:2013, Information technology – Security techniques – Information security
management systems – Requirements

1.3 Terms and Definitions

 Asset – Anything that has value to the organization.
 Availability – The property of being accessible and usable upon demand by an authorized
entity.
 Business Continuity Plan (BCP) – A plan to build-in proper redundancies and avoid
contingencies to ensure continuity of Business.
 Computer Media – All devices that can electronically store information, including but not
limited to diskettes, CDs, tapes, cartridges, and portable hard disks.
 Confidentiality – Ensuring that information is accessible only to those authorized to have
access.
 Continual Improvement – Continual Improvement refers to stage improvement programs
that facilitate rapid improvement phases with intermediate stabilized phases.
 Control – A mechanism or procedure implemented to satisfy a control objective
 Control Objective – A statement of intent with respect to a domain over some aspects of
an organization’s resources or processes. In terms of a management system, control
objectives provide a framework for developing a strategy for fulfilling a set of security
requirements.
 Disaster Recovery (DR) – A plan for the early recovery of Business operations in the event
of an incident that prevents normal operation.
 Fallback – Provisions to provide service in the event of failure of computing or
communications facilities.
 Information Security – Preservation of the Confidentiality, Integrity and Availability of
information.
 Information Security Event – An identified occurrence of a system, service or network
state indicating a possible breach of information security policy or failure of safeguards, or
a previously unknown situation that may be security relevant.
 Information Security Incident – A single or a series of unwanted or unexpected information
security events that have a significant probability of compromising business operations and
threatening information security.
 Information Security Management System (ISMS) – That part of the overall management
system, based on a business risk approach, used to establish, implement, operate, monitor,
review, maintain, and improve information security. The management system includes
organizational structure, policies, planning activities, responsibilities, practices,
procedures, processes and resources.
 Integrity – Safeguarding the accuracy and completeness of information and processing
methods.
 Organization – Refers to XXX unless specified otherwise.
 Risk – The combination of the probability of an event and its consequence.
 Residual Risk – The risk remaining after risk treatment.
 Risk Acceptance – Decision to accept risk.
 Risk Analysis – Systematic use of information to identify sources and to estimate the risk.
 Risk Assessment – Overall process of risk analysis and risk evaluation.
 Risk Evaluation – Process of comparing the estimated risk against given risk criteria to
determine the significance of the risk.
 Risk Management – Coordinated activities to direct and control an organization with
regard to risk.
 Risk Treatment – Process of selection and implementation of measures to modify risk.
 Statement of Applicability – Document describing the control objectives and controls that
are relevant and applicable to XXX’s ISMS, based on the results and conclusions of the
Risk Assessment and Risk Treatment Processes. It should clearly indicate exclusions with
appropriate reasons.
2 About the Manual
This section presents a brief overview of the Information Security Management System (ISMS)
manual of XXX.

2.1 Organization of the Manual

The ISMS manual is intended as a reference document describing the security framework adopted
by XXX. It is organized as per the Table of Contents.

2.2 Document Availability

This document is available to all employees of XXX in the form of a web page on the intranet.
This is a read-only copy, and each part of the documentation is available only to authorized
users based on their business requirements.

2.3 Document Control Information

It is the responsibility of the XXX to release an approved document for the XXX.

3 Organization Overview
This section presents an overview of XXX and its operations. XXX's mission is to fulfill the
promise of applying technology to enable the success of customers' businesses by performing at a level
of trust, partnership, and innovation that far exceeds what customers have come to expect from technology
services providers. In the same way, we know that to achieve that aspiration, we must exceed what
our professionals have come to expect from technology services employers.
4 Context of the Organization
4.1 Understanding the Organization and its Context

XXX shall determine the external and internal issues that are relevant to delivering services from
the Server Room and Business Operation and that affect its ability to achieve the intended results of
the ISMS. The issues considered necessary for delivering services to internal and external
stakeholders are given in the table after section 4.2.

4.2 Understanding the Needs and Expectations of Interested Parties

XXX shall determine the following:

1. Interested parties that are relevant to the ISMS – all customers (internal and external),
vendors supporting the infrastructure in the Server Room and other business operations, and all
employees providing services to, or receiving services from, the Server Room and other business
operations.
2. The requirements of these interested parties relevant to information security. The needs and
expectations of external as well as internal stakeholders are considered as given below, and will
be reviewed and updated over time as part of continual improvement.

Internal stakeholders – Issues

Management: Governance, resource availability, organization structure, roles and accountabilities,
policies, objectives, and strategies.
Employees: Fulfillment of commitments, adherence to organization policies, processes and guidelines,
and ensuring seamless / uninterrupted operations. Expectations of employees in terms of commitments
made by the organization need to be fulfilled.
Shareholders: Relationship with, and perceptions and values of, internal stakeholders.
Board of Directors: Maintaining commitment to customers, goodwill and repute of the organization,
and maintaining the return on investment committed on the business, in totality.
Corporate requirements: Standards, guidelines and models adopted by the organization.
Users / Other departments: Information technology related requirements to the organization, such as
access rights and IT infrastructure availability to internal users and other departments.
HR: Resource availability, resource competence, training, background verification, etc.
Finance: Approval of financial commitments.
Legal: Vetting of legal contracts and protecting the organization from non-compliance with legal,
regulatory and contractual requirements.

External stakeholders – Issues

Customers: Service delivery.
Customers: Supply of goods and services to enable the organization to meet the requirements of the
customer.
Customer: Risk Assessment & Risk Treatment Procedure for assessing the risk for internal as well as
external customers.
Customer: For managing customer related security aspects, the organization has deployed policies,
processes and procedures such as the Password Policy, IT Access Control Policy, VPN (Virtual Private
Network) Policy, IEM (Internet & Electronic Messaging) Usage Policy, Antivirus Policy, Information
Classification, Labeling and Handling Policy, Asset Handling Process, Business Continuity Plan
Process, Physical Security Management Procedure and many more.
Users / Public: Information technology related requirements to the organization, such as access
rights and IT infrastructure availability to internal users and other departments.
Government: Submission of the required reports, statements and approvals to carry out the business.
Fulfilling legal and regulatory requirements.
Society and environment: Natural and competitive environment, key drivers and trends having an
impact on the objectives of the organization, political and financial status of the country.

4.3 Determining the scope of the Information security management System

The Scope of the ISMS covers:

 The XXX Server Room, Business Operation and its management
 The implementation of the IT services provided to internal and external customers

The server room is located at XXX.

(Note: refer to the SOA for exclusions)

4.4 Information Security Management System

XXX shall establish, implement, maintain and continually improve an information security
management system in accordance with the requirements of ISO 27001:2013.
5 Leadership
This section presents the XXX’s initiative and commitment to effective implementation and
operation of ISMS. In addition, this section highlights the roles and responsibilities associated with
ISMS operation.

5.1 Leadership and commitment

Top management shall demonstrate leadership and commitment with respect to the information
Security management system by:

1. Ensuring the information security policy and the information security objectives are
established and are compatible with the strategic direction of the organization;
2. Ensuring the integration of the information security management system requirements into
the organization’s processes;
3. Ensuring that the resources needed for the information security management system are
available;
4. Communicating the importance of effective information security management and of
conforming to the information security management system requirements;
5. Ensuring that the information security management system achieves its intended
outcome(s);
6. Directing and supporting persons to contribute to the effectiveness of the information
security management system;
7. Promoting continual improvement; and supporting other relevant management roles to
demonstrate their leadership as it applies to their areas of responsibility.

5.2 ISMS Policy

XXX is committed to maintaining high quality standards in delivering timely and cost-effective
solutions to our customers by continual improvement of our processes, instilling quality
consciousness amongst all employees and preserving the confidentiality, integrity and
availability of information assets for relevant stakeholders, including our customers. Risk
management will be done as per ‘CP-05-ISMS-RART-Risk Assessment & Risk Treatment
Procedure’, and risk will be evaluated based on asset value, threats and vulnerabilities. If the
risk value is high, adequate controls will be implemented.

Action Guideline:

1. XXX prevents leakage, destruction, and illegal use of all information relating to
customers, vendors, management etc. and builds the system to secure the confidentiality,
integrity and availability of the information needed for daily operations.
2. The Company recognizes the value of the private information of all staff and secures it.
3. XXX establishes a contingency plan to secure continuation of the business, assuming
occurrences of a natural disaster, terrorism, a large-scale infectious disease etc.
4. The Company provides all staff with proper education and training to maintain and improve the
effectiveness of the information security management system.
5. The Company builds and manages an organization which detects and handles incidents, audits its
operations and the effectiveness of the information security management system, and pursues its
continual improvement.

To secure its information assets and its customer, XXX shall deploy procedures to maintain
confidentiality, integrity and availability of all information assets

Business objectives and goals of XXX are

1. Key Objective 1: Provide high quality services to our clients.

 Goal 1 – Client Satisfaction Score of more than 90%
 Goal 2 – On-time Delivery > 80%
 Goal 3 – No defects of showstopper/critical type in the first release to the client.

2. Key Objective 2: Continuous focus on employee satisfaction and competency
development so as to reduce and stabilize employee attrition.

 Goal 1 – A minimum of 3 man-days of training per employee per year.
 Goal 2 – Overall attrition rate < 15% per year
 Goal 3 – Employee satisfaction survey score of greater than 75%

3. Key Objective 3: Continual improvement of services to our internal & external customers.

 Goal 1 – Key process performance improvement of at least 10% per annum in all
departments

4. Key Objective 4: To secure its information assets and those of its customers, XXX shall deploy
procedures to maintain the confidentiality, integrity and availability of all information assets.

 Goal 1 – Number of security incidents of high severity to be less than 5% of total security
incidents.

5. Key Objective 5: To have year-on-year revenue increase while maintaining profitability

 Goal 1 – Revenue growth of >= 40% with respect to the previous financial year
 Goal 2 – Profit before Tax to be >= 20%

To meet these business goals, ISMS objectives are defined; they are given in section 6.2.

5.3 Organizational Roles, Responsibilities & Authority for Information Security

XXX is committed to security. The management has constituted an Information System Security
Committee, which is responsible for defining and improving the ISMS. Management provides
evidence of its commitment to the establishment, implementation, operation, monitoring, review,
maintenance and improvement of the ISMS, as defined in the ISMS documentation, by:
1. Establishing an information security policy;
2. Ensuring that information security objectives and plans are established;
3. Establishing roles and responsibilities for information security;
4. Communicating to the organization the importance of meeting information security
objectives and conforming to the information security policy, its responsibilities under the
law and the need for continual improvement;
5. Providing sufficient resources to establish, implement, operate, monitor, review, maintain
and improve the ISMS;
6. Deciding the criteria for accepting risks and the acceptable level of risk;
7. Ensuring that internal ISMS audits are conducted;
8. Conducting management reviews of the ISMS.

1. SPONSOR

 Establishing an ISMS policy & integrated quality policy
 Ensuring that ISMS objectives and plans are established.
 Establishing roles and responsibilities for information security.
 Communicating to the organization the importance of meeting information security
objectives and conforming to the information security policy, its responsibilities under the
law and the need for continual improvement.
 Providing sufficient resources to establish, implement, operate, monitor, review, maintain
and improve the ISMS.
 Deciding the criteria for accepting risks and the acceptable levels of risk.
 Ensuring that internal ISMS audits are conducted
 Conducting Security Committee meetings of the ISMS

2. CHIEF INFORMATION SECURITY OFFICER

 Responsible for defining the ISMS Framework.
 Responsible for implementing the ISMS Framework.
 Responsible for publishing the ISMS Manual.
 Responsible for ensuring that security incidents are handled and resolved in an efficient
manner.
 Define specific roles and responsibilities for information security across XXX.

3. INFORMATION SYSTEM SECURITY COMMITTEE

 Develop, maintain, and implement ISMS policies and procedures
 Develop and maintain the Business Continuity Management Plan for the region.
 Approve and review the risk treatment plan, and accept residual risk
 Design and deliver the awareness program
 Evaluate, implement and ensure utilization of up-to-date security technology and
techniques
 Review and monitor information security incidents
 Ensure the ISMS is in line with new legal, administrative, and business requirements
 Ensure that security is part of the information planning process
 Decide specific methodologies and processes for information security, e.g. risk
assessment, security classification system etc.
 Drive XXX-wide information security initiatives
 Assess new systems and services for security before absorbing them into the system, and
identify and implement appropriate security controls

4. MANAGEMENT REPRESENTATIVE

 Responsible for defining policies and processes
 Responsible for owning the security policy and reviewing and evaluating it at least
once a year.
 Responsible for reviewing the current implementation of policies and processes and improving
them if required
 Responsible for reviewing security incidents and vulnerabilities and deciding the action to be
taken on them
 Responsible for reviewing any kind of hacking attack and the action taken to control it
 Reviewing security audit reports and the action taken to resolve NCs
 Reviewing disciplinary action taken against employees (if there is any such case)
 Reviewing backup audit reports and the action taken on them.
 Member of the Information System Security Committee.
 Co-ordinates with the Information System Security Committee.
 Organize security reviews and audits, with internal and external resources
 Ensure implementation and tracking of the ISMS plan
 Organize management reviews of the ISMS
 Promote awareness amongst employees of the ISMS.

5. MANAGER IT

 Heading IT
 Heading IT processes
 Follow up daily tasks and tickets
 Handling system security incidents and vulnerabilities
 Handling virus attacks and hacking attacks and reporting them to Security Committee
 Responsible for reviewing current implementation of policies and processes and
improving them if required
 Responsible for reviewing any kind of hacking attacks and action taken to control them
 Reviewing security audit reports and action taken to resolve NCs
 Reviewing disciplinary action taken against employee (if there is any such case)
 Review Backup audit reports and take action on it
 Member of Security Committee
 Managing IT resources
 To review and prioritize significant information Assets and security threats
 Incidents Reporting

6. Sr. Executive – HR

 Heading HR Processes
 Follow up daily tasks and HR issues
 Handling employee related incidents (misconduct, policy violations and other offences),
taking appropriate action against employees if required, and reporting them to the Security
Committee.
 Taking care of the human resource security clauses prior to employment, during employment
and on termination or change of employment.

7. Admin Assistant

 Heading Admin Processes
 Follow up daily tasks and Admin issues
 Handling employee related admin issues (misconduct, policy violations and other offences),
taking appropriate action against employees if required, and reporting them to the Security
Committee
 Managing Admin resources
 Physical Security and Physical Access Control

8. MANAGER IT NETWORKS

 Planning and monitoring networks
 Handling network issues
 Network setup and management
 Reviewing server logs (which includes operator and administrator logs)
 Client/server monitoring support
 Antivirus support
 Handling network security incidents
 Handling virus attacks and hacking attacks and reporting them to the Information System
Security Committee
 Managing Network resources

9. System administrator

 Ticket assignment
 Ticket escalations from engineers
 IMS Management
 Data Backups
 Server usage tracking
 Helpdesk
 Reports Management

10. Network Engineer

 Ticket assignment, Ticket Handling
 Desktop Issues
 Maintaining Spare Parts details
 Maintaining Software upgrades
 Operating System patch management

11. Vendors

 Provide services as per the defined SLA
 Provide Technical Support
 Provide resources for upkeep of the Data Center

12. Users

 Will follow the ISMS Policies
 Will not share passwords
 Will use applications as per the scope and access provided
 Will maintain assets in good condition

The Security Committee will meet once every month, and will support and supervise the activities of
XXX, taking informed decisions. It will be held responsible for achieving measurable
progress. Process measurement metrics will be monitored to achieve continual improvement.

13. Risk Assessment and BCP CORE TEAM

 Identify and define plans to protect critical business processes from major failures of
information systems or disasters and to ensure timely resumption of business activity
 Review, test and reassess the strategy plan to determine the overall approach to business
continuity.
 Responsible for reviewing security incidents and vulnerabilities and deciding the action to be
taken on them
 Carry out the RA and prepare the RTP

Note: At least two of the four members must take part to carry out this activity.

In addition, the group helps reduce the risk of disruption of business operations by providing advice
on all aspects of security, including:

 Security Awareness
 Data Confidentiality and Privacy
 Logical Access
 Data Communications
 Systems and Data Integrity
 Physical Security
 Personnel and Procedural Controls
 Contingency and Disaster Recovery Planning

14. EMPLOYEES
Expected to follow the security policy, processes, and procedures as documented in the ISMS.

5.3.1 Security Domains addressed by ISMS

Following are the Annex A domains of ISO 27001:2013 addressed by the ISMS:

 Information Security Policies (A.5): Management direction and support for information security
in accordance with business requirements and relevant laws and regulations.
 Organization of Information Security (A.6): Internal organization (roles and responsibilities,
segregation of duties, contact with authorities and special interest groups, information security
in project management) and security of mobile devices and teleworking.
 Human Resource Security (A.7): Security responsibilities prior to employment, during employment
and on termination or change of employment, including awareness and training and an orderly exit
from the organization.
 Asset Management (A.8): Responsibility for assets, classification of information and handling of
media, so that organizational assets are appropriately identified and protected.
 Access Control (A.9): Business requirements of access control, user access management, user
responsibilities, and system and application access control, to prevent unauthorized access to
information systems, networks and applications.
 Cryptography (A.10): Cryptographic controls and key management.
 Physical and Environmental Security (A.11): Secure areas and equipment security, preventing
unauthorized physical access to the premises and loss, damage or theft of equipment.
 Operations Security (A.12): Operational procedures and responsibilities, protection from malware,
backup, logging and monitoring, control of operational software, technical vulnerability
management and information systems audit considerations.
 Communications Security (A.13): Network security management and information transfer, including
agreements with external parties.
 System Acquisition, Development and Maintenance (A.14): Security requirements of information
systems, security in development and support processes, and protection of test data, to prevent
errors, loss, unauthorized modification or misuse of information in applications.
 Supplier Relationships (A.15): Information security in supplier relationships and supplier
agreements, and supplier service delivery management.
 Information Security Incident Management (A.16): Timely reporting and communication of
information security events and weaknesses, and consistent handling of incidents with lessons
learned.
 Information Security Aspects of Business Continuity Management (A.17): Information security
continuity and redundancies, to counteract interruptions to the business, protect critical
business processes from the effects of major failures or disasters, and ensure timely resumption.
 Compliance (A.18): Compliance with legal and contractual requirements and with the security
policy and standards, verified through information security reviews.
6 Planning
6.1 Actions to address risks and opportunities

6.1.1 General

When planning for the information security management system, XXX shall consider the issues
referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities
that need to be addressed to:

1. Ensure the information security management system can achieve its intended outcome(s);
2. Prevent, or reduce, undesired effects; and
3. Achieve continual improvement.

XXX shall plan:

1. Actions to address these risks and opportunities; and
2. How to
1. Integrate and implement the actions into its information security management
system processes; and
2. Evaluate the effectiveness of these actions.

6.1.2 Information security risk assessment

XXX shall define and apply an information security risk assessment process that:

1. establishes and maintains information security risk criteria that include:
1. the risk acceptance criteria; and
2. criteria for performing information security risk assessments;
2. ensures that repeated information security risk assessments produce consistent, valid and
comparable results;
3. identifies the information security risks:
1. apply the information security risk assessment process to identify risks associated
with the loss of confidentiality, integrity and availability for information within the
scope of the information security management system; and
2. identify the risk owners;
4. analyses the information security risks:
1. assess the potential consequences that would result if the risks identified were to
materialize;
2. assess the realistic likelihood of the occurrence of the risks identified; and
3. determine the levels of risk;
5. evaluates the information security risks:
1. compare the results of risk analysis with the risk criteria established; and
2. prioritize the analyzed risks for risk treatment.

XXX shall retain documented information about the information security risk assessment process.
6.1.3 Information security risk treatment

XXX shall define and apply an information security risk treatment process to:

a) select appropriate information security risk treatment options, taking account of the
risk assessment results;
b) determine all controls that are necessary to implement the information security risk
treatment option(s) chosen; XXX can design controls as required, or identify them from any source;
c) compare the controls determined in b) above with those in Annex A of the standard
ISO 27001:2013 and verify that no necessary controls have been omitted;

NOTE 1 Annex A of the standard ISO 27001:2013 contains a comprehensive list of control
objectives and controls. Users of this International Standard are directed to Annex A of the standard
ISO 27001:2013 to ensure that no necessary controls are overlooked.
NOTE 2 Control objectives are implicitly included in the controls chosen. The control objectives
and controls listed in Annex A of the standard ISO 27001:2013 are not exhaustive and additional
control objectives and controls may be needed.

d) produce a Statement of Applicability that contains the necessary controls and the justification
for inclusions, whether they are implemented or not, and the justification for exclusions of
controls from Annex A;
e) formulate an information security risk treatment plan; and
f) obtain risk owners’ approval of the information security risk treatment plan and acceptance
of the residual information security risks.

XXX shall retain documented information about the information security risk treatment process.

The details of the RA process can be found in ‘PROCEDURE FOR RISK ASSESSMENT
AND TREATMENT’. The outputs of the RA process include:

 Risk Assessment Report
 Risk Treatment Plan
 Statement of Applicability (inclusions with rationale / exclusions with justification)

Based on the RA report, the Information System Security Committee prepares the RTP, which includes
the selection of controls. XXX then obtains management approval for RTP implementation and
acceptance of the residual risk.
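The risk assessment and treatment steps of 6.1.2 and 6.1.3 (fixed risk criteria, identification of risks with their owners, analysis, evaluation against the acceptance criteria, prioritisation, treatment, the Statement of Applicability, and risk-owner acceptance of residual risk) as a small worked example in Python. This is an added illustration and is not code from the manual or from the organisation it describes; the ordinal scales, the acceptance level of 8, the treatment options, the Annex A references and every entry in the sample register are constructed assumptions for the example, not values taken from the RART procedure.

```python
from dataclasses import dataclass, field
from typing import Optional

# Risk criteria (6.1.2 a): fixed ordinal scales so that repeated assessments
# give consistent, comparable results. Scales and the acceptance level are
# assumptions for this example, not values from the manual.
ASSET_VALUE = {"low": 1, "medium": 2, "high": 3}
LIKELIHOOD = {"rare": 1, "possible": 2, "likely": 3}
CONSEQUENCE = {"minor": 1, "moderate": 2, "severe": 3}
RISK_ACCEPTANCE_LEVEL = 8  # levels above this must be treated or explicitly accepted
TREATMENT_OPTIONS = ("modify", "retain", "avoid", "share")


@dataclass
class Risk:
    """One row of the risk register (6.1.2 c: the risk and its owner)."""
    risk_id: str
    asset: str
    asset_value: str
    threat: str
    vulnerability: str
    affects: str                  # property at risk: C, I or A
    likelihood: str
    consequence: str
    risk_owner: str
    treatment: str = "retain"
    controls: list = field(default_factory=list)  # Annex A references (assumed)
    residual_likelihood: Optional[str] = None     # expected after treatment
    residual_consequence: Optional[str] = None
    owner_accepted: bool = False                  # risk owner signed off residual risk


def risk_level(asset_value: str, likelihood: str, consequence: str) -> int:
    """Analysis (6.1.2 d): level = asset value x likelihood x consequence, range 1..27."""
    return ASSET_VALUE[asset_value] * LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]


def evaluate(risk: Risk) -> dict:
    """Evaluation (6.1.2 e) plus consistency checks on the chosen treatment (6.1.3)."""
    inherent = risk_level(risk.asset_value, risk.likelihood, risk.consequence)
    if risk.treatment == "avoid":
        residual = 0  # the risk-bearing activity is not carried out at all
    else:
        residual = risk_level(
            risk.asset_value,
            risk.residual_likelihood or risk.likelihood,
            risk.residual_consequence or risk.consequence,
        )
    findings = []
    if risk.treatment not in TREATMENT_OPTIONS:
        findings.append(f"unknown treatment option '{risk.treatment}'")
    if risk.treatment == "modify" and not risk.controls:
        findings.append("treatment is 'modify' but no controls are recorded")
    if residual > RISK_ACCEPTANCE_LEVEL and not risk.owner_accepted:
        findings.append("residual risk above acceptance level and not accepted by risk owner")
    return {"risk_id": risk.risk_id, "inherent": inherent, "residual": residual,
            "acceptable": residual <= RISK_ACCEPTANCE_LEVEL, "findings": findings}


def prioritize(register) -> list:
    """Order risk IDs for treatment, highest inherent level first (6.1.2 e 2)."""
    scored = [(evaluate(r)["inherent"], r.risk_id) for r in register]
    return [rid for _, rid in sorted(scored, key=lambda t: (-t[0], t[1]))]


def statement_of_applicability(register, candidate_controls) -> dict:
    """Draft SoA (6.1.3 d): a control is justified by the risks it treats; a control
    no treated risk references is flagged for an exclusion justification, not dropped."""
    soa = {}
    for ctrl in candidate_controls:
        justified_by = sorted(r.risk_id for r in register if ctrl in r.controls)
        if justified_by:
            soa[ctrl] = {"applicable": True, "justification": "treats " + ", ".join(justified_by)}
        else:
            soa[ctrl] = {"applicable": False, "justification": "exclusion justification required"}
    return soa


# Constructed sample register; assets, owners, controls and ratings are illustrative only.
SAMPLE_REGISTER = [
    Risk("R-01", "customer database server", "high", "unauthorised access",
         "shared administrator password", "C", "likely", "severe", "Manager IT",
         treatment="modify", controls=["A.9.2.3", "A.9.4.3"],
         residual_likelihood="rare", residual_consequence="moderate"),
    Risk("R-02", "backup tapes", "medium", "theft in transit", "unencrypted media",
         "C", "possible", "moderate", "System Administrator", treatment="retain"),
    Risk("R-03", "internet link", "medium", "ISP outage", "single upstream link",
         "A", "likely", "moderate", "Manager IT Networks", treatment="modify"),
    Risk("R-04", "legacy fax server", "low", "interception", "cleartext transmission",
         "C", "possible", "minor", "Admin Assistant", treatment="avoid"),
]
SAMPLE_CONTROLS = ["A.8.3.1", "A.9.2.3", "A.9.4.3", "A.10.1.1", "A.17.2.1"]

if __name__ == "__main__":
    for rid in prioritize(SAMPLE_REGISTER):
        print(evaluate(next(r for r in SAMPLE_REGISTER if r.risk_id == rid)))
    for ctrl, row in statement_of_applicability(SAMPLE_REGISTER, SAMPLE_CONTROLS).items():
        print(ctrl, row)
```

Running it lists R-01 (level 27, residual 6 after the two access-control controls) first and R-03 (level 12) second; R-03 is the one that fails evaluation, because it is marked "modify" with no controls recorded and its residual level still exceeds the acceptance level without the risk owner's acceptance, which is exactly the gap an internal audit of the RTP would raise. The draft SoA marks only A.9.2.3 and A.9.4.3 as applicable and leaves the other candidate controls flagged for an explicit exclusion justification rather than silently omitting them.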

6.2 Information security objectives and planning to achieve them

XXX shall establish information security objectives at relevant functions and levels. The
information security objectives shall:

 be consistent with the information security policy;
 be measurable (if practicable);
 take into account applicable information security requirements, and results from risk
assessment and risk treatment;
 be communicated; and
 be updated as appropriate.

XXX shall retain documented information on the information security objectives. Following are
the ISMS Objectives established by senior management:

ISMS Objectives

1. Protect information from deliberate or unintentional unauthorized acquisition or
unauthorized access
2. Maintain confidentiality of information.
3. Maintain integrity of information by protecting it from unauthorized modification.
4. Availability of information to authorized users when needed
5. Meet regulatory and legislative requirements
6. Produce, maintain and test Business Continuity plans as far as practicable.
7. Train all staff on information security
8. Report and investigate all breaches of information security and suspected weaknesses
9. Monitor the Risk Treatment Plan and measure the effectiveness of selected controls.

When planning how to achieve its information security objectives, the organization shall monitor:

 Uptime of servers and networks
 Achievement of the planned preventive maintenance schedule
 Closure of non-conformities within the defined time frame
 Conduct of the defined number of awareness programs as per the process
 Monitoring of security incidents as per the incident management process
 Mock drills of the BCP as per the process and achievement of targets
 Review of risks as per the defined process and closure of actions from the last review.

A template is defined for each of these, and the frequency and thresholds for each are defined in
the template. For monitoring and analysis:

1. Monitoring and measurement of the controls shall be done as per the process mentioned in the
template.
2. The System Administrator shall either monitor and measure the controls himself or make one of
the data center employees responsible for doing so.
3. The results from monitoring and measurement shall be analysed and evaluated at least on a
monthly basis. The analysis may be brought forward depending on exigencies, and the System
Administrator shall decide this.
4. The System Administrator shall analyse and evaluate these results.

7 Support
7.1 Resources

The management provides resources for the implementation, maintenance, and review of the ISMS.
The resources include funds, tools, human resources and any other resources that may be required
for the efficient performance of the ISMS. Periodically, XXX evaluates resource requirements
for improvements in security infrastructure based on the RA and review / audit records. Based on the
resource requirements, the Management approves and allocates the required resources.

7.2 Competence

Personnel who have experience and expertise in the application domain and in information security
concepts are assigned to manage the ISMS. Whenever feasible, experienced individuals are available
and allocated appropriate responsibilities. When the required levels of skill and expertise are not
available, training is provided to ensure skill/knowledge enhancement as per the XXX training
process. ISMS training should form an integral part of the training curriculum of the HR Dept. in
association with the Co-ordination Team. Refer ‘PR-10-TRA-Training Process’.

 Identifying what training is needed, and how frequently, for specific positions.
 Identifying qualified individuals/agency to conduct the training program.
 Organizing the training program.
 Maintaining attendance records, course outlines and course feedback of all trainings
conducted.

The XXX maintains records of all training programs as mentioned in the training process.

7.3 Awareness

Persons doing work under the organization’s control shall be aware of:

 the information security policy;
 their contribution to the effectiveness of the information security management system,
including the benefits of improved information security performance;
 the implications of not conforming to the information security management system
requirements; and
 all updates in organization policies and procedures which are relevant to their job function.

7.4 Communication

Users shall be made aware of the information security risks of exchanging information through
voice, email, fax and video communication facilities.

| What to communicate | When to communicate | With whom to communicate | Who shall communicate | Processes by which communication shall be effected |
|---|---|---|---|---|
| Technical Matters | To seek clarification, communicate execution and discuss options of delivery | Customer | Delivery Manager / Technical Lead | Email / Video Call / Phone |
| Non-Technical Business Development | When communicating upgrades / updates and offers of NST | Customer | Account Manager | Email / Video Call / Phone |
| Financial Information such as Invoices, Payment reminder, Proposal, upgrade offer etc. | As and when the event takes place | Customer | Accounts Manager | Email / Video Call / Phone |
| Technical Matters | To get the action initiated on completion of delivery | Accounts Manager / Business Head | Delivery Manager / Technical Lead | Email / Video Call / Phone |
| Performance Report | Monthly / quarterly | Business Head | Account Manager and Delivery Manager | PPT / Word / Excel – Email / Phone |
| Technical Matters | As and when the event takes place | Project Manager | Developer / Tester | PPT / Word / Excel – Email / Phone |
| Network Security Matters | As and when the event takes place | Employees | IT Team | Email / Phone / Face to Face |
| Server Security Matters | As and when the event takes place | Employees | IT Team | Email / Phone / Face to Face |
| Application Security Matters | As and when the event takes place | Employees | IT Team or PM | Email / Phone / Face to Face |
| Physical Security Matters | As and when the event takes place | Employees | Admin | Email / Phone / Face to Face |

7.5 Documented information

7.5.1 General

The organization’s information security management system shall include:

1. Documented information required by this International Standard; and
2. Documented information determined by the organization as being necessary for the
effectiveness of the information security management system.

NOTE: The extent of documented information for an information security management system can
differ from one organization to another due to:
1. The size of organization and its type of activities, processes, products and services;
2. The complexity of processes and their interactions; and
3. The competence of persons.

7.5.2 Creating and updating

When creating and updating documented information the organization shall ensure appropriate:

1. Identification and description (e.g. a title, date, author, or reference number);
2. Format (e.g. language, software version, graphics) and media (e.g. paper, electronic); and
3. Review and approval for suitability and adequacy.

7.5.3 Control of documented information

Documented information required by the information security management system and by this
International Standard shall be controlled to ensure:

1. it is available and suitable for use, where and when it is needed; and
2. it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of
integrity).

For the control of documented information, the organization shall address the following
activities, as applicable:

1. distribution, access, retrieval and use;
2. storage and preservation, including the preservation of legibility;
3. control of changes (e.g. version control); and
4. retention and disposition.

Documented information of external origin, determined by the organization to be necessary for the
planning and operation of the information security management system, shall be identified as
appropriate, and controlled. Access implies a decision regarding the permission to view the
documented information only, or the permission and authority to view and change the documented
information, etc. To meet the requirements of 7.5, the documentation structure of the Information
Security Management System is as detailed below. The components of ISMS documentation are:

Level – 0 (Corporate Information System Security Policy): The top-level security policy of XXX.
Level – 1 (ISMS Manual): This document includes the requirements of the ISO/IEC 27001:2013
standard and describes how the defined ISMS meets them. The document details XXX’s approach
towards management and implementation of the ISMS.
Level – 2 (Supporting Policies & Guidelines): A complete set of supporting technical policies and
guidelines as identified and defined by XXX within the scope of the ISMS.
Level – 3 (Procedures and Processes): Contains processes and procedures required for
implementing and supporting the defined policies and guidelines.
Level – 4 (Templates and Forms): XXX standard templates/forms used in the processes /
procedures. These are used to streamline the operation of the ISMS and form a basis for records.

Control of Documents

All documents related to ISMS requirements are controlled as per CP-03-ISMS-DRM-Document
& Record Management Procedure. This includes:

 Review and approval of documents for adequacy prior to issue / use
 Updating, review and approval of necessary changes in controlled documents
 Availability of current revisions of necessary documents
 Withdrawal of obsolete documents from all points of issue or use to guard against
unintended use
 All security documents are available on the Intranet for reference and use based on
need-to-know requirements
 Any document, if printed, is considered obsolete. However, this excludes all the documents
related to the ‘Business Continuity Plan’.

Control of Records

Records are identified within each procedure in the ISMS to provide evidence of conformance to
requirements and effective functioning of the ISSC. Master list of records is maintained. Refer ‘List
of Format-Content Master’. Other attributes shall be as per ‘PO-12-ISMS-CLH-Information
Classification, Labeling and Handling Policy.docx’

8 Operation
8.1 Operational planning and control

8.1.1 Implement and Operate the ISMS

The selected control objectives and controls that are part of the RTP are implemented effectively in XXX
and are also capable of enabling prompt detection of and response to security incidents.
XXX ensures that proper training and awareness on ISMS are conducted, and appropriate resources
are assigned to manage ISMS. XXX maintains a suitable matrix of risk / incidence reduction
against its major controls identified every year for monitoring purposes to ensure effectiveness of
selected controls. Logs of risk reduction and/or incidence reduction are maintained for results
comparison and reproduction.

8.1.2 Monitor and Review the ISMS

XXX ensures that the ISMS is properly monitored and reviewed periodically.

1. For monitoring incidents, XXX has a well-defined Incident Management Procedure,
which ensures that all problems and errors identified during processing of any information are
handled promptly and effectively, and that any breach of security is appropriately addressed. Refer
‘ISMS-IMP-Incident Management Process’.
2. A process for conducting Management Reviews and an audit procedure for the ISMS exist. The
focus of the review is to ensure that the ISMS is effective, and that all policies, controls and security
objectives are in line with business requirements. The audit focuses on the compliance of
XXX’s practices with those defined in the ISMS. Refer ‘SEPG & ISMS Plan’.
3. The Information System Security Committee reviews the level of residual and acceptable risks
based on changes in the deployed technology, new threats and vulnerabilities, and
business objectives. Refer ‘CP-05-ISMS-RART-Risk Assessment & Risk Treatment
Procedure’.
4. The controls are monitored at appropriate intervals against the logs generated to arrive at
the current risk exposure. This is compared with the previous risk level to verify the
effectiveness of controls. Refer ‘CEM-Control Effectiveness Measurement Process’.

8.1.3 Maintain and Improve the ISMS

Based on the review reports and audit findings, appropriate corrective and preventive actions, as
approved by the Information System Security Committee are implemented and incorporated into
the ISMS. Inputs for improvement can be from:

 Audit Reports
 Management Review Reports
 Incident Reports
 RA report
 Business Changes (Objectives, process, industry practices, legal/regulatory, etc)
 Environmental Change (New threats and vulnerabilities, technology Changes, etc.)

XXX maintains all inputs in an improvement database available for internal use. XXX
consolidates the inputs and reviews the ISMS for applicable improvements. For changes to be
made, XXX prepares an action plan and communicates the results to all interested/affected parties.
All improvements should be directed towards predefined organizational business objectives.

8.2 Information security risk assessment

The organization shall perform information security risk assessments at planned intervals or when
significant changes are proposed or occur, taking account of the criteria established. The
organization shall retain documented information of the results of the information security risk
assessments.

8.3 Information security risk treatment

The organization shall implement the information security risk treatment plan. The organization
shall retain documented information of the results of the information security risk treatment.

9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation

XXX shall evaluate the information security performance and the effectiveness of the
information security management system. XXX shall determine:

1. what needs to be monitored and measured, including information security processes and
controls;
2. the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure
valid results;
3. the details of what needs to be measured are given in. The methods selected should produce
comparable and reproducible results to be considered valid;
4. monitoring and measurement of the controls shall be done on a daily basis;
5. the System Administrator shall either carry out monitoring and measurement of controls himself
or make one of the data center employees responsible for it;
6. the results from monitoring and measurement shall be analyzed and evaluated at least on a
monthly basis; the System Administrator may decide to carry out this analysis earlier depending on
exigencies; and
7. the System Administrator shall analyze and evaluate these results.

XXX shall retain appropriate documented information as evidence of the monitoring and
measurement results. The templates in which this evidence is maintained are defined in ‘ISMS-
CEM-Control Effectiveness Measurement Process.docx’.

9.2 Internal Audits

MR conducts internal ISMS audits quarterly to verify adherence to the ISMS. The audits are
conducted to ensure that the ISMS:

 Conforms to the requirements of the ISO/IEC 27001:2013 standard
 Complies with relevant legal, statutory and contractual requirements
 Conforms to the identified information security requirements
 Is effectively implemented and maintained
 Performs as expected

Security audits are conducted in accordance with the audit procedure defined in ‘NST-CP-06-
ISMS-IAP-Internal Audit Procedure’. Trained personnel who do not have direct responsibility for the
activity being audited shall conduct the audits. MR, with the help of the HODs, will ensure that any
non-conformance found is closed. MR is responsible for planning, scheduling, organizing and
maintaining records of these audits.

9.3 Management Review

Top management shall review information security management system once every three months,
or on an event-driven basis, to ensure its continuing suitability, adequacy and effectiveness. The
management review shall include consideration of:

1. The status of actions from previous management reviews;
2. Changes in external and internal issues that are relevant to the information security
management system;
3. Feedback on the information security performance, including trends in:
   1. nonconformities and corrective actions;
   2. monitoring and measurement results;
   3. audit results; and
   4. fulfilment of information security objectives;
4. Feedback from interested parties;
5. Results of risk assessment and status of the risk treatment plan; and
6. Opportunities for continual improvement.

The outputs of the management review shall include decisions related to continual improvement
opportunities and any needs for changes to the information security management system. XXX
shall retain documented information as evidence of the results of management reviews.

10 Improvement
10.1 Non conformity and Corrective Action

When a nonconformity occurs, XXX shall:

1. react to the nonconformity, and as applicable:
   1. take action to control and correct it; and
   2. deal with the consequences;
2. evaluate the need for action to eliminate the causes of the nonconformity, in order that it does
not recur or occur elsewhere, by:
   1. reviewing the nonconformity;
   2. determining the causes of the nonconformity; and
   3. determining if similar nonconformities exist, or could potentially occur;
3. implement any action needed;
4. review the effectiveness of any corrective action taken; and
5. make changes to the information security management system, if necessary.

Corrective actions shall be appropriate to the effects of the nonconformities encountered. The
organization shall retain documented information as evidence of:

1. The nature of the nonconformities and any subsequent actions taken, and
2. The results of any corrective action.

A procedure is defined for implementing and tracking corrective action. Refer ‘CAPA-
Corrective & Preventive Action Procedure’.

10.2 Continual Improvement

XXX is responsible for continual improvement of the ISMS for suitability and effectiveness. Inputs
to continual improvement can be:

 Change in security policies and objectives
 Audit results and Management Review Reports
 Incident Reports
 Analysis of monitored events
 Corrective and Preventive Actions
 Business Changes
 Environmental Change (new threats and vulnerabilities)
 Best practices of industry

11 ISMS Controls
This section describes the selection and implementation of controls by XXX. The control objectives
and controls listed in this section are directly derived from the ISO/IEC 27001:2013 standard, based
on ‘Section 5.3.1 – Security Domains addressed in ISMS’ of this document. Controls applicable
to XXX have been mentioned and addressed in this section. Controls not applicable to XXX are
mentioned in this section, with the exclusion and its justification given in the SOA. Refer ‘ISO27001-2013-
SOA-V2.0.xlsx’.

A.5 Information Security policies

The Information Security Policy establishes requirements to ensure that information security
controls remain current as business needs evolve and technology changes. This policy is published
and communicated to all employees and relevant external parties.

A.5.1 Management Direction for Information Security

The Chief Information Officer is responsible for establishing, issuing and monitoring information
security policies.

Control Objective: To provide management direction and support for information security in
accordance with business requirements and relevant laws and regulations.

A.5.1.1 Information Security Policy Document

A Corporate Information System Security Policy document approved by the management
exists. The Information security policy has been published and communicated to all employees of XXX
through the Intranet and mails, training and induction programs. The Information Security Policy
contains operational policies, standards, guidelines and metrics intended to establish minimum
requirements for the secure delivery of our products/services. Secure service delivery requires the
assurance of confidentiality, integrity, availability and privacy of information assets through:

 Management and business processes that include and enable security processes;
 Ongoing employee awareness of security issues;
 Physical security requirements for information systems;
 Governance processes for information technology;
 Defining security responsibilities;
 Identifying, classifying and labelling assets;
 Ensuring operational security, protection of networks and the transfer of information;
 Safe-guarding assets utilized by third parties;
 Reporting information security incidents and weaknesses;
 Creating and maintaining business continuity plans; and,
 Monitoring for compliance.

The Chief Information Officer recognizes that information security is a process, which to be
effective, requires executive and management commitment, the active participation of all
employees and ongoing awareness programs.

A.5.1.2 Review of the policies for information security

The Information Security Policy must be reviewed on an annual basis and updated when required.
The Purpose is to ensure information security policies remain current with evolving business
needs, emerging risks and technological changes.

XXX is responsible for the creation, maintenance and updating of the policy. The Information System
Security Committee approves the policy prior to release. The review and evaluation of the ISMS policy
is conducted at least once a year. The review guidelines state that the policy is to be reviewed
against its effectiveness, compliance with business processes, and compliance with technology changes.
The Chief Information Officer is responsible for reviewing information security policies, standards
and guidelines on an annual basis. Policy and standards reviews must be initiated:

 In conjunction with legislative, regulatory or policy changes which have information
security implications;
 During planning and implementation of new or significantly changed technology;
 Following a Security Threat and Risk Assessment of major initiatives (e.g., new
information systems or contracting arrangements);
 When audit reports or security risk and controls reviews identify high risk exposures
involving information systems;
 If threat or vulnerability trends produced from automated monitoring processes indicate the
probability of significantly increased risk;
 After receiving the final report of investigation into information security incidents;
 Prior to renewing third party access agreements which involve major programs or services;
 When industry, national or international standards for information security are introduced
or significantly revised to address emerging business and technology issues; and,
 When associated external agencies (e.g., Information and Privacy Commissioner, Ministry
on Information Technology) issue reports or identify emerging trends related to information
security.

A.6 Organization of Information Security

This describes the management structure needed to coordinate information security activities,
including who coordinates them and what agreements are required. Coordination of information
security activities requires the support of a network of contacts in the information security
community to elicit advice, monitor trends and deal with other external factors.

A.6.1 Internal organization

Control Objective: To manage information security within XXX.

A.6.1.1 – Information Security Roles and responsibilities

The Purpose is to ensure employees are informed of their information security roles and
responsibilities. Security roles and responsibilities of employees, contractors and third party users
are defined and documented in accordance with the organization’s information security policy.
Security roles and responsibilities for employees must be documented.
a) Security roles and responsibilities
b) Communication of security roles and responsibilities

a) Security roles and responsibilities

Employees must be aware of their information security roles and responsibilities. Information
Owners and Information Custodians must:
 Document information security roles and responsibilities for employees in job descriptions,
standing offers, contracts, and information use agreements where relevant; and,
 Review and update information security roles and responsibilities when conducting staffing
or contracting activities.

b) Communication of security roles and responsibilities

Supervisors must ensure employees are informed of their security roles and responsibilities by
establishing processes for communicating security roles and responsibilities to protect information
assets.

A.6.1.2 – Segregation of duties

The Purpose is to reduce the risk of loss, fraud, error and unauthorized changes to information. In
XXX, duties have been segregated in order to reduce the risk of accidental or deliberate system
misuse. Different individuals are responsible for their respective areas, and where an area rests with
a single individual, controls exist so that fraud cannot go undetected. The different areas and their
associated responsibilities are defined as per Roles and Responsibilities. Day-to-day administration
and maintenance of the IT infrastructure is done by the IT Department, and HOF/IT reviews the
various logs and conducts periodic VA. Duties and areas of responsibility must be segregated to
reduce opportunities for unauthorized or unintentional modification or misuse of information
systems.
a) Segregation of duties
b) Critical or sensitive information systems.

a) Segregation of duties
Information Owners must reduce the risk of disruption of information systems by:

 Requiring complete and accurate documentation for every information system;
 Requiring that no single individual has access to all operational functions of an information
system (e.g., operating system administrators must not also have application administrator
privileges);
 Rotating job duties periodically to reduce the opportunity for single individuals to have sole
control and oversight on key systems;
 Automating functions to reduce the reliance on human intervention for information
systems;
 Requiring that individuals authorized to conduct sensitive operations do not audit the same
operations;
 Requiring that individuals responsible for initiating an action are not also responsible for
authorizing that action; and,
 Implementing security controls to minimize opportunities for collusion.

b) Critical or sensitive information systems

Where supported by a Security Threat and Risk Assessment or other formal assessment,
Information Owners must employ two-person access control to preserve the integrity of the
information system.

A.6.1.3 – Contact with authorities

The Purpose is to facilitate timely response from and co-ordination with outside authorities during
information security incidents or investigations. Appropriate contacts shall be maintained with
local law enforcement authorities and emergency support employees. Appropriate contacts/
agreements are maintained with the following, but not limited to:

| Services | Responsibility |
|---|---|
| Internet Service Provider (ISP) | Head/IT |
| Hardware Maintenance contracts | Head/IT |
| Telecom services department | Head/IT |
| Electricity services department | Admin/HR |
| Local Enforcement Agencies like Police, Fire | Admin/HR |

Responsibility for any other services which fall under the purview of Information Security, but are not
mentioned above, is assigned to Head/IT. This is necessary to ensure that appropriate actions can
be promptly taken, and advice obtained, in the event of any security incident. The organization’s legal
department is consulted for all third party contracts and agreements. The Chief Information
Security Officer must ensure that outside authorities and emergency support employees can be
contacted by:

 Maintaining and distributing as appropriate, a list of internal and external organizations and
service providers.
 Documenting emergency and non-emergency procedures for contacting authorities as
required during information security incidents or investigations.

A.6.1.4 – Contact with special interest groups

The Purpose is to promote and further employee knowledge of information security industry trends,
best practices, new technologies and threats or vulnerabilities. Appropriate contacts shall be
maintained with specialist security forums and professional associations. Information security
advice is obtained from vendors, legal advisors and technical experts on security matters to
maximize the effectiveness of the ISMS. Internally MR shall act as Security Advisor. External
advice shall only be sought by MR if required. All security incidents and breaches are reported to
MR for necessary corrective and preventive actions. Information security specialists must maintain
their knowledge of information security industry trends, best practices, new technologies and
threats or vulnerabilities by:

 Participating in information exchange forums regarding best practices, industry standards
development, new technologies, threats, vulnerabilities, early notice of potential attacks,
and advisories;
 Maintaining and improving knowledge regarding information security best practices; and
 Creating a support network of other security specialists.
The Chief Information Security Officer must promote professional certification and membership
in professional associations for information security specialists throughout the organization.

A.6.1.5 – Information Security in Project Management

The Purpose is to ensure that information security risks are identified and addressed throughout the
project life-cycle. Where projects involve information or information technology assets, information
security is addressed in project planning and project management. Information Owners and
Information Custodians must integrate information security into every phase of the organization’s
project management method(s) to ensure that information security risks are identified early and
addressed as part of the entire project. The project management methods in use should require
that:

 Information security objectives are included in project objectives;
 An information Security Threat and Risk Assessment is conducted at an early stage of the
project to identify necessary controls;
 Information security is part of all phases of the applied project methodology.

Information security implications should be reviewed regularly in all projects. Responsibilities for
information security should be defined and allocated to specified roles defined in project
management methods.

A.6.2 Mobile Devices and Teleworking

Control Objective: To ensure information security when using mobile computing and teleworking
facilities.

A.6.2.1 – Mobile Device Policy

The Purpose is to protect information stored on mobile devices from loss or unauthorized access.
XXX has a well-defined policy and guidelines on the use of laptops. Refer ‘PR-17-ISMS-AHP-
Asset Handling Process.docx’. Appropriate controls must be implemented to mitigate security risks
associated with the use of mobile devices.
a) Information protection paramount
b) Service-specific risks and practices
c) Protection of credentials
d) Protection of network endpoint and physical device
e) Human factors
f) Risk assessment factors

a) Information protection paramount

The use of mobile devices such as laptops, tablets or smartphones to access, store, or process
information increases the risk of information compromise. Mobile devices are typically small and
portable, used in uncontrolled public environments, and easily lost, stolen or damaged. Information
Owners must ensure that use of mobile devices is managed and controlled. To ensure that sufficient
safeguards are implemented to mitigate risks mobile devices must be enrolled in Mobile Device
Management Service. Users of mobile devices must protect the information and information
technology assets in their custody or control.

b) Service-specific risks and practices

Providers of mobile computing services (such as Technology Services Division) must perform
regular risk assessments to identify service-specific risks (e.g., perform or update the risk
assessments on an annual basis). Information Owners and Information Custodians must develop,
document and maintain policies, standards, practices and guidelines that address these risks, and
communicate them to employees.

c) Protection of credentials
User identifiers and user credentials must be protected to reduce the risk of unauthorized access to
information and information technology assets. In particular, employees must protect against visual
eavesdropping of passwords, PINs and other credentials, especially when in public places.

d) Protection of network endpoint and physical devices

Mobile devices are typically used to store information or to remotely access networks and
services. The policies and procedures governing remote access apply to mobile devices. Where
Remote Access services are used, the mobile device must be configured to prevent its use as a
conduit between different networks (e.g., VPN split tunneling must be disabled). Network
access to mobile devices from unauthorized networks must be blocked by implementing
firewall or filtering technologies to protect against attack (e.g., to prevent network attacks against
the mobile device). Mobile devices must be protected against mobile and malicious code. Mobile
devices must be locked and/or secured when unattended to prevent unauthorized use or theft (e.g.,
use device locks, cable locks, physical container locks, PINs or screensaver locks).

e) Human factors
Information Owners and Information Custodians must provide employees using mobile devices
with security awareness training to ensure that they are:

 Aware of the additional risks and responsibilities inherent in mobile computing and when
using mobile devices;
 Familiar with operation of the protection technologies in use; and,
 Familiar with the Information Incident Management Process.

f) Risk assessment factors

The Security Threat and Risk Assessment must consider threats to information and information
technology assets, such as:

 Physical theft;
 Use of mobile devices to remotely access the networks and systems;
 Data interception;
 Credential theft;
 Unauthorized device use;
 Device disposal;
 Information disposal.
