Doc01 - ISO 27001-2013 ISMS Manual TOP
1 Introduction
This section presents the Scope of the Information Security Management System (ISMS). This
includes the purpose and the application of ISMS.
1.0 Scope
The Scope of the ISMS covers XXX, its Server Room and its management related to business
applications, to implement the IT services provided to internal and external customers from its
office location at XXXXXXX.
1.1 General
This ISMS manual specifies the requirements for establishing, implementing, monitoring,
reviewing, maintaining, and improving a documented ISMS within the context of XXX's overall
business requirements. It specifies the implementation of security controls customized to the needs
of XXX.
The ISMS is designed to ensure adequate and appropriate security controls that maintain
Confidentiality, Integrity and Availability (CIA) of information assets.
For the applicability (with rationale) and exclusion (with justification) of controls, refer to the
Statement of Applicability (SOA). The SOA applicable to XXX is enclosed. As certain controls are
not applicable at project sites, a project-site-specific SOA is also prepared.
1.2 References
The following documents were referred for the creation of this document. These include:
The ISMS manual is intended as a reference document describing the security framework adopted
by XXX. It is organized as per the Table of Contents.
This document is available to all employees of XXX in the form of a web page on the intranet.
This is a read-only copy, and the relevant parts of the documentation are available only to
authorized users based on their business requirements.
It is the responsibility of XXX to release an approved document for XXX.
3 Organization Overview
This section presents an overview of XXX and its operations. XXX's mission is to fulfill the
promise of applying technology to enable the success of customers' businesses by performing at a
level of trust, partnership, and innovation that far exceeds what you have come to expect from
technology services providers. In the same way, we know that to achieve that aspiration we must
exceed what our professionals have come to expect from technology services employers.
4 Context of the Organization
4.1 Understanding the Organization and its Context
XXX shall determine external and internal issues that are relevant for delivering the services from
Server Room and Business Operation that affect its ability to achieve the intended results of ISMS.
The issues which are considered necessary for delivering the services to internal and external
stakeholders are given in the table after section 4.2.
1. Interested parties that are relevant to the ISMS: all customers (internal and external),
vendors supporting the infrastructure in the Server Room and other business operations, and all
employees providing services to or receiving services from the Server Room and other business
operations.
2. The requirements of these interested parties relevant to information security: the needs and
expectations of external as well as internal customers are considered as under, and will
be reviewed and updated over a period of time as part of continual improvement.
XXX shall establish, implement, maintain and continually improve an information security
management system in accordance with the requirements of ISO 27001:2013.
5 Leadership
This section presents the XXX’s initiative and commitment to effective implementation and
operation of ISMS. In addition, this section highlights the roles and responsibilities associated with
ISMS operation.
Top management shall demonstrate leadership and commitment with respect to the information
security management system by:
1. Ensuring the information security policy and the information security objectives are
established and are compatible with the strategic direction of the organization;
2. Ensuring the integration of the information security management system requirements into
the organization’s processes;
3. Ensuring that the resources needed for the information security management system are
available;
4. Communicating the importance of effective information security management and of
conforming to the information security management system requirements;
5. Ensuring that the information security management system achieves its intended
outcome(s);
6. Directing and supporting persons to contribute to the effectiveness of the information
security management system;
7. Promoting continual improvement; and supporting other relevant management roles to
demonstrate their leadership as it applies to their areas of responsibility.
XXX is committed to maintaining high quality standards in delivering timely and cost-effective
solutions to our customers by continual improvement of our processes, instilling quality
consciousness amongst all employees and recognizing the confidentiality, integrity and
availability of information assets to relevant stakeholders, including our customers. Risk
management will be done as per ‘CP-05-ISMS-RART-Risk Assessment & Risk Treatment
Procedure’, and risk will be evaluated based on asset value, threats and vulnerabilities. If the risk
value is high, adequate controls will be implemented.
Action Guideline:
1. XXX prevents leakage, destruction, and illegal use of all information relating to
customers, vendors, management etc. and builds the system to secure the confidentiality,
integrity and availability of the information for daily operations.
2. The Company recognizes the value of the private information of all staff and secures it.
3. XXX establishes a contingency plan to secure continuation of the business, assuming
occurrences of natural disaster, terrorism, a large-scale infectious disease etc.
4. The Company provides all staff with proper education and training to maintain and improve the
effectiveness of the information security management system.
5. The Company builds and manages an organization which captures incidents, audits its operations
and the effectiveness of the information security management system, and attempts its
continuous improvement.
To secure its information assets and those of its customers, XXX shall deploy procedures to
maintain the confidentiality, integrity and availability of all information assets.
3. Key Objective 3: Continual improvement of services to our internal & external customers.
Goal 1 – Key process performance improvement of at least 10% per annum in all
departments
4. Key Objective 4: To secure its information assets and of its customers, NST shall deploy
procedures to maintain confidentiality, integrity and availability of all information assets.
Goal 1 – Number of security incidents of high severity to be less than 5% of total security
incidents.
5. Key Objective 5: To have year on year revenue increase while maintaining profitability
Goal 1 – Revenue growth of >=40% with respect to the previous financial year
Goal 2 – Profit before Tax to be >=20%
To meet these business goals, ISMS objectives are defined, which are given in section 6.2.
XXX is committed to security. The management has constituted an Information System Security
Committee, which is responsible for defining and improving the ISMS. Management provides
evidence of its commitment to the establishment, implementation, operation, monitoring, review,
maintenance and improvement of the ISMS, as defined in the ISMS documentation, by:
1. Establishing an information security policy;
2. Ensuring that information security objectives and plans are established;
3. Establishing roles and responsibilities for information security;
4. Communicating to the organization the importance of meeting information security
objectives and conforming to the information security policy, its responsibilities under the
law and the need for continual improvement;
5. Providing sufficient resources to establish, implement, operate, monitor, review, maintain
and improve the ISMS;
6. Deciding the criteria for accepting risks and the acceptable level of risk;
7. Ensuring that internal ISMS audits are conducted;
8. Conducting management reviews of the ISMS.
1. SPONSOR
4. MANAGEMENT REPRESENTATIVE
5. MANAGER IT
Heading IT
Heading IT processes
Follow up daily tasks and tickets
Handling system security incidents and vulnerabilities
Handling virus attacks and hacking attacks and reporting them to Security Committee
Responsible for reviewing current implementation of policies and processes and
improving them if required
Responsible for reviewing any kind of hacking attacks and action taken to control them
Reviewing security audit reports and action taken to resolve NCs
Reviewing disciplinary action taken against employee (if there is any such case)
Review Backup audit reports and take action on it
Member of Security Committee
Managing IT resources
To review and prioritize significant information Assets and security threats
Incidents Reporting
6. Sr. Executive - HR
Heading HR Processes
Follow up daily tasks and HR Issues
Handling employee-related incidents (misconduct, policy violations and other offences),
taking appropriate action against employees if required and reporting them to the Security
Committee.
Taking care of human resource security clauses prior to employment, during employment
and on termination or change of employment.
7. Admin Assistant
8. MANAGER IT NETWORKS
9. System administrator
Ticket assignment
Ticket escalations from engineers
IMS Management
Data Backups
Server usage tracking
Helpdesk
Reports Management
11. Users
The Security Committee will meet once every month to support and supervise the activities of
NST (P) LTD., taking informed decisions. It will be held responsible for achieving measurable
progress. Process measurement metrics will be monitored to achieve continuous improvement.
Review, test and reassess the strategy plan to determine the overall approach to business continuity.
Responsible for reviewing security incidents and vulnerabilities and deciding the action to be
taken on them
Identify and define plans to protect critical business processes from major failures of
information systems or disasters and to ensure timely resumption of business activity
Carry out RA and prepare RTP
Note: Any two of the four members are required to carry out this activity.
In addition, the group helps reduce the risk of disruption of business operation by providing advice
on all aspects of security including:
Security Awareness
Data Confidentiality and Privacy
Logical Access
Data Communications
Systems and Data Integrity
Physical Security
Personal and Procedural Controls
Contingency and Disaster Recovery Planning
13. EMPLOYEES
Expected to follow security policy, processes, and procedures as documented in ISMS.
Security Policy (A.5): Management direction and support for IS in accordance with
business requirements and relevant laws and regulations.
Organization of Information Security (A.6): Maintain security of information within the
organization and its processing facilities that are accessed, processed, communicated to, or
managed by external parties.
Human Resources Security (A.7): Clear roles and responsibilities, IS awareness and
trainings, exiting the organization in an orderly manner.
Asset Management (A.8): To appropriately classify and protect the organizational assets.
Access Control (A.9): Prevent unauthorized access to information systems, networked
services, operating systems, application systems, and ensure IS when using mobile
computing and teleworking facilities.
Cryptography (A.10): Cryptographic controls.
Physical and Environmental Security (A.11): Preventing unauthorized physical access
to the premises and loss/damage/theft of equipment.
Operational Security (A.12): Ensuring secured networks, maintaining appropriate third-party
service delivery agreements, minimizing the risk of system failures, and protecting software
and information integrity.
Communication Security (A.13): Network communication, information transfer
and communication with suppliers.
Systems Acquisition, Development and Maintenance (A.14): Prevent errors, loss,
unauthorized modification or misuse of information in applications, ensure security of
system files and software, and reduce risks resulting from exploitation of published
technical vulnerabilities.
Supplier Relationship (A.15): Information security in supplier relationships and
supplier agreements.
Information Security Incident Management (A.16): Timely communication of IS events
and weaknesses and taking corrective actions.
Information Security Aspects of Business Continuity Management (A.17): Counteract
interruptions to business and protect critical business processes from the effects of major
failures or disasters, and ensure timely resumption.
Compliance (A.18): Complying with legal requirements, security policy and standards.
6 Planning
6.1 Actions to address risks and opportunities
6.1.1 General
When planning for the information security management system, XXX shall consider the issues
referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities
that need to be addressed to:
1. Ensure the information security management system can achieve its intended outcome(s);
2. Prevent, or reduce, undesired effects; and
3. Achieve continual improvement.
XXX shall define and apply an information security risk assessment process that:
XXX shall retain documented information about the information security risk assessment process.
6.1.3 Information security risk treatment
XXX shall define and apply an information security risk treatment process to:
1. select appropriate information security risk treatment options, taking account of the
risk assessment results;
2. determine all controls that are necessary to implement the information security risk
treatment option(s) chosen;
XXX can design controls as required, or identify them from any source.
3. compare the controls determined in 6.1.3 b) above with those in Annex A of the
standard ISO 27001:2013 and verify that no necessary controls have been omitted;
NOTE 1 Annex A of the standard ISO 27001:2013 contains a comprehensive list of control
objectives and controls. Users of this International Standard are directed to Annex A of the standard
ISO 27001:2013 to ensure that no necessary controls are overlooked.
NOTE 2 Control objectives are implicitly included in the controls chosen. The control objectives
and controls listed in Annex A of the standard ISO 27001:2013 are not exhaustive and additional
control objectives and controls may be needed.
4. Produce a Statement of Applicability that contains the necessary controls and justification
for inclusions, whether they are implemented or not, and the justification for exclusions of
controls from Annex A;
5. Formulate an information security risk treatment plan; and
6. Obtain risk owners’ approval of the information security risk treatment plan and acceptance
of the residual information security risks. The organization shall retain documented
information about the information security risk treatment process.
The details of the RA process are given in ‘PROCEDURE FOR RISK ASSESSMENT
AND TREATMENT’.
The outputs of the RA process include:
Based on the RA report, Information System Security Council prepares the RTP, which includes
selection of controls. The XXX then obtains management approval for RTP implementation and
acceptance of residual risk.
XXX shall establish information security objectives at relevant functions and levels. The
information security objectives shall:
XXX shall retain documented information on the information security objectives. Following are
the ISMS Objectives established by senior management:
ISMS Objectives
When planning how to achieve its information security objectives, the organization shall monitor
The templates for each of them are defined, and the frequency and thresholds for each are
defined in the template. For monitoring and analysis the following apply:
1. Monitoring and measurement of the controls shall be done as per the process mentioned in the
template.
2. The System Administrator shall either monitor and measure the controls himself or make one of
the data center employees responsible for it.
3. The results from monitoring and measurement shall be analyzed and evaluated at least on a
monthly basis. However, this analysis can be made earlier depending on the exigencies, and the
System Administrator shall decide the same; and
4. The System Administrator shall analyze and evaluate these results.
7 Support
7.1 Resources
The management provides resources for the implementation, maintenance, and review of the ISMS.
The resources include funds, tools, human resources and any other resources that may be required
for the efficient performance of the ISMS. Periodically, XXX evaluates resource requirements
for improvements in security infrastructure based on RA and review/audit records. Based on resource
requirements, the Management approves/allocates the required resources.
7.2 Competence
Personnel who have experience and expertise in the application domain and in information security
concepts are assigned to manage the ISMS. Whenever feasible, experienced individuals are available
and allocated appropriate responsibilities. When the required levels of skill and expertise are not
available, training is provided to ensure skill/knowledge enhancement as per the XXX training
process. ISMS training should form an integral part of the training curriculum of the HR Dept. in
association with the Co-ordination Team. Refer ‘PR-10-TRA-Training Process’, which covers:
Identifying what training is needed, and how frequently, for specific positions.
Identifying qualified individuals/agencies to conduct the training program.
Organizing the training program.
Maintaining attendance records, course outlines and course feedback of all trainings
conducted.
XXX maintains records of all training programs as mentioned in the training process.
7.3 Awareness
Persons doing work under the organization’s control shall be aware of:
7.4 Communication
Users shall be made aware about the risk of Information Security while exchanging information
through Voice, Email, Fax, and Video Communication facility.
What to communicate | When to communicate | With whom to communicate | Who shall communicate | Process by which communication shall be effected
Technical Matters | To seek clarification, communicate execution and discuss options of delivery | Customer | Delivery Manager / Technical Lead | Email / Video Call / Phone
Non-Technical Business Development | When communicating upgrades / updates and offers of NST | Customer | Account Manager | Email / Video Call / Phone
Financial Information such as Invoices, Payment reminders, Proposals, upgrade offers etc. | As and when the event takes place | Customer | Accounts Manager | Email / Video Call / Phone
Technical Matters | To get the action initiated on completion of delivery | Accounts Manager / Business Head | Delivery Manager / Technical Lead | Email / Video Call / Phone
Performance Report | Monthly / quarterly | Business Head | Account Manager and Delivery Manager | PPT / Word / Excel – Email / Phone
Technical Matters | As and when the event takes place | Project Manager | Developer / Tester | PPT / Word / Excel – Email / Phone
Network Security Matters | As and when the event takes place | IT Team | Employees | Email / Phone / Face to Face
Server Security Matters | As and when the event takes place | IT Team | Employees | Email / Phone / Face to Face
Application Security Matters | As and when the event takes place | IT Team or PM | Employees | Email / Phone / Face to Face
Physical Security Matters | As and when the event takes place | Admin | Employees | Email / Phone / Face to Face
7.5.1 General
NOTE: The extent of documented information for an information security management system can
differ from one organization to another due to:
1. The size of organization and its type of activities, processes, products and services;
2. The complexity of processes and their interactions; and
3. The competence of persons.
When creating and updating documented information the organization shall ensure appropriate:
Documented information required by the information security management system and by this
International Standard shall be controlled to ensure:
1. it is available and suitable for use, where and when it is needed; and
2. it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of
integrity).
For the control of documented information, the organization shall address the following
activities, as applicable:
Documented information of external origin, determined by the organization to be necessary for the
planning and operation of the information security management system, shall be identified as
appropriate, and controlled. Access implies a decision regarding the permission to view the
documented information only, or the permission and authority to view and change the documented
information, etc. To meet the requirement of 7.5, the documentation structure of Information
security management System is as detailed below:
The components of ISMS Documentation are:
Level 0 (Corporate Information System Security Policy): It is the top-level security policy of
XXX.
Level 1 (ISMS Manual): This document includes the requirements of the ISO/IEC 27001:2013
standard and describes how the defined ISMS meets them. The document details
XXX's approach towards management and implementation of the ISMS.
Level 2 (Supporting Policies & Guidelines): A complete set of supporting technical policies and
guidelines as identified and defined by XXX within the scope of the ISMS.
Level 3 (Procedures and Processes): Contains processes and procedures required for
implementing and supporting the defined policies & guidelines.
Level 4 (Templates and Forms): XXX standard templates/forms used in the processes/
procedures. These are used to streamline the operation of the ISMS and form a basis for records.
Control of Documents
Control of Records
Records are identified within each procedure in the ISMS to provide evidence of conformance to
requirements and effective functioning of the ISSC. Master list of records is maintained. Refer ‘List
of Format-Content Master’. Other attributes shall be as per ‘PO-12-ISMS-CLH-Information
Classification, Labeling and Handling Policy.docx’
8 Operation
8.1 Operational planning and control
Selected control objectives, and controls that are a part of RTP are implemented effectively in XXX
and they are also capable of enabling prompt detection of and response to security incidents.
XXX ensures that proper training and awareness on ISMS are conducted, and appropriate resources
are assigned to manage ISMS. XXX maintains a suitable matrix of risk / incidence reduction
against its major controls identified every year for monitoring purposes to ensure effectiveness of
selected controls. Logs of risk reduction and/or incidence reduction are maintained for results
comparison and reproduction.
1. For monitoring incidents, XXX has a well-defined Incident Management Procedure,
which ensures that all problems, errors identified during processing of any information are
handled promptly and effectively, and breach of security is appropriately addressed. Refer
‘ISMS-IMP-Incident Management Process’.
2. A process for conducting Management Reviews and audit procedure of ISMS exists. The
focus of the review is to ensure that ISMS is effective, and all policies, controls and security
objectives are in line with business requirements. The audit focuses on the compliance of
XXX’s practices as defined in ISMS. Refer ‘SEPG & ISMS Plan’
3. Information System Security Committee reviews the level of residual and acceptable risks
based on the changes in the deployed technology, new threats and vulnerabilities and
business objectives. Refer ‘CP-05-ISMS-RART-Risk Assessment & Risk Treatment
Procedure’.
4. The controls at appropriate intervals are monitored against the logs generated to arrive at
the current risk exposure. This is compared with previous risk level to verify the
effectiveness of controls. Refer ‘CEM-Control Effectiveness Measurement Process’
Based on the review reports and audit findings, appropriate corrective and preventive actions, as
approved by the Information System Security Committee are implemented and incorporated into
the ISMS. Inputs for improvement can be from:
Audit Reports
Management Review Reports
Incident Reports
RA report
Business Changes (Objectives, process, industry practices, legal/regulatory, etc)
Environmental Change (New threats and vulnerabilities, technology Changes, etc.)
XXX maintains all inputs in an improvement database available for internal use. XXX
consolidates the inputs and reviews the ISMS for applicable improvements. For changes to be
made, XXX prepares an action plan and communicates the results to all interested/affected parties.
All improvements should be directed towards predefined organizational business objectives.
The organization shall perform information security risk assessments at planned intervals or when
significant changes are proposed or occur, taking account of the criteria established. The
organization shall retain documented information of the results of the information security risk
assessments.
The organization shall implement the information security risk treatment plan. The organization
shall retain documented information of the results of the information security risk treatment.
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
XXX shall evaluate the information security performance and the effectiveness of the
information security management system. XXX shall determine:
1. what needs to be monitored and measured, including information security processes and
controls;
2. the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure
valid results;
3. The details of what needs to be measured are given in. The methods selected should produce
comparable and reproducible results to be considered valid.
4. Monitoring and measurement of the controls shall be done on a daily basis.
5. The System Administrator shall either monitor and measure the controls himself or make one of
the data center employees responsible for it.
6. The results from monitoring and measurement shall be analyzed and evaluated at least on a
monthly basis. However, this analysis can be made earlier depending on the exigencies, and the
System Administrator shall decide the same; and
7. The System Administrator shall analyze and evaluate these results.
XXX shall retain appropriate documented information as evidence of the monitoring and
measurement results. The templates where these evidences are maintained are defined in ‘ISMS-
CEM-Control Effectiveness Measurement Process.docx’
9.2 Internal Audits
MR conducts internal ISMS audits quarterly to verify the adherence to ISMS. The audits are
conducted to ensure that ISMS:
Security Audits are conducted in accordance with the audit procedure defined in ‘NST-CP-06-
ISMS-IAP-Internal Audit Procedure’. Trained personnel not having direct responsibility for the
activity being audited shall conduct the audits. The MR, with the help of HODs, will ensure that any
non-conformance found is closed. The MR is responsible for planning, scheduling, organizing and
maintaining records of these audits.
Top management shall review information security management system once every three months,
or on an event-driven basis, to ensure its continuing suitability, adequacy and effectiveness. The
management review shall include consideration of:
The outputs of the management review shall include decisions related to continual improvement
opportunities and any needs for changes to the information security management system. XXX
shall retain documented information as evidence of the results of management reviews.
10 Improvement
10.1 Nonconformity and Corrective Action
Corrective actions shall be appropriate to the effects of the nonconformities encountered. The
organization shall retain documented information as evidence of:
1. The nature of the nonconformities and any subsequent actions taken, and
2. The results of any corrective action.
A procedure is established for implementing and tracking corrective action. Refer ‘CAPA-
Corrective & Preventive Action Procedure’.
XXX is responsible for continual improvement of the ISMS for suitability and effectiveness. Inputs
to continual improvement can be:
11 ISMS Controls
This section describes the selection and implementation of controls by XXX. The control objectives
and controls listed in this section are directly derived from the ISO/IEC 27001:2013 standard, based
on ‘Section 5.3.1 – Security Domains addressed in ISMS’ of this document. Controls applicable
to XXX have been mentioned and addressed in this section. Controls not applicable to XXX are
mentioned in this section, and their exclusion with justification is given in the SOA. Refer ‘ISO27001-2013-
SOA-V2.0.xlsx’.
The Chief Information Officer is responsible for establishing, issuing and monitoring information
security policies.
Control Objective: To provide management direction and support for information security in
accordance with business requirements and relevant laws and regulations.
Management and business processes that include and enable security processes;
Ongoing employee awareness of security issues;
Physical security requirements for information systems;
Governance processes for information technology;
Defining security responsibilities;
Identifying, classifying and labelling assets;
Ensuring operational security, protection of networks and the transfer of information;
Safe-guarding assets utilized by third parties;
Reporting information security incidents and weaknesses;
Creating and maintaining business continuity plans; and,
Monitoring for compliance.
The Chief Information Officer recognizes that information security is a process, which to be
effective, requires executive and management commitment, the active participation of all
employees and ongoing awareness programs.
The Information Security Policy must be reviewed on an annual basis and updated when required.
The purpose is to ensure that information security policies remain current with evolving business
needs, emerging risks and technological changes.
XXX is responsible for the creation, maintenance and updating of the policy. The Information System
Security Committee approves the policy prior to release. The review and evaluation of the ISMS policy
is conducted at least once a year. The review guidelines state that the policy is to be reviewed
against its effectiveness, compliance with business processes, and compliance with technology changes.
The Chief Information Officer is responsible for reviewing information security policies, standards
and guidelines on an annual basis. Policies and standards reviews must be initiated:
This describes the management structure needed to coordinate information security activities,
including who coordinates them and what agreements are required. Coordination of information
security activities requires the support of a network of contacts in the information security
community to elicit advice, monitor trends and deal with other external factors.
The Purpose is to ensure employees are informed of their information security roles and
responsibilities. Security roles and responsibilities of employees, contractors and third party users
are defined and documented in accordance with the organization’s information security policy.
Security roles and responsibilities for employees must be documented.
a) Security roles and responsibilities
b) Communication of security roles and responsibilities
The Purpose is to reduce the risk of loss, fraud, error and unauthorized changes to information. In
XXX, duties have been segregated in order to reduce the risk of accidental or deliberate system
misuse. Different individuals are responsible for their respective areas, and proper controls exist
to address the possibility of undetected fraud in areas of single responsibility.
Different areas and associated responsibilities are defined as per Roles and Responsibilities. Day-
to-day administration and maintenance of the IT infrastructure is done by the IT Department, and HOF/IT
reviews the various logs and conducts periodic vulnerability assessments (VA). Duties and areas of responsibility must be segregated
to reduce opportunities for unauthorized or unintentional modification or misuse of information
systems.
a) Segregation of duties
b) Critical or sensitive information systems.
a) Segregation of duties
Information Owners must reduce the risk of disruption of information systems by:
The Purpose is to facilitate timely response from and co-ordination with outside authorities during
information security incidents or investigations. Appropriate contacts shall be maintained with
local law enforcement authorities and emergency support employees. Appropriate contacts/
agreements are maintained with the following, but not limited to:
Services Responsibility
Responsibility for any other services which fall under the Information Security purview, but are not
mentioned above, is assigned to Head/IT. This is necessary to ensure that appropriate actions can
be promptly taken, and advice obtained, in the event of any security incident. The Organization’s legal
department is consulted for all third party contracts and agreements. The Chief Information
Security Officer must ensure that outside authorities and emergency support employees can be
contacted by:
Maintaining and distributing as appropriate, a list of internal and external organizations and
service providers.
Documenting emergency and non-emergency procedures for contacting authorities as
required during information security incidents or investigations.
The Purpose is to promote and further employee knowledge of information security industry trends,
best practices, new technologies and threats or vulnerabilities. Appropriate contacts shall be
maintained with specialist security forums and professional associations. Information security
advice is obtained from vendors, legal advisors and technical experts on security matters to
maximize the effectiveness of the ISMS. Internally, the MR shall act as Security Advisor. External
advice shall only be sought by the MR if required. All security incidents and breaches are reported to
the MR for necessary corrective and preventive actions. Information security specialists must maintain
their knowledge of information security industry trends, best practices, new technologies and
threats or vulnerabilities by:
The Purpose is to ensure that information security risks are identified and addressed throughout the
project life-cycle. Project Planning: where projects involve information or information technology
assets, information security is addressed in project management. Information Owners and
Information Custodians must integrate information security into every phase of the organization’s
project management method(s) to ensure that information security risks are identified early and
addressed as part of the entire project. The project management methods in use should require
that:
Information security implications should be reviewed regularly in all projects. Responsibilities for
information security should be defined and allocated to specified roles defined in project
management methods.
Control Objective: To ensure information security when using mobile computing and teleworking
facilities.
The Purpose is to protect information stored on mobile devices from loss or unauthorized access.
XXX. has a well-defined policy and guidelines on the use of laptops. Refer to ‘PR-17-ISMS-AHP-Asset Handling Process.docx’. Appropriate controls must be implemented to mitigate security risks
associated with the use of mobile devices.
a) Information protection paramount
b) Service-specific risks and practices
c) Protection of credentials
d) Protection of network endpoint and physical device
e) Human factors
f) Risk assessment factors
c) Protection of credentials
User identifiers and user credentials must be protected to reduce the risk of unauthorized access to
information and information technology assets. In particular, employees must protect against visual
eavesdropping of passwords, PINs and other credentials, especially when in public places.
e) Human factors
Information Owners and Information Custodians must provide employees using mobile devices
with security awareness training to ensure that they are:
Aware of the additional risks and responsibilities inherent in mobile computing and when
using mobile devices;
Familiar with the operation of the protection technologies in use; and
Familiar with the Information Incident Management Process.
Physical theft;
Use of mobile devices to remotely access the networks and systems;
Data interception;
Credential theft;
Unauthorized device use;
Device disposal;
Information disposal;