© Abhishek Chopra, Mukund Chaudhary 2020
A. Chopra, M. Chaudhary, Implementing an Information Security Management System, https://doi.org/10.1007/978-1-4842-5413-4_6

6. Execution

Abhishek Chopra1  and Mukund Chaudhary2
(1)
Faridabad, Haryana, India
(2)
Noida, India
 

“Success doesn’t necessarily come from breakthrough innovation but from flawless execution. A great strategy alone won't win a game or a battle; the win comes from basic blocking and tackling.”

—Naveen Jain

This chapter covers what can be implemented as part of the execution phase. You’ll see examples of all the controls that can be implemented, based on the practices and procedures followed in your organization.

Information Security Awareness

Why is security awareness important at this stage? Awareness of the ISO 27001 standard should be planned and conducted at the organizational level. While the implementation is in progress, awareness sessions help employees understand what is being implemented in terms of security controls, why it is being implemented, and what the associated benefits are.

Most organizations only educate their implementation team members about the security implementation and never reach all the employees. This could be because management/senior members may not know the importance or there might be operational issues. But it’s important to realize that the employees must be aware of the importance of safeguarding information/assets and sometimes they are the ones who unknowingly cause security breaches.

Hence, planning these awareness sessions is important, regardless of the organization’s size. In big organizations, awareness sessions can be planned in batches. The information security team must take attendance at every session to ensure that all employees are covered as part of the exercise. Employees who are absent or on official travel must be covered in other batches/sessions.

In some organizations, contractors/vendors are also part of the workforce, so they must also attend the awareness sessions. They need to be familiar with the security policies and need to abide by them. Any support staff, for example, cleaning staff, security guards, car drivers, and so on, who work inside and outside the premises must know their information security responsibilities.

An Emphasis on Training Content

It is important to know what you are covering as part of the awareness content. It should be easy for all employees to understand and remember. After the awareness sessions, collect feedback from the employees; this will tell you whether they understood the material, so that you can improve the content accordingly.

Note

Awareness training content can be reviewed periodically to ensure that the training content is effective and easy to understand.

Awareness Quiz

A quiz session makes the awareness training more interesting and attendees get to play a game and learn at the same time. This is the best way to check whether employees understood the awareness sessions. The quiz can be easily created online for all your staff members to take at the same time, or they can be given a timeframe to complete the quiz.

Quiz questions should be multiple choice (objective questions with options). Keep the quiz to 10 or 15 questions, so employees don’t feel overwhelmed when completing it. It should take no more than about five minutes to complete.

Assign points to each question and decide on the passing score. Any employee who scores less than the passing score must retake the quiz. This process should continue for new employees as part of their induction.

Tip

Quizzes can be created offline or online as a part of the assessment. An online quiz can be more fun and create more interest, while offline quizzes are more of an assessment.

The awareness sessions also help the implementation team members when writing the policies and procedures. When the inputs from employees are clear, it is easier to define the policies, and the team gets a sense of how easily employees will understand them when they read them.

Policies and Procedures

The most important step in the execution is defining the policies and operational procedures. Without them, the implementation will be incomplete. If you are going for an external audit, the auditor requires these documents as part of the audit exercise to verify how they have been defined and followed. Employees must adhere to the practices defined in the policies. These are the defined rules to be followed by all.

As part of the ISO 27001 standard implementation, you must define policies to cover the various security controls, although the standard does not mandate standard operating procedures. Without procedures in place, however, your company won’t achieve the desired result consistently every time. To avoid defining too many procedures in the ISO 27001 implementation, the policies themselves describe how security controls/practices are to be implemented in the organization or in one of its business units, as applicable.

Who Defines the Policies?

As mentioned, the applicable team members help define the policies that affect their daily work routines. The information security team and the members of the operational team work together on this. The information security team acts as the subject matter experts (SMEs). They collect various inputs from the operational team to define the policies, and once the policies are defined, they must be shared for review and approval.

Who Reviews and Approves the Policies?

The best way to go about this is to form a team of seniors (such as team heads and management) who will review and approve the policies, as they know the business processes very well and have the authority to change or modify them as needed. These are important reviews that need to be done before finalizing and rolling out the policies to all the employees. The final okay on the policies comes from management.

Note

Depending on the type of organization, management members’ roles could be different, hence no specific designation is mentioned here. Organizations, based on their organization/team structure, should decide which management member will approve which policy.

Which Policies and Procedures Are Covered?

The following policies are examples based on the ISO 27001 standard. Organizations can prepare their policies as applicable.
  • Access control policy

  • Acceptable usage policy

  • Asset management policy

  • Antivirus policy

  • Business continuity and disaster recovery policy

  • Clear desk and clear screen policy

  • Change management policy

  • Data retention and disposal policy

  • Email usage policy

  • Encryption policy

  • Information security policy

  • Incident management policy

  • Information classification policy

  • Legal compliance policy

  • Network security and information transfer policy

  • Password creation policy

  • Physical and environmental security policy

  • Privacy and protection of personally identifiable information management policy

  • Remote access policy

  • Supplier relationship management policy

  • Technical vulnerabilities management policy

The following is a standard operating procedures example list. Organizations should create their operational procedures based on their industry/domain and business model.
  • Operational planning procedure

  • Requirement collection/development procedure

  • Operational design procedure

  • Coding procedure (applicable to IT/software companies)

  • Change management procedure

The following sections discuss each policy and procedure, one by one.

Access Control Policy

The main objective of the access control policy is to protect an organization’s resources from unauthorized access while facilitating seamless and legitimate use of these resources. This policy document should cover both logical and physical access control. It should cover the following items:
  • Policy on user account management:
    • Write a formal user registration and de-registration procedure for granting and revoking access to all information systems and services.

    • Explain how access rights will be created for new joiners and which rights are provided to the users by default.

    • Assign unique user IDs and passwords so that every action can be linked to an individual who can be held responsible for it.

  • Privilege management covers the following:
    • Privileges should be allowed to users on a need-to-use basis and on an event-by-event basis in line with the access control policy.

    • Identify the access privileges associated with each system product (e.g., operating system or database management system) and each application, along with the users who need them.

    • An authorization process should be in place and a record of all privileges allocated should be maintained and monitored. Privileges should not be granted until the authorization process is complete.

  • Rules for physical access to the premises are defined here. A few examples are shared for understanding:
    • Employees are allowed on all floors except the IT server room and the management area.

    • The IT team can access all the areas (depending on the work).

    • Biometric access may be issued by the admin or HR department on the same day as joining.

Note

Other components can also be added, based on the organization and industry. The examples here are for illustrative purposes. They might not fit into every organization.
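The privilege-management bullets above call for a record of all allocated privileges that is authorized before grant, monitored afterwards, and attributable to a unique user ID. The following is an added example, not code from the book, of the reconciliation an access review would run over that record: it compares the privileges currently allocated on systems with the authorization register and the active user list, and flags shared accounts. All sample data, the `u` plus four digits ID convention, and the `AUTH-` approval references are constructed for illustration.

```python
"""Added example: reconcile allocated privileges against the authorization
register, the active user list, and the unique-user-ID rule.
Sample data is constructed for illustration and is not from the book."""
import re
from dataclasses import dataclass

# Assumed naming convention for personal user IDs: "u" followed by four digits.
USER_ID_PATTERN = re.compile(r"^u\d{4}$")


@dataclass(frozen=True)
class Privilege:
    user_id: str
    system: str
    privilege: str


# Constructed sample export of privileges currently allocated on systems.
ALLOCATED = [
    Privilege("u1001", "erp-db", "db_owner"),
    Privilege("u1002", "erp-db", "read_only"),
    Privilege("u1002", "erp-db", "db_owner"),         # granted, but never approved
    Privilege("u1003", "file-server", "admin"),       # user has left the organization
    Privilege("shared_admin", "erp-db", "db_owner"),  # shared account, not a personal ID
]

# Constructed authorization register: (user, system, privilege) -> approval reference.
APPROVED = {
    ("u1001", "erp-db", "db_owner"): "AUTH-0014",
    ("u1002", "erp-db", "read_only"): "AUTH-0021",
}

# Constructed active user list, as maintained by HR and the helpdesk.
ACTIVE_USERS = {"u1001", "u1002", "u1004"}


def review_privileges(allocated, approved, active_users):
    """Return (Privilege, reason) findings for every rule a privilege breaks.

    A privilege is flagged when its user ID is not a personal ID (actions
    cannot be attributed), when the user is no longer active (de-registration
    was missed), or when no completed authorization exists for it.
    """
    findings = []
    for p in allocated:
        if not USER_ID_PATTERN.match(p.user_id):
            findings.append((p, "not a unique personal user ID; actions cannot be attributed"))
        if p.user_id not in active_users:
            findings.append((p, "user is not in the active user list; de-registration was missed"))
        if (p.user_id, p.system, p.privilege) not in approved:
            findings.append((p, "no completed authorization on record for this privilege"))
    return findings


def findings_by_user(findings):
    """Group findings per user ID so an access review can be worked user by user."""
    grouped = {}
    for p, reason in findings:
        grouped.setdefault(p.user_id, []).append(f"{p.system}:{p.privilege} - {reason}")
    return grouped


if __name__ == "__main__":
    report = findings_by_user(review_privileges(ALLOCATED, APPROVED, ACTIVE_USERS))
    for user_id in sorted(report):
        print(user_id)
        for line in report[user_id]:
            print("   ", line)
```

Run against the constructed data, the review leaves `u1001` clean, flags the unapproved `db_owner` grant for `u1002`, flags both of `u1003`’s privileges because the leaver was never de-registered, and flags the shared account three times. In practice the three inputs come from a system export, the approval workflow, and the HR joiner/leaver list respectively, and the findings are what the auditor expects to see handled.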

Acceptable Usage Policy

The main objective of the acceptable usage policy is to document and define the practices that users must agree to in order to access the organizational network or the Internet. Some organizations require employees to accept this policy before they are given access to the network or the Internet.

Here are some of the points to cover in this policy:
  • Don’t use any service to violate the rights of any person or company protected by copyright, trade secret, patent, or other intellectual property law or regulation, including, but not limited to, installing or distributing “pirated” or otherwise unlicensed software.

  • Don’t attempt to break the security of any computer network by introducing malicious programs into the network or server (e.g., viruses, worms, Trojan horses, email bombs, etc.).

  • Don’t use any program/script/command or send messages of any kind with the intent to interfere with, or disable, a user's terminal session, via any means, either locally or via the Internet.

  • Don’t send junk email or spam to anyone who doesn't want to receive it. For example, if individuals have requested they not receive material, you should not send them related emails.

  • Don’t send any form of harassment via email, telephone, or through any other means.

  • Don’t misuse any assets provided by the organization for personal use.

Asset Management Policy

This document describes the asset management policy for all IT and non-IT assets of the organization. The policy covers all information assets, such as hardware, software, and data. As the name suggests, the key component of this policy is management and it should cover:
  • Identification and inventory of all the assets and relevant information about their location, backup, business value, criticality, etc. For example, these assets can be:
    • Information assets such as databases, contracts, agreements, manuals, policies, plans, etc.

    • Software assets such as system software, application software, utilities, etc.

    • Hardware assets such as computer hardware, servers, communication services, removable media devices, etc.

    • Personnel assets such as people, their qualifications, and skills, etc.

  • Every asset should have a designated owner, which could be a person, a business process, or an application.

The policy also covers the monitoring and tracking of all assets throughout their lifespan with the organization.

Antivirus Policy

The purpose of this policy is to help prevent the infection of computers by viruses and other malicious code and to provide a virus-free environment. The goal is to protect the organization’s data from damage due to a virus/Trojan attack.

This policy should cover the following issues as a best practice:
  • Antivirus software and virus pattern files must be kept up-to-date.

  • Virus-infected computers must be removed from the network until they are verified as virus free or the machine has been reformatted, if possible.

  • Do not open any files or macros attached to an email from an unknown, suspicious, or untrustworthy source. It’s best to delete these attachments immediately and remove them from the trash.

  • Delete spam, chain, and other junk emails without forwarding them. Never download files from unknown or suspicious sources.

  • Do not share read/write access to local disks directly unless there is a compelling business requirement to do so.

  • USB ports should be blocked on all the machines. If there is a business need to use pen drives, it is highly recommended that this external media be scanned before use.

  • No files should be excluded from being scanned by anti-virus software.

    Note This policy must be applied to all the computers on a network to safeguard from malicious attacks.

Business Continuity and Disaster Recovery Policy

This is one of the most important policies you’ll create because it tells you how to recover quickly from service interruption or disaster, whether natural or man-made. This policy contains the set of best practices, standards, and guidelines to ensure proper risk management, which enables the company to continue to deliver products and services during a disaster.

Some of the key elements of this policy include the following:
  • It’s important to define what a disaster is for your organization. This can vary widely, depending on the organization and industry.

  • There must be a ready-made plan for predictable disasters such as fire, earthquakes, or breakdown of equipment.

  • Team responsibilities must be identified in order to reduce the response time to an incident, which helps resolve the incident in the minimum amount of time.

  • The recovery plan for data backups and storage devices must be defined.

    Note The organization may have a different policy for business continuity management and disaster recovery, or it could have a combined policy. This all depends on the needs and requirements of the organization.

Clear Desk and Clear Screen Policy

This policy helps reduce the risk of unauthorized access, loss, or damage of information during and outside working hours. This policy also ensures that assets containing sensitive information, such as notepads, laptops, and desktops, remain protected even when employees leave their workstations, either for a short or a long period.

Some of the important points that can be included in this policy are as follows:
  • Any important business information (printed or digital) that is no longer needed must be discarded securely by using appropriate shredders.

  • When you are away from your desk for a short duration, such as during lunch/tea breaks or meetings, sensitive business information should be kept in locked drawers and laptops/desktops access screens should be locked. For example, you can use Ctrl+Alt+Del or Win+L to lock Windows-based systems.

  • Employees must not leave portable devices such as laptops or PDAs unattended and should physically lock these devices while away from the office.

  • No loose papers should be allowed on the desks or floor.

  • By default, workstations should not have access to printers.

  • Automatic screen lock after a period of inactivity should be enabled, with an information security screen saver.

Change Management Policy

The purpose of this policy is to define how changes to information security are managed and controlled, because when an organization undergoes changes in terms of business processes, tools, and technologies, the security controls may require revisions and there may be new controls to document. This policy should cover the following points:
  • Define change management guidelines, including defining what a change is.

  • Determine who will be responsible for verifying the change and implementing the changes.

  • Record each change in a change log and change document for record purposes.

  • Specify if the organization has any other SOP for managing change.

Data Retention and Disposal Policy

This policy tells you how securely the data is retained and how you dispose of data when it’s no longer needed. This policy should document the lifespan of data. For example, how long is the log file data kept for record purposes.

This policy should cover the following points:
  • How the data is collected and kept securely in compliance with the law and with organizational policy.

  • The business should capture the minimum user data required for the business operation after getting consent from their users/employees.

  • How stored data access is managed in the organization.

  • An organization must have the guidelines and statutory procedures for records retention. For example:
    • The organizational records containing sensitive information that are not being used for active business should be archived until retention requirements have been met.

    • Where relevant, only primary records should be archived; duplicate copies maintained elsewhere need not be archived.

  • Similarly, organizations have guidelines for the disposal of records and data. For example:
    • When retention requirements have been met, records must be either immediately destroyed or placed in secure locations.

    • Before disposing of the data or any other assets, get the required approvals to avoid any miscommunication.

Note

This policy is intended to ensure that information is used and disclosed uniformly, in accordance with all organizational policies. A combination of physical security, personnel security, and system security mechanisms is used to achieve this.

Email Usage Policy

The purpose of this policy is to ensure acceptable use of email services provided by the organization to its users/employees to conduct business in an ethical, legal, and lawful manner. It should cover the following points:
  • All components of the email system, including any messages created, sent, received, or stored locally on the user system or on the mail server in any form, are considered organizational property.

  • The company email system should not be used under any circumstances for the creation or distribution of any disruptive or offensive messages, including ones about race, gender, hair color, disabilities, age, sexual orientation, pornography, vulgar jokes, religious beliefs and practice, and political beliefs or national origin.

  • The employee should not forward any viruses or hoax email messages to company email addresses and groups that they receive through their company or personal email address. These messages must be immediately reported to the IT Helpdesk.

  • The employee should not use company email to infringe on the copyright or other intellectual property rights of others.

  • The employee should not distribute abusive, fraudulent, or harassing messages and avoid writing messages in any unethical, illegal, or wrongful manner.

    Note The points described here are examples only. Your company may draft other points, based on their needs and culture.

Encryption Policy

The objective of this policy is to provide direction about the use of encryption to protect information resources that contain, process, or transmit confidential and business-sensitive information. It also addresses controls over confidential data. It should cover the following:
  • Define which technology is used for encrypting confidential and other sensitive data, and define the key length requirements for each use.

  • Confidential information stored on portable devices such as laptops must be encrypted using products and methods approved by the security officer, such as full disk encryption with pre-boot authentication.

  • Portable devices, including laptops, tablets, and smartphones cannot be used for the long-term storage of any confidential information.

  • Data transmission must be secure. For example, if the organization has an ecommerce site, the data must be transmitted on a secure channel.

This policy should also cover the key management procedure that an organization wants to follow. For example:
  • Keys in storage and transit should be encrypted. Private keys are kept confidential.

  • Keys should be chosen uniformly at random from the entire key space, using a hardware-backed random number generator.

    Note Under certain situations, the organization may grant or issue an exception to the use of encryption on portable computing devices and non-organization owned computing devices containing confidential data.
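The two key-management bullets above (defined key lengths; keys drawn from the entire key space with hardware-backed randomness) are concrete enough to show in code. The following is an added example, not code from the book: it generates keys from the operating system’s CSPRNG, which is seeded from kernel and hardware entropy, enforces an assumed minimum key length per algorithm family, rejects obviously degenerate keys, and shows why a seeded general-purpose PRNG is not an acceptable source. The `MIN_KEY_BITS` values and the `aes`/`hmac` labels are assumed policy settings, not figures from the book.

```python
"""Added example: key generation following an encryption policy's key-management
rules. Minimum lengths are assumed policy values, not figures from the book."""
import random
import secrets

# Assumed minimum key lengths in bits that an encryption policy might define.
MIN_KEY_BITS = {"aes": 128, "hmac": 256}


def generate_key(algorithm, bits):
    """Draw a key uniformly from the whole key space using the OS CSPRNG.

    secrets.token_bytes() reads the kernel's random source, which is seeded
    from hardware entropy; that is what "hardware-backed randomness" maps to
    on a general-purpose host. Lengths below policy are refused.
    """
    if bits % 8:
        raise ValueError("key length must be a whole number of bytes")
    if bits < MIN_KEY_BITS[algorithm]:
        raise ValueError(f"{algorithm} keys must be at least {MIN_KEY_BITS[algorithm]} bits")
    return secrets.token_bytes(bits // 8)


def key_meets_policy(algorithm, key):
    """Check an existing key against the length requirement and reject obviously
    degenerate keys (a single repeated byte value or a very short repeating
    pattern), which are almost certainly not drawn from the full key space.
    This is a coarse sanity check, not an entropy measurement."""
    if len(key) * 8 < MIN_KEY_BITS[algorithm]:
        return False
    distinct_byte_values = len(set(key))
    return distinct_byte_values > max(1, len(key) // 8)


def weak_key_from_prng(seed, bits=128):
    """Counter-example: a key from the seeded `random` module is fully
    determined by the seed, so anyone who guesses the seed has the key.
    Not acceptable under the policy."""
    rng = random.Random(seed)
    return rng.getrandbits(bits).to_bytes(bits // 8, "big")


if __name__ == "__main__":
    key = generate_key("aes", 256)
    print("generated", len(key) * 8, "bit key; meets policy:", key_meets_policy("aes", key))
    print("PRNG keys reproducible from the seed:", weak_key_from_prng(42) == weak_key_from_prng(42))
```

Two design points: the policy minimum is enforced at generation time rather than only checked afterwards, so a caller cannot accidentally produce an under-length key, and the degenerate-key check exists because keys are also imported from suppliers and older systems, where a hard-coded or zeroed key is the realistic failure.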

Information Security Policy

The purpose of the information security policy is to ensure the protection of the organization’s information assets from all threats, whether internal or external, deliberate or accidental. The information security policy should cover all software and hardware, the physical perimeter, and the organization’s human resources.

The information security policy should cover the following points:
  • Information should be available to organizational staff and, where appropriate, to the public with minimal interruption to business processes.

  • Critical information is protected from unauthorized access, use, disclosure, modification, and disposal, whether intentional or unintentional.

  • The information security team must show a commitment to the continual improvement of the information security management system.

  • Risk assessment and treatment is reviewed at predefined intervals. (Recommended interval is every six months.)

Incident Management Policy

The purpose of this policy is to define how incidents are managed and reported in the organization. It should cover:
  • The security incident management practice standard. For example:
    • Whenever a security incident occurs in the organization, report it to the information security team or IT team so that corrective and preventive actions can be taken and recorded.

    • Define who is responsible for initiating, completing, and documenting the incident investigation.

  • Define the incident reporting flow.

  • Store the incident information for learning and for future improvement purposes. You will read more about this in Chapter 10.

Information Classification Policy

The purpose of this policy is to classify the information appropriately and to ensure that the information created, treated, and stored by the organization will reach intended addressees only. It should cover the following points:
  • Document classification levels, such as public, internal, restricted, and confidential.

  • Confidential documents should be used by only a few people or departments. No one has access to a confidential document other than the defined set of people.

Legal Compliance Policy

The purpose of this policy is to address the legal, statutory, regulatory, and contractual obligations arising from the security and privacy requirements of an organization. It should cover the following points:
  • All relevant statutory, regulatory, and contractual requirements should be documented and kept updated by HR and the legal team.

  • Relevant standards and procedures should be defined and implemented by the information security team in consultation with HR and the legal team to ensure compliance with legal/contractual obligations on the use of information with respect to intellectual property rights.

  • Any guidance on essential legal requirements should be taken from management.

  • If any incidents relating to legal compliance occur, define how they will be handled and managed.

Network Security and Information Transfer Policy

The purpose of this policy document is to ensure the protection of information in networks and of information in transit when it is exchanged outside the organization. It should cover the following points:
  • Proper exchange of information through the electronic communication channel. Define the restricted and acceptable communication channels.

  • Regulations for external parties, such as vendors and service providers for hardware and software.

  • Define the security measures required to protect network services.

  • Segregate the network inside the organization. For example, the public-facing segment, the IT department, and the other departments should be separated.

Password Creation Policy

The purpose of this policy is to secure password management by establishing a set of standard procedures for the creation of strong passwords, the protection of those passwords, and the frequency of change. It should include the following points:
  • Define the standard guidelines for password management. For example, how long should passwords be and the combinations required to make them strong.

  • Define the password change frequency. For example, some organizations require password changes every 60 to 90 days.

  • Define the password protection standard clearly and communicate it to all employees.

    Note Do not share passwords with anyone, including any of the departments like HR, admin, or IT. All passwords must be treated as sensitive, confidential information.
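The policy leaves the exact length, composition, and change-frequency values to the organization. The following is an added example, not code from the book, of how those values become an enforceable check: a validator that reports every rule a candidate password breaks, and an expiry check for the change frequency. The thresholds (12 characters, three character classes, 90 days) and the sample user ID `u1001` are assumptions for illustration; the 90-day figure is the upper end of the range the text cites.

```python
"""Added example: a password policy check and expiry calculation.
The numeric thresholds are assumptions; the book leaves them to the organization."""
import datetime as dt
import string

MIN_LENGTH = 12             # assumed minimum length
MIN_CHARACTER_CLASSES = 3   # assumed: at least three of lower/upper/digit/symbol
MAX_AGE_DAYS = 90           # assumed change frequency (book cites 60 to 90 days)


def character_classes(password):
    """Count how many of the four character classes the password uses."""
    checks = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(checks)


def check_password(password, user_id):
    """Return a list of policy violations; an empty list means the password is acceptable.

    Every violated rule is reported, not just the first, so the user can fix
    all problems in one attempt.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CHARACTER_CLASSES:
        problems.append(f"uses fewer than {MIN_CHARACTER_CLASSES} character classes")
    if user_id.lower() in password.lower():
        problems.append("contains the user ID")
    return problems


def _as_date(value):
    """Accept either a date object or an ISO 8601 string (as stored in a directory)."""
    return dt.date.fromisoformat(value) if isinstance(value, str) else value


def password_expired(last_changed, today):
    """True when the password is at or past the maximum age and must be changed."""
    age_days = (_as_date(today) - _as_date(last_changed)).days
    return age_days >= MAX_AGE_DAYS


if __name__ == "__main__":
    for candidate in ("password", "U1001Summer2020!", "Tr0ub4dor&3xyz"):
        print(candidate, "->", check_password(candidate, "u1001") or "OK")
    print("expired:", password_expired("2020-01-01", "2020-03-31"))
```

Checking the user ID inside the password is included because a rule about length and character classes alone still accepts passwords that are trivially guessable from the login name; the expiry helper takes ISO dates so it can be fed directly from a directory export during an access review.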

Physical and Environmental Security Policy

The purpose of this document is to secure the organization from physical and environmental threats. It should cover the following items:
  • All organizational perimeters should be physically secured against unauthorized entry and exit.

  • Identify the secure zones that have entry permitted only to authorized individuals. For example, datacenters.

  • Maintain appropriate environmental conditions for employees at work, such as lighting, temperature, and hygienic conditions.

Privacy and Protection of Personally Identifiable Information Management Policy

The purpose of this policy is to establish the guidelines for protecting the confidential information belonging to users/employees/clients. Their personally identifiable information must be kept private and cannot be disclosed without their consent. It should cover the following points:
  • The aspects of securing data and privacy, especially for securing personally identifiable information. For example, your name, email, address, and other personal information.

  • Whenever personally identifiable information needs to be stored, it is necessary to get consent from the person/organization whose data is to be stored. It is also important to communicate the purpose of storing the data and the period for which it will be retained.

Remote Access Policy

The purpose of this policy is to define and document the procedures that protect confidential data that could otherwise be compromised through remote access. A teleworking policy is meant for people who access the organization’s computers or servers from home or while traveling. It should cover the following points:
  • Two-factor authentication should be required to access the company’s resources.

  • This policy should define who can work remotely and connect to the organization’s virtual private network (VPN).

  • Authorized users must ensure that their remote access connections to the organizational LAN are treated with the same level of security as on-site connections.

    Note This policy applies to any person who is authorized to access a computer or device on the organization’s private LAN. This includes but is not limited to contractors, temporary workers, vendors, subcontractors, employees, and attorneys authorized to access any of the organization’s private LAN via remote access, for any reason.

Supplier Relationship Management Policy

The purpose of this policy is to provide guidelines to manage the supplier relationship and ensure secure supplier management activities to be carried out. It covers the following points:
  • Define the information that will be accessed by the supplier and what security measures will be implemented to secure the information from unauthorized access or use. For example, signing of NDAs (non-disclosure agreements) or agreement with suppliers.

  • Before engaging with the contractor or supplier, an organization must review the agreement in place.

  • Define how to select and develop a relationship with suppliers and vendors that delivers the highest standards of performance and allows profitable outcomes for both parties.

Technical Vulnerabilities Management Policy

The purpose of this policy is to keep the components of the information technology infrastructure available to the organization’s end users. To keep the infrastructure available all the time to users, it is important to keep the hardware, software, and services up to date with the latest patches. This policy defines and documents the procedures required for patch management. It should cover the following points:
  • The IT department should maintain the inventory of all the assets and components within the organization’s IT infrastructure.

  • All software and hardware devices must be scanned on the network to identify any technical vulnerabilities.

  • Security certificates and known weaknesses need to be reviewed regularly.

  • Regular vulnerability assessment and penetration tests (VAPT) must be done on the applications to ensure there are no open issues.

  • The roles and responsibilities of the employees must be clearly defined, including defining who is responsible for patch management and VAPT.

    Note This policy is applicable to all software development and IT teams and should discuss all the aspects to address the security vulnerability.

These policies and procedures are explained further in the control sections later in this chapter. This will help you understand what the policies and procedures should cover in order to cater to the needs of the security controls as per the ISO 27001 standard.

Understanding and Implementing Controls

This section explains how to implement the security controls covered in the ISO 27001 standard. Although these security controls are somewhat self-explanatory, this section simplifies them further by including real-world examples, including what needs to be done and which documents to prepare.

The motive is to help the implementation teams complete the implementation in their areas in a smooth manner. Implementing these controls effectively ensures that you are on the right path to securing the company’s information. From there, it becomes the duty of each employee to maintain the security levels at all times.

The following sections explain each ISO 27001 control and give examples as well.

A.5 Information Security Policies

A.5.1 Management Direction for Information Security

Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

Explanation: The focus is on management involvement, by giving direction to form all the required policies based on the type of organization’s business and applicable laws.

A.5.1.1: Policies for Information Security (ISO 27001 Control)

A set of policies for information security should be defined, approved by management, published, and communicated to employees and relevant external parties.

Explanation: The requirement is to define all the information security policies. These policies are the driving force for implementing the security controls. Once all policies are approved by management, it is important to communicate them to all employees and external stakeholders to make them aware of their responsibilities. They must abide by these policies and help in securing the organization’s information.

Evidence that can be prepared: The list of policies mentioned previously, or whichever policies apply to the organization’s business requirements. All the policies must be reviewed/approved by management or the steering committee.

Who prepares it: The information security department will facilitate the creation of the policies by involving the relevant departments, e.g., Human Resources, IT/Helpdesk, etc. The organization should assess and identify the implementation team members who will help define the policies.

For external audit: An external auditor conducting the ISO 27001 certification audit will check all the defined/approved policies. The organization should also define how the policies are communicated to employees and external stakeholders.

A.5.1.2: Review of the Policies for Information Security (ISO 27001 Control)

The information security policies should be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy, and effectiveness.

Explanation: Once policies are defined and approved, a frequency must be set for reviewing them to determine whether they are still relevant or need improvements/changes. If changes are needed, they must be made accordingly, and approval of the revised policy must be obtained from management before the changes are released to employees and stakeholders.

Note

There could be many factors to consider when reviewing the policy, but the ISO 27001 standard states that the management review meeting results should be considered.

Evidence that can be prepared: Records showing that all policies have been reviewed at the defined intervals and that the revised policies have been approved by management.

Who prepares it: The information security department will work with the relevant department heads to ensure their policies are reviewed at regular, defined intervals.

For external audit: An external auditor conducting the ISO 27001 certification audit will check that all the policies have been reviewed at regular intervals, as well as have been approved and communicated to employees and external stakeholders.

A.6 Organization of Information Security

A.6.1 Internal Organization

Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.

Explanation: Before you initiate the ISO 27001 implementation in your organization, you need to build a framework to support the implementation teams.

This framework creates a clear path for the implementation team to follow. As mentioned earlier, sometimes you won’t know where to start with new initiatives and won’t know how to define the responsibilities of each person involved. This framework helps to address such issues.

The next section looks at the controls that are involved.

A.6.1.1: Information Security Roles and Responsibilities (ISO 27001 Control)

All information security responsibilities should be defined and allocated.

Explanation/what is required: You must define the roles and responsibilities related to information security and the policies based on the ISO 27001 implementation scope. If the responsibilities are not defined or if there is a lot of ambiguity in each role, employees will not be clear about which areas they are accountable for.

Evidence that can be prepared: A roles and responsibilities document should cover the following risk-management activities:
  • Information security responsibilities for each role based on company business.

  • How assets are protected.

  • How specific information security processes are to be carried out.

  • Defined authorization levels for each role and supplier/vendor responsibilities.

Who prepares it: The human resources department and the information security team are responsible for defining and publishing the roles and responsibilities.

For external audit: An external auditor conducting the ISO 27001 certification audit will check the roles and responsibilities defined for each role.

A.6.1.2: Segregation of Duties (ISO 27001 Control)

Conflicting duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets.

Explanation/what is required: The focus is to check on individuals who have dual responsibilities or are accountable for more than one role. The ISO 27001 standard covers the risk involved in such conflicting duties and areas of responsibility.

Consider this from an IT company example. Say Krishna is the business analyst team manager and is also responsible for the QA/software testing team. Such a scenario would be considered conflicting, as it increases the risk to the integrity of the test results. Hence, to avoid such risks, segregation of duties is important. For example, Krishna should be responsible only for the business analyst team and Shiva should be responsible for the QA/software testing team. This will help mitigate the risks.

The ISO 27001 standard recognizes that small organizations face challenges in segregating duties. In such scenarios, the focus should be more on monitoring the activities and maintaining the audit trails so that individual actions do not go undetected. That is why the usage of tools/technology should be monitored in organizations that handle sensitive transactions and confidential data. Tools help you track and maintain the audit trails, which can be used and analyzed whenever a doubt arises or an incident occurs.

Evidence that can be prepared: The roles and responsibilities document should include clear segregation of duties and areas of responsibility. Also, controls should be implemented to monitor and detect unauthorized actions.

Who prepares it: The human resources department and the information security team will define and publish roles and responsibilities. The IT department can implement the controls in the tools/systems to monitor the activities and maintain the audit trails for future checks and verification purposes.

For external audit: An external auditor conducting the ISO 27001 certification audit will check the roles and responsibilities and ensure clear segregation of duties.

A.6.1.3: Contact with Authorities (ISO 27001 Control)

Appropriate contacts with relevant authorities should be maintained.

Explanation/what is required: The requirement is to define a procedure for contacting authorities when an information security incident occurs. This procedure should describe how authorities should be contacted and who from the organization will contact them. These authorities could be law/legal and regulatory bodies, etc. Whenever changes happen in acts/laws or regulations that the organization needs to implement, they are communicated by the regulatory bodies. Hence, being in contact with authorities is always useful.

When incidents or attacks happen through Internet sources, it might be required to contact cyber-law bodies or other relevant bodies to investigate and take appropriate action. There are other authorities that an organization must be in contact with, such as fire departments, electricity suppliers, nearby hospitals, or any other emergency services, as all of these have an impact on your organization’s business or operations.

For example, if a fire or electrical incident occurs, you may need to contact such authorities, as such incidents may halt your operations (if it is related to business continuity, you will read more about it in this chapter). This impacts the company’s revenue and reputation. Hence, the organization’s incident management procedure must describe what is to be done if any unexpected incident occurs.

Evidence that can be prepared: An incident management and escalation procedure should define the roles and responsibilities and explain what to do in such scenarios. For example, how to contact the authorities and who will contact them in case of an incident.

Who prepares it: The information security team is responsible for preparing the document by involving relevant stakeholders/departments such as human resources, IT Helpdesk, Software Development, and other operational teams whose incidents are required to be reported to authorities.

For external audit: An external auditor conducting the ISO 27001 certification audit will check the incident management and escalation procedure. If an incident has occurred, they will check if the procedure was followed, including whether the incident form was used properly to report the incidents and what actions were taken for resolution.

A.6.1.4: Contact with Special Interest Groups (ISO 27001 Control)

Appropriate contacts with special interest groups or other specialist security forums and professional associations should be maintained.

Explanation/what is required: Although you learn many things from the ISO 27001 standard, you must also learn from other industry best practices and other relevant information that is published from time to time, to improve the knowledge of the team members who are responsible for implementing and monitoring controls on a regular basis. It is important to stay up to date and ready to prevent any information security attack on your systems. Hence, it is advisable to participate in security forums, seminars, and security interest groups that share relevant and new information with the teams.

Evidence that can be prepared: Membership in security forums and participation in security forums and seminars, etc., can be shown as evidence.

Who prepares it: The information security team is responsible for maintaining the records of associations and participations.

For external audit: An external auditor conducting the ISO 27001 certification audit may check all the security forums or seminars that the organization is associated with and their participation.

A.6.1.5: Information Security in Project Management (ISO 27001 Control)

Information security must be addressed in project management, regardless of the type of project.

Explanation/what is required: The focus is to identify the information security risks in the project. Organizations that work on project delivery (including development, testing, facility management, and support processes) must do risk assessment exercises at the project initiation phase, as this will help identify various information security risks. This helps you prepare the mitigation plan by identifying the appropriate security controls. You must ensure that the information security risks are identified for all the phases of the project until it is delivered/closed.

Note

It’s also important to regularly review risks, as this helps you analyze whether the identified security controls are reducing the threat levels or not.

Evidence that can be prepared: Create a risk-management procedure to explain how risk management is done in the projects and define the stakeholders’ roles and responsibilities. Use project risk registers and trackers with identified risks and mitigation actions, i.e., security controls.

Some examples that could help in identifying information security risks are as follows:
  • Analyze the project/product requirements risks: Most information security risks must be identified based on the requirements.

  • Access control risks: Team members working on the project have access to project requirements and other project information. This is important as some projects are confidential, and your clients’ information security must not be compromised.

  • Business continuity risks: Assess whether any business continuity aspects could impact the project, based on the customer requirements, customer geographical location, your company geographical locations, and the vendors supporting you in the project by providing the services.

  • Any legal/regulatory risks: Assess if laws could impact your project if certain requirements based on those laws are not fulfilled. These laws could be country, regional, or state laws.

  • Contract risks: Assess risks based on the contract terms, such as if the project is not completed on time or does not meet the quality requirements stated in the contract. What risk could this pose to your project and organization?

There could be many more areas, which you can assess to minimize the information security risks. By assessing these project risks, you ensure that your organization’s objectives are fulfilled by meeting the project security objectives.

Who prepares it: Using a risk register or tracker, the project managers identify risks in discussion with various project stakeholders. The information security team could be consulted to ensure that all the risks have been identified and that the controls are appropriate.

For external audit: An external auditor conducting the ISO 27001 certification audit will check the risk management procedure and project risk register, in order to check how information security risks are identified and mitigated.

A.6.2.1: Mobile Device Policy (ISO 27001 Control)

A policy and supporting security measures should be adopted to manage the risks introduced by mobile devices.

Explanation/what is required: The focus is on the use of mobile devices to access organization information that could pose information security risks. Some of the examples of mobile devices are smartphones, tablets, laptop computers, etc.

The use of mobile devices cannot be avoided these days, as they are a fast and easy way to access information anywhere in a fast-paced world. At the same time, these devices are vulnerable to theft, loss, hacking, and unauthorized access when left unattended.

Note

Sometimes organizations allow employees to bring and use their own/personal mobile devices. In such scenarios, appropriate controls must be implemented so that the organization’s information is protected on these devices.

Hence, the ISO 27001 standard guides you to be more aware and vigilant when you use mobile devices outside the premises, as you are carrying with you the organization’s confidential information.

Evidence that can be prepared: A mobile device policy could be prepared, which must clearly state the usage of mobile devices inside and outside the organization. Conduct awareness sessions and maintain records about these sessions.

Note

It is important to make employees/contractors aware of how to use these devices safely and remain vigilant of their surroundings.

The following example controls could be implemented to safely use mobile devices (they are also stated in the ISO 27002:2013 code of practice). An organization can assess them and implement the controls necessary for its business operations.
  • Mobile devices given to employees/contractors must be registered. This helps ensure that only registered devices use your office network and that information is accessed from known devices only. This is only possible when the organization monitors the devices.

  • Employees should not be allowed to install software on these devices on their own, as this could pose an information security risk. Required software must be installed by an authorized individual, such as a member of the IT Helpdesk team. It is advisable to disable installation by anyone else.

  • Ensure that security patches are applied on these devices on time. Devices that cannot be patched on time must be tracked and updated as soon as possible.

  • These devices must lock automatically when unattended for a few minutes and must be password protected, using a phone screen lock password or a folder password. If they are stolen or lost, unauthorized people should not be able to gain access to these devices.

  • Ensure that antivirus software is running on these devices so that a regular scan can be performed on the device to detect any virus or malware.

  • Regular backups must also be performed so that information can be retrieved after any unexpected incident.

  • The policy must also explain what employees should do to report an incident (stolen or lost phone) to the IT Helpdesk team and to their immediate supervisors, so that they can also take steps to minimize the risk of information being accessed.

  • Users should sign an end-user agreement before they get access to a mobile device. It makes them aware and reminds them of their duties to protect the information.
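The controls listed above can be checked mechanically against a device inventory export rather than only by reading the policy. The following Python script is an added example, not from the book or any MDM product; the inventory fields, the thresholds (patch age, auto-lock time, backup age) and the sample devices are constructed assumptions.

```python
"""Mobile device policy compliance check.

Evaluates a device inventory export against the example controls listed
above (registration, restricted software installation, patch currency,
screen lock and auto-lock, antivirus, backups, signed end-user agreement)
and reports the gaps per device.  Field names, thresholds and the sample
inventory are constructed assumptions, not any MDM product's schema.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed policy thresholds (an organization would set its own).
MAX_PATCH_AGE_DAYS = 30
MAX_AUTOLOCK_MINUTES = 5
MAX_BACKUP_AGE_DAYS = 7


@dataclass
class Device:
    device_id: str
    user_id: str
    registered: bool                 # known to IT Helpdesk and allowed on the network
    user_can_install: bool           # True = users can install software themselves
    last_patch: Optional[date]       # None = never patched
    screen_lock: bool                # screen lock password/PIN set
    autolock_minutes: Optional[int]  # None = auto-lock disabled
    antivirus_running: bool
    last_backup: Optional[date]      # None = never backed up
    agreement_signed: bool           # end-user agreement on file


def _older_than(when: Optional[date], as_of: date, max_days: int) -> bool:
    """True when the date is missing or more than max_days before as_of."""
    return when is None or (as_of - when).days > max_days


def check_device(dev: Device, as_of: date) -> List[str]:
    """Return the policy points a single device fails (empty list = compliant)."""
    findings: List[str] = []
    if not dev.registered:
        findings.append("not registered")
    if dev.user_can_install:
        findings.append("user can install software")
    if _older_than(dev.last_patch, as_of, MAX_PATCH_AGE_DAYS):
        findings.append("patches out of date")
    if not dev.screen_lock:
        findings.append("no screen lock password")
    if dev.autolock_minutes is None or dev.autolock_minutes > MAX_AUTOLOCK_MINUTES:
        findings.append("auto-lock missing or too long")
    if not dev.antivirus_running:
        findings.append("antivirus not running")
    if _older_than(dev.last_backup, as_of, MAX_BACKUP_AGE_DAYS):
        findings.append("backup overdue")
    if not dev.agreement_signed:
        findings.append("end-user agreement not signed")
    return findings


def audit_inventory(devices: List[Device], as_of: date) -> Dict[str, List[str]]:
    """Map device_id -> findings for every non-compliant device; compliant devices are omitted."""
    report: Dict[str, List[str]] = {}
    for dev in devices:
        findings = check_device(dev, as_of)
        if findings:
            report[dev.device_id] = findings
    return report


# Constructed sample inventory (three devices, one fully compliant).
AS_OF = date(2020, 6, 30)
DEVICES = [
    Device("LT-001", "radha", True, False, date(2020, 6, 20), True, 3, True, date(2020, 6, 28), True),
    Device("PH-002", "krishna", True, True, date(2020, 4, 1), True, None, False, date(2020, 6, 29), True),
    Device("TB-003", "shiva", False, False, date(2020, 6, 25), False, 2, True, None, False),
]

if __name__ == "__main__":
    for device_id, findings in audit_inventory(DEVICES, AS_OF).items():
        print(device_id, "->", "; ".join(findings))
```

Devices that cannot be patched on time show up under "patches out of date" on every run, which gives the IT Helpdesk team the tracking list the policy asks for.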

Who prepares it: The IT Helpdesk team, in consultation with the information security team, can define the mobile device policy. Awareness sessions can be conducted for mobile device users. Be sure to include end-user agreements for the users of mobile devices to sign.

The IT Helpdesk team will implement all the security controls, as well as any other controls that they deem important based on their experience, skills, and business needs.

For external audit: The external auditor conducting the ISO 27001 certification audit will check the mobile device policy, check how awareness sessions are conducted, and will check the required security controls. Also, if an incident occurs, they will check the steps that were planned and executed.

A.6.2.2: Teleworking (ISO 27001 Control)

A policy and supporting security measures should be implemented to protect the information accessed, processed, or stored at the teleworking sites.

Explanation/what is required: The focus is on which security measures should be implemented to protect information during its access, processing, or storage at teleworking sites.

The following are example points that could be considered for an information security risk assessment when teleworking sites need to be used:
  • The physical environment must be secured while working from teleworking sites.

  • When accessing the organization’s internal systems through remote access, the information that will be accessed should be analyzed (i.e., is it confidential?) and you need to know whether the communication channel is secure or not, for example, whether a virtual private network (VPN) is used.

  • When employees are accessing information from home, family members or friends might try to gain unauthorized access.

  • When clients or external devices not provided by the organization need to access company information, this could be done via virtual desktop access, as it eliminates the need to process and store information on such devices.

Evidence that can be prepared:
  • A teleworking policy can be prepared.

  • List of VPN license/accounts.

  • List of current users who have VPN access.

  • List of incidents and actions that were taken.

Who prepares it: The IT Helpdesk team, with the help of the information security team, creates the policy. The IT Helpdesk team also:
  • Creates and maintains the list of VPN license/accounts and the list of users who have VPN access.

  • Maintains the list of incidents and actions.

A.7 Human Resources Security

A.7.1 Prior to Employment

Objective: To ensure that employees and contractors understand their responsibilities and are suited to the roles for which they are considered.

Explanation: Before new employees and contractors get access to company information and assets, it becomes an important duty of the organization to make them aware of their work-related responsibilities and the safety measures they need to follow. It also is important that people are assigned to the right roles in terms of having the relevant skills, experience, and education.

The goal is to prevent employees or contractors from stealing company information or assets or sharing them with competitors for personal gain. The following sections cover the controls that fall under human resources-related security.

A.7.1.1: Screening (ISO 27001 Control)

Carry out background verification on all candidates for employment in accordance with relevant laws, regulations, and ethics. These checks should be proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.

Explanation/what is required: This control requires the organization to perform background checks on all people who will work for the company. This ensures that potential candidates don’t have fake identities or a serious criminal background that could pose a risk to the organization, its customers, or fellow employees. The human resources department can perform these checks. Some companies outsource the background verification responsibility to experts or agencies.

The company must collect evidence about the candidate, such as educational certificates, the previous company where they worked, whether the company exists, and so on. This can be checked by verifying the company’s website and contacting their human resources team. You can also call the person’s references. All this will help in assessing the risk associated with the candidate and whether they can be hired.

Evidence that can be prepared: Background checks and reports on each candidate.

What is included in this report: Candidate names, the date on which the verification check was performed, the names and contact details of the people who were contacted, and the feedback noted about the candidate. Educational and criminal checks should also be documented.

During their first ISO 27001 implementation, some organizations might not conduct criminal checks on the candidates, so they must mention this in their standard operating procedure and note it as a risk in the human resources department risk assessment tracker.

Who prepares it: The human resources department or the outsource vendor hired for background checks.

For external audit: The external auditor conducting the ISO 27001 certification audit will check for background checks of the employees who joined in the past three or six months, depending on the implementation period in the organization. Figure 6-1 shows the front page of the background verification form. The complete template can be downloaded from the resources section of this book.

Figure 6-1. Front page of a background verification form

A.7.1.2 Terms and Conditions of Employment (ISO 27001 Control)

The contractual agreements with employees and contractors should state their and the organization’s responsibilities for information security.

Explanation/what is required: This control requires the company to define the terms and conditions of the employment contract. This should clearly state the security responsibilities to be adhered to by employees and contractors during their employment. The goal is to make employees aware of these terms. Companies can take action as per the law if company information or assets are misused.

Evidence that can be prepared: A signed employment contract or offer letter (covering terms and conditions).

Who prepares it: The human resources department maintains signed hard copies of the employment contract or offer letter. Scanned soft copies could be maintained as a backup.

For external audit: The external auditor conducting the ISO 27001 certification audit will check for a signed employment contract or offer letter. Also, they will check whether all the terms and conditions are stated clearly and completely.

A.7.2 During Employment

Objective: To ensure that employees and contractors are aware of and fulfill their information security responsibilities.

Explanation: Employees should be fully aware of the threats to their data that arise during their daily job activities and understand their responsibilities to mitigate these threats.

A.7.2.1 Management Responsibilities (ISO 27001 Control)

Management should require all employees and contractors to follow the information security guidelines in accordance with the established policies and procedures of the organization.

Explanation/what is required: This control requires management to communicate to employees and contractors the standard operating procedures to ensure that security practices are implemented accordingly.

Evidence that can be prepared: Communication emails, minutes of the meeting, and signed/approved policies and procedures.

Who prepares it: Emails from management and the minutes of meetings are maintained by the information security team. The information security department should also maintain signed hard copies of approved policies and procedures, with scanned soft copies maintained as a backup.

For external audit: The external auditor conducting the ISO 27001 certification audit will check for the evidence.

A.7.2.2 Information Security Awareness, Education, and Training (ISO 27001 Control)

All employees of the organization and, when relevant, contractors should receive appropriate awareness training and regular updates to organizational policies and procedures, as relevant to their job function.

Explanation/what is required: Information security awareness sessions should be planned and conducted for all the employees, including your support staff, such as cleaners, security guards, etc. Whenever any changes/updates take place to any of the policies or standard operating procedures, employees must be made aware of them. These awareness sessions must be conducted for contractors and third-party users as well, as they also pose risks to information security.

Awareness helps reduce security risks, so these awareness sessions must be conducted on a regular basis and should be a mandatory part of the new hire induction program.

Evidence that can be prepared: Attendance records of participants/employees who attended the awareness sessions. Feedback forms and records of any quizzes.

Who prepares it: Awareness sessions are conducted by the information security department. Whenever sessions are conducted, attendance records need to be maintained.

For external audit: The external auditor conducting the ISO 27001 certification audit will check for the records of the awareness sessions. The auditor can ask questions randomly to any employee to check their knowledge.

A.7.2.3 Disciplinary Process (ISO 27001 Control)

There should be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.

Explanation/what is required: There must be a defined policy or a standard operating procedure that covers the disciplinary steps to be taken in the case of misconduct.

Evidence that can be prepared: Disciplinary policy or a standard operating procedure, or both, could be prepared. Feedback forms.

Who prepares it: The human resources department.

For external audit: The external auditor conducting the ISO 27001 certification audit will check for the disciplinary policy or a standard operating procedure.

A.7.3 Termination or Change of Employment

Objective: To protect the organization’s interests as part of the process of changing or terminating employment.

Explanation: Whenever an employee or contractor exits the organization, their exit formalities must be completed systematically. Also, if there is a change in employment responsibilities within the organization, there should be a standard process.

A.7.3.1 Termination or Change of Employment Responsibilities (ISO 27001 Control)

Information security responsibilities and duties that remain valid after termination or change of employment should be defined and communicated to the employee or contractor and enforced.

Explanation/what is required: The focus here is on the following things:
  • When an employee/contractor joins and then leaves the company/organization.

  • An employee could transfer from one location to another within the organization.

  • Employee/contractor responsibilities can change, i.e., they could be increased or decreased.

When employees leave: The organization must define a clear policy or standard operating procedure that explains what employees/contractors must do to complete all the exit formalities when they leave the organization. This is to ensure that the exit is done in a safe manner without any impact on organizational information.

It is important to ensure that exiting employees/contractors do not have access to sensitive information or assets after their last day.

Clients also know the importance of safeguarding their information, and they could also communicate their own standard operating procedures to you to follow when an employee/contractor working for your client leaves. It is the duty of the organization to ensure that exiting employees abide by these defined policies.

When employees transfer to another department: Employees could move from one office location to another office or department. Say that employee Krishna is working at office location A and is then transferred to office location B. It becomes important for the organization to review and revoke Krishna’s access to the information, assets, tools/applications, etc. that are relevant only to location A and to ensure that he has access to location B’s data and information only.

Even when the employee transfers from one department to another, you must follow the same process and review/revoke access accordingly.

When the responsibilities of an employee change: Employee or contractor responsibilities could undergo changes; for example, they might get additional/new responsibilities and old responsibilities might no longer be valid. In such scenarios, it’s important to review/revoke the access accordingly.

Evidence that can be prepared: The human resources (HR) department typically manages employee exits and transfers, so HR should define the policy that covers these scenarios and should ensure that this information is communicated to employees and contractors.

The evidence can be an employee exit form on which every department lists the information for which access needs to be revoked and assets to be returned. On their last day, the employee must return all the assets issued by every department. Every department head must sign the employee exit form to confirm that the employee has returned all assets. Once the employee exit form has been signed by every department head, then the HR department should relieve the employee by providing a company relieving certificate or an experience certificate (as per the human resources norms/standards).

Note

Organizations that do not use a paper-based approach for the employee exit form can use ticket-based tools or email communication. It is up to the organization to decide which method is effective and useful. In any case, evidentiary records need to be maintained for a longer period and should be easily available for audit/verification purposes.

IT companies and IT departments in any organization must ensure that the user ID of the employee/contractor is disabled in the system on the last day (the record must be available in the system for audit purposes) to ensure no tools or applications are accessible.
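The checks described above (disabling the user ID on the last day, and reviewing and revoking access after a transfer or a change of responsibilities) can be run as a periodic reconciliation between HR records and the account directory. The following Python script is an added example, not from the book or any HR or IT product; its record layout, the role-to-grant mapping, the "LOC-<site>:" grant naming and the sample data are constructed assumptions.

```python
"""Joiner/mover/leaver access review.

Reconciles HR records (exits, transfers, responsibility changes) against a
snapshot of user accounts and their access grants, and reports what should
have been disabled or revoked.  All records, field names and the role-to-
grant mapping are constructed assumptions, not any HR or IT system's schema.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class HrRecord:
    user_id: str
    location: str                          # current office location
    roles: List[str] = field(default_factory=list)
    last_day: Optional[date] = None        # set once an exit date is known


@dataclass
class Account:
    user_id: str
    enabled: bool
    grants: Set[str] = field(default_factory=set)


# Constructed mapping: which grants each role justifies.  Location-bound grants
# use an assumed "LOC-<site>:" prefix and are justified by the current location.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "business-analyst": {"jira", "requirements-repo"},
    "qa-engineer": {"jira", "test-lab"},
}


def expected_grants(rec: HrRecord) -> Set[str]:
    """Grants justified by the person's current location and current roles."""
    expected = {f"LOC-{rec.location}:fileshare"}
    for role in rec.roles:
        expected |= ROLE_ENTITLEMENTS.get(role, set())
    return expected


def has_left(rec: HrRecord, as_of: date) -> bool:
    # The user ID must be disabled on the last day itself, so a last_day equal
    # to as_of already counts as "should be disabled by now".
    return rec.last_day is not None and rec.last_day <= as_of


def leavers_still_enabled(hr: List[HrRecord], accounts: Dict[str, Account], as_of: date) -> List[str]:
    """Leavers whose account is still enabled on or after their last day."""
    return sorted(
        rec.user_id for rec in hr
        if has_left(rec, as_of) and rec.user_id in accounts and accounts[rec.user_id].enabled
    )


def excess_grants(hr: List[HrRecord], accounts: Dict[str, Account], as_of: date) -> Dict[str, Set[str]]:
    """Grants held by active staff that neither their current location nor their
    current roles justify: leftovers from a transfer or from responsibilities
    that are no longer valid."""
    findings: Dict[str, Set[str]] = {}
    for rec in hr:
        if has_left(rec, as_of):
            continue                       # reported by leavers_still_enabled instead
        acct = accounts.get(rec.user_id)
        if acct is None or not acct.enabled:
            continue
        extra = acct.grants - expected_grants(rec)
        if extra:
            findings[rec.user_id] = extra
    return findings


def orphaned_accounts(hr: List[HrRecord], accounts: Dict[str, Account]) -> List[str]:
    """Enabled accounts with no HR record at all, so nobody's exit would ever disable them."""
    known = {rec.user_id for rec in hr}
    return sorted(uid for uid, acct in accounts.items() if acct.enabled and uid not in known)


def run_review(hr: List[HrRecord], accounts: Dict[str, Account], as_of: date) -> Dict[str, object]:
    return {
        "leavers_still_enabled": leavers_still_enabled(hr, accounts, as_of),
        "excess_grants": excess_grants(hr, accounts, as_of),
        "orphaned_accounts": orphaned_accounts(hr, accounts),
    }


# Constructed sample: Krishna moved from location A to B and dropped the QA
# role; Shiva left on 31 March; "svc-old" has no HR owner.
REVIEW_DATE = date(2020, 4, 1)
HR = [
    HrRecord("krishna", "B", ["business-analyst"]),
    HrRecord("radha", "A", ["qa-engineer"]),
    HrRecord("shiva", "A", ["qa-engineer"], last_day=date(2020, 3, 31)),
]
ACCOUNTS = {
    "krishna": Account("krishna", True, {"LOC-A:fileshare", "LOC-B:fileshare", "jira", "test-lab"}),
    "radha": Account("radha", True, {"LOC-A:fileshare", "jira", "test-lab"}),
    "shiva": Account("shiva", True, {"LOC-A:fileshare", "jira"}),
    "svc-old": Account("svc-old", True, {"vpn"}),
}

if __name__ == "__main__":
    for check, result in run_review(HR, ACCOUNTS, REVIEW_DATE).items():
        print(f"{check}: {result}")
```

The output of each run, kept with its review date, is the kind of system record an auditor can be shown alongside the signed exit form.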

An example exit clearance form is shown in Figure 6-2, for reference. The complete form can be downloaded from the book’s resources.

Figure 6-2. Employee exit clearance form

A.8 Asset Management

A.8.1 Responsibility for Assets

Objective: To identify organizational assets and define appropriate protection responsibilities.

Explanation: The objective is to identify all the assets associated with the organization and then define security controls needed to safeguard those assets.

The next sections explain the controls in asset management.

A.8.1.1 Inventory of Assets (ISO 27001 Control)

Assets associated with information and information processing facilities should be identified and an inventory of these assets should be drawn up and maintained.

Explanation/what is required: The first step is to create an asset list by identifying the relevant assets. An inventory of these assets needs to be managed throughout their lifecycle, which includes creation, processing, storage, transmission, deletion, and destruction.

Note

The inventory of your assets should be accurate and up to date in order to best manage organizational risk.

Evidence that can be prepared: An asset register should be prepared.

Who prepares it: The relevant department head/team members should prepare the asset register. For example, an HR asset inventory should be prepared by HR and the IT assets inventory should be prepared by the IT team/department.

For external audit: An external auditor may check for an asset register during the ISO 27001 audit.

A.8.1.2 Ownership of Assets (ISO 27001 Control)

Assets maintained in the inventory should be owned.

Explanation/what is required: This control requires you to have assigned an owner to every asset. Whenever new assets are created or transferred to the organization, you should define who will be responsible for the management of that asset throughout the lifecycle. The asset owner is responsible for:
  • Ensuring that the asset register is correct and up to date.

  • Ensuring that assets are classified into appropriate categories and protected.

  • Defining the asset management policy and reviewing it periodically.

  • Properly handling assets while deleting or destroying them.

Evidence that can be prepared: Asset management policy and an asset register.

Who prepares it: The information security team should prepare the asset management policy and the relevant asset owner/department should prepare the asset register.

For external audit: An external auditor may check for this evidence, to verify that asset management practices are followed and managed throughout the asset’s lifecycle.

A.8.1.3 Acceptable Use of Assets (ISO 27001 Control)

Rules for the acceptable use of information and assets associated with information and information processing facilities should be identified, documented, and implemented.

Explanation: Assets are used by the organization and by its suppliers or vendors, all of whom must understand the information security requirements associated with each asset. They are therefore responsible for the assets provided to them for official use.

Evidence that can be prepared: Acceptable use policy.

Who prepares it: The information security team and the relevant asset owner/department prepare the acceptable use policy.

For external audit: An external auditor may check for the acceptable use policy during the ISO 27001 audit.

A.8.1.4 Return of Assets (Control ISO 27001)

All employees and external party users should return all the organizational assets in their possession upon termination of their employment, contract, or agreement.

Explanation/what is required: This control explains the return of assets. For example, the employee or the vendor must return all the organizational assets when their project, contract, or agreement is closed. Upon termination of employment, assets such as laptops, company IDs, or any other asset provided by the company must be returned.

If an employee or external party is leaving the organization, they must document any job knowledge that is required for the smooth operation of the company. This document is sometimes known as a knowledge transfer (KT) document.

Evidence that can be prepared: The exit form should indicate whether all assets have been returned.

Who prepares it: Each department head is responsible for collecting their assets and keeping records of that process.

For external audit: An external auditor may check for evidence in the form of physical or soft copies of reports or documents.

Note

The organization should watch for unauthorized copying of information, especially after notice of termination, to ensure that no intellectual property or copyrights are violated.

A.8.2 Information Classification

Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.

Explanation: This control helps classify information, which is very important for the organization. Not all information is critical, and at the same time, not all information can be shared with the public. Hence, the classification of information plays an important role. The next sections discuss the controls related to information classification.

A.8.2.1 Classification of Information (Control ISO 27001)

Information should be classified in terms of legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification.

Explanation/what is required: The control says that classification of information should be done based on criticality, value, and sensitivity. The information classification should be done based on a risk assessment activity. Information classification must be defined based on the business need and there must be a process for defining and documenting information classification.

The frequency of information classification should be defined in the policy and should be updated based on the value and criticality of the information.

Evidence that can be prepared: Information classification policy and information classification guideline.

Who prepares it: The information security team is responsible for preparing the information classification policy and guideline.

For external audit: The external auditor in the ISO 27001 audit will check for this document.

A.8.2.2 Labeling of Information (Control ISO 27001)

An appropriate set of procedures for information labeling should be developed and implemented in accordance with the information classification scheme adopted by the organization.

Explanation/what is required: This control covers the procedures required for labeling information assets under the classification plan of the organization. You need to mention:
  • Where and how the label can be attached

  • On what types of media labeling is required

  • Where labeling is not required

Evidence that can be prepared: Information classification policy and information classification guideline.

Who prepares it: The information security team is responsible for preparing the information classification policy and guideline.

For external audit: The auditor will look at the records for information labeling along with the policy document.

A.8.2.3 Handling of Assets (Control ISO 27001)

Procedures for handling assets should be developed and implemented in accordance with the information classification scheme adopted by the organization.

Explanation/what is required: This control ensures the proper handling of assets by having a clear procedure for processing, storing, and communicating information assets. The following steps are required to ensure secure handling of assets:
  • Maintain a record for use by authorized recipients.

  • Implement access restrictions for each level of information classification.

  • Store the IT assets as per the manufacturer's instructions only.

Note

An agreement should be in place when the assets are used by other organizations/external parties on a sharing basis.

Evidence that can be prepared: Asset tracker and procedures for asset handling.

Who prepares it: Asset owners are responsible for handling assets, and the information security team facilitates the asset handling procedure by getting input from various departments.

For external audit: The auditor will look at the records for asset handling along with the policy document.

A.8.3 Media Handling

Objective: To prevent unauthorized disclosure, modification, removal, or destruction of information stored on media.

Explanation: The objective is to prevent any kind of unauthorized access to a media device. This includes how media is managed, how media is disposed of securely, and how physical media is transferred. The next sections cover all the controls.

A.8.3.1 Management of Removable Media (Control ISO 27001)

Procedures should be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.

Explanation/what is required: This control focuses on the management of removable media. The procedure should be defined to protect and manage removable media. The following points should be considered:
  • All the removable media should be stored in a safe and secure environment.

  • To reduce the risk of data damage, there should be multiple media devices to store business-critical data/information.

  • Confidential information should be protected with a cryptographic technique.

  • Restrict the use of external drives such as hard disks, stick devices, etc.

Evidence that can be prepared: Prepare the procedure for the management of removable devices.

Who prepares it: The IT team is responsible for records related to media transfer. Policies should also be defined and implemented with the support of the information security team.

For external audit: The external auditor will look for this document.

Note

Some external auditors may also physically check whether the removable device is blocked as per the policy document to confirm the compliance.

A.8.3.2 Disposal of Media (Control ISO 27001)

Media should be disposed of securely when it’s no longer required, using formal procedures.

Explanation/what is required: This control covers media disposal. For example, if you have information that is 10 years old and stored on media that is no longer needed, you need a policy to remove that data. This can all be part of your media disposal policy. For the implementation of this control, the following points should be considered:
  • Media that contains confidential information should be destroyed securely, for example with a shredder or another suitable tool.

  • Write a procedure for identifying and securely disposing of media containing sensitive information.

  • Maintain an audit trail of the secure disposal of such media.

Evidence that can be prepared: The procedure document can be prepared to explain how you securely dispose of the media.

Who prepares it: The disposal of media is the responsibility of the IT department, which must also prepare the procedure for secure media disposal with the help of the information security team.

For external audit: The external auditor will look for the media disposal policy and procedure. They may ask for the media disposal records.

A.8.3.3 Physical Media Transfer (Control ISO 27001)

Media containing valuable information should be protected against unauthorized access, misuse, or corruption during transportation.

Explanation/what is required: This control covers securing physical media transfer. Consider these points to implement this control:
  • Identify the list of courier services and choose a reliable partner.

  • Protect the content by using quality packaging that prevents the courier from seeing the content and reduces the chances of physical damage.

Evidence that can be prepared: A tracking log can be maintained to track media transfer. Tracking slips can be kept for record purposes.

Who prepares it: The admin from the IT team and the facility team should be responsible for creating the procedure and keeping the records in place.

For external audit: The external auditor may ask for the records and processes used to secure physical media transfer.

Note

After selecting a reliable courier partner, there must be an agreement between the two parties.

A.9 Access Control

A.9.1 Business Requirements of Access Control

Objective: To limit access to information and information processing facilities.

Explanation/what is required: The objective is to protect information security by limiting access to company information, systems, and tools. Limiting access means granting access only at the levels required, as loose access may increase the risk of an information security breach.

A.9.1.1 Access Control Policy (ISO 27001 Control)

An access control policy should be established, documented, and reviewed based on the business and information security requirements.

Explanation/what is required: The requirement is to design a policy for managing access rights to information and the various assets of the organization. It is important that access rights are specific to each user role.

To design an access control policy, organizations should consider the following points, mapping them with their business requirements:
  • Assess your business application security requirements.

  • Base access rights on the information classification guidelines.

  • Assess the relevant laws and contractual requirements before allotting access rights.

  • Determine how access to the information will be requested, authorized, and administered.

  • Determine how privileged access rights will be allotted and managed.

  • Determine how access rights will be reviewed at regular intervals.

  • Determine how removal of access rights will be requested and managed.

Evidence that can be prepared: Access control policy and risk tracker (with identified risks as part of access permissions).

Who prepares it: The information security team needs to get input from various departments, including critical ones such as the IT Helpdesk team, to define the access control policy.

For external audit: An external auditor conducting the ISO 27001 certification audit will check the access control policy in order to verify how the organization has defined and communicated the policy to all stakeholders.

A.9.1.2 Access to Networks and Network Services (ISO 27001 Control)

Users should only be provided access to the network and network services that they have been specifically authorized to use.

Explanation/what is required: The requirement is what the objective says: organizations must ensure that only authorized users/employees are provided access to the organization's network and network services. Any unauthorized use can pose a threat to the organization's information.

The network policy should cover the following:
  • Information on networks that is accessible

  • How users/employees will be authenticated before access is granted

  • Mode of using the network, i.e., wireless, LAN, VPN, etc.

  • How the network will be monitored to safeguard information

Evidence that can be prepared: Access control policy, network control policy, network diagram, and network monitoring logs.

Who prepares it: The IT Helpdesk team along with the information security team would prepare the evidence.

For external audit: An external auditor conducting the ISO 27001 certification audit will check the evidence in order to verify how the organization has defined and implemented the network policy and the measures taken to protect the network and network services.

A.9.2 User Access Management

Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.

Explanation/what is required: Protect information security by ensuring that only authorized users gain access to the organization's systems and services. Also, implement security controls to prevent access by unauthorized users.

A.9.2.1 User Registration and De-Registration (ISO 27001 Control)

A formal user registration and de-registration process should be implemented to enable assignment of access rights.

Explanation/what is required: The requirement is to design a procedure that should cover how a user registration and de-registration will be done in different scenarios. The following points could be covered, based on organizational needs:
  • Every user must be allotted a unique ID, so it is easy to identify and track the user. If a security breach takes place, the user/employee will be held responsible and disciplinary action will be taken.

  • Ensure that no shared IDs are used. Where a shared ID is required for business purposes, it must be approved by authorized members, documented, and monitored on a regular basis. Shared user IDs are risk prone: when a security breach happens, it is often difficult to assess who was responsible because the same user ID is used by several users.

  • Once an employee leaves the organization, his/her user ID must be disabled immediately to avoid any information security breach.

  • Ensure that there is a periodic review performed on user IDs to identify whether any redundant user IDs exist. They should immediately be disabled.

  • Determine how requests will be made for assigning and revoking user IDs. It must be clear who can raise the request, approvals required, etc.

Evidence that can be prepared: Access control policy, user registration/de-registration procedures, requests raised for user registration/de-registration, evidence of user registration and disabling of user IDs, list of active and disabled user IDs, and monitoring records of user IDs at regular intervals.

Who prepares it: The IT Helpdesk team along with the information security team would prepare the evidence.

For external audit: An external auditor conducting the ISO 27001 certification audit will check the evidence in order to verify how the organization has defined and implemented the user registration and de-registration procedure. They might also check when users/employees left the organization and see whether their user IDs were disabled immediately.

A.9.2.2 User Access Provisioning (ISO 27001 Control)

A formal user access provisioning process should be implemented to assign or revoke access rights for all user types to all systems and services.

Explanation/what is required: The following points could be covered, based on organization business needs.

Before providing user access to the organization's systems and services, appropriate approvals must be obtained from the owner of those systems and services. It must be ensured that access rights are granted as per the defined policy and the roles defined for each user/designation. IDs of users whose roles have changed or who have left the organization must be disabled immediately. Maintain the list of active and disabled user IDs.

Evidence that can be prepared: Access control policy, requests raised for granting/revoking user access, evidence of granting/revoking access for the users, list of active and disabled user IDs, and monitoring records of user IDs at regular intervals.

Who prepares it: The IT Helpdesk team along with the information security team would prepare the evidence.

For external audit: An external auditor conducting the ISO 27001 certification audit will check the evidence in order to verify how the organization has granted and revoked access to the users for specific information systems and services.

A.9.2.3 Management of Privileged Access Rights (ISO 27001 Control)

The allocation and use of privileged access rights should be restricted and controlled.

Explanation/what is required: Privileged access rights management is important as users with such access can modify/delete information. The following points could be covered, based on the organization’s business needs:
  • Identify all systems and services for which privileged user IDs are needed and users who could be provided with such IDs.

  • Authorization steps and records of all privileged user IDs must be maintained.

  • Expiry dates of all privileged user IDs must be defined.

  • Privileged user IDs must be created separately as a unique ID, and they should not be merged with the regular user ID allotted to the users.

  • For administrator user IDs, the secret authentication information must be protected, for example by changing passwords regularly. When the user leaves the organization, their user IDs must be disabled immediately.

Evidence that can be prepared: Privileged user access control policy, requests raised for privileged user IDs, evidence of granting/revoking access for privileged user IDs, list of active and disabled privileged user IDs, and monitoring records of privileged user IDs at regular intervals.

Who prepares it: The IT Helpdesk team along with the information security team would prepare the evidence.

For external audit: An external auditor conducting the ISO 27001 certification audit will check the evidence in order to verify how the organization has managed the access rights of privileged user IDs.

A.9.2.4 Management of Secret Authentication Information of Users (ISO 27001 Control)

The allocation of secret authentication information should be controlled through a formal management process.

Explanation/what is required: Secret authentication information management is important. The following points could be covered, based on the organization’s business needs:
  • Users must sign a statement committing to secure their secret authentication information (i.e., passwords), as it is confidential information that belongs to a specific user. Sharing passwords with unauthorized users, intentionally or unintentionally, is an information security breach that may pose a threat to the information.

  • When secret authentication information is first issued to a user, it must be temporary, and the user must be forced to change the temporary password to secret authentication information of their own choosing.

  • Temporary secret authentication information must be shared in a secure manner, to ensure that it reaches the right recipient/user only. Users must acknowledge receipt of the secret authentication information.

Evidence that can be prepared: Password control policy and a procedure describing how secret authentication information will be created, shared, and maintained.

Who prepares it: The IT Helpdesk team along with the information security team would prepare the evidence.

For external audit: An external auditor conducting the ISO 27001 certification audit will check the evidence in order to verify how the organization will create, share, and maintain secret authentication information for employees/contractors.

A.9.2.5 Review of User Access Rights (ISO 27001 Control)

Asset owners should review users' access rights at regular intervals.

Explanation/what is required: Review of user access rights is important to avoid any unauthorized access to the information/assets. The following points could be covered, based on the organization’s business needs:
  • Users’ access rights must be reviewed at regular intervals including when users are promoted, or their roles are changed, or they leave the organization.

  • Privileged user IDs must be reviewed on a more frequent basis, as such users can alter, modify, or delete information more easily than any normal users.

  • Logs of privileged user IDs must be maintained whenever there are changes to the access permission rights.

Evidence that can be prepared: Password control policy, reviews of user access rights, logs of access changes to privileged user IDs, and list of disabled privileged user IDs.

Who prepares it: The IT Helpdesk team along with the information security team would prepare the evidence.

For external audit: An external auditor conducting the ISO 27001 certification audit will check the evidence in order to verify how the organization will review the user access rights permissions at regular intervals to avoid any security breaches.

A.9.2.6 Removal or Adjustment of Access Rights (ISO 27001 Control)

The access rights of all employees and external users to information and information processing facilities should be removed upon termination of their employment, contract, or agreement or adjusted upon change.

Explanation/what is required: The following points could be covered, based on the organization’s business needs:
  • The organization must ensure that the access rights of employees/contractors are revoked once they leave the organization. Also, when there are changes in employment (i.e., changes in roles for business purposes or changes in the contract/agreement), a review of access rights must be conducted to check whether the existing access rights need to be changed. These access rights could be authorization levels for systems/applications, identification cards, etc. For more information, refer to earlier chapters in this book.

  • If the user was allotted any asset, it must be returned to the specific department before termination or the employment change.

  • Known passwords for user IDs must be disabled on the last working day of the employee/contractor.

Evidence that can be prepared: Access control policy, disable requests for user IDs/passwords, and list of disabled user IDs/passwords.

Who prepares it: The Human Resources team raises the disable requests for user IDs/passwords with the IT Helpdesk team, who disable them and maintain appropriate records/evidence. The information security team reviews and provides consulting about the process.

For external audit: An external auditor conducting the ISO 27001 certification audit will check the evidence in order to verify how the organization will review and disable user IDs/passwords of users.
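The periodic review described under A.9.2.1, A.9.2.3, A.9.2.5 and A.9.2.6 can be automated by reconciling an export of system accounts against HR records. The following Python is an added example, not code from the book; the record layout, finding names, the 90-day dormancy threshold and all sample records are constructed assumptions.

```python
"""Periodic user-ID review, as described for A.9.2.1, A.9.2.3, A.9.2.5 and A.9.2.6.

Reconciles an export of system accounts with HR records and flags the
conditions those controls call out.  Field names, thresholds and the sample
records below are constructed for this example.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

DORMANT_AFTER_DAYS = 90  # constructed threshold for treating an ID as redundant


@dataclass(frozen=True)
class HrRecord:
    emp_id: str
    status: str                        # "active" or "left"
    last_working_day: Optional[date]   # set when status == "left"


@dataclass(frozen=True)
class Account:
    user_id: str
    owner_emp_id: Optional[str]        # None marks a shared ID
    enabled: bool
    privileged: bool
    expires: Optional[date]            # required for privileged IDs
    last_login: Optional[date]         # None: never logged on
    shared_approval_ref: Optional[str] = None  # approval record for a shared ID


def review_access(accounts: List[Account], hr_records: List[HrRecord],
                  today: date) -> List[Tuple[str, str]]:
    """Return sorted (finding, user_id) pairs for enabled IDs that breach the controls."""
    hr = {rec.emp_id: rec for rec in hr_records}
    findings = set()
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled, which is the desired end state
        if acct.owner_emp_id is None:
            # Shared IDs are allowed only with documented approval (A.9.2.1).
            if not acct.shared_approval_ref:
                findings.add(("SHARED_ID_UNAPPROVED", acct.user_id))
        else:
            owner = hr.get(acct.owner_emp_id)
            if owner is None:
                # No HR record at all: nobody is accountable for this ID.
                findings.add(("ORPHAN_ID", acct.user_id))
            elif (owner.status == "left" and owner.last_working_day is not None
                  and owner.last_working_day < today):
                # ID should have been disabled on the last working day (A.9.2.6).
                findings.add(("LEAVER_STILL_ENABLED", acct.user_id))
        if acct.privileged:
            # Privileged IDs need a defined expiry date (A.9.2.3).
            if acct.expires is None:
                findings.add(("PRIVILEGED_NO_EXPIRY", acct.user_id))
            elif acct.expires < today:
                findings.add(("PRIVILEGED_EXPIRED", acct.user_id))
        # Redundant IDs found in the periodic review should be disabled (A.9.2.1).
        if acct.last_login is None or (today - acct.last_login).days > DORMANT_AFTER_DAYS:
            findings.add(("DORMANT_ID", acct.user_id))
    return sorted(findings)


# Constructed sample data for a review run on the last day of a quarter.
REVIEW_DATE = date(2020, 3, 31)
SAMPLE_HR = [
    HrRecord("E100", "active", None),
    HrRecord("E200", "left", date(2020, 3, 13)),
    HrRecord("E300", "active", None),
]
SAMPLE_ACCOUNTS = [
    Account("alice", "E100", True, False, None, date(2020, 3, 30)),
    Account("bob", "E200", True, False, None, date(2020, 3, 12)),
    Account("bob_old", "E200", False, False, None, date(2019, 6, 1)),
    Account("svc_backup", None, True, False, None, date(2020, 3, 30)),
    Account("svc_print", None, True, False, None, date(2020, 3, 29), "CHG-0421"),
    Account("carol_adm", "E300", True, True, date(2020, 2, 29), date(2020, 3, 25)),
    Account("dave", "E400", True, False, None, date(2019, 11, 1)),
    Account("erin_adm", "E100", True, True, None, date(2020, 3, 20)),
]


def sample_review() -> List[Tuple[str, str]]:
    """Run the review over the constructed sample data."""
    return review_access(SAMPLE_ACCOUNTS, SAMPLE_HR, REVIEW_DATE)


if __name__ == "__main__":
    for finding, user_id in sample_review():
        print(f"{finding:24} {user_id}")
```

Each finding maps to a record the auditor may ask for: the leaver's disable request, the shared-ID approval, or the privileged-ID expiry.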

A.9.3 User Responsibilities

Objective: To make users accountable for safeguarding their authentication information.

Explanation/what is required: Users must protect secret authentication information shared with them for official use.

A.9.3.1 Use of Secret Authentication Information (ISO 27001 Control)

Users should be required to follow the organization's practices when using secret authentication information.

Explanation/what is required: Secret authentication information shared with a user/employee must be kept confidential. It is advisable not to keep secret authentication information in written form, i.e., on paper. If a password vault is used, it can be stored there, as vaults are more secure.

Secret authentication information must be changed immediately whenever there is an indication that it has been compromised.

Evidence that can be prepared: Access control policy, secret authentication information policy, requests for secret authentication information, and list of users with secret authentication information.

Who prepares it: The IT Helpdesk team will share the secret authentication information and will maintain associated record/evidence. The information security team would review and provide consulting about the process.

For external audit: An external auditor conducting the ISO 27001 certification audit will check the evidence in order to verify how the organization shares secret authentication information with users/employees and how users/employees protect it when using it for official purposes.

A.9.4 System and Application Access Control

Objective: To prevent unauthorized access to systems and applications.

Explanation/what is required: The objective is that the organization must make provisions to prevent unauthorized access to systems and applications.

A.9.4.1 Information Access Restriction (ISO 27001 Control)

Access to information and application system functions should be restricted in accordance with the access control policy.

Explanation/what is required: As most of the organization's information/data is provided or stored on application systems, access to it must be restricted in accordance with the access control policy. The organization should consider the following example points when granting users/employees access to information and application systems:
  • Identify the users who will access certain information/data

  • Determine how the access controls will be managed for the users (i.e., read, write, and delete)

  • Determine how the access rights will be managed for other applications

Evidence that can be prepared: Access control policy, list of users with access permission rights i.e. read, write, and delete for all applications, and list of active and disabled users.

Who prepares it: The IT Helpdesk team will prepare and maintain record/evidence. The information security team would review and provide consulting on the process.

For external audit: An external auditor conducting the ISO 27001 certification audit will check the evidence in order to verify how the organization will manage users with access permission rights (i.e. read, write, and delete) for all applications’ data/information.

A.9.4.2 Secure Log-On Procedures (ISO 27001 Control)

Where required by the access control policy, access to systems and applications should be controlled by a secure log-on procedure.

Explanation/what is required: The organization must make provisions for a secure log-on procedure for access to systems and applications. Its purpose is to confirm the identity of a valid user and grant them authorized access as per the access control policy. The organization can consider the following points for secure log-on procedures:
  • Users/employees are allowed into the system only after successful completion of the secure log-on procedure.

  • The organization can implement the security control by configuring a system setting that displays a warning message stating that the system/computer may be used by authorized users only.

  • Log-on information is validated only after all input data has been entered, so that an attacker is not told which part was wrong.

  • Log all the successful and unsuccessful attempts made.

  • Security incidents must be logged if a security breach is observed while logged on.

  • While entering the password, it should not be visible.

  • Terminate the inactive session after a certain period to minimize the risk of unauthorized access.

Evidence that can be prepared: Access control policy, secure log-on procedure, and list of secure log-on incidents.

Who prepares it: The IT Helpdesk team will prepare and maintain record/evidence. The information security team would review and provide consulting on the process.

For external audit: An external auditor conducting the ISO 27001 certification audit will check the evidence in order to verify how the organization is managing the secure log-on procedure to ensure that only valid, authorized users gain access to the systems.

A.9.4.3 Password Management System (ISO 27001 Control)

Password management systems should be interactive and should ensure quality passwords.

Explanation/what is required: The organization can consider the following points for the password management system:
  • Ensure that user IDs/passwords are unique, to make each user accountable.

  • Passwords must be changed at the first log-on, as the initial password is a default password that the user must replace with one of their own.

  • Passwords must be changed at regular intervals, such as every 60 to 90 days.

  • A record of previously used passwords must be maintained so that they cannot be reused.

  • When entering the password, it should not be visible.

Evidence that can be prepared: Password creation policy, list of unique passwords per user ID, list of previously used passwords, and the system setting configured to force password changes every 90 days.

Who prepares it: The IT Helpdesk team will prepare and maintain record/evidence. The information security team would review and provide consulting on the process.

For external audit: An external auditor conducting the ISO 27001 certification audit will check the evidence in order to verify how the organization manages its password management system to ensure that no unauthorized access attempts succeed.
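The checks listed for A.9.4.3 (unique IDs, a forced change of the initial temporary password, rotation within 60 to 90 days, and no reuse of previous passwords) can be enforced in code rather than left to procedure. The following Python is an added example, not code from the book; the class, its method names, the 12-character minimum, the history depth and the sample user and passwords are constructed assumptions, and only salted PBKDF2 hashes are stored.

```python
"""Password management system checks listed under A.9.4.3 (constructed example)."""
import hashlib
import hmac
import secrets
from datetime import date, timedelta

MAX_PASSWORD_AGE_DAYS = 90   # within the 60 to 90 day range given above
HISTORY_DEPTH = 5            # previous hashes kept to block reuse (assumption)
MIN_LENGTH = 12              # constructed minimum length
PBKDF2_ROUNDS = 100_000


class PasswordPolicyError(ValueError):
    """Raised when a request violates the password policy."""


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _matches(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(_derive(password, salt), digest)


class PasswordStore:
    def __init__(self):
        self._users = {}   # user_id -> record; never holds a plaintext password

    def create_user(self, user_id: str, temporary_password: str, today: date) -> None:
        """Register a unique user ID with a temporary password that must be changed."""
        if user_id in self._users:
            raise PasswordPolicyError("user ID must be unique")
        salt = secrets.token_bytes(16)
        self._users[user_id] = {"salt": salt, "digest": _derive(temporary_password, salt),
                                "set_on": today, "must_change": True, "history": []}

    def authenticate(self, user_id: str, password: str, today: date) -> str:
        """Return REJECTED, CHANGE_REQUIRED, EXPIRED or OK."""
        rec = self._users.get(user_id)
        if rec is None or not _matches(password, rec["salt"], rec["digest"]):
            return "REJECTED"
        if rec["must_change"]:
            return "CHANGE_REQUIRED"     # temporary password still in use
        if (today - rec["set_on"]).days > MAX_PASSWORD_AGE_DAYS:
            return "EXPIRED"             # rotation interval has passed
        return "OK"

    def change_password(self, user_id: str, current: str, new: str, today: date) -> None:
        rec = self._users.get(user_id)
        if rec is None or not _matches(current, rec["salt"], rec["digest"]):
            raise PasswordPolicyError("current password incorrect")
        if len(new) < MIN_LENGTH:
            raise PasswordPolicyError(f"password shorter than {MIN_LENGTH} characters")
        # Compare the candidate against the current password and the retained history.
        previous = [(rec["salt"], rec["digest"])] + rec["history"]
        if any(_matches(new, salt, digest) for salt, digest in previous):
            raise PasswordPolicyError("previous passwords may not be reused")
        rec["history"] = previous[:HISTORY_DEPTH]
        rec["salt"] = secrets.token_bytes(16)
        rec["digest"] = _derive(new, rec["salt"])
        rec["set_on"] = today
        rec["must_change"] = False


def demo() -> dict:
    """Walk one constructed user through the lifecycle and return the outcomes."""
    store = PasswordStore()
    day0 = date(2020, 1, 6)
    temp, chosen = "Temp-Welcome-2020!", "correct horse battery 1"   # constructed values
    store.create_user("jdoe", temp, day0)
    out = {"temp_logon": store.authenticate("jdoe", temp, day0)}
    store.change_password("jdoe", temp, chosen, day0)
    out["after_change"] = store.authenticate("jdoe", chosen, day0 + timedelta(days=30))
    out["after_expiry"] = store.authenticate("jdoe", chosen, day0 + timedelta(days=91))
    out["wrong_password"] = store.authenticate("jdoe", "not-the-password", day0)
    try:   # attempt to rotate back to the original temporary password
        store.change_password("jdoe", chosen, temp, day0 + timedelta(days=91))
        out["reuse"] = "ALLOWED"
    except PasswordPolicyError:
        out["reuse"] = "REFUSED"
    try:   # attempt to register the same user ID twice
        store.create_user("jdoe", "Another-Temp-2020!", day0)
        out["duplicate_id"] = "ALLOWED"
    except PasswordPolicyError:
        out["duplicate_id"] = "REFUSED"
    return out


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:15} {result}")
```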

A.9.4.4 Use of Privileged Utility Programs (ISO 27001 Control)

The use of utility programs that might be capable of overriding system and application controls should be restricted and tightly controlled.

Explanation/what is required: The organization must implement security controls to prevent utility programs from overriding system and application controls.

The following points for utility programs can be considered:
  • Define the authorization levels for the utility programs

  • Limit the use of utility programs

  • Maintain the log information of the utility program usage

  • Identify and disable all unnecessary utility programs

Evidence that can be prepared: List of utility programs in use, log information of utility program usage, and list of disabled utility programs.

Who prepares it: The IT Helpdesk team will prepare and maintain record/evidence. The information security team would review and provide consulting on the process.

For external audit: An external auditor conducting the ISO 27001 certification audit will check the evidence in order to verify how the organization manages the usage of utility programs and prevents them from overriding system controls.

A.9.4.5 Access Control to Program Source Code (ISO 27001 Control)

Access to program source code should be restricted.

Explanation/what is required: Organizations must implement security controls that restrict access to program source code, to prevent unauthorized or unintentional changes to it. Organizations must also assess where the source code is stored, so that access can be managed more effectively.

Consider the following points for restricting the access to program source code:
  • Persons should not have unrestricted access to the code

  • Only authorized users must be allowed to update program source libraries

  • An audit log must be maintained of all successful and unsuccessful access attempts to the program source libraries

  • Copying of program source code should be prohibited

Evidence that can be prepared: List of users authorized to access program source code, audit log of all successful and unsuccessful access attempts to the program source libraries, and list of users whose access has been disabled (users who left the organization or whose roles changed)

Who prepares it: The IT Helpdesk team will prepare and maintain record/evidence. The information security team would review and provide consulting on the process.

For external audit: An external auditor conducting the ISO 27001 certification audit will check the evidence in order to verify how the organization restricts access to program source code to prevent unauthorized access, unintentional changes, and copying of the source code.
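The audit log review an auditor expects for this control can be automated. The script below is an added example, not from the book: the log format, the user names, and the `AUTHORIZED` access list are constructed for illustration, and real version-control or repository logs will differ in layout.

```python
"""Review an audit log of access attempts to a program source library (A.9.4.5).

Added example, not from the book. The log format and the access list below are
constructed; adapt parse_log() to the real repository or VCS log format.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: timestamp, user, repository, action, outcome
SAMPLE_LOG = """\
2020-03-02T09:14:05Z alice   payroll-core checkout success
2020-03-02T09:20:11Z bob     payroll-core commit   success
2020-03-02T10:02:47Z mallory payroll-core checkout denied
2020-03-02T10:03:02Z mallory payroll-core checkout denied
2020-03-02T11:45:30Z alice   payroll-core export   denied
2020-03-02T13:10:00Z carol   payroll-core commit   success
"""

# The maintained access list: user -> permitted actions.
# 'export' (copying the source out of the library) is granted to nobody.
AUTHORIZED = {
    "alice": {"checkout"},
    "bob": {"checkout", "commit"},
}


@dataclass(frozen=True)
class Entry:
    ts: str
    user: str
    repo: str
    action: str
    outcome: str


def parse_log(text):
    """Parse whitespace-separated log lines into Entry records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, repo, action, outcome = line.split()
        entries.append(Entry(ts, user, repo, action, outcome))
    return entries


def review(entries, authorized):
    """Return the findings an auditor would want from the log.

    attempts:      per-user counts of successful and denied attempts
    unauthorized:  successful actions by users/actions not on the access list
                   (a control failure, not merely a blocked attempt)
    repeat_denied: users with more than one denied attempt (worth follow-up)
    """
    attempts = defaultdict(lambda: {"success": 0, "denied": 0})
    unauthorized = []
    for e in entries:
        attempts[e.user][e.outcome] += 1
        if e.outcome == "success" and e.action not in authorized.get(e.user, set()):
            unauthorized.append(e)
    repeat_denied = sorted(u for u, c in attempts.items() if c["denied"] > 1)
    return {
        "attempts": dict(attempts),
        "unauthorized": unauthorized,
        "repeat_denied": repeat_denied,
    }


if __name__ == "__main__":
    findings = review(parse_log(SAMPLE_LOG), AUTHORIZED)
    for user, counts in sorted(findings["attempts"].items()):
        print(f"{user:8} success={counts['success']} denied={counts['denied']}")
    for e in findings["unauthorized"]:
        print(f"UNAUTHORIZED: {e.user} performed {e.action} on {e.repo} at {e.ts}")
    print("repeat denied:", findings["repeat_denied"])
```

In the sample, carol's successful commit is flagged because she is not on the access list at all, while alice's denied export shows the copy restriction working as intended.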

A.10 Cryptography

A.10.1 Cryptographic Controls

Objective: The objective of this control is to ensure proper and effective use of cryptography to protect the confidentiality, authenticity, and/or integrity of information.

Explanation: Today we all handle large amounts of information through different media such as email, online transactions, hard drives, and others. Organizational information also travels through many channels, such as ISPs, routers, and switches, before it reaches us, so the security of that information is critical to the business. This control is divided into two parts.

A.10.1.1 Policy on the Use of Cryptographic Controls (ISO 27001 Control)

A policy on the use of cryptographic controls for protection of information should be developed and implemented.

Explanation: Define policies for cryptographic controls. Cryptographic controls are implemented to provide additional safeguards against the compromise of data transmitted across public networks. This control addresses the encryption policy and controls for the organization's confidential data at rest (including portable devices and removable media), data in motion (transmission security), and encryption key standards and management.

Sometimes people confuse cryptography with encryption. Cryptography is the science of writing in codes, while encryption is the mechanism that converts information into a coded form that only those who know the encryption/decryption mechanism can read.

Talking in code language is not new. In the old days, it was used by military leaders and diplomats to secure their information.

An example of classic cryptography: "Hello World" can become "ehlol owrdl", where the letters are simply mixed up. In a substitution cipher, each letter is replaced by a different letter or group of letters. Modern cryptography offers a wide range of techniques to secure information; however, it is such a vast field that it is not in the scope of this book.

Here are some real-life examples where cryptographic control can be used or implemented in your organization based on need.
  • You can encrypt the devices that carry confidential information such as external hard drives and flash drives if they go outside the organization.

  • If any employee travels frequently with a laptop, it must be encrypted. Use reliable free encryption software tools such as BitLocker, VeraCrypt, 7-Zip, etc.

  • Any email with confidential information must be secured.

  • When your employees connect to the office network from home, the connection must be secured using a virtual private network (VPN).

  • If you have any web portal or product that offers ecommerce services and accepts payments, the payment gateway must be secured.

  • Any shared folder or files that are accessible by all the employees in the organization must be secured.

  • USB sticks are very small devices and can be risky if the organization has no policy on their use. USB sticks must be blocked on all devices except a few devices with permission and a known, accepted risk.

Evidence that can be prepared: A policy on the use of encryption can be prepared to identify the areas where encryption technique must be used and to define and implement the standards.

Who prepares it: The information security team is responsible for defining and implementing the encryption policy along with the IT team.

For external audit: The external auditor will check for this document during the ISO 27001 certification audit.

A.10.1.2 Key Management (ISO 27001 Control)

Control: A policy on the use, protection, and lifetime of cryptographic keys should be developed and implemented through their whole lifecycle.

Explanation: This control covers the policy on the use and protection of cryptographic keys. The important aspect is the management of keys throughout their lifecycle: how keys are generated, distributed, changed, stored, and backed up. Key management must be strong and safe so that an attacker cannot obtain or misuse the keys.

Here are some implementation tips:
  • The information security team must verify backup storage for key passwords, files, and related backup configuration data to avoid the single point of failure and ensure access to encrypted data.

  • No single individual should be authorized to generate a new key pair.

  • The keys in storage and transit must be encrypted. Private keys will be kept confidential. Keys will be randomly chosen from the entire key space, using hardware-based randomization.

  • The lifespan of the key should be kept short with defined activation and deactivation duration limits.

  • A key-generating tool should be physically and logically secured throughout its installation, operation, and removal from service.

Evidence that can be prepared: The encryption policy and records of the secure storage of encryption/decryption keys.

Who prepares it: The information security team is responsible for defining and implementing the encryption policy along with the IT team.

For external audit: The external auditor conducting the ISO 27001 audit may check for encryption policy and ask about the key management policy.

A.11 Physical and Environmental Security

Objective: To prevent unauthorized physical access, damage, and interference to the organization’s information and information processing facilities.

Explanation: The objective of this control is to prevent unauthorized physical and environmental access. The term "physical and environmental" refers to the steps taken to protect the physical systems and infrastructure against physical and environmental threats. In today's world, the information held by the organization is critical. This control is broken into two parts, A.11.1, "Secure Areas" and A.11.2, "Equipment". The next sections discuss each control one by one.

A.11.1 Secure Areas

Objective: To prevent unauthorized physical access, damage, and interference to the organization’s information and information processing facilities.

Explanation: Prevent unauthorized physical access and prevent damage to the organizational site and information. This includes the office building, rooms, and the facilities such as air-conditioning, heating, electricity, etc.

This control is further broken down into six subparts.

A.11.1.1 Physical Security Perimeter

Control: Security perimeters should be defined and used to protect areas that contain either sensitive or critical information and information processing facilities.

Explanation: The boundaries of the organization must be defined and secured. The expectation here is to have a secure fence or building wall that protects critical information from compromise. Sensitive assets can be kept in a secured room and in lockers.

A.11.1.2 Physical Entry Controls

Control: Secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.

Explanation: The organization's secure areas, such as entry gates, server rooms, and other important facilities, must be accessible to authorized personnel only. All sensitive entry areas should be identified. Here are some tips to ensure that no unauthorized access is allowed.
  • Entry only through personnel access control, for example, by using biometric devices.

  • Visitor entry must be recorded in a visitor logbook, and visitors should be given temporary entry access with a visitor card.

A.11.1.3 Securing Offices, Rooms, and Facilities

Control: Physical security of offices, rooms, and facilities should be designed and applied.

Explanation: The security of offices, rooms, and other facilities is not usually a big challenge. They can be secured by implementing the basic security components. To implement this control, ask yourself some basic questions like these:
  • Is access protected and revoked when not required?

  • Is there a policy to remove the organizational asset after use if the rooms and facilities are shared among different organizations?

Note

The external auditor may inspect the offices, rooms, and facilities to check whether there is evidence of risk-based control implementation.

A.11.1.4 Protecting Against External and Environmental Threats

Control: Physical protection against natural disasters, malicious attacks, or accidents should be designed and applied.

Explanation: This control covers how you protect your organization from natural disasters, malicious attacks, or accidents. Here you need to identify potential natural or man-made disasters. Examples of environmental threats are floods, tornadoes, earthquakes, lightning, fire, etc. Man-made threats can be water leakage in the company facility or anything else that makes the environment difficult for employees to work in.

The external auditor will check for evidence that you identified all the potential threats and vulnerabilities and that you also assessed and treated the environmental risks.

Evidence that can be prepared:
  • Proof that the threat and vulnerability assessment was done properly.

  • Videos of mock fire drills can be presented as proof.

A.11.1.5 Working in Secure Areas

Control: Procedures for working in secure areas should be designed and applied.

Explanation: This control covers the procedures that can be established to secure the organization's work areas. The external auditor can check for the procedure and/or policy document for secure areas, which should cover:
  • Logging of employees' in and out times.

  • Restriction of video/audio recording to sensitive areas within the organization.

  • Restriction on unauthorized entry in office premises.

Evidence that can be prepared: A procedure or policy document for keeping work areas secure. The auditor can also ask for supporting evidence.

A.11.1.6 Delivery and Loading Areas

Control: Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises should be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.

Explanation: This control covers the protection of delivery and loading areas. The focus is on keeping unauthorized people away from the information processing facilities and, where possible, confining them to an isolated area under 24/7 CCTV recording. If this control does not apply to your organization, it can be marked as Not Applicable in the SOA (Statement of Applicability) document.

Evidence that can be prepared: A procedure or policy document can be written that clearly defines who can enter the delivery and loading premises.

A.11.2 Equipment

Objective: To prevent loss, damage, theft, or compromise of assets and interruption to the organization’s operations.

Explanation: So far, the various components of physical and environmental security have been covered. This section focuses on equipment. The goal of A.11.2 is to prevent loss, damage, theft, or compromise of assets and to protect from interruption of business operations. This control is further broken into nine subparts. The next sections discuss them one by one.

A.11.2.1 Equipment Siting and Protection

Control: Equipment should be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.

Explanation: This control covers the protection of equipment from environmental threats and hazards and the prevention of unauthorized access. To reduce potential threats, a risk assessment can be conducted. Here are some tips to safeguard equipment from unauthorized access:
  • Storage facilities must be secured from unauthorized access. This can be achieved by restricting keys to authorized personnel only.

  • Laptops and desktops with sensitive data must be positioned so that their screens cannot be viewed directly by unauthorized persons.

  • You must have a separate cafeteria for food and drink to keep them away from information processing facilities.

Evidence that can be prepared: Clear desk/screen policy and the risk assessment document

Who prepares it: The IT team is responsible for securing equipment siting and protection.

For external audit: The external auditor conducting the ISO 27001 audit may ask for evidence.

A.11.2.2 Supporting Utilities (Control ISO 27001)

Equipment should be protected from power failures and other disruptions caused by failures in supporting utilities.

Explanation/what is required: You need to protect equipment from power failures and from failures of the supporting utilities. Supporting utilities include, but are not limited to, electricity, telecommunications, water supply, gas, sewage, ventilation, and air conditioning. Points to consider:
  • Test and inspect the supporting equipment regularly.

  • Make sure that it conforms to manufacturer's specifications and local laws.

  • If required, keep a backup ready for all types of equipment.

Evidence that can be prepared:
  • Service and maintenance records.

  • List of backup equipment, if available.

Who prepares it: The IT and the Admin teams are responsible for securing the supporting utilities and upkeep of records.

For external audit: The external auditor conducting the ISO 27001 audit may ask for this evidence.

A.11.2.3 Cabling Security (Control ISO 27001)

Power and telecommunications cabling carrying data or supporting information services should be protected from interception, interference, or damage.

Explanation/what is required: This control covers cabling security, which includes telecommunication wires and other cables to support the flow of information service. The following points should be considered:
  • All the cables or wires should be underground where possible to protect them from damage.

  • Electromagnetic shielding can be used to protect the cables.

  • Access to the patch panel and cable rooms should be protected and controlled.

Evidence that can be prepared: Access control to the cable/network room and maintenance and inspection record of cables.

Who prepares it: The IT team is responsible for the cabling security along with other relevant stakeholders if available.

For external audit: The external auditor may physically verify the cabling security and can ask for some evidence for maintenance and upkeep of cables.

A.11.2.4 Equipment Maintenance (Control ISO 27001)

Equipment should be correctly maintained to ensure its continued availability and integrity.

Explanation/what is required: This control covers the maintenance of equipment to ensure its availability and integrity. The following points can be considered:
  • Only authorized maintenance personnel should be allowed to carry out repairs and service equipment.

  • The equipment should be maintained following the supplier's recommended service intervals and specifications. For example, if the genset manufacturer specifies service every six months, the service should be done on time and records should be maintained.

Evidence that can be prepared: Maintenance records for all equipment and a list of assets under maintenance.

Who prepares it: The IT or Admin team is responsible for the regular maintenance of equipment.

For external audit: The external auditor conducting the ISO 27001 audit may ask for this evidence.

A.11.2.5 Removal of Assets (Control ISO 27001)

Equipment, information, or software should not be taken off-site without prior authorization.

Explanation/what is required: This control covers the security of equipment: no equipment, information, or software should be taken off-site without authorization or approval from the relevant departments. Some key points for consideration are:
  • When equipment is transferred to individuals or vendors off-premises, a log document should be maintained.

  • Organizational equipment and media devices should not be left unattended in public.

Evidence that can be prepared: Gate pass for equipment taken off-premises.

Who prepares it: The IT team, along with the admin team, is responsible for securing the removal of assets.

For external audit: The external auditor conducting the ISO 27001 audit may ask for this evidence.

A.11.2.7 Secure Disposal or Reuse of Equipment (Control ISO 27001)

All items of equipment containing storage media should be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

Explanation/what is required: This control covers the secure disposal of equipment. The important point is that, before any media device or equipment is reused or disposed of, all sensitive data must be removed. Here are some points to consider:
  • The encryption process should be strong and must cover the entire disk.

  • The encryption key should be long enough to withstand attack, and the required key length should be documented in the encryption policy.

  • Never store the encryption key on the same disk. The key must be protected from unauthorized disclosure.

Evidence that can be prepared: Media disposal and reuse policy, and encryption policy

Who prepares it: The IT team is responsible for defining and documenting the media disposal and encryption policy along with other stakeholders.

For external audit: The external auditor conducting the ISO 27001 audit may ask for this evidence.

Note

Full disk encryption reduces the risk of disclosure of confidential information when equipment is disposed of or reused.

A.11.2.8 Unattended User Equipment (Control ISO 27001)

Users should ensure that unattended equipment has appropriate protection.

Explanation/what is required: The control requires that any equipment left unattended in the organization must be protected. Here are some points to consider:
  • Keep unattended equipment in a locker to protect it from unauthorized use.

  • When the user is away from the desk, the system should lock automatically and require a password to unlock.

  • Sessions must be terminated automatically if the user is inactive for a predefined period.

Evidence that can be prepared: A log document for keys and drawers assigned to individuals and a session report from the server.

Who prepares it: The IT team is responsible for defining the policy and procedure to protect unattended user equipment.

For external audit: The external auditor may check for the list of keys or lockers allocated to individuals or may ask for related evidence.

A.11.2.9 Clear Desk and Clear Screen Policy (Control ISO 27001)

A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities should be adopted.

Explanation/what is required: This control covers the clear desk and clear screen policy, which must address physical papers, removable media, and screens. The following points should be considered:
  • Any business-critical information, whether on physical paper or storage media, must be kept in a locker.

  • Unauthorized users should not be able to use photocopiers and scanners.

  • A clear desk/clear screen policy helps in reducing the risks of unauthorized access and damage to information during and outside the office working hours.

Evidence that can be prepared: Clear desk and screen policy and an access control policy

Who prepares it: The IT team is responsible for defining the clear desk/screen policy.

For external audit: The external auditor conducting the ISO 27001 audit may ask for the evidence.

A.12 Operations Security

A.12.1 Operational Procedures and Responsibilities

Objective: To ensure correct and secure operations of information processing facilities.

Explanation/what is required: You need procedures to run operations smoothly and securely. Standard operating procedures must be defined and shared with all employees/contractors. Procedures should be defined to match the business needs and objectives.

A.12.1.1 Documented Operating Procedures (ISO 27001 Control)

Operating procedures should be documented and made available to all users who need them.

Explanation/what is required: All the standard operating procedures related to business processes must be defined and made available to all employees and contractors so that they can perform their daily tasks in a smooth and secure manner. This ensures that everybody understands their role and helps reduce the probability of information security risks materializing.

Evidence that can be prepared: All the required standard operating procedures.

Who prepares it: All the department stakeholders will define the procedures with the help of the information security team.

For external audit: The external auditor conducting the ISO 27001 certification audit will check for the standard operating procedures and determine how easily they are accessible to the employees who need them to execute their tasks. As new employees keep joining the company, they must be made aware of the path/portal from which they can access this information.

A.12.1.2 Change Management (ISO 27001 Control)

Changes to the organization, business processes, information processing facilities, and systems that affect information security should be controlled.

Explanation/what is required: Whenever a change occurs in the organization in terms of business processes, tools/applications, responsibilities, etc., that change must be planned and executed in a controlled manner. When changes occur, it becomes important to re-analyze the security controls, as they might need changes too. All security risks must be analyzed thoroughly for their potential impact on the security controls, and appropriate approvals must be obtained from the change control board (CCB) before the change is implemented. Any security risk you skip can become a threat to company information once the change is released/implemented into the system.

Evidence that can be prepared:
  • Change management procedures

  • Change and impact analysis form

  • Change log/tracker

Who prepares it: The information security department, with the help of the subject matter experts selected for the implementation team, should define the change management procedure, as it needs to cover all aspects of business operations. Concerned department stakeholders should prepare the change and impact analysis form and maintain the change log/tracker on a regular basis.

For external audit: The external auditor conducting the ISO 27001 certification audit will check for the change management procedures. They will confirm that the change control board is created to review/approve the changes before they are implemented and released into the system or business operations for employees/contractors to follow.

Also, the change and impact analysis form and the change log/tracker will be verified for any current changes.

A.12.1.3 Capacity Management (ISO 27001 Control)

The use of resources should be monitored and tuned, and projections made of future capacity requirements to ensure the required system performance.

Explanation/what is required: The requirement addresses what happens when IT systems approach their maximum capacity levels (such as server disk space). Overloaded systems usually don't run at optimum efficiency, which downgrades the service levels for your system users/customers and directly impacts the business. It is important to analyze and monitor the performance of your systems on a regular basis. Once you start analyzing the usage of your systems, you need to forecast whether the systems must be upgraded, in number or in capacity, to deliver optimum performance levels.

Evidence that can be prepared:
  • Capacity management procedures. Tools/applications implemented that must detect and communicate systems usage for server disk space.

    This will help to perform the following tasks:
    • If disk space is full, then you have to delete obsolete data to create space.

    • You may have to decommission some of the systems/applications that are no longer in use or needed to provide any services.

    • You need to identify services that are not critical and restrict their bandwidth, for example, video streaming.

  • Capacity management projections plan document.

Who prepares it: The information security department, with the help of the subject matter experts selected for the implementation team, should define the capacity management procedure, as it needs to cover all aspects of the business.

For external audit: The external auditor conducting the ISO 27001 certification audit will check the capacity management procedures to see how capacity is monitored, forecasted, and planned so that the systems deliver optimum performance levels.
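The monitoring and forecasting the control asks for (detect disk usage, project when it will run out, and decide whether to clean up, decommission, or expand) can be done from periodic usage samples. The script below is an added example, not from the book; the server samples, the 500 GB capacity, the 80 % alert threshold, and the 90-day planning horizon are constructed values standing in for whatever the capacity management procedure defines.

```python
"""Disk capacity monitoring and projection for A.12.1.3 (added example, not
from the book). Sample data, capacity, threshold and horizon are constructed.
"""
from datetime import date

DISK_CAPACITY_GB = 500
ALERT_THRESHOLD = 0.80        # alert when usage crosses 80 % (assumed policy value)
PLANNING_HORIZON_DAYS = 90    # forecast window for the projections plan (assumed)

# Constructed weekly samples of used space on one server, in GB
SAMPLES = [
    (date(2020, 1, 6), 300.0),
    (date(2020, 1, 13), 315.0),
    (date(2020, 1, 20), 329.0),
    (date(2020, 1, 27), 346.0),
    (date(2020, 2, 3), 362.0),
]


def growth_rate_gb_per_day(samples):
    """Least-squares slope of used GB against days since the first sample."""
    t0 = samples[0][0]
    xs = [(d - t0).days for d, _ in samples]
    ys = [used for _, used in samples]
    n = len(samples)
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    if sxx == 0:                      # a single sample gives no trend
        return 0.0
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    return sxy / sxx


def days_until(samples, capacity_gb, fraction):
    """Days from the last sample until usage reaches fraction * capacity.

    Returns 0 if that level is already reached and None if usage is flat or
    shrinking (no meaningful projection).
    """
    last_used = samples[-1][1]
    target = capacity_gb * fraction
    if last_used >= target:
        return 0
    rate = growth_rate_gb_per_day(samples)
    if rate <= 0:
        return None
    return (target - last_used) / rate


def capacity_report(samples, capacity_gb=DISK_CAPACITY_GB,
                    threshold=ALERT_THRESHOLD, horizon=PLANNING_HORIZON_DAYS):
    """Summarize current usage and the forecast; 'action' tells the IT team
    whether a cleanup/decommission/upgrade decision is due this cycle."""
    used = samples[-1][1]
    to_threshold = days_until(samples, capacity_gb, threshold)
    to_full = days_until(samples, capacity_gb, 1.0)
    if used / capacity_gb >= threshold:
        action = "alert: threshold exceeded, free space or expand now"
    elif to_full is not None and to_full <= horizon:
        action = "plan: disk fills within the planning horizon"
    else:
        action = "ok: no capacity action needed this cycle"
    return {
        "used_pct": round(100 * used / capacity_gb, 1),
        "growth_gb_per_day": round(growth_rate_gb_per_day(samples), 3),
        "days_to_threshold": None if to_threshold is None else round(to_threshold),
        "days_to_full": None if to_full is None else round(to_full),
        "action": action,
    }


if __name__ == "__main__":
    for key, value in capacity_report(SAMPLES).items():
        print(f"{key:18} {value}")
```

The report output (used percentage, growth rate, days to threshold and to full, and the resulting action) is the kind of record that feeds the capacity management projections plan document listed as evidence above.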

A.12.1.4 Separation of Development, Testing, and Operational Environment (ISO 27001 Control)

Development, testing, and operational environments should be separated to reduce the risks of anybody having unauthorized access or changes to the operational environment.

Explanation/what is required: The requirement is to keep the development, testing, and operational environments separate. The access of employees/contractors working in these environments must be checked and controlled so that they cannot perform unauthorized actions or changes in the system. Such actions must be easy to detect for verification and future audit purposes, as this information is always helpful when an incident occurs.

Evidence that can be prepared: The environment creation procedures.

The following are some points that can be used to create the guidelines:
  • Define the rules for how software would be transferred from one environment to another, for example, from the development to operation/production environment.

  • Define the access levels for each environment and how to monitor them. For example, developer access to operation/production environment must be prohibited, as it can pose a threat of unauthorized changes or modification to the software code or operations/production data.

  • Different environments must be run on different systems or computers.

  • Changes to the operating systems or the applications must be tested in a testing or staging environment before being implemented in the operational environment. Testing must be avoided in the operation/production environment.

  • Organizations should, based on their business needs, analyze and implement the security controls required to create stable and secure environments.

  • The project management plan should define which employees have access permissions to work in the different environments.

  • Separate environments should be created and maintained for development, testing, and operations.

Who prepares it: The information security department, with the help of the subject matter experts selected for the implementation team, should define the environment creation guideline.

Project managers should define all the access controls for all the different environments for their project team members. Access control reviews must be performed on a regular basis and records must be maintained.

The IT helpdesk team creates and maintains separate environments for development, testing, and operations.

For external audit: The external auditor conducting the ISO 27001 certification audit will check for the environment creation guideline, to check how the environment is created and access control levels are planned, given, and monitored on a regular basis.

A.12.2 Protection from Malware

Objective: To ensure that information and information processing facilities are protected against malware.

Explanation/what is required: The organization and employees must know how to detect and protect their organization information from malware attacks. Employees must know what malware is and how it can be harmful.

A.12.2.1 Controls Against Malware (ISO 27001 Control)

Detection, prevention, and recovery controls to protect against malware should be implemented, combined with appropriate user awareness.

Explanation/what is required: As you are aware, malware is a serious threat, so organizations must analyze and implement appropriate security controls, including educating employees on a regular basis, to prevent malware attacks. It is important that organizations install malware detection software, as it will scan all incoming data and block known malware threats. Malware detection software may not be able to protect your systems in all scenarios, so the focus must be more on prevention methods.

Consider the following points when implementing the controls:
  • The organization should define a policy to communicate to the employees/contractors that the use of any unauthorized software/tools is prohibited.

  • Use controls that help in the prevention and detection of unauthorized software.

  • Use controls that help in the prevention and detection of access to websites that are malicious or could spread malicious content, i.e., sites that are blacklisted.

  • Install malware detection software to prevent and block malware threats. As a preventive measure, schedule the scan of all computer systems and media to detect malware. Scan files received over the network or through storage media, email attachments, and web pages. Regular updates to the software should be done to address the latest malware threats.

  • Plan and perform the regular reviews of your organization’s systems to check whether any unauthorized or prohibited files/software exist, which could pose a malware threat.

  • Plan regular training/awareness sessions for the employees/contractors so that they can prevent malware attacks.

Evidence that can be prepared: An authorized software usage policy that prohibits employees from using unauthorized/unapproved software/tools. An antivirus policy requiring that all systems have antivirus/antimalware software installed to prevent any form of information security attack.

Standard operating procedures can be prepared to guide teams during a malware attack: what should be done and what the responsibilities of employees and resolution teams are. This could also be part of business continuity planning, covering how to recover if systems are down due to a malware attack; for example, all crucial/important data and software is backed up and can be restored quickly to get your organization's systems up and running again.

Records of scan results showing prevention/detection/removal of malware.

Employee training/awareness plan and participation evidence, i.e., training attendance lists, training material, etc.

Records of regular patch updates to the malware/antivirus detection software.

Who prepares it: The information security department, with the help of the IT Helpdesk team, which is part of the implementation team, should define the policies and procedures.

The IT Helpdesk team maintains all the records of scan results, showing prevention/detection/removal of malware, as well as the patch update records. The information security team maintains the employee training/awareness plan and the training participation records.

For external audit: The external auditor conducting the ISO 27001 certification audit will check for the policies and procedures, verify that the malware/antivirus software installed on organization systems/machines is up to date and working, and review the records of scan results, regular patch updates, and employee training evidence.

A.12.3 Backup

Objective: To protect against the loss of data.

Explanation/what is required: The requirement is to identify and implement controls to prevent the loss of company information.

A.12.3.1 Information Backup (ISO 27001 Control)

Backup copies of information, software, and system images should be taken and tested regularly in accordance with an agreed backup policy.

Explanation/what is required: Organizations must define a backup policy that is followed to prevent the loss of data. The policy should cover how the backup activities will be done to protect the information. Once the data backup is done, it needs to be stored, so it is important to define how the data will be stored (on tapes, in the cloud, etc.) and how long it will be retained (for a fixed number of years, such as seven, for example). The backup data must be tested on a regular basis to check whether it can be restored easily and works as required.

The ISO 27001 standard requires that backup data/information be stored far from the main office site/location, to protect it from any type of damage due to an unexpected natural disaster at the main office; this also helps to restore the data safely whenever required. The site or location where the data is kept for storage must be access controlled, and no unauthorized individuals should be allowed to gain access. The location should comply with standard security requirements (fire proof, able to withstand floods/earthquakes, etc.).

Note

These days, organizations hire vendors to provide services to manage and safeguard their backup data in tapes or at datacenters.

The organization should analyze and define its own backup policy/procedure. Each organization can have different requirements; some may require real-time imaging of the data, as they might be processing financial transactions.
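The restoration testing described above can be made repeatable. The following is an added example, not code from the book: it backs up a constructed folder, restores the archive into a scratch directory, compares file hashes with the manifest taken at backup time, and returns a record of the kind kept as backup restoration test evidence; the folder names, file contents and the "helpdesk" tester name are all assumptions.

```python
"""Added example (not from the book): a backup restoration test that produces
a test record for the evidence file. Standard library only; all paths and
file contents below are constructed inside a temporary directory."""
import hashlib
import os
import tarfile
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Relative path -> SHA-256 for every regular file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = sha256_file(full)
    return out


def create_backup(src_dir, archive_path):
    """Write a gzip tar of src_dir and return the manifest taken at backup time.
    The manifest is what the restoration test later compares against."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src_dir, arcname=".")
    return manifest(src_dir)


def restoration_test(archive_path, expected, tester):
    """Restore the archive into a scratch directory (never over production data)
    and compare it with the backup-time manifest. Returns one test record."""
    record = {
        "archive": os.path.basename(archive_path),
        "tested_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "tester": tester,
        "files_expected": len(expected),
    }
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                tar.extractall(scratch)
        except (tarfile.TarError, OSError, EOFError) as exc:
            # A damaged or unreadable archive is a failed test, not a crashed job
            record.update(result="FAIL", reason=f"restore failed: {exc}")
            return record
        restored = manifest(scratch)
    missing = sorted(set(expected) - set(restored))
    changed = sorted(p for p in expected if p in restored and restored[p] != expected[p])
    if missing or changed:
        record.update(result="FAIL", missing=missing, changed=changed)
    else:
        record.update(result="PASS", reason="all files restored with matching hashes")
    return record


def run_demo():
    """Back up a constructed 'finance' folder and exercise the test three ways:
    a good restore, a hash mismatch, and a damaged archive."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "finance")
        os.makedirs(os.path.join(src, "reports"))
        with open(os.path.join(src, "ledger.csv"), "w") as f:
            f.write("2020-01-01,INV-001,100.00\n")   # constructed content
        with open(os.path.join(src, "reports", "q1.txt"), "w") as f:
            f.write("Q1 summary\n")                    # constructed content
        archive = os.path.join(work, "finance.tar.gz")
        expected = create_backup(src, archive)
        good = restoration_test(archive, expected, tester="helpdesk")
        # Simulate a file whose content no longer matches the backup-time hash
        altered = dict(expected, **{"ledger.csv": "0" * 64})
        mismatch = restoration_test(archive, altered, tester="helpdesk")
        # Simulate a damaged tape/archive by cutting the file in half
        with open(archive, "r+b") as f:
            f.truncate(os.path.getsize(archive) // 2)
        damaged = restoration_test(archive, expected, tester="helpdesk")
    return {"good": good, "mismatch": mismatch, "damaged": damaged}


if __name__ == "__main__":
    for name, rec in run_demo().items():
        print(name, rec["result"], rec.get("reason", ""), rec.get("changed", ""))
```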

Evidence that can be prepared:
  • Backup policy

  • Backup restoration procedure

  • Backup plan

  • Backup restoration test records

  • Agreement with vendor, if you’re hiring a vendor for maintaining data tapes and/or datacenters

  • Audit of vendor to check all safety controls are implemented to safeguard organization data

Who prepares it: The information security department, with the help of the IT Helpdesk team, which is part of the implementation team, should define the policies and procedures.

The IT Helpdesk team should do the following:
  • Maintain all the backup records to confirm data restoration was successful. Whenever restoration was unsuccessful, document what actions were taken. Have an agreement with the vendor for the storage of backup tapes and for datacenter services.

  • Information security team conducts the audit along with the IT Helpdesk team at the vendor site, to ensure they are compliant and are meeting the organizational requirements.

For external audit: The external auditor conducting the ISO 27001 certification audit will check for the policies and procedures. They check how the backup procedure is followed as a practice in the organization and whether it is compliant with the ISO 27001 standard.

A.12.4 Logging and Monitoring

Objective: To record events and generate evidence.

Explanation/what is required: Identify and implement controls to record events on employee/contractor systems, including attempts to gain unauthorized access to files or systems. Such attempts are a security threat and may result in the loss of company information.

A.12.4.1 Event Logging (ISO 27001 Control)

Event logs recording user activities, exceptions, faults, and information security events should be produced, kept, and regularly reviewed.

Explanation/what is required: Organizations must create the provisions and implement security controls so that they can record all the activities that users perform on the organization systems allotted to them. This ensures that users are not misusing the systems, trying to gain unauthorized access, or sharing information outside the organization. These records are stored in the form of event logs.

Apart from the user/employee activities, it is also important to know whether there are any system-level faults/errors or exception scenarios. This information can also be obtained from the stored event logs.

Note

What event logs should store or display is specified in the ISO 27002:2013 code of practice. The list is very long, so it is not covered here.

Evidence that can be prepared:

  • Event management procedure

  • Event logs

  • Event logs analysis record (with actions taken)

  • List of systems/devices configured for monitoring

Who prepares it: The IT Helpdesk team can prepare all the evidence/documents by consulting the information security team.

For external audit: The external auditor conducting the ISO 27001 certification audit will check the procedure and records in order to understand how user activities and system faults/errors are tracked and monitored.

A.12.4.2 Protection of Log Information (ISO 27001 Control)

Logging facilities and log information should be protected against tampering and unauthorized access.

Explanation/what is required: Organizations must create the provisions and implement security controls to prevent the logs from being tampered with. If these logs are tampered with, the purpose of storing them would not make sense.

Hence, it is important to detect whenever there are changes or deletions to the logs. Also, you may need to monitor if there is enough storage space to record all the log events. If there is a space issue then log information may be overwritten.
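One way to make the two checks above concrete, as an added example that is not the book's own material: a hash chain over log records, where each line carries an HMAC that commits to every earlier line, so that editing, deleting or reordering a record breaks verification, plus a free-space threshold for the log volume. The key, the sample records, the 15% threshold and the /var/log path are assumptions for the demonstration.

```python
"""Added example (not from the book): a tamper-evident log chain plus a
log-volume capacity check for the A.12.4.2 requirements."""
import hashlib
import hmac
import shutil

# Constructed demo key. In practice the verification key lives on the central
# log collector, not on the host writing the log, so a local administrator
# cannot simply re-sign the chain after editing it.
CHAIN_KEY = b"constructed-demo-key"
GENESIS_TAG = "0" * 64

# Constructed sample records: timestamp followed by the event text
SAMPLE_RECORDS = [
    "2020-03-02T09:15:01Z login user=asmith host=ws-014 result=success",
    "2020-03-02T09:17:44Z file-access user=asmith path=/share/hr/payroll.xlsx result=denied",
    "2020-03-02T09:18:02Z config-change user=admin01 item=/etc/ntp.conf",
]


def chain_tag(prev_tag, record, key=CHAIN_KEY):
    """HMAC-SHA256 over the previous tag and this record, so each tag commits
    to the whole history before it."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(prev_tag.encode())
    mac.update(b"\n")
    mac.update(record.encode())
    return mac.hexdigest()


def write_chained(records, key=CHAIN_KEY):
    """Return log lines of the form '<tag> <record>'. The final tag should also
    be copied off-host (e.g. to the log collector) so truncation is detectable."""
    lines, prev = [], GENESIS_TAG
    for rec in records:
        prev = chain_tag(prev, rec, key)
        lines.append(f"{prev} {rec}")
    return lines


def last_tag(lines):
    """The chain head: the tag on the most recent line."""
    return lines[-1].split(" ", 1)[0] if lines else GENESIS_TAG


def verify_chain(lines, key=CHAIN_KEY, expected_last_tag=None):
    """Return (True, None) if intact, else (False, index) of the first line that
    no longer matches. Editing, deleting or reordering a line breaks every tag
    after it; deleting the tail is only caught when expected_last_tag is given."""
    prev = GENESIS_TAG
    for i, line in enumerate(lines):
        tag, _, rec = line.partition(" ")
        if not hmac.compare_digest(tag, chain_tag(prev, rec, key)):
            return False, i
        prev = tag
    if expected_last_tag is not None and not hmac.compare_digest(prev, expected_last_tag):
        return False, len(lines)  # chain is shorter than the recorded head
    return True, None


def capacity_ok(total_bytes, free_bytes, min_free_percent=15.0):
    """True when enough space remains; below the threshold older events risk
    being overwritten or new events being dropped."""
    return total_bytes > 0 and free_bytes * 100.0 / total_bytes >= min_free_percent


def check_log_volume(path="/var/log", min_free_percent=15.0):
    """Live check of a real log partition (the path is an assumption)."""
    usage = shutil.disk_usage(path)
    return capacity_ok(usage.total, usage.free, min_free_percent)


if __name__ == "__main__":
    chained = write_chained(SAMPLE_RECORDS)
    print("intact:", verify_chain(chained, expected_last_tag=last_tag(chained)))
    edited = list(chained)
    edited[1] = edited[1].replace("denied", "success")
    print("after edit:", verify_chain(edited))
```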

Evidence that can be prepared: Implemented security tools that detect and record unauthorized changes or access to the logs, and that monitor the disk space left so that logs can be recorded without interruption.

Who prepares it: The IT Helpdesk team can prepare all the evidence/records by consulting with the information security team.

For external audit: The external auditor conducting the ISO 27001 certification audit will check the controls/records in order to understand how logs are protected from being tampered and from unauthorized access.

A.12.4.3 Administrator and Operator Logs (ISO 27001 Control)

System administrator and system operator activities should be logged, and the logs should be protected and regularly reviewed.

Explanation/what is required: Organizations must create the provisions and implement security controls to prevent logs from being tampered with by the employees who are designated as administrators, since they have the ability to modify log data, which would be an information security breach.

Evidence that can be prepared: Implemented security tools that detect and record the logs of administrator activities, and records of the regular review of the administrator activity logs.

Who prepares it: The IT Helpdesk team can prepare all the evidence/records by consulting the information security team.

For external audit: The external auditor conducting the ISO 27001 certification audit will check the controls/records in order to understand how administrator logs are protected.

A.12.4.4 Clock synchronization (ISO 27001 Control)

The clocks of all relevant information processing systems within an organization or security domain should be synchronized to a single reference time source.

Explanation/what is required: Organizations must ensure that the clocks of all the information processing systems within their organization/scope are automatically synchronized with an accurate time source. It is very important that the time source is reliable, because the purpose is to record accurate timestamps of the security events that occur in your organization on a specific day/time.

These logs and records are required for internal investigations of disciplinary issues and could also be required by the legal authorities. It is therefore important that all computer clocks and telephone systems display the accurate time. This can be done through the Network Time Protocol (NTP) mechanism, which synchronizes the clocks on computers across networks (the Internet or local area networks, LANs) and on all the servers.

Evidence that can be prepared:
  • Clock synchronization procedure

  • Test/review records of the computer systems, audit/incident logs displaying correct time based on the correct time source

Who prepares it: The IT Helpdesk team can prepare all the evidence/records by consulting the information security team.

For external audit: The external auditor conducting the ISO 27001 certification audit will check the controls/records in order to verify whether all information processing systems of the organization are displaying the correct clock synchronization from a reliable time source.

A.12.5 Control of Operational Software

Objective: To ensure the integrity of operational systems.

Explanation/what is required: Identify and implement controls to prevent the installation of unauthorized software on computers or any other operating systems.

A.12.5.1 Installation of Software on Operational Systems (ISO 27001 Control)

Procedures should be implemented to control the installation of software on operational systems.

Explanation/what is required: Organizations must create provisions and implement security controls so that they can prevent employees/contractors from installing software that is unauthorized/unapproved. It must be done only by the trained administrator once they receive approval from authorizing body members.

The main purpose of preventing such installations is to avoid any security threat/attack. If an employee/contractor installs malicious software on their allotted computer system, it could pose a big threat and make it easier for a hacker to install malware.

Hence, it is advisable that employees/contractors not be allowed to install software on their computer systems. Employees must be routed to a Helpdesk system to log a request to install the required software. The request must then be approved by the requestor's immediate supervisor and by a final approver who has the authority to accept or reject the request after assessing the security threat that might arise.

It is very important that organizations/teams assess all the scenarios, i.e., operational and security related, before implementing any software changes to the operational systems. Whenever a new software version must be installed, teams must have a rollback plan and must retain previous versions of the software as a contingency. Hence, it is advisable that all new software and new versions of software be thoroughly tested on individual systems first to assess any problems before declaring them fit for implementation and use.

Evidence that can be prepared:
  • Software installation policy

  • Software installation procedure

  • Security controls implemented to prohibit users from installing software on their own

  • Regular review/audit records of systems, to verify that unauthorized/unapproved software is not installed on computer systems/or any other devices

Who prepares it: The IT Helpdesk team can prepare all the evidence/records by consulting the information security team.

For external audit: The external auditor conducting the ISO 27001 certification audit will check the policy/procedure/security controls/records in order to verify that unauthorized/unapproved software is not installed on computer systems or any other devices by the employees/contractors, and that only trained administrators have installed software upon acquiring the necessary approvals.

A.12.6 Technical Vulnerability Management

Objective: To prevent exploitation of technical vulnerabilities.

Explanation/what is required: Identify and implement controls to detect technical vulnerabilities in the organization's information processing systems and prevent the identified vulnerabilities from being exploited by an external source, i.e., a hacker, or by an insider within your organization. Let's look at this further in the control explained next.

A.12.6.1 Management of Technical Vulnerabilities (ISO 27001 Control)

Information about technical vulnerabilities of information systems being used should be obtained in a timely fashion. The organization’s exposure to such vulnerabilities should be evaluated and appropriate measures taken to address the associated risk.

Explanation/what is required: Organizations must create the provisions and implement security controls so that they can prevent the exploitation of the identified technical vulnerabilities. Before proceeding further, it is important to understand what a vulnerability is.

Organizations must do the following for the management of technical vulnerabilities:
  • Roles and responsibilities should be defined for managing the vulnerabilities, i.e., their regular monitoring, assessment of risks due to identified threats, patch management, and asset tracking. It is important to prepare the list of assets the organization is using, in order to know where they are installed, who their owner is, what their current versions and configurations are, etc.

  • Organizations must procure and deploy tools that can help to identify vulnerabilities, such as tools to detect network vulnerabilities and vulnerabilities in software applications. Once identified, they must be analyzed for potential threats, and the ones which are high must be addressed first and in a timely manner.

  • Organizations must perform vulnerability tests on a regular basis, as new vulnerabilities keep arising and teams must be ready to take the necessary actions, whenever required.

Vulnerabilities will differ depending on the business or domain the teams are responsible for. Technical teams/experts must analyze and perform tests accordingly.
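The three points above (an asset list with owners and versions, matching identified vulnerabilities against it, and addressing the high ones first) can be tied together in a small prioritization step. The following is an added example, not code from the book or from any vulnerability scanner: it matches a constructed inventory against constructed advisories with a numeric version comparison (so 2.4.10 is correctly treated as newer than 2.4.5) and produces an action plan sorted by severity with a due date per remediation SLA. The hosts, products, advisory IDs and SLA days are all placeholders.

```python
"""Added example (not from the book): match a software/asset inventory against
vulnerability advisories and rank the findings into an action plan.
All hosts, products, advisory IDs and SLA values below are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical remediation deadlines per severity, in days
REMEDIATION_SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Asset:
    host: str
    owner: str
    product: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder IDs, not real advisory numbers
    product: str
    fixed_in: str      # every version lower than this is affected
    severity: str


def parse_version(v):
    """'2.4.10' -> (2, 4, 10); compared numerically, so 2.4.10 > 2.4.5."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a, b):
    """True if a < b; shorter tuples are zero-padded so 1.1 == 1.1.0."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def find_findings(assets, advisories):
    """(advisory, asset) pairs where the installed version is affected."""
    return [(adv, a) for adv in advisories for a in assets
            if a.product == adv.product and version_lt(a.version, adv.fixed_in)]


def action_plan(assets, advisories, found_on):
    """One row per advisory with the affected hosts, their owners and a due
    date (found_on is an ISO date string). Highest severity first, then the
    advisories touching the most hosts."""
    start = date.fromisoformat(found_on)
    grouped = {}
    for adv, a in find_findings(assets, advisories):
        grouped.setdefault(adv, []).append(a)
    rows = []
    for adv, hit in grouped.items():
        rows.append({
            "advisory": adv.advisory_id,
            "severity": adv.severity,
            "product": adv.product,
            "fix_version": adv.fixed_in,
            "hosts": sorted(h.host for h in hit),
            "owners": sorted({h.owner for h in hit}),
            "due": (start + timedelta(days=REMEDIATION_SLA_DAYS[adv.severity])).isoformat(),
        })
    rows.sort(key=lambda r: (SEVERITY_RANK[r["severity"]], -len(r["hosts"])))
    return rows


# Constructed inventory (the asset list this control asks for) and advisories
ASSETS = [
    Asset("web-01", "web team", "acme-webserver", "2.4.1"),
    Asset("web-02", "web team", "acme-webserver", "2.4.10"),
    Asset("db-01", "db team", "acme-db", "11.5"),
    Asset("app-01", "app team", "acme-agent", "1.0.3"),
    Asset("app-02", "app team", "acme-agent", "1.1"),
]
ADVISORIES = [
    Advisory("ADV-2020-001", "acme-webserver", "2.4.5", "critical"),
    Advisory("ADV-2020-002", "acme-agent", "1.1.0", "high"),
    Advisory("ADV-2020-003", "acme-db", "12.0", "medium"),
]


if __name__ == "__main__":
    for row in action_plan(ASSETS, ADVISORIES, "2020-06-01"):
        print(row["due"], row["severity"].upper(), row["advisory"], row["product"],
              "->", row["fix_version"], ",".join(row["hosts"]), ";".join(row["owners"]))
```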

Evidence that can be prepared:
  • Vulnerability assessment policy

  • Vulnerability management procedure

  • Vulnerability test records/action plans

  • Risk register with risks identified during vulnerability testing

Who prepares it: The IT Helpdesk team prepares the evidence for network vulnerability testing; application vulnerability testing may be handled by a separate technical team of experts. Both prepare the evidence/records by consulting the information security team.

For external audit: The external auditor conducting the ISO 27001 certification audit will check the policy/procedure/security controls/records. They verify that organizations are detecting vulnerabilities and are taking necessary actions on a regular basis to secure organization information processing systems.

A.12.6.2 Restrictions on Software Installation (ISO 27001 Control)

Rules governing the installation of software by users should be established and implemented.

Explanation/what is required: Organizations must create the provisions and implement security controls to restrict users/employees from installing software on their computer systems. Organizations can create a list of software that users/employees are allowed to install. The list must be communicated to reduce the risk of any threats arising from unapproved/unauthorized software installation.

For this control to work effectively, users/employees must be provided with least privileges. These privileges should be provided based on the user/employee role and must be monitored on a regular basis.

Evidence that can be prepared:
  • Software installation policy

  • List of software allowed to be installed by the users/employees

  • List of users with privileges

  • Vulnerability test records/action plans

  • Risk register with risks identified during vulnerability testing

Who prepares it: The IT Helpdesk team can prepare all the evidence/records by consulting the information security team.

For external audit: The external auditor conducting the ISO 27001 certification audit will check the policy/procedure/security controls/records. They verify how organizations have implemented the controls to restrict the users/employees from installing any software.

A.12.7 Information Systems Audit Considerations

Objective: To minimize the impact of audit activities on operational systems.

Explanation/what is required: Identify and reduce the impact on organization systems due to the audit requirements.

A.12.7.1 Information system audit controls (ISO 27001 Control)

Audit requirements and activities involving verification of operational systems should be carefully planned and agreed to minimize disruptions to business processes.

Explanation/what is required: Though audit is a mandatory exercise for any organization, it should be planned carefully to minimize the disruptions to the operations and its systems, which might occur during the audit verification exercise.

Consider the following points to minimize the impact:
  • The access requirements for the information and the systems the auditors need should be planned and provided.

  • Audit scope must be agreed and communicated to the auditees, so that auditees showcase information/evidence only for the agreed scope.

  • Wherever possible, give read only access to software and data to perform the audit tests.

  • Some audit tests that require longer hours must be planned after business/operation hours/shifts.

  • Access permissions provided for the audit must be monitored and logs should be maintained for future verification purposes.

Evidence that can be prepared:
  • Audit policy

  • Audit scope/audit plan

  • Audit reports

  • List of users provided access for audit purposes

  • Recorded users log of system access for audit/test purposes

Who prepares it: The IT Helpdesk team can prepare all the evidence/records by consulting the information security team.

For external audit: The external auditor conducting the ISO 27001 certification audit will check the policy/procedure/security controls/records to verify how the organization has implemented the controls to minimize the impact on operations/systems due to audit verification exercises.

A.13 Communication Security

A.13.1 Network Security Management

Objective: To ensure the protection of information in networks and the supporting information processing facilities.

Explanation/what is required: Control and determine which users can access network data.

A.13.1.1 Network Controls (ISO 27001 Control)

Networks should be managed and controlled to protect information in systems and applications.

Explanation/what is required: The organization can do the following to implement network control measures:
  • Establish the procedures and clear responsibilities for managing the network equipment.

  • Implement controls to safeguard the information that travels over the network to protect the systems and applications running on the network.

  • Maintain network activity logs and monitor them on a regular basis.

Evidence that can be prepared:
  • Access control policy

  • Network control policy

  • Procedure for managing network equipment

  • Risk tracker (with identified risks as part of access permissions)

Who prepares it: The information security team needs to get input from various departments, including critical ones like the IT Helpdesk team, to define the access control policy.

For external audit: The external auditor conducting the ISO 27001 certification audit will check the evidence in order to verify how the organization has defined and communicated the policy to all stakeholders.

A.13.1.2 Security of Network Services (ISO 27001 Control)

Security mechanisms, service levels, and management requirements of all network services should be identified and included in network services agreements, whether these services are provided in-house or outsourced.

Explanation/what is required: Organizations hire network service providers for their Internet service requirements, so it is important to assess whether the service providers are capable of providing Internet services using secure methods. To minimize information security risks and their impact, organizations must have a network services agreement signed with the service provider that clearly defines the required service levels.

Evidence that can be prepared:
  • Access control policy

  • Network control policy

  • Network services agreement

  • Risk tracker (with identified risks, assessed as part of network service agreement)

Who prepares it:
  • The information security team facilitates in defining the network control policy by getting input from the IT Helpdesk team.

  • The IT Helpdesk team defines the network services agreement

  • Legal team reviews/approves the network services agreement after analyzing the information security risks

For external audit: The external auditor conducting the ISO 27001 certification audit will check the network services agreement done with the network service provider. They verify how the organization has defined the agreement with the vendor to safeguard their organization information.

A.13.1.3 Segregation in Networks (ISO 27001 Control)

Groups of information services, users, and information systems should be segregated on networks.

Explanation/what is required: Segregating groups of services, users, and systems so that they operate separately in a secure manner makes it harder for hackers to identify the structure of your organization's network and helps prevent network intrusion attacks. The main aim of network segregation is to restrict access to sensitive information, hosts, and services. Segregation measures must be assessed against the access control policy before implementation, as they can affect network performance.

The organization can do the following to segregate the networks:
  • Create separate network domains by assessing each domain trust level.

  • For each domain, define its perimeter as it helps to control the access between network domains using a gateway.

  • Organizations must put more focus on wireless networks, as they are to be treated as external connections. Access to sensitive/confidential information over a wireless network is not to be allowed unless it is permitted by the firewall according to the defined rule set and the network control policy.

Evidence that can be prepared:
  • Network control policy

  • Access control policy

  • Network diagram showing segregated network

Who prepares it: The information security team facilitates in defining the network control policy by getting input from the IT Helpdesk team. The IT Helpdesk team defines the network diagram showing the segregated network.

For external audit: The external auditor conducting the ISO 27001 certification audit will check the evidence to verify how the organization has segregated its networks to restrict access and prevent network intrusion attacks.

A.13.2 Information Transfer

Objective: To maintain the security of information transferred within an organization and with any external entity.

Explanation: Put controls on the transfer of information within and outside the organization.

A.13.2.1 Information Transfer Policies and Procedures (ISO 27001 Control)

Formal transfer policies, procedures, and controls should be in place to protect the transfer of information using all types of communication facilities.

Explanation/what is required: Organizations should define policies and procedures for implementing controls in safeguarding the transfer of information by employees/contractors at work.

The points to consider for implementing controls are:
  • Be able to detect malware that could be transmitted while using electronic modes of communication.

  • Be able to protect sensitive information that is shared as an attachment.

  • Frame policy or guideline that explains how to use communication facilities in a secure manner at work.

  • Apply cryptographic techniques.

  • Conduct awareness sessions for employees on a regular basis and tell them to remain cautious while speaking at public places to prevent sharing of any confidential information.

Organizations can identify many more controls, by assessing the tools/equipment used for transferring the information. As tools/technologies keep changing, you need to always assess risks to prevent mistakes and breaches while using them, as any security incident may also lead to legal implications.

Evidence that can be prepared:
  • Information transfer policy

  • Information transfer procedure

  • Implemented controls

Who prepares it: The information security team helps define the information transfer policy and procedure by getting input from the IT Helpdesk team. The IT Helpdesk team implements the security controls.

For external audit: The external auditor conducting the ISO 27001 certification audit will check the evidence. They verify how security controls are implemented for safeguarding transfer of information via various modes of communication.

A.13.2.2 Agreements on Information Transfer (ISO 27001 Control)

Agreements should address the secure transfer of business information between the organization and external parties.

Explanation/what is required: Organizations communicate not only among their own employees/offices, but also with external parties outside the organization. Hence, to make sharing information secure, it is important to frame agreements that cover the secure transfer of information between your organization and the external party. That way, the external party becomes responsible and liable to protect your organization's information from any information security breach. Points to consider when framing the agreements are:
  • The responsibilities of management in controlling and transferring information

  • Traceability of the information from source to destination

  • Standards to follow for information packaging. For example, if courier services are required, what security standards will the courier firm follow to secure your information.

  • If there is a security incident, how will issues be addressed, including any liabilities to be paid.

  • Ensuring information classification is understood. The information access control levels must be agreed on by your organization and the external party.

Evidence that can be prepared:
  • Information transfer policy

  • Information transfer agreements

Who prepares it: The information security team facilitates in defining the information transfer policy and agreements. Before agreements are finalized they must be reviewed and approved by the legal team to prevent any liabilities of the organization during an information security breach.

For external audit: The external auditor conducting the ISO 27001 certification audit will check the evidence in order to verify how agreements are framed and what controls are covered as part of the agreement.

A.13.2.3 Electronic Messaging (ISO 27001 Control)

Information involved in electronic messaging should be appropriately protected.

Explanation/what is required: Organizations must create provisions to safeguard the information that’s shared via electronic messaging. Consider the following points:
  • No unauthorized access to the information/electronic messages. For example, if public services—i.e., instant messaging, social networking or file sharing—need to be used to share information, approvals must be received before using them.

There could be many more areas, which an organization must assess before allowing the use of electronic messaging.

Evidence that can be prepared: Electronic messaging policy

Who prepares it: The information security team will facilitate in defining the electronic messaging policy in discussion with the IT/Helpdesk team.

For external audit: The external auditor conducting the ISO 27001 certification audit will check the evidence in order to verify how the electronic messaging policy is defined and implemented in your organization.

A.13.2.4 Confidentiality or Non-Disclosure Agreements (ISO 27001 Control)

Requirements for confidentiality or non-disclosure agreements reflecting the organization needs for the protection of information should be identified, regularly reviewed, and documented.

Explanation/what is required: Organizations must create non-disclosure agreements (NDAs), either with external parties or with the employees as required, to protect the company information. NDAs cover the legal aspects to make the parties liable for protecting the information.

Points to consider in the non-disclosure agreement are:
  • Information to be protected

  • Responsibilities of the parties/organizations in safeguarding the information

  • Duration of the agreement; how long the information must be protected

  • Right to audit any external parties (vendors/suppliers, etc.)

There could be many more points, which an organization must assess before finalizing the non-disclosure agreement.

Evidence that can be prepared: Non-disclosure agreement

Who prepares it: The legal team will facilitate in defining/reviewing and finalizing the non-disclosure agreement.

For external audit: The external auditor conducting the ISO 27001 certification audit will check the evidence in order to verify how the non-disclosure agreement is defined and shared/signed with external parties or with employees to safeguard company information.

A.14 System Acquisition, Development, and Maintenance

A.14.1 Security Requirements of Information Systems

Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This includes the requirements for information systems that provide services over public networks.

Explanation: This control covers the lifecycle of the information system and it is an important part of ISMS. The next sections discuss each control one by one.

A.14.1.1 Information Security Requirements Analysis and Specification (Control ISO 27001)

The information security-related requirements should be included in the requirements for new information systems or enhancements to existing information systems.

Explanation/what is required: You need to identify the security-related requirements. For example, if you have a new requirement to build an ecommerce portal, the security requirements must be identified, such as an SSL certificate and payment over secured TLS (Transport Layer Security). Some points of the information security requirements that you should consider are:
  • Access provisioning and permission for business users, technical users, and other user groups.

  • The requirements mandated by other security controls, for example, interfaces for logging and monitoring or data leakage detection systems.

  • Security requirements to be collected in a separate section for each project/product.

  • The criteria for product acceptance should be defined before the UAT (User Acceptance Testing) to assure the customer that security requirements are met.

Evidence that can be prepared: Requirements document with security requirements and test records

Who prepares it: The requirements document should be prepared by the software development team along with relevant stakeholders.

For external audit: The external auditor will look for the evidence of security requirements. For example, the requirement document can be checked for whether you are covering the security requirement or not.

A.14.1.2 Securing Application Services on Public Networks (Control ISO 27001)

The information involved in application services passing over public networks should be protected from fraudulent activity, contract dispute, and unauthorized disclosure and modification.

Explanation/what is required: Software applications handle a lot of data, and much of this data travels over public networks. This control covers the security of application services over public networks. For example, a video learning platform wants to restrict the download of paid videos over a public network, and this becomes one of the security requirements.

Some points to consider here:
  • Authentication of registered users. Only authorized users can see the information.

  • The payment page should verify the payment information with the payment vendor.

    Note The controls required often include cryptographic methods for authentication and securing data transfer.

Evidence that can be prepared: Network security evidence such as monitoring logs and the authentication mechanism

Who prepares it: The software development team along with the IT team is responsible for preparing the required evidence along with relevant stakeholders.

For external audit: The auditor may check for security events logs, payment logs, and system error logs.

A.14.1.3 Protecting Application Services Transactions (Control ISO 27001)

The information involved in application service transactions should be protected to prevent incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, and unauthorized message duplication or replay.

Explanation/what is required: This control covers the application services transactions to secure the transactional information from any alteration and unauthorized disclosure. Some points to consider are:
  • The transaction ensures that the user’s secret authentication information is valid and remains confidential.

  • The communication channel between all involved parties is encrypted.

  • A trusted authority is used wherever required, for example for digital signatures and certificates.
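As an added example (not from the book), the following Python snippet shows how a transaction message can be protected against the four failure modes the control names: alteration (an HMAC tag over the whole message), misrouting (an explicit recipient field covered by the tag), replay (a nonce remembered by the receiver), and stale or incomplete transmission (a timestamp window and a malformed-message check). The shared key, party names and transaction fields are constructed for illustration.

```python
"""Protecting application service transactions: integrity, routing, replay and freshness checks."""
import hashlib
import hmac
import json
import secrets
import time

# Constructed shared secret for the example only; in practice each party's key comes from a key store.
SHARED_KEY = b"example-shared-key-not-for-production"
MAX_AGE_SECONDS = 300  # messages older than this window are rejected as stale


def canonical(payload):
    """Serialise deterministically so sender and receiver compute the tag over identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(tx, sender, recipient, key=SHARED_KEY, now=None):
    """Wrap a transaction with sender, intended recipient, a fresh nonce, a timestamp and an HMAC tag."""
    body = {
        "sender": sender,
        "recipient": recipient,
        "nonce": secrets.token_hex(16),
        "timestamp": int(now if now is not None else time.time()),
        "tx": tx,
    }
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class TransactionReceiver:
    """Receiving side for one service identity; remembers the nonces it has already accepted."""

    def __init__(self, identity, key=SHARED_KEY, max_age=MAX_AGE_SECONDS):
        self.identity = identity
        self.key = key
        self.max_age = max_age
        self.seen_nonces = set()

    def verify(self, message, now=None):
        """Return 'accepted' or the reason for rejection. The tag is checked first, because no
        other field can be trusted until integrity has been established."""
        now = now if now is not None else time.time()
        body = message.get("body")
        tag = message.get("tag")
        if not isinstance(body, dict) or not isinstance(tag, str):
            return "malformed"          # incomplete transmission or wrong format
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "tampered"           # any altered field changes the tag
        if body.get("recipient") != self.identity:
            return "misrouted"          # signed recipient does not match this service
        if abs(now - body["timestamp"]) > self.max_age:
            return "stale"              # outside the acceptance window
        if body["nonce"] in self.seen_nonces:
            return "replay"             # same message delivered a second time
        self.seen_nonces.add(body["nonce"])
        return "accepted"


if __name__ == "__main__":
    receiver = TransactionReceiver("payments")
    msg = sign_transaction({"amount": 100, "currency": "INR"}, "portal", "payments")
    print(receiver.verify(msg))   # accepted
    print(receiver.verify(msg))   # replay
```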

Evidence that can be prepared: Payment logs, digital signatures and certificates

Who prepares it: The IT and software development teams are responsible for the security of application services.

For external audit: The external auditor may check for storage of certificates and ask for the logs and enquire about what kind of encryption tools are used.

A.14.2 Security in Development and Support Processes

Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.

Explanation: The objective is to ensure security in the design and within the development lifecycle of the information systems. There are multiple subcontrols for security in development.

A.14.2.1 Secure Development Policy (Control ISO 27001)

Rules for the development of software and systems should be established and applied to developments within the organization.

Explanation/what is required: This control covers the secure development policy. What controls should be established to make the development environment secure? The following points can be considered:
  • Guidelines for secure coding practice for each programming language. For example, the name of any class should be written in camel case. Use of specific coding tools such as PhpStorm IDE, Eclipse, NetBeans, etc.

  • Security requirements review at the end of each development phase.

  • A secure repository and version control for code. For example, SVN, GitHub, etc.

    Note Developers should be trained in the use of these tools, in testing, and in code review. Reliable programming methods should be used for new developments and in code re-use scenarios.

Evidence that can be prepared: A secure code repository and version control. The coding guidelines for each programming language used in the organization.

Who prepares it: The software development team is responsible for preparing the coding guidelines and the IT/Infrastructure team is responsible for keeping the development environment secure.

For external audit: The external auditor will try to understand how you are securing your development environment and how the version control is done.

A.14.2.2 System Change Control Procedures (Control ISO 27001)

Changes to systems within the development lifecycle should be controlled using formal change control procedures.

Explanation/what is required: Change is inevitable in any software project and this control explains how to manage the changes within the development lifecycle. Some points for consideration:
  • Keep records of approved changes by authorized users

  • Maintain version control for all the approved changes

  • Manage change within the software development lifecycle

Evidence that can be prepared:
  • Audit trail of all the changes. The software development team needs to prepare an RTM (Requirements Traceability Matrix) in which changes can be documented.

  • Change log/tracker can be prepared.

Who prepares it: The software development team is responsible for preparing the evidence document and other required controls.

For external audit: The external auditor can ask for a change-log document and/or the procedure to manage changes within the software development lifecycle.

A.14.2.3 Technical Review of Applications after Operating Platform Changes (Control ISO 27001)

When operating platforms are changed, business-critical applications should be reviewed and tested to ensure there is no adverse impact on organizational operations or security.

Explanation/what is required: The control covers how the technical review is performed once the operating system is changed. Sometimes changing the operating system may introduce security impacts or the code might not work as expected. The following points can be considered:
  • Thorough testing needs to be done when the operating system gets changed.

  • All changes must be made in a way that ensures business continuity is not impacted.

    Note The operating platform includes databases, middleware, and any hardware or software version change. For example, an application developed in MySQL version 5.5 and deployed in version 5.7 must go through technical review and rigorous testing.

Evidence that can be prepared: Test case document and test results

Who prepares it: The software development team is responsible for the technical review of the application after a change in the operating platform.

For external audit: The external auditor may ask for a test case document or evidence of technical review.

A.14.2.4 Restrictions on Changes to Software Packages (Control ISO 27001)

Modifications to software packages should be discouraged, limited to necessary changes and all changes should be strictly controlled.

Explanation/what is required: The control covers the security controls for software packages. Unauthorized users should not be able to modify any software packages, and access control should be put in place by the IT team. Some points for consideration are:
  • The software update should be done after verification of changes made in the patch.

  • Only licensed software should be used, and it should be kept up to date.

  • A software update policy can be prepared, defining the update procedure, the frequency of updates, validity testing, etc.

Evidence that can be prepared:
  • List of all licensed software

  • Log to be maintained for patch updates

  • Automatic system update logs

  • Restrictions implemented on systems to prohibit users from installing software on their systems

Who prepares it: The IT team is responsible for managing software update restrictions and for maintaining the evidence.

For external audit: The external auditor may ask for the list of the licensed software and should be able to see how the policy is implemented to restrict the software update by unauthorized personnel.

A.14.2.5 Secure System Engineering Principles (Control ISO 27001)

Principles for engineering secure systems should be established, documented, maintained, and applied to any information system implementation efforts.

Explanation/what is required: The control explains the requirement of having secure system engineering principles, for example secure coding guidelines to be followed by the development team to make application development reliable and secure. The following points can be taken into consideration:
  • All new technology should be analyzed for security risks and known attack patterns. For example, SQL injection is a known attack pattern against databases, and hence those risks should be identified and worked on.

  • If the development is outsourced to a third-party vendor, then there must be an agreement or legal binding in place to enforce security measures.

  • Perform code review to identify security related issues.

    Note The software development team should also follow the secure engineering principle such as user authentication, secure sessions, data validation, and other standard practices to keep their application and software product secure.

Evidence that can be prepared: Coding guidelines for all programming languages.

Peer code review process can be defined and documented.

Who prepares it: The software development team is responsible for establishing secure engineering principles.

For external audit: The auditor may ask for the guidelines you use to protect the code from unauthorized access and may ask for some related evidence.

A.14.2.6 Secure Development Environment (Control ISO 27001)

Organizations should establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.

Explanation/what is required: The control covers the security of the development environment. This includes people, processes, and associated technology for development integration.

Organizations should assess risks associated with individual system development efforts and establish secure development environments for specific system development efforts. For example, to control the security of code, multiple environments can be set according to the requirement such as development environment, test environment, production environment. The following points need to be considered:
  • The sensitivity of data and storage over different environments.

  • Segregation of data between different development environments.

  • Access control to the development environment. For example, the DBA can have full rights, whereas developers need only view-only rights to the production database.

Evidence that can be prepared: Segregation of development environment. Secure code repository. Procedure for code deployment from one development environment to another.

Who prepares it: The software development team is responsible for maintaining the secure development environment.

For external audit: The auditor may check the evidence for segregation of development environment.

A.14.2.7 Outsourced Development (Control ISO 27001)

The organization should supervise and monitor the activity of outsourced system development.

Explanation/what is required: This control covers the security of outsourced development, and the following points should be considered:
  • Code ownership and intellectual copyright related to outsourced development.

  • Acceptance testing for the quality and accuracy of software deliverables.

  • Complete documentation deliverables.

  • The company that outsourced the development has full rights to audit the development cycle.

Evidence that can be prepared:
  • Agreement between both the parties

  • The complete list of software deliverables

  • Test results

  • Audit results

Who prepares it: Management, along with relevant stakeholders and the legal team, is responsible for the agreement; the software development team is responsible for the test results and the audit.

For external audit: The auditor may check the agreement or legal binding document between both parties.

A.14.2.8 System Security Testing (Control ISO 27001)

Testing of the security functionality should be carried out during development.

Explanation/what is required: This control covers system security testing, which is performed during the development cycle. The security testing should be performed rigorously for the development project. Independent software testing should be performed for the acceptance of software application/product.

Evidence that can be prepared: Security test cases for the application/software product and security test results.

Who prepares it: The software development team is responsible for security testing of software development.

For external audit: The external auditor conducting the ISO 27001 audit can ask for the evidence.

A.14.2.9 System Acceptance Testing (Control ISO 27001)

Acceptance testing programs and related criteria should be established for new information systems, upgrades, and new versions.

Explanation/what is required: System acceptance testing should include testing of the information security requirements. Organizations can leverage automated tools such as code scanners and vulnerability assessment tools.

Evidence that can be prepared: Security test cases and user acceptance test result

Who prepares it: The IT/Software development team is responsible for system acceptance testing.

For external audit: The external auditor conducting the ISO 27001 audit may check the security test case and results.

A.14.3 Test Data

Objective: To ensure the protection of data used for testing.

Explanation: This control ensures the protection of test data that is used for testing.

A.14.3.1 Protection of Test Data (Control ISO 27001)

Test data should be selected carefully, protected, and controlled.

Explanation/what is required: You need to protect test data, which may be drawn from your own operational data. It is advisable not to use any personally identifiable data for test purposes. The following points should be implemented to protect operational data when it is used for testing purposes:
  • The access control policy should also be implemented on the test application.

  • The test data entered or copied should have an audit trail.
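As an added example (not from the book), the Python snippet below prepares test data from operational records in line with the two points above: personally identifiable fields are replaced with deterministic pseudonyms (so relationships between tables survive but the originals cannot be recovered from the test environment), a pre-load check confirms no original PII survived, and every copy produces an audit trail entry. The key, field names and records are constructed for illustration.

```python
"""Preparing test data from operational records: PII masking with an audit trail."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed pseudonymisation key; in practice it stays with the data owner and is never
# copied into the test environment, so test users cannot link tokens back to real people.
PSEUDO_KEY = b"example-test-data-key"
PII_FIELDS = ("name", "email", "phone")


def pseudonym(value, field, key=PSEUDO_KEY):
    """Deterministic, keyed, non-reversible replacement. The same input always maps to the
    same token, so a customer's email in one table still matches their orders in another."""
    digest = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()[:12]
    if field == "email":
        return f"user-{digest}@test.invalid"   # the .invalid TLD can never deliver real mail
    return f"{field}-{digest}"


def mask_records(records, pii_fields=PII_FIELDS, key=PSEUDO_KEY):
    """Copy records, replacing PII fields and leaving everything else (ids, amounts) intact."""
    masked = []
    for rec in records:
        out = {}
        for k, v in rec.items():
            out[k] = pseudonym(str(v), k, key) if k in pii_fields and v is not None else v
        masked.append(out)
    return masked


def contains_original_pii(original, masked, pii_fields=PII_FIELDS):
    """Pre-load check: no original PII value may survive anywhere in the masked data set."""
    originals = {str(r[f]) for r in original for f in pii_fields if r.get(f) is not None}
    dump = json.dumps(masked)
    return any(v in dump for v in originals)


def audit_entry(actor, source, destination, records, masked, pii_fields=PII_FIELDS, when=None):
    """Audit trail record: who copied which data set where, what was masked, and a
    fingerprint of the output so the loaded test data can later be matched to this entry."""
    fingerprint = hashlib.sha256(json.dumps(masked, sort_keys=True).encode()).hexdigest()
    return {
        "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
        "actor": actor,
        "source": source,
        "destination": destination,
        "record_count": len(records),
        "masked_fields": list(pii_fields),
        "output_sha256": fingerprint,
    }


if __name__ == "__main__":
    # Constructed sample of operational records
    customers = [
        {"customer_id": 1, "name": "Asha Rao", "email": "asha@example.com", "phone": "+91-98765", "balance": 120.5},
        {"customer_id": 2, "name": "Ravi Sen", "email": "ravi@example.com", "phone": None, "balance": 0},
    ]
    masked = mask_records(customers)
    assert not contains_original_pii(customers, masked)
    print(json.dumps(masked, indent=2))
    print(json.dumps(audit_entry("qa-lead", "prod.customers", "uat.customers", customers, masked), indent=2))
```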

Evidence that can be prepared: Test data and audit trail log for test data

Who prepares it: The software development team is responsible for the protection of test data.

For external audit: The external auditor conducting the ISO 27001 audit may ask for the audit trail log of test data or other related evidence.

A.15 Supplier Relationships

A.15.1 Information Security in Supplier Relationships

Objective: To ensure protection of an organization’s assets that are accessible by suppliers.

Explanation/what is required: Organizations must assess information security risks. When they provide suppliers access to information and assets, there must be provisions to protect them from unauthorized access.

A.15.1.1 Information Security Policy for Supplier Relationships (ISO 27001 Control)

Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets should be agreed with the supplier and documented.

Explanation/what is required: Organizations must identify all the essential security controls and communicate them to all employees/contractors/suppliers by creating a policy. Organizations need to mandate that suppliers adhere to the organizational policy and that no unauthorized attempts are made to gain access to the organization's information and assets. It is important to define a clear procedure for implementing the identified security controls, to guide the implementation teams.

An organization can consider the following points, while planning to manage supplier relationships.
  • Identify and prepare the list of suppliers with information such as the supplier name and the type of services provided by the supplier, for example IT, logistics, infrastructure, etc.

  • Identify the types of access that need to be provided to all the different suppliers and how access will be monitored and controlled.

  • Define the agreements with each supplier based on the information security controls and business needs of the organization. Agreements must be signed by both parties, i.e. the supplier and your organization, to ensure all the obligations arising out of the agreements are fulfilled by the supplier organization.

  • How incident management will be done if any supplier-related incidents occur.

The organization must plan and conduct awareness sessions for members of the supplier's organization who will be accessing your organization's information and assets.

Evidence that can be prepared:
  • Supplier relationship policy

  • Agreement with suppliers

  • List of users from supplier organization who have been given access

  • Records of access permission monitoring to prevent information security breaches

Who prepares it:
  • The information security team prepares the supplier relationship policy in discussion with various departments/implementation teams.

  • The various department heads prepare the agreements based on the services acquired from each supplier.

  • The IT Helpdesk team maintains a list of users from the supplier organization for access monitoring purposes.

For external audit: The external auditor conducting the ISO 27001 certification audit will check the policy/procedure/security controls/records in order to verify how organizations have implemented the security controls for preventing unauthorized access.

A.15.1.2 Addressing Security Within Supplier Agreements (ISO 27001 Control)

All relevant information security requirements should be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for the organization's information.

Explanation/what is required: Once the supplier agreement is established between your organization and the supplier, both are aware of their obligations. This also ensures that there are no misunderstandings between the organizations/parties. The agreement must be agreed and signed by both parties.

The following points could be considered for inclusion in the supplier agreement.
  • Information that will be shared with the supplier organization and the methods to provide access to the information.

  • Classification of information defined based on the classification scheme of your organization and the supplier.

  • All the legal and statutory requirements, including the intellectual property rights, must be clearly mentioned.

  • Policies to be followed as required by the work scope and contract.

It is important to include that your organization has the right to audit the supplier organization whenever there is a security incident or any other type of issue that requires investigation.

There could be many more points that can be mentioned inside the agreement to avoid any conflicts between your organization and the supplier. These are just examples for reference purposes only. Organizations may add more depending on their business/project scope.

Evidence that can be prepared:
  • Supplier relationship policy

  • Supplier agreement between your organization and the supplier

Who prepares it:
  • The information security team prepares the supplier relationship policy in discussion with various departments/implementation teams.

  • Concerned department heads prepare the agreements based on the services acquired from each supplier. Agreements must be reviewed by the legal team to avoid conflicts and legal issues in the future.

  • The IT Helpdesk team maintains a list of users from the supplier organization for access monitoring purposes.

For external audit: The external auditor conducting the ISO 27001 certification audit will check the policy and the supplier agreement. They verify whether the organization has established a supplier agreement with the vendor/supplier, whether the agreement covers all the essential points to safeguard the organization's interests and avoid conflicts, and whether the agreement has been signed or has expired.

A.15.1.3 Information and Communication Technology Supply Chain (ISO 27001 Control)

Agreements with suppliers should include requirements to address the information security risks associated with information and communications technology services and product supply chain.

Explanation/what is required: The organization can include the following points in the supplier agreement for the provision of supply chain security into the products and services:
  • The organization should clearly define the information security requirements for the information and communication technology product or services.

  • Suppliers who provide services together with subcontractors must ensure that they remain responsible for complying with your organization's security requirements throughout the supply chain lifecycle.

  • There should be procedures for monitoring and validating the products and services to ensure that they adhere to the defined/agreed security requirements.

  • Ensure that the products and services that have been delivered work as expected.

There could be many more points inside the agreement. These are just examples for reference purposes only. Organizations may add more depending on their business/project scope.

Evidence that can be prepared:
  • Supplier relationship policy

  • Supplier agreement between your organization and the supplier

  • Procedures for monitoring and validating products and services

  • Results of monitoring and validating products and services

Who prepares it:
  • The information security team prepares the supplier relationship policy in discussion with various departments/implementation teams.

  • Concerned department heads prepare the agreements based on the services acquired from each supplier. Agreements must be reviewed by the legal team to avoid any conflicts and legal issues in the future.

  • Concerned departments prepare the procedure and results for monitoring and validating products and services.

For external audit: The external auditor conducting the ISO 27001 certification audit will check the policy and the supplier agreement. They verify whether the organization has established a supplier agreement with the vendor/supplier and whether the agreement covers all the essential points to safeguard the products and services of the supply chain.

A.15.2 Supplier Service Delivery Management

Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.

Explanation: Organizations must create the provisions to monitor and review the supplier service delivery performance based on the agreed security and service levels.

A.15.2.1 Monitoring and Review of Supplier Services (ISO 27001 Control)

Organizations should regularly monitor, review, and audit supplier service delivery.

Explanation/what is required: Once the supplier starts providing their services, they must be regularly monitored, reviewed, and audited.

Organizations can define the service management relationship procedure with the supplier to do the following:
  • To monitor the supplier's required performance levels as per the agreed terms.

  • To review service reports produced by the supplier and conduct regular meetings as defined in the agreement.

  • To conduct planned audits of the supplier processes and follow up on the closure of identified findings.

There could be many more points that can be mentioned for monitoring supplier performance. These points are for reference purposes only. Organizations may add more depending on their business/project scope.

Evidence that can be prepared:
  • Supplier relationship policy

  • Supplier agreement covering the clause on monitoring and reviewing the supplier processes

  • Service management relationship procedure

  • Service reports shared by the supplier

  • Results of monitoring, reviewing, and auditing activities

Who prepares it:
  • The information security team prepares the supplier relationship policy in discussion with various departments/implementation teams.

  • Concerned department heads prepare the agreements based on the services acquired from each supplier. Agreements must be reviewed by the legal team to avoid any conflicts and legal issues in the future.

  • Concerned departments prepare the procedure and results for monitoring and validating products and services.

For external audit: The external auditor conducting the ISO 27001 certification audit will check the policy and the supplier agreement. They verify how monitoring, reviewing, and auditing activities have been performed by your organization and follow up on the closure of identified issues.

A.15.2.2 Managing Changes to Supplier Services (ISO 27001 Control)

Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures, and controls, should be managed, taking into account the criticality of the business information, systems, and processes involved and the re-assessment of risks.

Explanation/what is required: Once the supplier starts providing their services, changes to the services might be required. Once the agreement is revised, risk assessment must be done to identify the existence of new risks.

Organizations can consider the following scenarios:
  • When you need to manage changes to the supplier agreements

  • When you are proposing enhancements or modifications to the current system

  • When you need to develop new systems.

Changes to supplier services can arise in the following scenarios:
  • When new products are developed or acquired

  • You want to implement a new technology

  • Any changes to office locations

  • You want to change suppliers

Evidence that can be prepared:
  • Supplier relationship policy

  • Supplier agreement changes

  • Revised/new agreement

  • Risk assessment tracker

Who prepares it:
  • The information security team prepares the supplier relationship policy in discussion with various departments/implementation teams.

  • The concerned department heads revise or prepare new agreements based on the services acquired from each supplier. Agreements must be reviewed by the legal team to avoid any conflicts and legal issues in the future.

  • The information security team assesses the new risks in discussion with the concerned department/stakeholder.

For external audit: The external auditor conducting the ISO 27001 certification audit will check the policy and the supplier agreement. They verify how supplier agreements are revised based on the organization's business needs and that the risks are reassessed based on the changes.

A.16 Information Security Incident Management

A.16.1 Management of Information Security Incidents and Improvements

Objective: To ensure a consistent and effective approach to managing information security incidents, including communication on security events and weaknesses.

Explanation/what is required: Organizations must manage the incidents effectively by providing a timely response to them.

A.16.1.1 Responsibilities and Procedures (ISO 27001 Control)

Management responsibilities and procedures should be established to ensure a quick, effective, and orderly response to information security incidents.

Explanation/what is required: Management must ensure that incident management procedures are defined and communicated to all within the organization.

Create a procedure to cover the following areas:
  • How incident responses will be planned

  • How incidents will be monitored, detected, analyzed, and reported in the organization

  • How incident management activities will be logged

  • How incidents will be assessed

  • How incident escalation and recovery from an incident will be handled

  • How incident reporting will be done to report security events and to plan the response actions

  • How incident details will be recorded (i.e. type of issue, messages appearing on screen, etc.) so that they can be shared with the incident response team for faster resolution

  • How incident resolution status will be reported to the people who reported the incident and how feedback will be gathered about the incident resolution to confirm the result is acceptable and the incident status can be closed

It is important that skilled employees handle the response to the incidents to ensure that incidents are resolved in an effective manner.

Evidence that can be prepared:
  • Incident management procedure

  • Incident form/reports

  • Incident resolution records/status

Who prepares it: The IT Helpdesk team can prepare all the evidence/records by consulting the information security team.

For external audit: The external auditor conducting the ISO 27001 certification audit will check the procedure/records to verify how the organization has defined and managed incident management activities, how incidents are reported, and the resolution status communicated with the incident reporter.

A.16.1.2 Reporting Information Security Events (ISO Control)

Information security events should be reported through appropriate management channels as quickly as possible.

Explanation/what is required: The requirement is that whenever any employee or contractor observes a security event in the system, it must be reported to the incident response team as quickly as possible, so that they can respond to the incident faster and minimize its impact on the organization's information security. It is important that employees/contractors are made aware of the procedures for reporting security events and know to whom any security event should be reported.

The following scenarios could be considered security incidents. Organizations can assess and prepare their own security incident definitions.
  • Incident due to human error/mistake

  • Ineffective security controls

  • Physical security access breaches

  • Unauthorized/unapproved system changes

  • Practices that are not followed as per policy and procedures

  • Errors in the system, i.e. software or hardware

Evidence that can be prepared:
  • Incident management procedure

  • Form/tools to report security events

  • Records of training/awareness sessions to employees/contractors on incident reporting

Who prepares it: The IT Helpdesk team can prepare all the evidence/records by consulting the information security team.

For external audit: The external auditor conducting the ISO 27001 certification audit will check the procedure/records in order to verify how the organization has defined and managed incident management activities, how incidents are reported, and how the resolution status was communicated to the incident reporter.

A.16.1.3 Reporting Information Security Weaknesses (ISO Control)

Employees and contractors using the organization’s information systems and services should be required to note and report any observed or suspected information security weaknesses in systems or services.

Explanation/what is required: Whenever any employee or contractor observes a security weakness in the system, they must report it to the incident response team as quickly as possible. It is important that the reporting mechanism be easy to use and readily available.

Evidence that can be prepared:
  • Incident management procedure

  • Form/tools to report security events

  • Records of training/awareness sessions to employees/contractors on security weaknesses

Who prepares it: The IT Helpdesk team can prepare all the evidence/records by consulting the information security team.

For external audit: The external auditor conducting the ISO 27001 certification audit will check the procedure/records in order to verify how employee/contractors report the security weaknesses and what reporting mechanisms are provided.

A.16.1.4 Assessment of and Decision on Information Security Events (ISO Control)

Information security events should be assessed, and it should be decided if they are to be classified as information security incidents.

Explanation/what is required: Assess the information security event to decide whether it is really an information security incident. The assessment is done by the point of contact or the incident response team by referring to the incident classification scale, which also helps to assess the impact and priority of an incident. For future reference purposes, all security event assessment results must be recorded.

Evidence that can be prepared:
  • Incident management procedure

  • Incident classification guideline

  • Security events assessment results/records

Who prepares it: The IT Helpdesk team can prepare all the evidence/records by consulting the information security team.

For external audit: The external auditor conducting the ISO 27001 certification audit will check the procedure/records in order to verify how security events are assessed and classified as information security incidents. They also check how the security event assessment results are recorded for future verification purposes.

A.16.1.5 Response to Information Security Incidents (ISO Control)

Information security events should be responded to in accordance with the documented procedures.

Explanation/what is required: The information security incident must be responded to by the designated member/point of contact of the organization. There could be scenarios where members from outside the organization need to respond to the security incident as well.

The following points should be included in the security incident response:
  • Once the incident occurs, all possible evidence must be recorded.

  • All the responses on the security incident must be logged, as they might be needed in the future for analysis purposes.

  • Determine the root cause of the information security incident.

Once all the required actions are taken on the incident, the status should change to closed and all the details should be recorded.

Evidence that can be prepared:
  • Incident management procedure

  • Incident responses/results

Who prepares it: The IT Helpdesk team can prepare all the evidence/records by consulting the information security team.

For external audit: The external auditor conducting the ISO 27001 certification audit will check the procedure/records in order to verify how security incident responses are communicated and recorded by the organization.

A.16.1.6 Learning from Information Security Incidents (ISO Control)

Knowledge gained from analyzing and resolving information security incidents should be used to reduce the likelihood or impact of future incidents.

Explanation/what is required: Organizations must analyze all the data collected during the evaluation of information security incidents. This data will help to assess whether similar types of incidents may occur on a frequent basis. After analyzing such data, organizations must identify appropriate security controls for implementation to minimize the occurrence and impact of information security incidents. The whole purpose of this control is to plan and implement improvements.

Evidence that can be prepared:
  • Incident management procedure

  • Incident analysis/reports

Who prepares it: The IT Helpdesk team can prepare all the evidence/records by consulting the information security team.

For external audit: The external auditor conducting the ISO 27001 certification audit will check the procedure/records in order to verify how the security incident evaluation results are analyzed.

A.16.1.7 Collection of Evidence (ISO Control)

The organization should define and apply procedures for the identification, collection, acquisition, and preservation of information, all of which can serve as evidence.

Explanation/what is required: Organizations must create the provisions to protect and safely store information that could serve as potential evidence, which would be required whenever any disciplinary process is initiated. It is important that access to stored evidence is always monitored and that it is not altered or deleted by unauthorized persons, as tampering can hamper legal proceedings. Sometimes it becomes necessary that a lawyer or the police be involved as soon as possible.

Evidence that can be prepared:
  • Incident management procedure

  • Implemented security controls to protect the evidence

  • List of people having access to the folders/files

  • Regular reviews of access list/logs to monitor unauthorized access attempts made to the evidence folder/files

Who prepares it: The IT Helpdesk team can prepare all the evidence/records by consulting the information security team.

For external audit: The external auditor conducting the ISO 27001 certification audit will check the procedure/records in order to verify how security controls are implemented and monitored to protect the evidence from being altered or deleted.
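The two controls the list above asks for on an evidence folder, an integrity baseline (so alteration or deletion is detectable) and a review of access against the list of people allowed in, as an added Python example that is not from the book or from any organization's procedure. The folder layout, incident number INC-0042, user names and the access-log format are constructed for the demo; a real evidence store would add the manifest itself to the protected records.

```python
"""Added example: integrity baseline and access-log review for an evidence folder.
Not from the book; folder layout, users, incident id and log format are constructed."""
import hashlib
import tempfile
from pathlib import Path

# Constructed list of people permitted to access the preserved evidence.
AUTHORIZED_USERS = {"irt.lead", "legal.counsel"}

# Constructed access-log lines in the form "<timestamp> <user> <action> <path>".
SAMPLE_ACCESS_LOG = """\
2020-03-02T09:14:05Z irt.lead READ evidence/INC-0042/mail-export.pst
2020-03-02T09:20:11Z jdoe READ evidence/INC-0042/mail-export.pst
2020-03-02T10:02:47Z legal.counsel READ evidence/INC-0042/server.log
2020-03-02T11:31:09Z jdoe DELETE evidence/INC-0042/server.log
2020-03-02T12:00:00Z irt.lead WRITE evidence/INC-0042/mail-export.pst
"""


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large evidence files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir: Path) -> dict:
    """Map each file (relative path) to its SHA-256. This is the integrity
    baseline recorded when the evidence is first preserved."""
    return {str(p.relative_to(evidence_dir)).replace("\\", "/"): sha256_file(p)
            for p in sorted(evidence_dir.rglob("*")) if p.is_file()}


def verify_manifest(evidence_dir: Path, manifest: dict) -> dict:
    """Compare the folder with the baseline and report modified, missing and
    unexpected files; an all-empty report means the evidence is unaltered."""
    current = build_manifest(evidence_dir)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def review_access_log(log_text: str, authorized: set) -> list:
    """Flag every access by a user outside the authorized list, and every WRITE or
    DELETE even by an authorized user: preserved evidence is read-only once stored."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = line.split(maxsplit=3)
        if user not in authorized:
            findings.append((ts, user, action, path, "unauthorized user"))
        elif action in ("WRITE", "DELETE"):
            findings.append((ts, user, action, path, "alteration of preserved evidence"))
    return findings


def demo() -> dict:
    """Baseline a constructed evidence folder, tamper with it the way the sample
    log records, re-verify, and run the access-log review."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "INC-0042"
        root.mkdir()
        (root / "server.log").write_text("constructed server log line\n")
        (root / "mail-export.pst").write_bytes(b"constructed mailbox export bytes")
        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)
        (root / "server.log").unlink()                       # the DELETE in the log
        (root / "mail-export.pst").write_bytes(b"tampered")  # the WRITE in the log
        (root / "notes.txt").write_text("file that was never part of the evidence\n")
        tampered = verify_manifest(root, manifest)
    return {"clean": clean, "tampered": tampered,
            "findings": review_access_log(SAMPLE_ACCESS_LOG, AUTHORIZED_USERS)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The access list and the manifest together are the "list of people having access" and the tamper-detection record an auditor would ask to see for this control; both should live outside the folder they protect.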

A.17 Information Security Aspects of Business Continuity Management

A.17.1 Information Security Continuity

Objective: Information security continuity should be embedded in the organization’s business continuity management systems.

Explanation/what is required: Protect information security from loss in any adverse situations that your organization may face. Organizations must always be prepared for adverse situations by establishing a robust business continuity management system.

A.17.1.1 Planning Information Security Continuity (ISO 27001 Control)

The organization should determine its requirements for information security and the continuity of information security management in adverse situations, e.g., during a crisis or disaster.

Explanation/what is required: Perform robust planning for the organization’s information security management in unexpected adverse situations. These situations are explained in earlier chapters—a fire, electricity/power blackout, floods, a cyber-attack by a hacker. If no preparation/planning is done, there could be a big negative impact, and recovery from such situations could take a lot of time and money. It is therefore advisable that organizations conduct an impact analysis on their business continuity requirements and plan a strategy that will help them execute the disaster recovery plan quickly.

Evidence that can be prepared: Business impact analysis document and business continuity and disaster recovery policy

Who prepares it: The information security team would need to get input from various departments, including critical ones like the IT Helpdesk team, to conduct a business impact analysis and prepare a business continuity and disaster recovery policy.

For external audit: The external auditor conducting the ISO 27001 certification audit will check the business impact analysis and business continuity and disaster recovery policy. They verify how the organization has conducted the impact analysis to analyze all their critical business needs.

A.17.1.2 Implementing Information Security Continuity (ISO 27001 Control)

The organization should establish, document, implement, and maintain processes, procedures, and controls to ensure the required level of continuity for information security during an adverse situation.

Explanation/what is required: To face any adverse situation, the organization needs a lot of preparation. This includes approved documented plans, response and recovery procedures that explain the steps to be followed for the different types of situations that may occur, and clear roles and responsibilities for employees/contractors/suppliers etc., with authorization levels, to avoid miscommunication. Preparing for business continuity is not a small task. It requires experienced, skilled professionals who do a lot of analysis and planning. It is advisable that the organization identify the predetermined levels of information security it needs to maintain after an adverse situation in order to run its business operations smoothly.

Evidence that can be prepared: Disaster response and recovery procedure and business continuity plan document

Who prepares it: The information security team needs to get input from various departments, including critical ones such as the IT Helpdesk team, to prepare a business continuity and disaster recovery procedure and a business continuity plan document.

For external audit: The external auditor conducting the ISO 27001 certification audit will check the evidence in order to verify how the organization has done the planning and prepared their organization, i.e., what procedures will be followed by the teams to deal with adverse situations.

A.17.1.3 Verify, Review, and Evaluate Information Security Continuity (ISO 27001 Control)

The organization should verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.

Explanation/what is required: Review and check whether there are any operational changes in the organization that require the business continuity planning and procedures to change.

For example, it is best to conduct a fire drill exercise for your organization/employees/emergency response teams so that they are aware of and prepared to handle such situations effectively. During such situations, fire alarms should work, doors should open automatically, water sprinklers must sprinkle water to douse the fire, and so on.

Wherever and whenever required, test your procedures, tools, technology, infrastructure etc. to ensure they are up to date, relevant, and would be enough to help your organization.

Evidence that can be prepared: Disaster response and recovery test procedure and test/review records

Who prepares it: The information security team, along with the various department stakeholders, will prepare test procedures and prepare test/review records after conducting various tests/reviews.

For external audit: The external auditor conducting the ISO 27001 certification audit will check the evidence in order to verify how the organization has identified relevant security controls and tested them to prepare for any adverse situations.

A.17.2 Redundancies

Objective: To ensure availability of information processing facilities.

Explanation: Ensure that systems and tools are available and working during adverse situations to support your company by establishing a robust business continuity management system.

A.17.2.1 Availability of Information Processing Facilities (ISO 27001 Control)

Information processing facilities should be implemented with sufficient redundancy to meet availability requirements.

Explanation/what is required: Ensure that during any adverse situations your organization’s critical systems and tools are up and running to support the business operations. For example:
  • If any critical IT server fails, a second (backup) server must be planned that immediately takes over and supports the applications. This failover ensures that there is minimal information loss during the few seconds of switchover time. The organization must analyze its business needs and determine which information/assets are critical.

  • It is important that the organization test the servers in a planned manner to ensure the systems work as expected. Scenarios must be identified where the availability of systems to safeguard information cannot be assured. These must be recorded as risks, mitigated in the future, and communicated to management and all stakeholders.

Evidence that can be prepared: Redundancy test planning, test records, and the risk tracker (for new risks identified during redundancy availability testing)

Who prepares it: The IT Helpdesk team, along with the information security team, will do redundancy test planning and prepare test records after conducting various tests. The risk tracker will be updated if there are new identified risks.

For external audit: The external auditor conducting the ISO 27001 certification audit will check the evidence in order to verify how the organization has identified relevant redundancy controls and tested them to prepare for any adverse situations.

A.18 Compliance

A.18.1 Compliance with Legal and Contractual Requirements

Objective: To avoid breaches of legal, statutory, regulatory, or contractual obligations related to information security and of any security requirements.

Explanation/what is required: Protect the organization by complying with the legal and/or contractual obligations mentioned in contracts and agreements pertaining to information security requirements.

A.18.1.1 Identification of Applicable Legislation and Contractual Requirements (ISO 27001 Control)

All relevant legislative, statutory, regulatory, and contractual requirements and the organization’s approach to meet these requirements should be explicitly identified, documented, and kept up to date for each information system.

Explanation/what is required: Based on its business scope, an organization must identify and document all the applicable laws and contractual requirements that it needs to comply with. The applicable laws are not only those of the country in which your organization is located, but also those of the countries where your products and services are sold, and those that apply from the client and supplier perspective. Whenever any changes happen in any laws or contractual obligations, organizations must identify them and revise the relevant documents.

Evidence that can be prepared: Document covering all applicable laws, agreement/contracts covering obligations, and the risk tracker (for new risks identified due to law or contractual obligations)

Who prepares it: Legal/law, the human resources team, and the information security team will identify and document all applicable laws and agreements/contracts covering obligations. The risk tracker will be updated if there are new identified risks.

For external audit: The external auditor conducting the ISO 27001 certification audit will check the evidence in order to verify how the organization has identified relevant laws and contractual obligations to avoid legal breaches.

A.18.1.2 Intellectual Property Rights (ISO 27001 Control)

Appropriate procedures should be implemented to ensure compliance with legislative, regulatory, and contractual requirements related to intellectual property rights and use of proprietary software products.

Explanation/what is required: An organization must protect information/software/tools/source code or any other material that could be considered intellectual property. Intellectual property protection is important because it is something created by your organization. If it is copied or stolen then it would be considered a breach of intellectual property rights.

Or it is something created by your client or supplier that your organization is accessing/using, so your organization must comply with all the related laws and contractual obligations. Hence, your organization can create a documented procedure that can be followed to ensure compliance is always achieved. All the impacted teams/managers/stakeholders must be aware of all the legal and contractual obligations related to their departments, as failing to comply may result in legal penalties and impact the organization’s image.

To protect intellectual property, the organization must analyze and identify security controls that are relevant to their business scope. Some examples to be considered are:
  • Mention in the employment contract/letter that every employee must protect the organization’s intellectual property rights

  • Include the same requirement in all the business/work agreements made with your clients and suppliers

  • All the purchased software/tools installed and used in your organization must be licensed and authorized for use. Always track the expiry dates of such licenses and renew them as required.

Evidence that can be prepared: Documented policies and procedures for managing intellectual property, agreements/contracts, and the risk tracker (for new risks identified due to legal or contractual obligations)

Who prepares it: Legal/law, the human resources team, and the information security team will identify and document evidence.

For external audit: The external auditor conducting the ISO 27001 certification audit will check the evidence in order to verify how the organization has identified and implemented security controls to protect intellectual property rights.

A.18.1.3 Protection of Records (ISO 27001 Control)

Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual, and business requirements.

Explanation/what is required: An organization must avoid a breach of intellectual property rights. To do this, the organization must identify and implement all the required security controls.

Some of the examples that could be considered are:
  • Create a data retention policy and procedure

  • Define the data retention period for each type of information/data/record

  • Define how the data is stored, i.e., paper/files/electronic media

  • Define how access to the stored information is managed

  • Define how the data will be disposed of after the data retention period is over

Evidence that can be prepared: Data retention policy and procedure, tools/files where data is stored, list of people with access, and review of access permissions

Who prepares it: Department heads/managers along with the information security team will identify and document evidence.

For external audit: The external auditor conducting the ISO 27001 certification audit will check the evidence in order to verify how the organization has identified and implemented security controls for the protection of records.

A.18.1.4 Privacy and Protection of Personally Identifiable Information (ISO 27001 Control)

Privacy and protection of personally identifiable information should be ensured as required in relevant legislations and regulations where applicable.

Explanation/what is required: An organization must create the provisions to safeguard the personally identifiable information of employees/contractors/clients/users/suppliers, etc. The organization must know what counts as personally identifiable information, such as personal identification numbers, credit card details, health information, etc. It is very important that organizations get consent from all employees/contractors/clients/users/suppliers before storing their personal information for official purposes. The organization can define a procedure to explain how this information will be stored and protected from unauthorized access. All stakeholders must understand their roles and responsibilities and the importance of safeguarding such information.

Some of the examples that could be considered are:
  • Create policies and procedures for stakeholders to follow.

  • The human resources team can get the written consent from employees/contractors to store their information. The form should mention the information details that will be stored, for how many years, and the purpose of storing.

  • The organization can also display a notice on its company websites informing visitors that their cookie information is captured and giving them the option to either accept or reject this. Also, you must get consent for any form filled in online on your organization’s website that stores personal information.

  • Get consent from clients and suppliers via contracts/agreements.

  • Put controls to protect this stored information.

  • Define how users make requests to your organization to delete their personal information.

  • After the data retention period is over, define how you dispose of the personal information.

Evidence that can be prepared: Protection of personally identifiable information policy and procedures, consent evidence (i.e., signed paper forms or online application acceptances), list of people with access to the information, review of access permissions, records of user requests to delete their personal information, and information disposal evidence

Who prepares it: Department heads/managers along with the information security team will identify and document evidence.

For external audit: The external auditor conducting the ISO 27001 certification audit will check the evidence in order to verify how the organization identified and implemented security controls for the privacy and protection of personally identifiable information.

A.18.1.5 Regulation of Cryptography Controls (ISO 27001 Control)

Cryptographic controls should be used in compliance with all relevant agreements, legislation, and regulations.

Explanation/what is required: An organization must use cryptographic controls in compliance with all relevant agreements, legislation, and regulations, as there could be restrictions on how they are implemented. Failure to comply may result in fines or could impact the company image. Hence, organizations are advised to consult their legal team to analyze the specific legal requirements in the countries where they operate.

Evidence that can be prepared: Cryptography usage policy and evidence of cryptography usage

Who prepares it: Department heads/managers along with the information security team will identify and document evidence.

For external audit: The external auditor conducting the ISO 27001 certification audit will check the evidence in order to verify how the organization has identified and implemented cryptographic controls.

A.18.2 Information Security Reviews

Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures.

Explanation: The organization must ensure that they have implemented information security by following their defined policies and procedures.

A.18.2.1 Independent Review of Information Security (ISO 27001 Control)

The organization’s approach to managing and implementing information security (i.e., control objectives, controls, policies, processes, and procedures for information security) should be reviewed independently at planned intervals or when significant changes occur.

Explanation/what is required: The requirement is that an organization must plan independent reviews at regular intervals, driven by management. This is to ensure that the implemented information security management system—the policies, procedures, and security controls—is compliant and suitable for use. Wherever improvements are identified and changes are needed, they must be promptly implemented.

If these reviews are conducted by internal teams, the reviewer/auditor must be from a different area or department so that there is no bias while conducting the review. The review could also be conducted by an external agency. The identified reviewer must be skilled and experienced. Results of these reviews must be presented to management for their awareness and to seek any feedback. When non-compliance is identified, proper corrective actions must be identified to fix it.

Evidence that can be prepared:
  • Review/audit plan

  • Reviewer/auditor list

  • Training records of reviewer/auditor list

  • Results of review/audit

Who prepares it: The information security team is responsible for reviewing security along with the relevant stakeholders.

For external audit: The external auditor conducting the ISO 27001 audit may check for all the stated evidence.

Summary

This chapter covered how to implement the ISO 27001 controls by adopting the 27002 guidelines shared by the standard. Then you learned about all the information security controls that you need to implement and execute in your organization in order to make your system audit ready and to successfully complete the ISMS audit.

References

This chapter is based on the practical tips of the author while implementing various controls and from the ISO/IEC 27001 and 27002 standard guidelines, also known as “Security Techniques: Code of Practice for Information Security Controls”.
