This article provides an overview of the organisation of information security as part of ISO 27002 compliance.
The objective is to establish a framework to implement, manage and control the operation of information security within the organisation. This section of ISO 27002 provides a set of controls and guidelines that an organisation implements to manage security throughout the organisation; it also covers mobile devices and teleworking.
The organisation of information security covers key controls and guidelines across the following main areas:
- Information security roles and responsibilities – all information security roles and responsibilities should be defined and allocated. Guidelines – allocation of information security responsibilities should be done in accordance with the information security policies. Responsibilities for the protection of individual assets and for carrying out specific information security processes should be identified. Responsibilities for information security risk management activities should also be defined.
- Segregation of duties – Control – conflicting duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organisation’s assets. Guidelines – no single person should be able to access, modify or use assets without authorization or detection. The initiation of an event should be separated from its authorization. The possibility of collusion should be considered in designing the controls.
- Contact with authorities – appropriate contacts with relevant authorities should be maintained. Guidelines – organisations should have procedures in place that specify when and by whom relevant authorities (regulators, law enforcement agencies, supervisory authorities etc.) should be contacted, and how identified information security incidents should be reported to them in a timely and accurate manner.
- Contact with special interest groups – appropriate contacts with special interest groups or other specialist security forums and professional associations should be maintained. Guidelines – membership in special interest groups should be considered as a means to:
  - Improve knowledge about best practices and stay up to date with relevant security information;
  - Ensure that the understanding of the information security environment is current;
  - Receive early warnings of alerts and patches for attacks and vulnerabilities;
  - Gain access to specialist information security advice;
  - Share best practice on new technologies, products, threats or vulnerabilities.
Information security in project management
Guidelines – information security should be integrated into the organisation’s project management methodology, ensuring that risks are identified and addressed as part of a project. This applies to any project regardless of its type. The project management methodology should include the following:
- Information security objectives should be part of the project objectives;
- An information security risk assessment should be conducted at an early stage of the project to identify risks and controls;
- Information security should be part of all phases of the project management methodology.
Information security implications should be addressed and reviewed regularly for all projects with clear roles and responsibilities.
Mobile device policy
A policy and supporting security measures should be adopted to manage the risks introduced by using mobile devices.
Guidelines – implement measures to ensure that business information is not compromised when mobile devices are used by the organisation’s staff.
Teleworking
A policy and supporting security measures should be implemented to protect information accessed, processed or stored at teleworking sites.
Guidelines – organisations allowing teleworking activities should issue a policy that defines the conditions and restrictions for using teleworking.
For more information, please contact Morland-Austin at info@morland-austin.com.