isms sample1
TRANSCRIPT
-
8/2/2019 ISMS Sample1
1/22
August 10, 2006
CS1/06-0175 Lucent Contribution to ISO 27001/2
Part 1 of 3
ISO 18028-2 and ISO 27001/2 Contribution Document Structure
0. Introduction
0.1) Motivation
0.2) Methodology
0.3) Benefits
1. Scope
2. References
3. Terms and Definitions
4. Overview
5. Security Policy
15. Compliance
Sections are aligned with revised Recommendation X.1051 and ISO 27001/2 (Sections 5 through 15).
Consistent ISO Terminology
Example of the structure for Sections 5 through 15 (all of the ISO 27001/2 controls):
A.10.9.2
Control
Information involved in on-line transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
ISO 18028-2: Applicable [X]  Not Applicable [ ]
Layer(s): Services Layer, Infrastructure Layer, Applications Layer
Plane(s): Management Plane, End-User Plane
Dimension(s): Data Integrity, Data Confidentiality, Communications Security, and Access Control
Rationale: to be supplied in a later submission. The rationale would provide technical depth and breadth on
whether a control would be applicable to ISO 18028-2 or not. This extensive work would come after the study group agreed on all controls (applicable or N/A).
CS1/06-0175 Lucent Contribution to ISO 27001/2
Part 2 of 3
Applying ISO/IEC 18028-2 Contribution to ISO/IEC 27001/2
0. Introduction
ISO/IEC 27001 provides a model for establishing, implementing, operating, monitoring, reviewing,
maintaining and improving an Information Security Management System (ISMS) within the context of an
organization's overall business activities and the risks that it faces.
ISO/IEC 18028-2 partitions a telecommunications network into a three-layered hierarchy of equipment and
facilities groupings: (1) the infrastructure security layer, (2) the services security layer, and (3) the
applications security layer. ISO/IEC 18028-2 defines the three types of activities that can occur at every layer as security planes. The three security planes present at every layer are: (1) management security plane,
(2) control/signaling security plane, and (3) end-user security plane. ISO/IEC 18028-2 applies security
mechanisms contained in eight security dimensions to secure each security layer/plane combination.
This document defines guidelines that support the application of the ISO/IEC 18028-2 security layers, planes
and dimensions to the ISO/IEC 27001 model for the establishment, implementation and operation of an
ISMS.
0.1 Motivation
ISO/IEC 27001 applies the "Plan-Do-Check-Act" model to structure the process of establishing,
implementing, operating, monitoring, reviewing, maintaining and improving an ISMS in the following
phases:
Plan: Establish the ISMS.
Do: Implement and operate the ISMS.
Check: Monitor and review the ISMS.
Act: Maintain and improve the ISMS.
ISO/IEC 27001 provides a list of steps that must be performed in order to accomplish each of the above
phases, but does not provide technical guidance on the specific actions that need to be performed for each
step. This International Standard defines how ISO/IEC 18028-2 shall be used to provide specificity for the
actions required in each of the following steps.
Establish the ISMS:
Identify the risks,
Select control objectives and controls for the treatment of risks.
Implement and operate the ISMS:
Implement controls selected above to meet the control objectives,
Implement procedures and other controls capable of enabling prompt detection of security events and
response to security incidents.
0.2 Methodology
ISO/IEC 18028-2 security layers, planes and dimensions will be used in the following manner to provide
specificity to each of the following steps.
Establish the ISMS:
Identify the risks. The security layers and planes will be systematically analyzed to identify assets,
threats to those assets, and vulnerabilities in those assets that might be exploited by threats/the attackers.
Select control objectives and controls for the treatment of risks. Control objectives and controls will be
selected for application to the security layer and plane of each asset at risk.
Implement and operate the ISMS:
Implement controls selected above to meet the control objectives. The security dimensions will be
used to provide the necessary mechanisms required to implement and operate the selected controls. The
security dimensions also address control objectives and controls that are not listed in ISO/IEC 27001
Annex A and that may be selected as well.
Implement procedures and other controls capable of enabling prompt detection of security events and
response to security incidents. The security layers and planes will be utilized to determine the type and
probable location of security events. Procedures and controls will be selected for application to the
identified security layer and plane. The security dimensions contain mechanisms required to implement
and operate the selected procedures and controls.
0.3 Benefits
This International Standard complements ISO/IEC 27001 by providing necessary specificity to the
establishment, implementation and operation of an ISMS. It provides a standardized, systematic, methodical
approach utilizing ISO/IEC 18028-2 for identifying risks, selecting control objectives and controls for the
mitigation of risks, implementing controls to meet control objectives, and implementing procedures capable
of enabling prompt detection of security events and response to security incidents.
While some of the controls described in ISO/IEC 27002 provide very specific guidance on their
implementation and operation, most of them do not. The application of ISO/IEC 18028-2 to the
implementation and operation of ISO/IEC 27001 controls ensures that the right controls are comprehensively
applied to every layer and plane to thoroughly secure assets at risk. The ISO/IEC 18028-2 security
dimensions provide the details required to implement and operate the ISO/IEC 27001 controls. In addition,
the ISO/IEC 18028-2 security dimensions provide a base for additional control objectives and controls that are
not listed in ISO/IEC 27001 Annex A and that may be selected, implemented and operated as part of an
organization's ISMS.
1. Scope
This International Standard covers all types of organizations (e.g., commercial enterprises, government
agencies, non-profit organizations). This International Standard specifies the requirements for application of
ISO/IEC 18028-2 to the ISO/IEC 27001 model for the establishment, implementation and operation of
an ISMS.
2. References
ISO/IEC 27002:2005, Information technology - Code of practice for information security management
ITU-T Recommendation X.805 (2003), Security architecture for systems providing end-to-end
communications.
ISO/IEC 18028-2: 2006, Information technology - Security techniques - IT network security - Part 2:
Network security architecture.
3. Terms and Definitions
For the purposes of this International Standard, the following terms and definitions apply.
4. Overview
This section will ultimately describe how the nine ISO/IEC 18028-2 security modules are used to identify
assets, threats, vulnerabilities, and risks, and how controls are selected to protect the assets at risk. In
addition, the section will describe how the eight dimensions can be utilized for the implementation and
operation of controls.
4.1 Structure of this guideline
This guideline, from Section 5 onward, will have the same structure as in ISO/IEC 27002. Objectives and
controls will be imported from ISO/IEC 27001/2.
The following provides two examples of the structure of the control sections.
5.1.1 Information security policy document
Control
An information security policy document should be approved by management, and published and
communicated to all employees and relevant external parties.
ISO 18028-2: Applicable [X]  Not Applicable [ ]
Layer(s): All
Plane(s): All
Dimension(s): All
Rationale: The implementation guidance for the information security policy document states that the policy
must set out the organization's approach to managing information security. In the policy, management would state the use and benefits of ISO 18028-2 in the approach. The applicability and implementation of the
controls supported by ISO 18028-2 layers/planes/dimensions would be dependent on the ISMS scope.
10.9.2 On-Line Transactions
Control
Information involved in on-line transactions should be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
ISO 18028-2: Applicable [X]  Not Applicable [ ]
Layer(s): Services Layer, Infrastructure Layer, Applications Layer
Plane(s): Management Plane, End-User Plane
Dimension(s): Data Integrity, Data Confidentiality, Communications Security, and Access Control
Rationale: In order to protect information involved in on-line transactions, the ISO 18028-2 layers and
planes are used to determine the necessary controls (in this case control 10.9.2), and where they need to be
applied, for on-line transactions. The ISO 18028-2 dimensions specify measures required to implement and
operate the control. For example: implementing IPSec AH of the data integrity dimension to prevent
unauthorized message alteration in the services layer and IPSec ESP of the data confidentiality dimension to
prevent unauthorized disclosure in the services layer.
CS1/06-0175 Lucent Contribution to ISO 27001/2
Part 3 of 3
ISO27001
Number
Control Name Sub-ControlName
Control Description ApplyingISO/IEC 18028-
2 to ISO 27001or ISO 27002
A.5 Security Policy
A.5.1 Information SecurityPolicy
A.5.1.1 Information SecurityPolicy
InformationSecurity policydocument
An information securitypolicy document shall beapproved by management,and published andcommunicated to allemployees and relevantexternal parties.
Yes
A.5.1.2 Information SecurityPolicy
Review of theinformation securitypolicy
The information securitypolicy shall be reviewed atplanned intervals of ifsignificant changes occur toensure its continuingsuitability, adequacy, andeffectiveness.
N/A
A.6 Organizational of InformationSecurity
A.6.1 Internal Organization
A.6.1.1 Internal Organization Management
commitment toinformation security
Management shall actively
support security within theorganization through cleardirection, demonstratedcommitment, explicitassignment, andacknowledgment ofinformation securityresponsibilities.
N/A
A.6.1.2 Internal Organization Information securitycoordination
Information securityactivities shall be co-ordinated byrepresentatives fromdifferent parts of theorganization with relevant
roles and job functions.
N/A
A.6.1.3 Internal Organization Allocation ofinformation securityresponsibilities
All information securityresponsibilities shall beclearly defined.
N/A
A.6.1.4 Internal Organization Authorizationprocess forinformationprocessing facilities
A managementauthorization process fornew information processingfacilities shall be definedand implemented.
N/A
-
8/2/2019 ISMS Sample1
7/22
7
A.6.1.5 Internal Organization Confidentialityagreements
Requirements forconfidentiality or non-disclosure agreementsreflecting the organization'sneeds for the protection ofinformation shall beidentified and regularly
reviewed.
N/A
A.6.1.6 Internal Organization Contact withauthorities
Appropriate contracts withrelevant authorities shall bemaintained.
N/A
A.6.1.7 Internal Organization Contact withspecial interestgroups
Appropriate contracts withspecial interest groups orother specialist securityforums and professionalassociations shall bemaintained.
N/A
A.6.1.8 Internal Organization Independent reviewof informationsecurity
The organization'sapproach to managinginformation security and itsimplementation (i.e., control
objectives, controls,policies, processes, andprocedures for informationsecurity) shall be reviewedindependently at plannedintervals, or whensignificant changes to thesecurity implementationoccur.
Yes
A.6.2 External Parties
A.6.2.1 External Parties Identification ofrisks related toexternal parties
The risks to theorganization's informationand information processingfacilities from business
processes involvingexternal parties shall beidentified and appropriatecontrols implementedbefore granting access.
Yes
A.6.2.2 External Parties Addressing securitywhen dealing withcustomers
All identified securityrequirements shall beaddressed before givingcustomers access to theorganization's informationor assets.
Yes
A.6.2.3 External Parties Addressing securityin third party
agreements
Agreements with thirdparties involving accessing,
processing, communicatingor managing theorganization's informationor information processingfacilities, or adding productsor services to informationprocessing facilities shallcover all relevant securityrequirements.
Yes
-
8/2/2019 ISMS Sample1
8/22
8
A.7 AssetManagement
A.7.1 Responsibility forassets
A.7.1.1 Responsibility forassets
Inventory of assets All assets shall be clearlyidentified and an inventoryof all important assets
drawn up and maintained.
Yes
A.7.1.2 Responsibility forassets
Ownership ofassets
All information and assetsassociated with informationprocessing facilities shall beowned by a designated partof the organization.
Yes
A.7.1.3 Responsibility forassets
Acceptable use ofassets
Rules for acceptable use ofinformation and assetsassociated with informationprocessing facilities shall beidentified, documented, andimplemented.
Yes
A.7.2 Informationclassification
A.7.2.1 Informationclassification
Classificationguidelines
Information shall beclassified in terms of itsvalue, legal requirements,sensitivity and criticality tothe organization.
Yes
A.7.2.2 Informationclassification
Information labelingand handling
An appropriate set ofprocedures for informationlabeling and handling shallbe developed andimplemented in accordancewith the classificationscheme adopted by the
organization.
N/A
A.8 HumanResourcesSecurity
A.8.1 Prior to employment
A.8.1.1 Prior to employment Roles andresponsibilities
Security roles andresponsibilities ofemployees, contractors andthird party users shall bedefined and documented inaccordance with theorganization's informationsecurity policy.
N/A
A.8.1.2 Prior to employment Screening back-up copies ofinformation and softwareshall be taken and testedregularly in accordance withthe agreed backup policy.
N/A
-
8/2/2019 ISMS Sample1
9/22
9
A.8.1.3 Prior to employment Terms andconditions ofemployment
As part of the contractualobligation, employees,contractors and third partyusers shall agree and signthe terms and conditions oftheir employment contractwhich shall state their and
the organization'sresponsibilities forinformation security.
N/A
A.8.2 During employment
A.8.2.1 During employment Managementresponsibilities
Management shall requireemployees, contractors andthird party users to applysecurity in accordance withestablished policies andprocedures of theorganization.
N/A
A.8.2.2 During employment Information securityawareness,education and
training
All employees of theorganization and, whererelevant, contractors and
third party users shallreceive appropriateawareness training regularupdates in organizationalpolicies and procedures, asrelevant for their jobdescription.
Yes
A.8.2.3 During employment Disciplinaryprocess
There shall be a formaldisciplinary process foremployees who havecommitted a securitybreach.
N/A
A.8.3 Termination of change of employment
A.8.3.1 Termination ofchange ofemployment
Terminationresponsibilities
Responsibilities forperforming employmenttermination or change ofemployment shall be clearlydefined and assigned.
N/A
A.8.3.2 Termination ofchange ofemployment
Return of assets All employees, contractorsand third party users shallreturn all of theorganization's assets intheir possession upontermination of theiremployment, contract oragreement.
N/A
A.8.3.3 Termination of
change ofemployment
Removal of access
rights
The access rights of all
employees, contractors andthird party users toinformation and informationprocessing facilities shall beremoved upon terminationof their employment,contract or agreement, oradjusted upon change.
N/A
A.9 Physical andEnvironment
-
8/2/2019 ISMS Sample1
10/22
10
Security
A.9.1 Secure Areas
A.9.1.1 Secure Areas Physical securityperimeter
Security perimeters(barriers such as walls,card controlled entry gatesor manned reception desks)shall be used to protect
areas that containinformation and informationprocessing facilities.
Subject to ITUContribution:
Adapting ISO18028-2 to Physical
and Environment
Security
A.9.1.2 Secure Areas Physical entrycontrols
Secure areas shall beprotected by appropriateentry controls to ensure thatonly authorized personnelare allowed access.
Subject to ITUContribution:
Adapting ISO18028-2 to Physical
and EnvironmentSecurity
A.9.1.3 Secure Areas Securing offices,rooms and facilities
Physical security for offices,rooms, and facilities shallbe designed and applied.
Subject to ITUContribution:
Adapting ISO18028-2 to Physical
and Environment
SecurityA.9.1.4 Secure Areas Protecting against
external andenvironmentalthreats
Physical protection againstdamage from fire, flood,earthquake, explosion, civilunrest and other forms ofnatural or man-madedisaster shall be designedand applied.
Subject to ITUContribution:
Adapting ISO18028-2 to Physical
and EnvironmentSecurity
A.9.1.5 Secure Areas Working in secureareas
Physical protection andguidelines for working insecure areas shall bedesigned and applied.
Subject to ITUContribution:
Adapting ISO18028-2 to Physical
and EnvironmentSecurity
A.9.1.6 Secure Areas Public access,delivery andloading areas.
Access points such asdelivery and loading areasand other points whereunauthorized persons mayenter the premises shall becontrolled and, if possible,isolated from informationprocessing facilities toavoid unauthorized access.
Subject to ITUContribution:
Adapting ISO18028-2 to Physical
and EnvironmentSecurity
A.9.2 Equipment security
A.9.2.1 Equipment security Equipment sitingand protection
Equipment shall be sited orprotested to reduce therisks from environmentalthreats and hazards, andopportunities forunauthorized access.
Subject to ITUContribution:
Adapting ISO18028-2 to Physical
and EnvironmentSecurity
A.9.2.2 Equipment security Supporting utilit ies Equipment shall beprotected from powerfailures and otherdisruptions caused byfailures in supportingutilities.
Subject to ITUContribution:
Adapting ISO18028-2 to Physical
and EnvironmentSecurity
-
8/2/2019 ISMS Sample1
11/22
11
A.9.2.3 Equipment security Cabling security Power andtelecommunications cablingcarrying data or supportinginformation services shallbe protected frominterception or damage.
Subject to ITUContribution:
Adapting ISO18028-2 to Physical
and EnvironmentSecurity
A.9.2.4 Equipment security Equipment
maintenance
Equipment shall be
correctly maintained toensure its continuedavailability and integrity.
Yes
A.9.2.5 Equipment security Security ofequipment off-premises
Security shall be applied tooff-site equipment takinginto account the differentrisks of working outside theorganization's premises.
Subject to ITUContribution:
Adapting ISO18028-2 to Physical
and EnvironmentSecurity
A.9.2.6 Equipment security Secure disposal orre-use ofequipment
All items of equipmentcontaining storage mediashall be checked to ensurethat any sensitive data andlicensed software has been
removed or securelyoverwritten prior todisposal.
Subject to ITUContribution:
Adapting ISO18028-2 to Physical
and Environment
Security
A.9.2.7 Equipment security Removal ofproperty
Equipment, information orsoftware shall not be takenoff-site without priorauthorization.
Subject to ITUContribution:
Adapting ISO18028-2 to Physical
and EnvironmentSecurity
A.10 Communications and OperationsManagement
A.10.1 Operational procedures and responsibili ties
A.10.1.1 Operationalprocedures andresponsibilities
Documentedoperatingprocedures
Operating procedures shallbe documented,maintained, and madeavailable to all users whoneed them.
Yes
A.10.1.2 Operationalprocedures andresponsibilities
Changemanagement
Changes to informationprocessing facilities andsystems shall be controlled.
N/A
A.10.1.3 Operationalprocedures andresponsibilities
Segregation ofduties
Duties and areas ofresponsibility shall besegregated to reduceopportunities forunauthorized orunintentional modification
or misuse of theorganization's assets.
N/A
A.10.1.4 Operationalprocedures andresponsibilities
Separation ofdevelopment, testand operationalfacilities
Development, test andoperational facilities shallbe separated to reduce therisks of unauthorizedaccess or changes to theoperational system.
N/A
A.10.2 Third party service delivery management
-
8/2/2019 ISMS Sample1
12/22
12
A.10.2.1 Third party servicedelivery management
Service delivery It shall be ensured thatsecurity options, servicedefinitions and deliverylevels included in the thirdparty service deliveryagreement areimplemented, operated,
and maintained by the thirdparty.
Yes
A.10.2.2 Third party servicedelivery management
Monitoring andreview of third partyservices
The services, reports andrecords provided by thethird party shall be regularlymonitored and reviewed,and audits shall be carriedout regularly.
Yes
A.10.2.3 Third party servicedelivery management
Managing changesto third partyservices
Changes to the provision ofservices, includingmaintaining and improvingexisting information securitypolicies, procedures andcontrols, shall be managed,
taking into account of thecriticality of businesssystems and processesinvolved and re-assessment of risks.
N/A
A.10.3 System planning andacceptance
A.10.3.1 System planning andacceptance
Capacitymanagement
The use of resources shallbe monitored, tuned, andprojections made of futurecapacity requirements toensure the required systemperformance.
N/A
A.10.3.2 System planning andacceptance
System acceptance Acceptance criteria for newinformation systems,upgrades, and newversions shall beestablished and suitabletests of the system(s)carried out duringdevelopment and prior toacceptance.
N/A
A.10.4 Protection against malicious and mobilecode
A.10.4.1 Protection againstmalicious and mobile
code
Controls againstmalicious code
Detection, prevention, andrecovery controls to protect
against malicious code andappropriate user awarenessprocedures shall beimplemented.
Yes
-
8/2/2019 ISMS Sample1
13/22
13
A.10.4.2 Protection againstmalicious and mobilecode
Controls againstmobile code
Where the use of mobilecode is authorized, theconfiguration shall ensurethat the authorized mobilecode operates according toa clearly defined securitypolicy, and unauthorized
mobile code shall beprevented from executing.
Yes
A.10.5 Back-up
A.10.5.1 Back-up Information Back-up
Back-up copies ofinformation and softwareshall be taken and testedregularly in accordance withthe agreed backup policy.
Yes
A.10.6 Network SecurityManagement
A.10.6.1 Network SecurityManagement
Network controls Networks shall beadequately managed andcontrolled, in order to beprotected from threats, and
to maintain security for thesystems and applicationsusing the network, includinginformation in transit.
Yes
A.10.6.2 Network SecurityManagement
Security of networkservices
Security features, servicelevels, and managementrequirements of all networkservices shall be identifiedand included in any networkservices agreement,whether these services areprovided in-house oroutsourced.
Yes
A.10.7 Media handling
A.10.7.1 Media handling Management ofremoval media
There shall be proceduresin place for themanagement of removablemedia.
Subject to ITUContribution:
Adapting ISO18028-2 to Physical
and EnvironmentSecurity
A.10.7.2 Media handling Disposal of media Media shall be disposed ofsecurely and safely whenno longer required, usingformal procedures.
Subject to ITUContribution:
Adapting ISO18028-2 to Physical
and EnvironmentSecurity
A.10.7.3 Media handling Informationhandling
procedures
Procedures for the handlingand storage of information
shall be established toprotect this information fromunauthorized disclosure ormisuse.
Subject to ITUContribution:
Adapting ISO18028-2 to Physical
and EnvironmentSecurity
A.10.7.4 Media handling Security of systemdocumentation
System documentationshall be protected againstunauthorized access.
Subject to ITUContribution:
Adapting ISO18028-2 to Physical
and EnvironmentSecurity
-
8/2/2019 ISMS Sample1
14/22
14
A.10.8 Exchange ofinformation
A.10.8.1 Exchange ofinformation
Informationexchange policiesand procedures
Formal exchange policies,procedures, and controlsshall be in place to protectthe exchange of informationthrough the use of all types
of communication facilities.
Yes
A.10.8.2 Exchange ofinformation
Exchangeagreements
Agreements shall beestablished for theexchange of informationand software between theorganization and externalparties.
N/A
A.10.8.3 Exchange ofinformation
Physical media intransit
Media containinginformation shall beprotected againstunauthorized access,misuse or corruption duringtransportation beyond anorganization's physicalboundaries.
Subject to ITUContribution:
Adapting ISO18028-2 to Physical
and EnvironmentSecurity
A.10.8.4 Exchange ofinformation
Electronicmessaging
Information involved inelectronic messaging shallbe appropriately protected.
Yes
A.10.8.5 Exchange ofinformation
Businessinformationsystems
Polices and proceduresshall be developed andimplemented to protectinformation associated withthe interconnection ofbusiness informationsystems.
Yes
A.10.9 Electronic commerceservices
A.10.9.1 Electronic commerceservices
Electroniccommerce
Information involved inelectronic commercepassing over publicnetworks shall be protectedfrom fraudulent activity,contract dispute, andunauthorized disclosureand modification.
Yes
A.10.9.2 Electronic commerceservices
On-linetransactions
Information involved in on-line transactions shall beprotected to preventincomplete transmission,mis-routing, unauthorizedmessage alteration,
unauthorized disclosure,unauthorized messageduplication or replay.
Yes
A.10.9.3 Electronic commerceservices
Publicly availableinformation
The integrity of informationbeing made available ofpublicly available systemshall be protected toprevent unauthorizedmodification.
Yes
A.10.10 Monitoring
-
8/2/2019 ISMS Sample1
15/22
15
A.10.10.1 Monitoring Audit logging Audit logs recording useractivities, exceptions, andinformation security eventsshall be produced and keptfor an agreed period toassist in futureinvestigations and access
control monitoring.
Yes
A.10.10.2 Monitoring Monitoring systemuse
Procedures for monitoringuse of informationprocessing facilities shall beestablished and the resultsof the monitoring activitiesreviewed regularly.
N/A
A.10.10.3 Monitoring Protection of loginformation
Logging facilities and loginformation shall beprotected against tamperingand unauthorized access.
Yes
A.10.10.4 Monitoring Administrator andoperator logs
System administrator andsystem operator activities
shall be logged.
N/A
A.10.10.5 Monitoring Fault logging Faults shall be logged,analyzed, and appropriateaction taken.
N/A
A.10.10.6 Monitoring Clocksynchronization
The clocks of all relevantinformation processingsystems within anorganization or securitydomain shall besynchronized with anagreed accurate timesource.
N/A
A.11 Access Control
A.11.1 Business requirement for access control
A.11.1.1 Business requirementfor access control
Access controlpolicy
An access control policyshall be established,documented, and reviewedbased on business andsecurity requirements foraccess.
Yes
A.11.2 User accessmanagement
A.11.2.1 User accessmanagement
User registration There shall be a formaluser registration and de-registration procedure inplace for granting and
revoking access to allinformation systems andservices.
N/A
A.11.2.2 User accessmanagement
Privilegemanagement
The allocation and use ofprivileges shall be restrictedand controlled.
Yes
A.11.2.3 User accessmanagement
Use passwordmanagement
The allocation of passwordsshall be controlled througha formal managementprocess.
Yes
-
8/2/2019 ISMS Sample1
16/22
16
A.11.2.4 User accessmanagement
Review of useraccess rights
Management shall reviewuser's access rights atregular intervals using aformal process.
N/A
A.11.3 User responsibilities
A.11.3.1 User responsibilities Password use Users shall be required tofollow good securitypractices in the selectionand use of passwords.
Yes
A.11.3.2 User responsibilities Unattended userequipment
Users shall ensure thatunattended equipment hasappropriate protection.
Yes
A.11.3.3 User responsibilities Clear desk andclear screen policy
A clear desk policy forpapers and removablestorage media and a clearscreen policy forinformation processingfacilities shall be adopted.
Yes
A.11.4 Network accesscontrol
A.11.4.1 Network accesscontrol
Policy on use ofnetwork services
Users shall only beprovided with access to theservices that they havebeen specifically authorizedto use.
Yes
A.11.4.2 Network accesscontrol
User authenticationfor externalconnections
Appropriate authenticationmethods shall be used tocontrol access by remoteusers.
N/A
A.11.4.3 Network accesscontrol
Equipmentidentification innetworks
Automatic equipmentidentification shall beconsidered as a means toauthenticate connectionsfrom specific locations andequipment.
N/A
A.11.4.4 Network accesscontrol
Remote diagnosticand configurationport protection
Physical and logical accessto diagnostic andconfiguration ports shall becontrolled.
Yes
A.11.4.5 Network accesscontrol
Segregation innetworks
Groups of informationservices, users, andinformation systems shallbe segregated on networks.
Yes
A.11.4.6 Network accesscontrol
Network connectioncontrol
For shared networks,especially those extendingacross the organization's
boundaries, the capabilityof users to connect to thenetwork shall be restricted,in line with the accesscontrol policy andrequirements of thebusiness applications.
Yes
-
8/2/2019 ISMS Sample1
17/22
17
A.11.4.7 Network accesscontrol
Network routingcontrol
Routing controls shall beimplemented for networksto ensure that computerconnections andinformation flows do notbreach the access controlpolicy of the business
applications.
Yes
A.11.5 Operating systemaccess control
A.11.5.1 Operating systemaccess control
Secure log-onprocedures
Access to operatingsystems shall be controlledby a secure log-onprocedure.
N/A
A.11.5.2 Operating systemaccess control
User identificationand authentication
All users shall have aunique identifier (user ID)for their personal use only,and a suitableauthentication techniqueshall be chosen tosubstantiate the claimed
identity of a user.
N/A
A.11.5.3 Operating systemaccess control
Passwordmanagementsystem
Systems for managingpasswords shall beinteractive and shall ensurequality passwords.
N/A
A.11.5.4 Operating systemaccess control
Use of systemutilities
The use of utility programsthat might be capable ofoverriding system andapplication controls shall berestricted and tightlycontrolled.
N/A
A.11.5.5 Operating systemaccess control
Session time-out Inactive sessions shall shutdown after a defined periodof inactivity.
N/A
A.11.5.6 Operating systemaccess control
Limitation ofconnection time
Restrictions on connectiontimes shall be used toprovide additional securityfor high-risk applications.
N/A
A.11.6 Application and information accessrestriction
A.11.6.1 Application andinformation accessrestriction
Information accessrestriction
Access to information andapplication systemfunctions by users andsupport personnel shall berestricted in accordancewith the defined accesscontrol policy.
Yes
A.11.6.2 Application andinformation accessrestriction
Sensitive systemisolation
Sensitive systems shallhave a dedicated (isolated)computing environment.
Yes
A.11.7 Mobile computingand teleworking
-
8/2/2019 ISMS Sample1
18/22
18
A.11.7.1 | Mobile computing and teleworking | Mobile computing and communications | A formal policy shall be in place, and appropriate security measures shall be adopted to protect against the risks of using mobile computing and communications facilities. | Yes
A.11.7.2 | Mobile computing and teleworking | Teleworking | A policy, operational plans and procedures shall be developed and implemented for teleworking activities. | Yes

A.12 Information Systems Acquisition, Development and Maintenance

A.12.1 Security requirements of information systems

A.12.1.1 | Security requirements of information systems | Security requirements analysis and specification | Statements of business requirements for new information systems, or enhancements to existing information systems, shall specify the requirements for security controls. | Yes

A.12.2 Correct processing in applications

A.12.2.1 | Correct processing in applications | Input data validation | Data input to applications shall be validated to ensure that this data is correct and appropriate. | Yes
A.12.2.2 | Correct processing in applications | Control of internal processing | Validation checks shall be incorporated into applications to detect any corruption of information through processing errors or deliberate acts. | Yes
A.12.2.3 | Correct processing in applications | Message integrity | Requirements for ensuring authenticity and protecting message integrity in applications shall be identified, and appropriate controls identified and implemented. | Yes
A.12.2.4 | Correct processing in applications | Output data validation | Data output from an application shall be validated to ensure that the processing of stored information is correct and appropriate to the circumstances. | Yes

A.12.3 Cryptographic controls

A.12.3.1 | Cryptographic controls | Policy on use of cryptographic controls | A policy on the use of cryptographic controls for protection of information shall be developed and implemented. | Yes
A.12.3.2 | Cryptographic controls | Key management | Key management shall be in place to support the organization's use of cryptographic techniques. | N/A

A.12.4 Security of system files

A.12.4.1 | Security of system files | Control of operational software | There shall be procedures in place to control the installation of software on operational systems. | Yes
A.12.4.2 | Security of system files | Protection of system test data | Test data shall be selected carefully, and protected and controlled. | Yes
A.12.4.3 | Security of system files | Access control to program source code | Access to program source code shall be restricted. | N/A

A.12.5 Security in development and support processes

A.12.5.1 | Security in development and support processes | Change control procedures | The implementation of changes shall be controlled by the use of formal change control procedures. | N/A
A.12.5.2 | Security in development and support processes | Technical review of applications after operating system changes | When operating systems are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security. | Yes
A.12.5.3 | Security in development and support processes | Restrictions on changes to software packages | Modifications to software packages shall be discouraged, limited to necessary changes, and all changes shall be strictly controlled. | N/A
A.12.5.4 | Security in development and support processes | Information leakage | Opportunities for information leakage shall be prevented. | Yes
A.12.5.5 | Security in development and support processes | Outsourced software development | Outsourced software development shall be supervised and monitored by the organization. | Yes

A.12.6 Technical Vulnerability Management

A.12.6.1 | Technical Vulnerability Management | Control of technical vulnerabilities | Timely information about technical vulnerabilities of information systems being used shall be obtained, the organization's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk. | Yes
A.13 Information Security Incident Management
A.13.1 Reporting information security events and weaknesses

A.13.1.1 | Reporting information security events and weaknesses | Reporting information security events | Information security events shall be reported through appropriate management channels as quickly as possible. | N/A
A.13.1.2 | Reporting information security events and weaknesses | Reporting security weaknesses | All employees, contractors and third party users of information systems and services shall be required to note and report any observed or suspected security weaknesses in systems or services. | N/A

A.13.2 Management of information security incidents and improvements

A.13.2.1 | Management of information security incidents and improvements | Responsibilities and procedures | Management responsibilities and procedures shall be established to ensure a quick, effective, and orderly response to information security incidents. | N/A
A.13.2.2 | Management of information security incidents and improvements | Learning from information security incidents | There shall be mechanisms in place to enable the types, volumes, and costs of information security incidents to be quantified and monitored. | Yes
A.13.2.3 | Management of information security incidents and improvements | Collection of evidence | Where a follow-up action against a person or organization after an information security incident involves legal action (either civil or criminal), evidence shall be collected, retained, and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s). | N/A

A.14 Business Continuity Management

A.14.1 Information security aspects of business continuity management

A.14.1.1 | Information security aspects of business continuity management | Including information security in the business continuity management process | A managed process shall be developed and maintained for business continuity throughout the organization that addresses the information security requirements needed for the organization's business continuity. | N/A
A.14.1.2 | Information security aspects of business continuity management | Business continuity and risk assessment | Events that can cause interruptions to business processes shall be identified, along with the probability and impact of such interruptions and their consequences for information security. | Yes
A.14.1.3 | Information security aspects of business continuity management | Developing and implementing continuity plans including information security | Plans shall be developed and implemented to maintain or restore operations and ensure availability of information at the required level and in the required time scales following interruption to, or failure of, critical business processes. | Yes
A.14.1.4 | Information security aspects of business continuity management | Business continuity planning framework | A single framework of business continuity plans shall be maintained to ensure all plans are consistent, to consistently address information security requirements, and to identify priorities for testing and maintenance. | N/A
A.14.1.5 | Information security aspects of business continuity management | Testing, maintaining and reassessing business continuity plans | Business continuity plans shall be tested and updated regularly to ensure that they are up to date and effective. | N/A

A.15 Compliance

A.15.1 Compliance with legal requirements

A.15.1.1 | Compliance with legal requirements | Identification of applicable legislation | All relevant statutory, regulatory and contractual requirements and the organization's approach to meet these requirements shall be explicitly defined, documented, and kept up to date for each information system and the organization. | N/A
A.15.1.2 | Compliance with legal requirements | Intellectual property rights (IPR) | Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory, and contractual requirements on the use of material in respect of which there may be intellectual property rights and on the use of proprietary software products. | Yes
A.15.1.3 | Compliance with legal requirements | Protection of organizational records | Important records shall be protected from loss, destruction and falsification, in accordance with statutory, regulatory, contractual, and business requirements. | N/A
A.15.1.4 | Compliance with legal requirements | Data protection and privacy of personal information | Data protection and privacy shall be ensured as required in relevant legislation, regulations, and, if applicable, contractual clauses. | Yes
A.15.1.5 | Compliance with legal requirements | Prevention of misuse of information processing facilities | Users shall be deterred from using information processing facilities for unauthorized purposes. | Yes
A.15.1.6 | Compliance with legal requirements | Regulation of cryptographic controls | Cryptographic controls shall be used in compliance with all relevant agreements, laws, and regulations. | N/A

A.15.2 Compliance with security policies and standards, and technical compliance

A.15.2.1 | Compliance with security policies and standards, and technical compliance | Compliance with security policies and standards | Managers shall ensure that all security procedures within their area of responsibility are carried out correctly to achieve compliance with security practices and standards. | Yes
A.15.2.2 | Compliance with security policies and standards, and technical compliance | Technical compliance checking | Information systems shall be regularly checked for compliance with security policies and standards. | Yes

A.15.3 Information systems audit considerations

A.15.3.1 | Information systems audit considerations | Information systems audit controls | Audit requirements and activities involving checks on operational systems shall be carefully planned and agreed to minimize the risk of disruptions to business processes. | Yes
A.15.3.2 | Information systems audit considerations | Protection of information systems audit tools | Access to information systems audit tools shall be protected to prevent any possible misuse or compromise. | Yes