ISMS Sample1


  • 8/2/2019 ISMS Sample1

    1/22

    August 10, 2006

    CS1/06-0175 Lucent Contribution to ISO 27001/2

    Part 1 of 3

    ISO 18028-2 and ISO 27001/2 Contribution Document Structure

    0. Introduction

    0.1) Motivation

    0.2) Methodology

    0.3) Benefits

    1. Scope

    2. References

    3. Terms and Definitions

    4. Overview

    5. Security Policy

    15. Compliance

    Sections are aligned with revised Recommendation X.1051 and ISO 27001/2 (Sections 5 through 15).

    Consistent ISO Terminology

    Example of the structure for Sections 5 through 15 (all of the ISO 27001/2 controls):

    A.10.9.2

    Control

    Information involved in on-line transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.

    ISO 18028-2: Applicable [X]   Not Applicable [ ]

    Layer(s): Services Layer, Infrastructure Layer, Applications Layer

    Plane(s): Management Plane, End-User Plane

    Dimension(s): Data Integrity, Data Confidentiality, Communications Security, and Access Control

    Rationale: to be supplied in a later submission. The rationale would provide technical depth and breadth on whether a control is applicable to ISO 18028-2 or not. This extensive work would come after the study group agreed on all controls (applicable or N/A).


    CS1/06-0175 Lucent Contribution to ISO 27001/2

    Part 2 of 3

    Applying ISO/IEC 18028-2 Contribution to ISO/IEC 27001/2

    0. Introduction

    ISO/IEC 27001 provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS) within the context of an organization's overall business activities and the risks that it faces.

    ISO/IEC 18028-2 partitions a telecommunications network into a three-layered hierarchy of equipment and facilities groupings: (1) the infrastructure security layer, (2) the services security layer, and (3) the applications security layer. ISO/IEC 18028-2 defines the three types of activities that can occur at every layer as security planes. The three security planes present at every layer are: (1) management security plane, (2) control/signaling security plane, and (3) end-user security plane. ISO/IEC 18028-2 applies security mechanisms contained in eight security dimensions to secure each security layer/plane combination.

    This document defines guidelines that support the application of the ISO/IEC 18028-2 security layers, planes and dimensions to the ISO/IEC 27001 model for the establishment, implementation and operation of an ISMS.

    0.1 Motivation

    ISO/IEC 27001 applies the "Plan-Do-Check-Act" model to structure the process of establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS in the following phases:

    Plan: Establish the ISMS.

    Do: Implement and operate the ISMS.

    Check: Monitor and review the ISMS.

    Act: Maintain and improve the ISMS.

    ISO/IEC 27001 provides a list of steps that must be performed in order to accomplish each of the above phases, but does not provide technical guidance on the specific actions that need to be performed for each step. This International Standard defines how ISO/IEC 18028-2 shall be used to provide specificity for the actions required in each of the following steps.

    Establish the ISMS:

    Identify the risks,

    Select control objectives and controls for the treatment of risks.


    Implement and operate the ISMS:

    Implement controls selected above to meet the control objectives,

    Implement procedures and other controls capable of enabling prompt detection of security events and response to security incidents.

    0.2 Methodology

    ISO/IEC 18028-2 security layers, planes and dimensions will be used in the following manner to provide specificity to each of the following steps.

    Establish the ISMS:

    Identify the risks. The security layers and planes will be systematically analyzed to identify assets, threats to those assets, and vulnerabilities in those assets that might be exploited by threats/the attackers.

    Select control objectives and controls for the treatment of risks. Control objectives and controls will be selected for application to the security layer and plane of each asset at risk.

    Implement and operate the ISMS:

    Implement controls selected above to meet the control objectives. The security dimensions will be used to provide the necessary mechanisms required to implement and operate the selected controls. The security dimensions also address control objectives and controls that are not listed in ISO/IEC 27001 Annex A and that may be selected as well.

    Implement procedures and other controls capable of enabling prompt detection of security events and response to security incidents. The security layers and planes will be utilized to determine the type and probable location of security events. Procedures and controls will be selected for application to the identified security layer and plane. The security dimensions contain mechanisms required to implement and operate the selected procedures and controls.

    0.3 Benefits

    This International Standard complements ISO/IEC 27001 by providing necessary specificity to the establishment, implementation and operation of an ISMS. It provides a standardized, systematic, methodical approach utilizing ISO/IEC 18028-2 for identifying risks, selecting control objectives and controls for the mitigation of risks, implementing controls to meet control objectives, and implementing procedures capable of enabling prompt detection of security events and response to security incidents.

    While some of the controls described in ISO/IEC 27002 provide very specific guidance on their implementation and operation, most of them do not. The application of ISO/IEC 18028-2 to the implementation and operation of ISO/IEC 27001 controls ensures that the right controls are comprehensively applied to every layer and plane to thoroughly secure assets at risk. The ISO/IEC 18028-2 security dimensions provide the details required to implement and operate the ISO/IEC 27001 controls. In addition, the ISO/IEC 18028-2 security dimensions provide a base for additional control objectives and controls that are not listed in ISO/IEC 27001 Annex A and that may be selected, implemented and operated as part of an organization's ISMS.

    1. Scope

    This International Standard covers all types of organizations (e.g., commercial enterprises, government agencies, non-profit organizations). This International Standard specifies the requirements for application of ISO/IEC 18028-2 to the ISO/IEC 27001 model for the establishment, implementation and operation of an ISMS.

    2. References

    ISO/IEC 27002:2005, Information technology - Code of practice for information security management.

    ITU-T Recommendation X.805 (2003), Security architecture for systems providing end-to-end communications.

    ISO/IEC 18028-2:2006, Information technology - Security techniques - IT network security - Part 2: Network security architecture.

    3. Terms and Definitions

    For the purposes of this International Standard, the following terms and definitions apply.

    4. Overview

    This section will ultimately describe how the nine ISO/IEC 18028-2 security modules are used to identify assets, threats, vulnerabilities, and risks, and how controls are selected to protect the assets at risk. In addition, the section will describe how the eight dimensions can be utilized for the implementation and operation of controls.

    4.1 Structure of this guideline

    This guideline, from Section 5 onward, will have the same structure as in ISO/IEC 27002. Objectives and controls will be imported from ISO/IEC 27001/2.


    The following provides two examples of the structure of the control sections.

    5.1.1 Information security policy document

    Control

    An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties.

    ISO 18028-2: Applicable [X]   Not Applicable [ ]

    Layer(s): All

    Plane(s): All

    Dimension(s): All

    Rationale: The implementation guidance for the information security policy document states that the policy must set out the organization's approach to managing information security. In the policy, management would state the use and benefits of ISO 18028-2 in the approach. The applicability and implementation of the controls supported by ISO 18028-2 layers/planes/dimensions would be dependent on the ISMS scope.

    10.9.2 On-Line Transactions

    Control

    Information involved in on-line transactions should be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.

    ISO 18028-2: Applicable [X]   Not Applicable [ ]

    Layer(s): Services Layer, Infrastructure Layer, Applications Layer

    Plane(s): Management Plane, End-User Plane

    Dimension(s): Data Integrity, Data Confidentiality, Communications Security, and Access Control

    Rationale: In order to protect information involved in on-line transactions, the ISO 18028-2 layers and planes are used to determine the necessary controls (in this case control 10.9.2), and where they need to be applied, for on-line transactions. The ISO 18028-2 dimensions specify measures required to implement and operate the control. For example: implementing IPSec AH of the data integrity dimension to prevent unauthorized message alteration in the services layer and IPSec ESP of the data confidentiality dimension to prevent unauthorized disclosure in the services layer.


    CS1/06-0175 Lucent Contribution to ISO 27001/2

    Part 3 of 3

    ISO 27001 Number | Control Name | Sub-Control Name | Control Description | Applying ISO/IEC 18028-2 to ISO 27001 or ISO 27002

    A.5 Security Policy
    A.5.1 Information Security Policy
    A.5.1.1 | Information Security Policy | Information security policy document | An information security policy document shall be approved by management, and published and communicated to all employees and relevant external parties. | Yes
    A.5.1.2 | Information Security Policy | Review of the information security policy | The information security policy shall be reviewed at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness. | N/A
    A.6 Organization of Information Security
    A.6.1 Internal Organization
    A.6.1.1 | Internal Organization | Management commitment to information security | Management shall actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgment of information security responsibilities. | N/A
    A.6.1.2 | Internal Organization | Information security coordination | Information security activities shall be co-ordinated by representatives from different parts of the organization with relevant roles and job functions. | N/A
    A.6.1.3 | Internal Organization | Allocation of information security responsibilities | All information security responsibilities shall be clearly defined. | N/A
    A.6.1.4 | Internal Organization | Authorization process for information processing facilities | A management authorization process for new information processing facilities shall be defined and implemented. | N/A


    A.6.1.5 | Internal Organization | Confidentiality agreements | Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified and regularly reviewed. | N/A
    A.6.1.6 | Internal Organization | Contact with authorities | Appropriate contacts with relevant authorities shall be maintained. | N/A
    A.6.1.7 | Internal Organization | Contact with special interest groups | Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained. | N/A
    A.6.1.8 | Internal Organization | Independent review of information security | The organization's approach to managing information security and its implementation (i.e., control objectives, controls, policies, processes, and procedures for information security) shall be reviewed independently at planned intervals, or when significant changes to the security implementation occur. | Yes
    A.6.2 External Parties
    A.6.2.1 | External Parties | Identification of risks related to external parties | The risks to the organization's information and information processing facilities from business processes involving external parties shall be identified and appropriate controls implemented before granting access. | Yes
    A.6.2.2 | External Parties | Addressing security when dealing with customers | All identified security requirements shall be addressed before giving customers access to the organization's information or assets. | Yes
    A.6.2.3 | External Parties | Addressing security in third party agreements | Agreements with third parties involving accessing, processing, communicating or managing the organization's information or information processing facilities, or adding products or services to information processing facilities shall cover all relevant security requirements. | Yes


    A.7 Asset Management
    A.7.1 Responsibility for assets
    A.7.1.1 | Responsibility for assets | Inventory of assets | All assets shall be clearly identified and an inventory of all important assets drawn up and maintained. | Yes
    A.7.1.2 | Responsibility for assets | Ownership of assets | All information and assets associated with information processing facilities shall be owned by a designated part of the organization. | Yes
    A.7.1.3 | Responsibility for assets | Acceptable use of assets | Rules for acceptable use of information and assets associated with information processing facilities shall be identified, documented, and implemented. | Yes
    A.7.2 Information classification
    A.7.2.1 | Information classification | Classification guidelines | Information shall be classified in terms of its value, legal requirements, sensitivity and criticality to the organization. | Yes
    A.7.2.2 | Information classification | Information labeling and handling | An appropriate set of procedures for information labeling and handling shall be developed and implemented in accordance with the classification scheme adopted by the organization. | N/A
    A.8 Human Resources Security
    A.8.1 Prior to employment
    A.8.1.1 | Prior to employment | Roles and responsibilities | Security roles and responsibilities of employees, contractors and third party users shall be defined and documented in accordance with the organization's information security policy. | N/A
    A.8.1.2 | Prior to employment | Screening | Back-up copies of information and software shall be taken and tested regularly in accordance with the agreed backup policy. | N/A


    A.8.1.3 | Prior to employment | Terms and conditions of employment | As part of the contractual obligation, employees, contractors and third party users shall agree and sign the terms and conditions of their employment contract which shall state their and the organization's responsibilities for information security. | N/A
    A.8.2 During employment
    A.8.2.1 | During employment | Management responsibilities | Management shall require employees, contractors and third party users to apply security in accordance with established policies and procedures of the organization. | N/A
    A.8.2.2 | During employment | Information security awareness, education and training | All employees of the organization and, where relevant, contractors and third party users shall receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job description. | Yes
    A.8.2.3 | During employment | Disciplinary process | There shall be a formal disciplinary process for employees who have committed a security breach. | N/A
    A.8.3 Termination or change of employment
    A.8.3.1 | Termination or change of employment | Termination responsibilities | Responsibilities for performing employment termination or change of employment shall be clearly defined and assigned. | N/A
    A.8.3.2 | Termination or change of employment | Return of assets | All employees, contractors and third party users shall return all of the organization's assets in their possession upon termination of their employment, contract or agreement. | N/A
    A.8.3.3 | Termination or change of employment | Removal of access rights | The access rights of all employees, contractors and third party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change. | N/A
    A.9 Physical and Environment Security

    A.9.1 Secure Areas
    A.9.1.1 | Secure Areas | Physical security perimeter | Security perimeters (barriers such as walls, card controlled entry gates or manned reception desks) shall be used to protect areas that contain information and information processing facilities. | Subject to ITU Contribution: Adapting ISO 18028-2 to Physical and Environment Security
    A.9.1.2 | Secure Areas | Physical entry controls | Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. | Subject to ITU Contribution: Adapting ISO 18028-2 to Physical and Environment Security
    A.9.1.3 | Secure Areas | Securing offices, rooms and facilities | Physical security for offices, rooms, and facilities shall be designed and applied. | Subject to ITU Contribution: Adapting ISO 18028-2 to Physical and Environment Security
    A.9.1.4 | Secure Areas | Protecting against external and environmental threats | Physical protection against damage from fire, flood, earthquake, explosion, civil unrest and other forms of natural or man-made disaster shall be designed and applied. | Subject to ITU Contribution: Adapting ISO 18028-2 to Physical and Environment Security
    A.9.1.5 | Secure Areas | Working in secure areas | Physical protection and guidelines for working in secure areas shall be designed and applied. | Subject to ITU Contribution: Adapting ISO 18028-2 to Physical and Environment Security
    A.9.1.6 | Secure Areas | Public access, delivery and loading areas | Access points such as delivery and loading areas and other points where unauthorized persons may enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access. | Subject to ITU Contribution: Adapting ISO 18028-2 to Physical and Environment Security
    A.9.2 Equipment security
    A.9.2.1 | Equipment security | Equipment siting and protection | Equipment shall be sited or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. | Subject to ITU Contribution: Adapting ISO 18028-2 to Physical and Environment Security
    A.9.2.2 | Equipment security | Supporting utilities | Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities. | Subject to ITU Contribution: Adapting ISO 18028-2 to Physical and Environment Security


    A.9.2.3 | Equipment security | Cabling security | Power and telecommunications cabling carrying data or supporting information services shall be protected from interception or damage. | Subject to ITU Contribution: Adapting ISO 18028-2 to Physical and Environment Security
    A.9.2.4 | Equipment security | Equipment maintenance | Equipment shall be correctly maintained to ensure its continued availability and integrity. | Yes
    A.9.2.5 | Equipment security | Security of equipment off-premises | Security shall be applied to off-site equipment taking into account the different risks of working outside the organization's premises. | Subject to ITU Contribution: Adapting ISO 18028-2 to Physical and Environment Security
    A.9.2.6 | Equipment security | Secure disposal or re-use of equipment | All items of equipment containing storage media shall be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal. | Subject to ITU Contribution: Adapting ISO 18028-2 to Physical and Environment Security
    A.9.2.7 | Equipment security | Removal of property | Equipment, information or software shall not be taken off-site without prior authorization. | Subject to ITU Contribution: Adapting ISO 18028-2 to Physical and Environment Security
    A.10 Communications and Operations Management
    A.10.1 Operational procedures and responsibilities
    A.10.1.1 | Operational procedures and responsibilities | Documented operating procedures | Operating procedures shall be documented, maintained, and made available to all users who need them. | Yes
    A.10.1.2 | Operational procedures and responsibilities | Change management | Changes to information processing facilities and systems shall be controlled. | N/A
    A.10.1.3 | Operational procedures and responsibilities | Segregation of duties | Duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets. | N/A
    A.10.1.4 | Operational procedures and responsibilities | Separation of development, test and operational facilities | Development, test and operational facilities shall be separated to reduce the risks of unauthorized access or changes to the operational system. | N/A
    A.10.2 Third party service delivery management


    A.10.2.1 | Third party service delivery management | Service delivery | It shall be ensured that security options, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated, and maintained by the third party. | Yes
    A.10.2.2 | Third party service delivery management | Monitoring and review of third party services | The services, reports and records provided by the third party shall be regularly monitored and reviewed, and audits shall be carried out regularly. | Yes
    A.10.2.3 | Third party service delivery management | Managing changes to third party services | Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking into account the criticality of business systems and processes involved and re-assessment of risks. | N/A
    A.10.3 System planning and acceptance
    A.10.3.1 | System planning and acceptance | Capacity management | The use of resources shall be monitored, tuned, and projections made of future capacity requirements to ensure the required system performance. | N/A
    A.10.3.2 | System planning and acceptance | System acceptance | Acceptance criteria for new information systems, upgrades, and new versions shall be established and suitable tests of the system(s) carried out during development and prior to acceptance. | N/A
    A.10.4 Protection against malicious and mobile code
    A.10.4.1 | Protection against malicious and mobile code | Controls against malicious code | Detection, prevention, and recovery controls to protect against malicious code and appropriate user awareness procedures shall be implemented. | Yes


    A.10.4.2 | Protection against malicious and mobile code | Controls against mobile code | Where the use of mobile code is authorized, the configuration shall ensure that the authorized mobile code operates according to a clearly defined security policy, and unauthorized mobile code shall be prevented from executing. | Yes
    A.10.5 Back-up
    A.10.5.1 | Back-up | Information back-up | Back-up copies of information and software shall be taken and tested regularly in accordance with the agreed backup policy. | Yes
    A.10.6 Network Security Management
    A.10.6.1 | Network Security Management | Network controls | Networks shall be adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit. | Yes
    A.10.6.2 | Network Security Management | Security of network services | Security features, service levels, and management requirements of all network services shall be identified and included in any network services agreement, whether these services are provided in-house or outsourced. | Yes
    A.10.7 Media handling
    A.10.7.1 | Media handling | Management of removable media | There shall be procedures in place for the management of removable media. | Subject to ITU Contribution: Adapting ISO 18028-2 to Physical and Environment Security
    A.10.7.2 | Media handling | Disposal of media | Media shall be disposed of securely and safely when no longer required, using formal procedures. | Subject to ITU Contribution: Adapting ISO 18028-2 to Physical and Environment Security
    A.10.7.3 | Media handling | Information handling procedures | Procedures for the handling and storage of information shall be established to protect this information from unauthorized disclosure or misuse. | Subject to ITU Contribution: Adapting ISO 18028-2 to Physical and Environment Security
    A.10.7.4 | Media handling | Security of system documentation | System documentation shall be protected against unauthorized access. | Subject to ITU Contribution: Adapting ISO 18028-2 to Physical and Environment Security


    A.10.8 Exchange of information
    A.10.8.1 | Exchange of information | Information exchange policies and procedures | Formal exchange policies, procedures, and controls shall be in place to protect the exchange of information through the use of all types of communication facilities. | Yes
    A.10.8.2 | Exchange of information | Exchange agreements | Agreements shall be established for the exchange of information and software between the organization and external parties. | N/A
    A.10.8.3 | Exchange of information | Physical media in transit | Media containing information shall be protected against unauthorized access, misuse or corruption during transportation beyond an organization's physical boundaries. | Subject to ITU Contribution: Adapting ISO 18028-2 to Physical and Environment Security
    A.10.8.4 | Exchange of information | Electronic messaging | Information involved in electronic messaging shall be appropriately protected. | Yes
    A.10.8.5 | Exchange of information | Business information systems | Policies and procedures shall be developed and implemented to protect information associated with the interconnection of business information systems. | Yes
    A.10.9 Electronic commerce services
    A.10.9.1 | Electronic commerce services | Electronic commerce | Information involved in electronic commerce passing over public networks shall be protected from fraudulent activity, contract dispute, and unauthorized disclosure and modification. | Yes
    A.10.9.2 | Electronic commerce services | On-line transactions | Information involved in on-line transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. | Yes
    A.10.9.3 | Electronic commerce services | Publicly available information | The integrity of information being made available on a publicly available system shall be protected to prevent unauthorized modification. | Yes
    A.10.10 Monitoring


    A.10.10.1 | Monitoring | Audit logging | Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring. | Yes
    A.10.10.2 | Monitoring | Monitoring system use | Procedures for monitoring use of information processing facilities shall be established and the results of the monitoring activities reviewed regularly. | N/A
    A.10.10.3 | Monitoring | Protection of log information | Logging facilities and log information shall be protected against tampering and unauthorized access. | Yes
    A.10.10.4 | Monitoring | Administrator and operator logs | System administrator and system operator activities shall be logged. | N/A
    A.10.10.5 | Monitoring | Fault logging | Faults shall be logged, analyzed, and appropriate action taken. | N/A
    A.10.10.6 | Monitoring | Clock synchronization | The clocks of all relevant information processing systems within an organization or security domain shall be synchronized with an agreed accurate time source. | N/A
    A.11 Access Control
    A.11.1 Business requirement for access control
    A.11.1.1 | Business requirement for access control | Access control policy | An access control policy shall be established, documented, and reviewed based on business and security requirements for access. | Yes
    A.11.2 User access management
    A.11.2.1 | User access management | User registration | There shall be a formal user registration and de-registration procedure in place for granting and revoking access to all information systems and services. | N/A
    A.11.2.2 | User access management | Privilege management | The allocation and use of privileges shall be restricted and controlled. | Yes
    A.11.2.3 | User access management | User password management | The allocation of passwords shall be controlled through a formal management process. | Yes


    A.11.2.4 | User access management | Review of user access rights | Management shall review users' access rights at regular intervals using a formal process. | N/A
    A.11.3 User responsibilities
    A.11.3.1 | User responsibilities | Password use | Users shall be required to follow good security practices in the selection and use of passwords. | Yes
    A.11.3.2 | User responsibilities | Unattended user equipment | Users shall ensure that unattended equipment has appropriate protection. | Yes
    A.11.3.3 | User responsibilities | Clear desk and clear screen policy | A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted. | Yes
    A.11.4 Network access control
    A.11.4.1 | Network access control | Policy on use of network services | Users shall only be provided with access to the services that they have been specifically authorized to use. | Yes
    A.11.4.2 | Network access control | User authentication for external connections | Appropriate authentication methods shall be used to control access by remote users. | N/A
    A.11.4.3 | Network access control | Equipment identification in networks | Automatic equipment identification shall be considered as a means to authenticate connections from specific locations and equipment. | N/A
    A.11.4.4 | Network access control | Remote diagnostic and configuration port protection | Physical and logical access to diagnostic and configuration ports shall be controlled. | Yes
    A.11.4.5 | Network access control | Segregation in networks | Groups of information services, users, and information systems shall be segregated on networks. | Yes
    A.11.4.6 | Network access control | Network connection control | For shared networks, especially those extending across the organization's boundaries, the capability of users to connect to the network shall be restricted, in line with the access control policy and requirements of the business applications. | Yes


    A.11.4.7 | Network routing control | Routing controls shall be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of the business applications. | ISO 18028-2: Yes

    A.11.5 Operating system access control

    A.11.5.1 | Secure log-on procedures | Access to operating systems shall be controlled by a secure log-on procedure. | ISO 18028-2: N/A
    A.11.5.2 | User identification and authentication | All users shall have a unique identifier (user ID) for their personal use only, and a suitable authentication technique shall be chosen to substantiate the claimed identity of a user. | ISO 18028-2: N/A
    A.11.5.3 | Password management system | Systems for managing passwords shall be interactive and shall ensure quality passwords. | ISO 18028-2: N/A
    A.11.5.4 | Use of system utilities | The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled. | ISO 18028-2: N/A
    A.11.5.5 | Session time-out | Inactive sessions shall shut down after a defined period of inactivity. | ISO 18028-2: N/A
    A.11.5.6 | Limitation of connection time | Restrictions on connection times shall be used to provide additional security for high-risk applications. | ISO 18028-2: N/A

    A.11.6 Application and information access restriction

    A.11.6.1 | Information access restriction | Access to information and application system functions by users and support personnel shall be restricted in accordance with the defined access control policy. | ISO 18028-2: Yes
    A.11.6.2 | Sensitive system isolation | Sensitive systems shall have a dedicated (isolated) computing environment. | ISO 18028-2: Yes

    A.11.7 Mobile computing and teleworking


    A.11.7.1 | Mobile computing and communications | A formal policy shall be in place, and appropriate security measures shall be adopted to protect against the risks of using mobile computing and communications facilities. | ISO 18028-2: Yes
    A.11.7.2 | Teleworking | A policy, operational plans and procedures shall be developed and implemented for teleworking activities. | ISO 18028-2: Yes

    A.12 Information Systems Acquisition, Development and Maintenance

    A.12.1 Security requirements of information systems

    A.12.1.1 | Security requirements analysis and specification | Statements of business requirements for new information systems, or enhancements to existing information systems, shall specify the requirements for security controls. | ISO 18028-2: Yes

    A.12.2 Correct processing in applications

    A.12.2.1 | Input data validation | Data input to applications shall be validated to ensure that this data is correct and appropriate. | ISO 18028-2: Yes
    A.12.2.2 | Control of internal processing | Validation checks shall be incorporated into applications to detect any corruption of information through processing errors or deliberate acts. | ISO 18028-2: Yes
    A.12.2.3 | Message integrity | Requirements for ensuring authenticity and protecting message integrity in applications shall be identified, and appropriate controls identified and implemented. | ISO 18028-2: Yes
    A.12.2.4 | Output data validation | Data output from an application shall be validated to ensure that the processing of stored information is correct and appropriate to the circumstances. | ISO 18028-2: Yes

    A.12.3 Cryptographic controls

    A.12.3.1 | Policy on use of cryptographic controls | A policy on the use of cryptographic controls for protection of information shall be developed and implemented. | ISO 18028-2: Yes


    A.12.3.2 | Key management | Key management shall be in place to support the organization's use of cryptographic techniques. | ISO 18028-2: N/A

    A.12.4 Security of system files

    A.12.4.1 | Control of operational software | There shall be procedures in place to control the installation of software on operational systems. | ISO 18028-2: Yes
    A.12.4.2 | Protection of system test data | Test data shall be selected carefully, and protected and controlled. | ISO 18028-2: Yes
    A.12.4.3 | Access control to program source code | Access to program source code shall be restricted. | ISO 18028-2: N/A

    A.12.5 Security in development and support processes

    A.12.5.1 | Change control procedures | The implementation of changes shall be controlled by the use of formal change control procedures. | ISO 18028-2: N/A
    A.12.5.2 | Technical review of applications after operating system changes | When operating systems are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security. | ISO 18028-2: Yes
    A.12.5.3 | Restrictions on changes to software packages | Modifications to software packages shall be discouraged, limited to necessary changes, and all changes shall be strictly controlled. | ISO 18028-2: N/A
    A.12.5.4 | Information leakage | Opportunities for information leakage shall be prevented. | ISO 18028-2: Yes
    A.12.5.5 | Outsourced software development | Outsourced software development shall be supervised and monitored by the organization. | ISO 18028-2: Yes

    A.12.6 Technical Vulnerability Management

    A.12.6.1 | Control of technical vulnerabilities | Timely information about technical vulnerabilities of information systems being used shall be obtained, the organization's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk. | ISO 18028-2: Yes

    A.13 Information Security Incident Management

    A.13.1 Reporting information security events and weaknesses

    A.13.1.1 | Reporting information security events | Information security events shall be reported through appropriate management channels as quickly as possible. | ISO 18028-2: N/A
    A.13.1.2 | Reporting security weaknesses | All employees, contractors and third party users of information systems and services shall be required to note and report any observed or suspected security weaknesses in systems or services. | ISO 18028-2: N/A

    A.13.2 Management of information security incidents and improvements

    A.13.2.1 | Responsibilities and procedures | Management responsibilities and procedures shall be established to ensure a quick, effective, and orderly response to information security incidents. | ISO 18028-2: N/A
    A.13.2.2 | Learning from information security incidents | There shall be mechanisms in place to enable the types, volumes, and costs of information security incidents to be quantified and monitored. | ISO 18028-2: Yes
    A.13.2.3 | Collection of evidence | Where a follow-up action against a person or organization after an information security incident involves legal action (either civil or criminal), evidence shall be collected, retained, and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s). | ISO 18028-2: N/A

    A.14 Business Continuity Management

    A.14.1 Information security aspects of business continuity management

    A.14.1.1 | Including information security in the business continuity management process | A managed process shall be developed and maintained for business continuity throughout the organization that addresses the information security requirements needed for the organization's business continuity. | ISO 18028-2: N/A


    A.14.1.2 | Business continuity and risk assessment | Events that can cause interruptions to business processes shall be identified, along with the probability and impact of such interruptions and their consequences for information security. | ISO 18028-2: Yes
    A.14.1.3 | Developing and implementing continuity plans including information security | Plans shall be developed and implemented to maintain or restore operations and ensure availability of information at the required level and in the required time scales following interruption to, or failure of, critical business processes. | ISO 18028-2: Yes
    A.14.1.4 | Business continuity planning framework | A single framework of business continuity plans shall be maintained to ensure all plans are consistent, to consistently address information security requirements, and to identify priorities for testing and maintenance. | ISO 18028-2: N/A
    A.14.1.5 | Testing, maintaining and reassessing business continuity plans | Business continuity plans shall be tested and updated regularly to ensure that they are up to date and effective. | ISO 18028-2: N/A

    A.15 Compliance

    A.15.1 Compliance with legal requirements

    A.15.1.1 | Identification of applicable legislation | All relevant statutory, regulatory and contractual requirements and the organization's approach to meet these requirements shall be explicitly defined, documented, and kept up to date for each information system and the organization. | ISO 18028-2: N/A
    A.15.1.2 | Intellectual property rights (IPR) | Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory, and contractual requirements on the use of material in respect of which there may be intellectual property rights and on the use of proprietary software products. | ISO 18028-2: Yes


    A.15.1.3 | Protection of organizational records | Important records shall be protected from loss, destruction and falsification, in accordance with statutory, regulatory, contractual, and business requirements. | ISO 18028-2: N/A
    A.15.1.4 | Data protection and privacy of personal information | Data protection and privacy shall be ensured as required in relevant legislation, regulations, and if applicable, contractual clauses. | ISO 18028-2: Yes
    A.15.1.5 | Prevention of misuse of information processing facilities | Users shall be deterred from using information processing facilities for unauthorized purposes. | ISO 18028-2: Yes
    A.15.1.6 | Regulation of cryptographic controls | Cryptographic controls shall be used in compliance with all relevant agreements, laws, and regulations. | ISO 18028-2: N/A

    A.15.2 Compliance with security policies and standards, and technical compliance

    A.15.2.1 | Compliance with security policies and standards | Managers shall ensure that all security procedures within their area of responsibility are carried out correctly to achieve compliance with security practices and standards. | ISO 18028-2: Yes
    A.15.2.2 | Technical compliance checking | Information systems shall be regularly checked for compliance with security policies and standards. | ISO 18028-2: Yes

    A.15.3 Information systems audit considerations

    A.15.3.1 | Information systems audit controls | Audit requirements and activities involving checks on operational systems shall be carefully planned and agreed to minimize the risk of disruptions to business processes. | ISO 18028-2: Yes
    A.15.3.2 | Protection of information systems audit tools | Access to information systems audit tools shall be protected to prevent any possible misuse or compromise. | ISO 18028-2: Yes