 Awareness of and communication with interested parties

 Requirements for document management

Finally, there are requirements for ‘documented information’. The new standard refers to
“documented information” rather than “documents and records” and requires that they are retained
as evidence of competence These requirements relate to the creation and updating of documented
information and to their control. There is no longer a list of documents you need to provide or
particular names they must be given. The new revision puts the emphasis on the content rather than
the name. Note that the requirements for documented information are presented in the clause to
that they refer to. They are not summarized in a clause of their own, as they are in ISO/IEC
27001:2005.

Clause 8: Operation

The organization must plan, implement and control the processes needed to meet information
security requirements and to implement the actions determined in the standard. The organization
must perform information security risk assessments at planned intervals, and shall also implement
the information security risk treatment plan. This clause deals with the execution of the plans and
processes that are the subject of previous clauses. Organizations must plan and control the
processes needed to meet their information security requirements including:

 keeping documents
 management of change
 responding to adverse events
 the control of any outsourced processes

Operation planning and control also mandate the carrying out of information security risk
assessments at planned intervals and the implementation of an information security risk treatment
plan.
Clause 8.1 deals with the execution of the actions determined in Clause 6.1, the achievement of the
information security objectives and outsourced processes;
Clause 8.2 deals with the performance of information security risk assessments at planned intervals,
or when significant changes are proposed or occur; and
Clause 8.3 deals with the implementation of the risk treatment plan.

Clause 9: Performance evaluation

The organization shall evaluate the information security performance and the effectiveness of the
information security management system. The organization shall conduct internal audits at planned
intervals to provide information on whether the information security management system conforms
to the organization’s own requirements and to the International Standard requirements.

The first paragraph of Clause 9.1 (Monitoring, measurement, analysis, and evaluation) states the
overall goals of the clause. As a general recommendation, determine what information you need to
evaluate the information security performance and the effectiveness of your ISMS. Work backward
from this ‘information need’ to determine what to measure and monitor, when who and how. There
is little point in monitoring and making measurements just because your organization has the
capability of doing so. Only monitor and measure if it supports the requirement to evaluate
information security performance and ISMS effectiveness. Note that an organization may have
several information needs, and these needs may change over time. For example, when an ISMS is
relatively new, it may be important just to monitor the attendance at, say, information security
awareness events. Once the intended rate has been achieved, the organization might look more
towards the quality of the awareness event. It might do this by setting specific awareness objectives
and determining the extent to which the attendees have understood what they have learned. Later
still, the information need may extend to determine what impact this level of awareness has on
information security for the organization.
Internal audits and management review continue to be key methods of reviewing the performance
of the ISMS and tools for its continual improvement. he requirements include conducting internal
audits at planned intervals, plan, establish, implement and maintain an audit programme(s), select
auditors and conduct audits that ensure objectivity and impartiality of the audit process. Clause 9.2,
(Internal audit) requires is similar to its counterpart in ISO 27001:2005. However, the requirement
holding management responsible for ensuring that audit actions are taken without undue delay has
been removed, as it is effectively covered by the requirements in Clause 10.1. The requirement that
auditors shall not audit their own work has also been removed, as it is covered by the requirement
to ensure objectivity and impartiality (Clause 9.2 e).
In Clause 9.3 (Management review), rather than specify precise inputs and outputs, this clause
now places requirements on the topics for consideration during the review. The requirement for
reviews to be held at planned intervals remains but the requirement to hold the reviews at least
once per year has been dropped.

Clause 10: Improvement

Due to the new way of handling preventive actions, there are no preventive action requirements in
this clause. However, there are some new corrective action requirements. The first is to react to
nonconformities and take action, as applicable, to control and correct the nonconformity and deal
with the consequences. The second is to determine whether similar nonconformities exist, or could
potentially occur. Although the concept of preventive action has evolved there is still a need to
consider potential nonconformities, albeit as a consequence of an actual nonconformity. There is
also a new requirement to ensure that corrective actions are appropriate to the effects of the
nonconformities encountered. The requirement for continual improvement has been extended to
cover the suitability and adequacy of the ISMS as well as its effectiveness, but it no longer specifies
how an organization achieves this

ISO 27002:2013
The Information Security standard ISO 27002:2013 is the “Code of Practice for Information
Security Controls”. The document provides best practice recommendations and guidance for
organizations selecting and implementing information security controls within the process of
initiating, implementing and maintaining an Information Security Management System (ISMS).
The establishment and implementation of an ISMS depend on a strategic orientation of the
organization and is influenced by a number of aspects including its needs, objectives, security
requirements, the organizational processes used, the size and the structure of the organization. An
ISMS such as specified in ISO 27001 is an integrated part of the organization’s processes and
overall management structure, with the main objective to ensure the necessary levels of
confidentiality, integrity, and availability of information. This objective is achieved by applying a
supporting risk management process within the ISMS and by implementing a suite of information
security controls as part of the risk treatment under the overall framework of a coherent
management system. The normative requirements of ISMS are addressed in clauses 4 to 11 of
27001:2013 that define the ISMS. Furthermore, organizations need to consider the set of 144
controls which are found in Annex A of the same standard.
In ISO 27002, you will find more detailed guidance on the application of the controls of Annex A
including areas such as policies, processes, procedures, organizational structures and software, and
hardware functions. All these information security controls may need to be established,
implemented, monitored, reviewed and improved, where necessary, to ensure that the specific
established security and business objectives of the organization are met. ISO 27002 provides
general guidance on the controls of ISO 27001 and should be combined and used with other
standards of the information security management system family of standards, including ISO
27003 (implementation), ISO 27004 (measurement), and ISO 27005 (risk management).

ISO 27002 applies to all types and sizes of organizations, including public and private sectors,
commercial and non-profit that collect, process, store and transmit information in many forms
including electronic, physical and verbal. This standard should be used as a reference for the
consideration of controls within the process of implementing an Information Security Management
System based on ISO 27001, it implements commonly accepted information security controls and
develops the organization’s own information security management guidelines. The standard
contains 14 security control clauses, collectively containing a total of 35 main security categories
and 114 controls.

In each section of the ISO 27002 standard, there is a security control category that contains:

 a control objective stating what is to be achieved;

 one or more controls that can be applied to achieve the control objective;
 implementation guidance and any other pertinent information useful for understanding the
controls and implementation process.

If you want to create the foundations of information security in your organization and devise its
framework, you should use ISO 27001; whereas if you want to focus on the implementation
controls, you should use ISO 27002. So by implementing ISO 27001 correctly, an organization
will have a management system that will assist in efficiently planning, implementing, monitoring,
reviewing and improving information security in scope. On the other hand, ISO 27002 can assist
to implement and maintain controls to achieve objectives for all requirements as required by ISO
27001. For every risk situation identified in ISO 27001, ISO 27002 will give a set of controls on
how to decrease the risks and how to maintain it at an acceptable
level.

Key clauses of ISO 27002:2013

ISO 27002 is organized into the following main clauses:

The standard contains 14 security control clauses, collectively containing a total of 35 main security
categories and 114 controls.

 Clause 5: Information Security Policies

 Clause 6: Organization of Information Security
 Clause 7: Human Resource Security
 Clause 8: Asset Management
 Clause 9: Access Control
 Clause 10: Cryptography
 Clause 11: Physical and Environmental Security
 Clause 12: Operations Security
 Clause 13: Communication Security
 Clause 14: System Acquisition, Development, and Maintenance
 Clause 15: Supplier Relationships
 Clause 16: Information Security Incident Management
 Clause 17: Information Security Aspects of Business Continuity Management
 Clause 18: Compliance
Section 0: Introduction

This lays out the background, mentions three origins of information security requirements, notes
that the standard offers generic and potentially incomplete guidance that should be interpreted in
the organization’s context, mentions information and information system lifecycles, and points to
ISO/IEC 27000 for the overall structure and glossary for ISO27k.

Section 1: Scope

The standard gives recommendations for those who are responsible for selecting, implementing
and managing information security. It may or may not be used in support of an ISMS specified in
ISO 27001.

Section 2: Normative references

ISO 27000 is the only standard considered absolutely indispensable for the use of ISO 27002.
However, various other standards are mentioned in the standard, and there is a bibliography.

Section 3: Terms and definitions

All the specialist terms and definitions are now defined in ISO 27000 and most apply across the
entire ISO27k family of standards.

Section 4: Structure of this standard

Security control clauses
Of the 21 sections or chapters of the standard, 14 specify control objectives and controls. These 14
are the ‘security control clauses’.
There is a standard structure within each control clause: one or more first-level subsections, each
one stating a control objective, and each control objective are supported in turn by one or more
stated controls, each control followed by the associated implementation guidance and, in some
cases, additional explanatory notes. The amount of detail is responsible for the standard is nearly
90 A4 pages in length.
35 control objectives
ISO 27002 has some 35 control objectives (one per ’security control category’) concerning the
need to protect the confidentiality, integrity, and availability of information. The control objectives
are at a fairly high level and, in effect, comprise a generic functional requirements specification for
an organization’s information security management architecture. Few would seriously dispute the
validity of the control objectives, or, to put that another way, it would be difficult to argue that an
organization need not satisfy the stated control objectives in general. However, some control
objectives are not applicable in every case and their generic wording is unlikely to reflect the
precise requirements of every organization, especially given the very wide range of organizations
and industries to which the standard applies. This is why ISO 27001 requires the SoA (Statement
of Applicability), laying out unambiguously which information security controls are or are not
required by the organization, as well as their implementation status.
114 controls
Each of the control objectives is supported by at least one control, giving a total of 114. However,
the headline figure is somewhat misleading since the implementation guidance recommends
numerous actual controls in the details. The control objective relating to the relatively simple
subsection 9.4.2 “Secure log-on procedures”, for instance, is supported by choosing, implementing
and using suitable authentication techniques, not disclosing sensitive information at log-on time,
data entry validation, protection against brute-force attacks, logging, not transmitting passwords in
clear over the network, session inactivity timeouts, and access time restrictions. Whether you
consider that to be one or several controls is up to you. It could be argued that ISO 27002
recommends literally hundreds of distinct information security controls, although some support
multiple control objectives, in other words, some controls have several purposes. Furthermore, the
wording throughout the standard clearly states or implies that this is not a totally comprehensive
set. An organization may have slightly different or completely novel information security control
objectives, requiring other controls (sometimes known as ‘extended control sets’) in place of or in
addition to those stated in the standard.

Section 5: Information security policies

The Information Security Policies clause addresses the need to define, publish and review different
types of policies required for information security management

5.1 Management direction for information security

Objectives: To provide management direction and support for information security in

accordance with business requirements and relevant laws and regulations.
Management should define a set of policies to clarify their direction of, and support for, information
security. At the top level, there should be an overall “information security policy” as specified in
ISO 27001 section 5.2.

Section 6: Organization of information security

The Organization of Information Security clause addresses the need to define and allocate the
necessary roles and responsibilities for information security management processes and activities.
This includes controls related to the definition of information security roles and responsibilities,
segregation of duties, contact with authorities, contact with special interest groups, information
security in project management and mobile devices and teleworking.

6.1 Internal organization

Objectives: To establish a management framework, to initiate and control the

implementation and operation of information security within the organization.
The organization should lay out the roles and responsibilities for information security, and allocate
them to individuals. Where relevant, duties should be segregated across roles and individuals to
avoid conflicts of interest and prevent inappropriate activities. There should be contacts with
relevant external authorities (such as CERTs and special interest groups) on information security
matters. Information security should be an integral part of the management of all types of project.

6.2 Mobile devices and teleworking

Objectives: To ensure the security of teleworking and the use of mobile devices.
There should be security policies and controls for mobile devices (such as laptops, tablet PCs,
wearable ICT devices, smartphones, USB gadgets, and other Boys Toys) and teleworking (such as
telecommuting, working-from-home, road-warriors, and remote/virtual workplaces).

Section 7: Human resource security

The Human Resource Security clause addresses the required controls for processes related to staff
recruiting, their job during employment and after the termination of their contracts. These
considerations should include information security coordination, allocation of information security
responsibilities, authorization processes for information processing facilities, confidentiality
agreements, contact with authorities, contact with special interest groups, independent review of
information security, identification of risks related to external parties, addressing security when
dealing with customers, addressing security on contractors’ agreements, etc.

7.1 Prior to employment

Objectives: To ensure that employees and contractors understand their responsibilities and
are suitable for the roles for which they are considered.
Information security responsibilities should be taken into account when recruiting permanent
employees, contractors and temporary staff (e.g. through adequate job descriptions, pre-
employment screening) and included in contracts (e.g. terms and conditions of employment and
other signed agreements defining security roles and responsibilities, compliance obligations, etc.).
7.2 During employment

Objectives: To ensure that employees and contractors are aware of and fulfill their
information security responsibilities.
Managers should ensure that employees and contractors are made aware of and motivated to
comply with their information security obligations. A formal disciplinary process is necessary to
handle information security incidents allegedly caused by workers.

7.3 Termination and change of employment

Objectives: To protect the organization’s interests as part of the process of changing or

terminating employment.
Security aspects of a person’s departure from the organization, or significant changes of roles
within it, should be managed, such as returning corporate information and equipment in their
possession, updating their access rights, and reminding them of their ongoing obligations under
privacy and intellectual property laws, contractual terms etc. plus ethical expectations.

Section 8: Asset management

The Asset Management clause addresses the required responsibilities to be defined and allocated
for the asset management processes and procedures. The owner of the assets and other parts
involved in this matter should be identified to be held accountable for assets’ security, including
classification, labeling, and handling of information; and information processing facilities should
be identified and maintained. Moreover, this clause addresses controls on management of
removable media, disposal of media, and physical media transfer.

8.1 Responsibility for assets

Objectives: To identify organizational assets and define appropriate protection

responsibilities.
All information assets should be inventoried and owners should be identified to be held accountable
for their security. ‘Acceptable use’ policies should be defined, and assets should be returned when
people leave the organization.

8.2 Information classification

Objectives: To ensure that information receives an appropriate level of protection in

accordance with its importance to the organization.
Information should be classified and labeled by its owners according to the security protection
needed, and handled appropriately.

8.3 Media handling

Objectives: To prevent unauthorized disclosure, modification, removal or destruction of

information stored on media.
Information storage media should be managed, controlled, moved and disposed of in such a way
that the information content is not compromised.

Section 9: Access control

The Access controls clause addresses requirements to control access to information assets and
information processing facilities. The controls are focused on the protection against accidental
damage or loss, overheating, threats, etc. This requires a documented control policy and
procedures, registration, removal and review of user access rights, including here physical access,
network access and the control over privileged utilities and restriction of access to the program
source code.

9.1 Business requirements of access control

Objectives: To limit access to information and information processing facilities.

The organization’s requirements to control access to information assets should be clearly
documented in an access control policy and procedures. Network access and connections should
be restricted.

9.2 User access management

Objectives: To ensure authorized user access and to prevent unauthorized access to systems
and services.
The allocation of access rights to users should be controlled from initial user registration through
to removal of access rights when no longer required, including special restrictions for privileged
access rights and the management of passwords (now called “secret authentication information”)
plus regular reviews and updates of access rights.

9.3 User responsibilities

Objectives: To make users accountable for safeguarding their authentication information.

Users should be made aware of their responsibilities towards maintaining effective access controls
e.g. choosing strong passwords and keeping them confidential.

9.4 System and application access control

Objectives: To prevent unauthorized access to systems and applications.

Information access should be restricted in accordance with the access control policy e.g. through
secure log-on, password management, control over privileged utilities and restricted access to the
program source code.

Section 10: Cryptography

The Cryptography clause addresses policies on cryptographic controls for protection of information
to ensure proper and effective use of cryptography in order to protect the confidentiality,
authenticity, integrity, non-repudiation, and authentication of the information. It also includes the
need for digital signatures and message authentication codes and cryptographic key management.

10.1 Cryptographic controls

Objectives: To ensure proper and effective use of cryptography to protect the confidentiality,
authenticity and/or integrity of information.
There should be a policy on the use of encryption, plus cryptographic authentication and integrity
controls such as digital signatures and message authentication codes, and cryptographic key
management.

Section 11: Physical and environmental security

The Physical and Environmental Security clause addresses the need to prevent unauthorized
physical access, damage and interference to the organization’s information and information
processing facilities. Controls cover to physically secure the perimeter of office rooms and
facilities, protection against external and environmental threats, prevent loss, damage, theft or
compromise of assets, protect the equipment from power failures, cabling should be protected from
interception or damage, maintenance of equipment, etc.

11.1 Secure areas

Objectives: To prevent unauthorized physical access, damage and interference to the

organization’s information and information processing facilities.
Defined physical perimeters and barriers, with physical entry controls and working procedures,
should protect the premises, offices, rooms, delivery/loading areas, etc. against unauthorized
access. Specialist advice should be sought regarding protection against fires, floods, earthquakes,
bombs, etc.

11.2 Equipment

Objectives: To prevent loss, damage, theft or compromise of assets and interruption to the
organization’s operations
“Equipment” (meaning ICT equipment, mostly) plus supporting utilities (such as power and air
conditioning) and cabling should be secured and maintained. Equipment and information should
not be taken off-site unless authorized and must be adequately protected both on and off-site.
Information must be destroyed prior to storage media being disposed of or re-used. Unattended
equipment must be secured and there should be a clear desk and clear screen policy.

Section 12: Operations security

The Operations security clause addresses the organization’s ability to ensure correct and secure
operations. The controls cover the need for operational procedures and responsibilities, protection
from malware, backup, logging and monitoring, control of operational software, technical
vulnerability management, information systems audit considerations.
12.1 Operational procedures and responsibilities

Objectives: To ensure correct and secure operations of information processing facilities.

IT operating responsibilities and procedures should be documented. Changes to IT facilities and
systems should be controlled. Capacity and performance should be managed. Development, test
and operational systems should be separated.

12.2 Protection from malware

Objectives: To ensure that information and information processing facilities are protected
against malware.
Malware controls are required, including user awareness.

12.3 Backup

Objectives: To protect against loss of data.

Appropriate backups should be taken and retained in accordance with a backup policy.

12.4 Logging and monitoring

Objectives: To record events and generate evidence.

System user and administrator/operator activities, exceptions, faults and information security
events should be logged and protected. Clocks should be synchronized.

12.5 Control of operational software

Objectives: To ensure the integrity of operational systems.

Software installation on operational systems should be controlled.

12.6 Technical vulnerability management

Objectives: To prevent exploitation of technical vulnerabilities.

Technical vulnerabilities should be patched, and there should be rules in place governing
software installation by users.

12.7 Information systems audit considerations

Objectives: To minimize the impact of audit activities on operational systems.

IT audits should be planned and controlled to minimize adverse effects on production systems or
inappropriate data access.

13 Communications security

The Communication Security clause addresses the organization’s ability to ensure the protection
of information in systems and applications in networks and its supporting information processing
facilities. Controls cover the security of information in networks and connected services from
unauthorized access, transfer policies, and procedures, secure transfer of business information
between the organization and external parties, the information involved in electronic messaging,
the need for confidentiality or non-disclosure agreements.

13.1 Network security management

Objectives: To ensure the protection of information in networks and its supporting

information processing facilities.
Networks and network services should be secured, for example by segregation.

13.2 Information transfer

Objectives: To maintain the security of information transferred within an organization and

with any external entity.
There should be policies, procedures, and agreements (e.g. non-disclosure agreements) concerning
information transfer to/from third parties, including electronic messaging.

Section 14: System acquisition, development, and maintenance

The System Acquisition, Development and Maintenance clause covers controls for identification,
analyses and specification of information security requirements, securing application services in
development and support processes, technical review restrictions on changes to software packages,
secure system engineering principles, secure development environment, outsourced development,
system security testing, system acceptance testing and protection of test data.

14.1 Security requirements of information systems

Objectives: To ensure that information security is an integral part of information systems

across the entire lifecycle. This also includes the requirements for information systems which
provide services over public networks.
Security control requirements should be analyzed and specified, including web applications and
transactions.

14.2 Security in development and support processes

Objectives: To ensure that information security is designed and implemented within the
development lifecycle of information systems.
Rules governing secure software/systems development should be defined as policy. Changes to
systems (both applications and operating systems) should be controlled. Software packages
should ideally not be modified, and secure system engineering principles should be followed. The
development environment should be secured, and outsourced development should be controlled.
System security should be tested and acceptance criteria defined to include security aspects.

14.3 Test data

Objectives: To ensure the protection of data used for testing.
Test data should be carefully selected/generated and controlled.

15: Supplier relationships

The Supplier Relationships clause addresses controls for supplier’s relationship issues, including
here information security policies and procedures, addressing security within supplier agreements,
communication, and awareness about technology supply chain and service delivery management.

15.1 Information security in supplier relationships

Objectives: To ensure the protection of the organization’s assets that is accessible by

suppliers.
There should be policies, procedures, awareness, etc. to protect the organization’s information that
is accessible to IT outsourcers and other external suppliers throughout the supply chain, agreed
within the contracts or agreements.

15.2 Supplier service delivery management

Objectives: To maintain an agreed level of information security and service delivery in line
with supplier agreements
Service delivery by external suppliers should be monitored, and reviewed/audited against the
contracts/agreements. Service changes should be controlled.

Section 16: Information security incident management

The Information Security Incident Management clause covers controls for responsibilities and
procedures, reporting information and security weaknesses, assessment of and decision on
information security events, response to information security incidents, learning from information
security incidents, and collection of evidence.

16.1 Management of information security incidents and improvements

Objectives: To ensure a consistent and effective approach to the management of information

security incidents, including communication on security events and weaknesses.
There should be responsibilities and procedures to manage (report, assess, respond to and learn
from) information security events, incidents and weaknesses consistently and effectively, and to
collect forensic evidence.

Section 17: Information security aspects of business continuity management

The Business Continuity Management clause addresses the organization’s ability to counteract
interruptions to normal operations, including the availability of information processing facilities,
verify, review and evaluate information security continuity, implementing information security
continuity, and planning information security continuity.
17.1 Information security continuity

Objectives: Information security continuity should be embedded in the organization’s

business continuity management systems.
The continuity of information security should be planned, implemented and reviewed as an integral
part of the organization’s business continuity management systems.

17.2 Redundancies

Objectives: To ensure availability of information processing facilities.

IT facilities should have sufficient redundancy to satisfy availability requirements.

Section 18: Compliance

The Compliance clause addresses the organization’s ability to remain in compliance with
regulatory, statutory, contractual, and security requirements, including: identification of applicable
legislation and contractual requirements, intellectual property rights, protection of records, privacy
and protection of personally identifiable information, regulation of cryptographic controls,
independent review of information security, compliance with security policies and standards, and
technical compliance review.

18.1 Compliance with legal and contractual requirements

Objectives: To avoid breaches of legal, statutory, regulatory or contractual obligations

related to information security and of any security requirements.
The organization must identify and document its obligations to external authorities and other
third parties in relation to information security, including intellectual property, [business] records,
privacy/personally identifiable information and cryptography.

18.2 Information security reviews

Objectives: To ensure that information security is implemented and operated in accordance

with the organizational policies and procedures.
The organization’s information security arrangements should be independently reviewed
(audited) and reported to management. Managers should also routinely review employees’ and
systems’ compliance with security policies, procedures etc. and initiate corrective actions where
necessary.

Back to Home Page

If you need assistance or have any doubt and need to ask any question contact me at
preteshbiswas@gmail.com. You can also contribute to this discussion and I shall be happy to
publish them. Your comments and suggestion are also welcome.
ISO 27001:2013 Clause 5 Leadership
preteshbiswas Uncategorized August 1, 2019 57 Minutes

by Pretesh Biswas

This clause places requirements on ‘top management’ which is the person or group of people who
directs and controls the organization at the highest level. Demonstrating leadership in regard to the
ISMS is a core aspect of the IEC 27001 standard. Note that if the organization that is the subject of
the ISMS is part of a larger organization, then the term ‘top management’ refers to the smaller
organization. The purpose of these requirements is to demonstrate leadership and commitment by
leading from the top. A particular responsibility of top management is to establish the information
security policy, and the standard defines the characteristics and properties that the policy is to
include. Finally, the clause places requirements on top management to assign information security-
relevant responsibilities and authorities, highlighting two particular roles concerning ISMS
conformance to ISO 27001 and reporting on ISMS performance. It is essential that top management
provide the appropriate level of leadership in terms of direction, authority, policy, governance, and
organization. Good leadership defines the business purpose of information security, creates the
mission statement, sets the strategy, provides staff focus on what is important with regard to the
information security for the business and what the priorities are, motivates and inspires confidence
and trust in the workforce that it is committed to protecting the business and nurtures security
culture and security skills. Good ISMS leadership is needed to build a team that will successfully
take forward the implementation of the ISMS, which will empower and motivate staff to be
proactive followers and supporters in helping to protect the organization. A good ISMS leader will
be passionate about being successful in managing the information security risks the organization
faces. ISMS leadership should strive to inspire others to see information security as a business
enabler, with the vision of turning information security risks into a business opportunity.
Leadership is different than management—the former motivates and inspires, creates the vision
and points people in the right direction, while the latter administers, controls and follows the vision
and organizes people. Both ISMS leadership and ISMS management together achieve an effective,
robust, resilient ISMS. Leadership will be the champion of the ISMS, and management will control
and manage the ISMS.

The “Leadership” clause has three sub-clauses ie

Clause 5.1 Leadership and Commitment
Clause 5.2 Policy
Clause 5.3 Organizational roles, responsibilities and authorities.

5.1 Leadership and commitment

Top management must demonstrate leadership and commitment by ensuring the information
security policy and the information security objectives are established and are compatible with
the strategic direction of the organization. The top Management must ensure the integration of
the information security management system requirements into the organization’s processes.
The top Management must make available the resources needed for the information security
management system. The top management must communicate the importance of effective
information security management and of conforming to the information security management
system requirements. The top Management must ensure that the information security
management system achieves its intended outcome which preserves the confidentiality, integrity,
and availability of information by applying a risk management process and gives confidence to
interested parties that risks are adequately managed. Top Management must direct and support
persons to contribute to the effectiveness of the information security management system. They
must also support other relevant management roles to demonstrate their leadership as it applies
to their areas of responsibility. They must promote continual improvement.

The organization’s Top Management must provide leadership and show their support for ISMS.
They must demonstrate a commitment to ISMS. Ensure that ISMS policies are established. Ensure
that ISMS objectives are established. Ensure that ISMS achieves its intended outcomes. Ensure
that ISMS requirements become an integral part of the organization’s processes. Ensure that
necessary ISMS resources are available when they are needed. Must communicate a commitment
to ISMS. Make sure that people understand how important information security actually
is. Encourage managers to demonstrate their leadership and commitment to information security
within their own areas.

Implementing a Security Strategy

An effective information security strategy for an organization must take into account the overall
strategic objectives of the Organization. Even when focusing on critical processes and legal
mandates, it is necessary to extend protective measures beyond the underlying IT systems and
associated administrative staff. For example, the marketing department has access to customer
records, and this access must be considered when assessing the security risks associated with these
data. A failure to provide marketing executive with securely configured workstations increases the
risk of sensitive data being exposed via their computers. This risk can also be reduced by
implementing a middleware solution to properly control which records each executive can access
and to minimize the amount of sensitive data stored on their computers. Also, to be effective,
security practices cannot rely completely on technological solutions. Continuing the example,
policies are required to clearly define each employees responsibilities relating to s data and the
security of their workstations. Also, awareness programs aimed specifically at employees and their
responsibilities to safeguard information might be developed, possibly in conjunction with the
CISO(Chief Information Security Officer)

To complicate matters, the operational needs of the Organization often directly conflict with
security practices such as perimeter firewalls, port authentication, centralized configuration
management, and strong authentication. Organizational networks must, therefore, be designed to
balance security and privacy requirements while accommodating a wide variety of end-users and
their needs – e.g., visitors, new employees arriving with computers, employees sharing large
quantities of data with members of the organizations, remote access to a variety of network services
for individuals who are traveling or telecommuting, and mobile users moving between classrooms,
libraries, and indoor and outdoor study spots on campus. Although firewalls are becoming widely
used to protect critical systems on organizations networks, their use at the perimeter is less common
because it is difficult to reconcile their restrictiveness with the need for an open networking
environment that supports research, learning, and high-speed networking. Although centralized
management is feasible for certain hosts on organizations network, this approach is not suitable for
most computers and many systems. In the end, security and privacy practices need to be integrated
into operational practices in a way that makes the most sense.

Effective Organizational governance of the information security function is critical to a successful

program. It can be both the “proof of the pudding…” with regard to management commitment and
provide necessary guidance when deciding where to allocate scarce resources. This well-researched
section draws from experts in the field and provides useful background and advice which can be
adapted to a wide variety of cultures.

Management Policy

The organization must establish an information security policy for the organization. The Top Must
ensure that information security policy is appropriate and supports the organization’s purpose. The
information security policy must include security objectives or can be used to establish these
objectives. The information security policy must make a commitment to comply with all relevant
information security requirements. An important aspect of conformance to the requirements of ISO
27001 and of achieving a successful ISMS development and implementation and ongoing
management is that such task should be driven and led from the top, by top management. Top
management should start by defining an appropriate information security policy for the ISMS. The
policy should be a clear management statement of its intentions, objectives, and goals regarding
information security and the protection of its information systems. This policy should reflect top
management commitment and support for the ISMS to satisfy the requirements in Section 4.1 and
address the issues in Section 4.2. It should be a directive from above that typically should address
at least the following:

 The scope of information security, its importance to the business, and clarity about what
the business information security objectives are (e.g., regarding the protection of the
confidentiality, integrity, and availability of its information);
 The need for stall awareness: stall should be aware of their duties and responsibilities
regarding the risks (e.g., their responsibility to handle and process sensitive company
information in a way that protects it from compromise);
 What is acceptable and not acceptable with regard to behavior and use of its resources (e.g.,
acceptable use of the company email system);
 Its obligations to carry out its business in compliance with the laws and regulations,
contractual obligations, best practices and standards that stall also need to comply with
(e.g., compliance with laws on copyright, data privacy/protection and computer
use/misuse/abuse);
 Reference to any other documents that stall needs to be aware of and comply with (e.g.,
more detailed security policies and procedures as well as any other relevant proceedings
not directly related to security). This could be industry-specific policies such as those
businesses that need to deal with environmental issues, aspects of health care, production
of pharmaceutical products or food safety.

This management information security policy should be written in a way that the style and content
are independent of any particular skill, process or technical knowledge. For example, the content
should be understandable by someone that is not an IT specialist, someone not trained in company
finances or legal affairs or does not have human resources skills. in other words, it should state
information security objectives that are generally understood by all stall not just people with highly
technical backgrounds or certain professional qualifications or skills.

Approval, Communication, and Awareness

This management policy needs to be approved and signed by the CEO (or someone of similar
management authority and accountable status) since the aim is to indicate management
commitment and support. The policy needs to be communicated across the organization to all staff
and interested parties. This could be in paper form or by electronic means or both. Some
organizations display their policies on the walls of offices, computer rooms, and other areas to
ensure they are continually accessible and visible. Other organizations resort to using ICT to
distribute and have available their policies and procedures via their internal network. Others may
choose to distribute it in paper only for the stall to keep at their own place of work. Whatever the
method used, the policy should not be hidden away and forgotten. Stall need to read, understand,
and refresh their memories every so often about its contents and what it says about their specific
information security responsibilities and duties. This policy needs to be reviewed and updated as
necessary to take account of the changing nature of the information security risk environment and
evolving organizational developments and changes. There needs to be a review process for
maintaining this policy, as is the case with all policies and procedures, as part of the ISMS continual
improvement process. This management policy is a high-level policy that “sets the scene,” and
typically there will more detailed policies, which will give more specific rules and instructions on
the implementation of information security protection. For example, policies on access control
cover the rules of access to different organizational resources and facilities such email servers,
databases, network services, applications as well as physical access to buildings, offices, rooms,
and storage equipment.

5.3 Organizational roles, responsibilities and authorities

Top management must ensure that the responsibilities and authorities for roles relevant to
information security are assigned and communicated. Top management must assign the
responsibility and authority for ensuring that the information security management system
conforms to the requirements of this International Standard, and reporting on the performance
of the information security management system to top management. Top management may also
assign responsibilities and authorities for reporting performance of the information security
management system within the organization.

Roles and Responsibilities

Involvement from top management is critical to the design and effectiveness of any information
security program. The definition of “top management” can vary from organization depending on
size and structure, but in general, “top management” should involve members of the senior
executive team responsible for making strategic decisions within the organization. The intent of
involving top management within the information security program is to ensure that enterprise
governance is aligned with the information security governance framework. Components of a well-
designed information security governance program include leadership, structure, and processes
designed to protect an organization’s information security assets. Effective information security
governance requires that top management have clear expectations about what to expect from the
information security program, how to evaluate the organization’s risk posture, and how to define
information security objectives that are in alignment with the strategic direction and goals of the
organization. Top Management must allocate responsibility and authority for carrying out
information security roles to the appropriate people within the organization. Top Management must
communicate all relevant information security management roles, responsibilities, and authorities.
Top management’s involvement with the information security program includes ensuring that the
intended outcomes of the information security program are achieved, which could include the
following:

 Alignment with business strategy to meet the organization’s strategic objectives.

 A risk management program that identifies and mitigates the impacts to an organization’s
resources and assets.
 Effective and efficient resource management
 Timely and useful metrics reporting
 Value-added information security initiatives

Security is ultimately the responsibility of all employees within an organization; however, the most
successful information security programs demonstrate effective leadership from top management
by setting a “tone at the top” and championing the importance of information security through well-
designed policy and direction. The result can be an organization with information security
ingrained as part of its culture. The ISO 27001 standard requires that organizations demonstrate
leadership and commitment from top management as outlined in Clauses 5 (Leadership) and 9.3
(Management review). The focus within Clause 5 is on the design the information security
management system (ISMS) which requires involvement from top management and includes the
establishment of the information security policy and an organizational structure where the
responsibilities and roles relevant to information security are defined and communicated. The focus
within Clause 9.3 is to establish procedures for top management to be continually involved in the
evaluation of the ISMS to ensure its effectiveness. The members of top management that are
involved with the leadership of the ISMS should consider the scope of the ISMS. Involvement from
top management can vary by organization, but the scope of the ISMS should be considered when
determining who from top management will be involved from a leadership and commitment
standpoint. Typically, organizations begin by selecting a committee responsible for overseeing the
design, operation, maintenance, and improvement of the ISMS. The committee should include
members from top management and members from the information security team.
An organization that is able to successfully implement the requirements of Clause 5 will establish
an ISMS program with the oversight, support, and direction of top management; an information
security policy that includes information security objectives and is appropriate to the organization;
and an organizational structure that incorporates information security with upstream channels so
that information security performance is effectively reported to top management. In addition to
involving top management in the design of the ISMS, they are required to review and evaluate the
performance of the ISMS on a continual basis. The frequent involvement of top management
during the evaluation phase of the ISMS is a critical requirement. The intent is to provide regular
feedback on the performance of the ISMS so that changes in the environment or processes not
performing as expected are identified promptly so that corrective action can be successfully
implemented. An organization that can successfully implement the requirements of Clause 9.3 will
be able to consistently and continually evaluate the operation of the ISMS, with input from top
management to ensure the intent and objectives of the ISMS are being achieved and that the
improvements are implemented where necessary.

Day-to-day working and operational activities functioning effectively, and the proper management
of staff, at all levels throughout the organization, can contribute to an effective information security
business environment. In part, this requires a good information security culture within the
organization to be in place, with appropriate awareness and understanding of the problems of
information security risks and clear lines of responsibility and accountability. It is essential that
roles and responsibilities for protecting specific types of information or information systems or for
carrying out specific information security-related processes are clearly defined and allocated. For
example:

 The owner of an information system should be given the information security responsibility
and accountability for that system (of course, these owners may delegate that day-to-day
implementation of security to another individual or to a service provider, but they remain
ultimately accountable for the protection of the system and the management of the
information security risks);
 Personal data manager;
 Business owner—a specific department/group (ensures implementation of policy and
procedures, defines information usage and classification for information in their custody,
allocates information custodians,defines access roles and privileges, conducts staff training
and awareness and provides protection of personal data under their control);
 Chief information security officer (CISO);
 Information security incident response team;
 Business continuity manager;
 Internal auditors;
 Human resource manager;
 IT services manager (IT service management, IT disaster recovery, involvement in incident
management);
 IT and network administrators/managers (network management, secure network
technologies, involvement in incident management);

Authorized users of information systems. In addition, all staff will have general responsibility for
information security related to their day-to-day work. For example, reporting of unusual or
suspicious behavior either related to their use of IT, network services or related to other staff or
visitors. Also, all individual staff needs to be aware of their responsibility for keeping their
passwords and other types of access codes secure, to ensure that they are using organizational
resources in accordance with the acceptable usage policy (e.g., rules for using email for sending
file attachments).

Resources

As with any successful business venture, it is important to have the right types of resources for the
jobs that need to be done. Having stall with the right competence to do a job properly, efficiently
and effectively is key to the overall success of the business. If it is a technical job, then the stall
involved need to have the right level of knowledge and skill to handle technical requirements of
the job at hand, to resolve technical problems and to be able to use techniques, methods, equipment,
and procedures relevant to the technical area in question. If it’s a customer service job, then the
staff involved must have the relevant skills needed to deal with customers (e.g., they are able to
listen and respond effectively to customer’s questions and queries, they are able to satisfactorily
resolve customer queries and problems, follow up on feedback from customers and generally be
able to meet the expectations of the organization’s customers). Management needs to ensure that
for specific information security tasks, it has the right people, with the right skills and knowledge
and experience. This can mean recruiting people who have the right existing skills and experience
or recruiting people and providing a training program for them to develop the right skills and
experience. In addition, all staff working in the field of information security, whether those with
experience or those in training, need to keep up to date as the issues and risks in information
security continually evolve, as does technology and business practices. Every organization strives
to have human resources with certain core competence, and many organizations seek staff with
information security skills. The market is expanding, becoming more buoyant and becoming highly
competitive. For many years, organizations have recruited information security personnel with
hands-on experience, practical knowledge, and appropriate references. Even though this is still the
general basis of recruitment, more and more organizations have started to request applicants have
market-proven professional qualifications, personal certifications and in some cases university
qualifications or a combination of both. The current education and training market provides
certified qualifications, for example, in areas such as:

 information security auditing;

 information security management;
 Risk management;
 Information assurance;
 Governance
 IT security;
 Physical security.

Training and Awareness

The organization needs to ensure that staff are aware of information security risks and have
sufficient understanding to support the organization’s information security policy to undertake their
normal work functions and tasks. Staff should be trained in the use of information security policies
and procedures, security controls applicable to their job function and the correct use of IT (e.g., log
in procedures, keeping passwords safe, appropriate use of IT). Training should take place during:

 Induction training for new staff upon joining the organization. This should cover the
company’s information security policies, procedures and routine practices, whom to contact
for help and support regarding information security matters and whom to report security
problems to, initial familiarization with the common types of risk malware, hacking,
protection of commercially sensitive information and the protection of personal data, fraud,
use of email and so on.
 On-the-job training providing specifically tailored instructions on information security
suited to the individual’s job function.
  Annual (or more frequent) refresher training to keep stall up to date with new developments
and to provide organization-wide reminders or more immediate remedial training as the
result of a security incident or an emerging risk.

An organization can deploy a variety of methods to deliver effective information security

awareness and training to its staff. The methods that an organization selects will depend on the
business culture and it’s operational needs. Therefore, an information security awareness and
training program should be tailored to the specifics of the organization. You should alternate
between different methods, perhaps introducing an element of motivational instruction together
with practical interactivity.

 Classroom-based training can be highly interactive—such training can vary from half-
day/one-day induction/beginners training course, through to various intermediate/advance
three-to-five-day training courses covering a range of specific topics.
 Computer-based/online web-based training and awareness is a good method for reinforcing
information security principles and specific topics. Such training can be delivered as a set
of modules, interactive or noninteractive, and be accessible to staff at a time and place
convenient to the individual.
 Seminars, workshops, round-table discussions, and presentations are especially well suited
for introducing the new subject matter and for organizations with multiple sites;
 Videos are also an effective way to provide training on various topics.
 Posters provide visual reinforcement of information security principles and specific topics.
 On-the-job/desktop training is available.
 Internal emails can be used to remind, reinforce and provide updates on organizational
policies and procedures.

ISMS-Related Topics

Implementing the requirements of ISO/1EC 27001 covers many different tasks, activities, and
processes that need to be carried out, and these are associated with a number of specific topics that
information security professionals, practitioners and other staff will need to have knowledge of and
develop experience in, depending on their particular job function. For example, an internal ISMS
auditor will require knowledge of the auditing process and methods, whereas an ISMS risk manager
would need knowledge and skills of the principles of risk management. These include:

 Principles of risk management

 Risk assessment;
 Risk treatment.
 Information security controls:
 Generic controls eg, as found in ISO 27002, NIST SP 800 etc;
 Sector-specific controls eg, as found in ISO 27010, 27011,27015, 27017, 27018, 27019.
 Performance evaluations:
 Measuring and monitoring methods and techniques eg, as found in ISO 27004
 ISMS auditing process and methods (eg., as found in 1S0 19011 and 27007).
 Certification and auditing
 Certification eg, as found in ISO 27006, ISO 17021;
 Auditing (e.g., as found in ISO 27007, ISO 19011).
  Legislation and regulations related to information security and privacy
 National and regional laws and directives;
 Standards covering privacy leg, as found in ISO 29100, 29134, 29190).
 Other specific security-related processes
 Incident handling (e.g., as found in ISO 27035, NIST SP 800-61);
 Business continuity e.g., as found in ISO 22301, ISO 27031
 Operational resilience e.g., as found in B5 16000.
 Specific IT security controls and mechanisms
 Network security (e.g., as found in ISO 27033);
 Applications security (e.g., as found in ISO 27034);
 Malware (eg. as found in NIST SP 800-83);
 Firewalls, IDS, IPS;
 Access control.

Annex A: Control objectives and control

A.6 Organization of information security

A.6.1 Internal organization

Objective:

To establish a management framework to initiate and control the implementation and

operation of information security within the organization.

A.6.1.1 Information security roles and responsibilities

Control
All information security responsibilities should be defined and allocated.
Implementation guidance

Allocation of information security responsibilities should be done in accordance with the

information security policies. Responsibilities for the protection of individual assets and for
carrying out Specific information security processes should be identified. Responsibilities for
information security risk management activities and in particular for acceptance of residual risks
should be defined. These responsibilities should be supplemented, where necessary, with more
detailed guidance for specific sites and information processing facilities. Local responsibilities for
the protection of assets and for carrying out specific security processes should be defined.
Individuals with allocated information security responsibilities may delegate security tasks to
others. Nevertheless, they remain accountable and should determine that any delegated tasks have
been correctly performed. Areas for which individuals are responsible should be stated. In
particular, the following should take place:

1. The assets and information security processes should be identified and defined.

2. The entity responsible for each asset or information security process should be assigned and the
details of this responsibility should be documented
3. Authorization levels should be defined and documented

4. To be able to fulfill responsibilities in the information security area the appointed individuals
should be competent in the area and be given opportunities to keep up to date with developments

Coordination and oversight of information security aspects of supplier relationships should be

identified and documented.

Other information

Many organizations appoint an information security manager to take overall responsibility for the
development and implementation of information security and to support the identification of
controls. However, responsibility for resourcing and implementing the controls will often remain
with individual managers. One common practice is to appoint an owner for each asset who then
becomes responsible for its day-to-day protection.

Information security is the responsibility of everyone at the institution. It is important to establish

roles and responsibilities for staff, managers, and contractors/vendors so that everyone knows what
is expected of them when handling information. Leadership is also very important, and many
institutions have at least one person who is primarily responsible for organizing the information
security program. Typically this is a Chief Information Security Officer (CISO), Information
Security Officer (ISO), Director of Information Security, although the title may vary depending on
the Organization. No matter what title is selected, there should be someone at the organization who
can provide a high level of decision-making support to leadership when considering information
security issues and solutions. It is also important to establish data ownership and data handling
roles (e.g., data owners, stewards, custodians, and users). Many institutions formally identify and
document these roles within their information security policies and data management frameworks.

A.6.1.2 Segregation of Duties

Control

Conflicting duties and areas of responsibility should be segregated to reduce opportunities for
unauthorized or unintentional modification or misuse of the organization’s assets.

Implementation guidance

Care should be taken that no single person can access, modify or use assets without authorization
or detection. The initiation of an event should be separated from its authorization. The possibility
of collusion should be considered in designing the controls. Small organizations may find
segregation of duties difficult to achieve, but the principle should be applied as far as is possible
and practicable. Whenever it is difficult to segregate, other controls such as monitoring of
activities, audit trails and management supervision should be considered.

Other Information
Segregation of duties is a method for reducing the risk of accidental or deliberate misuse of an
organization’s assets.

Segregation of duties reduces the risk of intentional manipulation or error and increases the element
of checking. Functions that should be separated include those of authorization, execution, custody,
and recording and, in the case of a computer-based accounting system, systems development and
daily operations. Segregation of duties is the concept of having more than one person required to
complete a task. Today’s automated solutions and information and communication technologies
allow a few people to handle a great deal of information and processes (e.g., stock exchange
operators and air traffic controllers). While this is good to improve productivity, a potential side
effect is that these few people may end up gathering excessive knowledge and/or privilege over the
operating environment and, in case they are absent or have malicious intent, this can prove to be
an unacceptable risk, which must be handled. This is a best practice, especially in cases where
sensitive data is being handled. This is seemingly obvious, but often difficult to do in practice.
Essentially try to eliminate processes or situations where someone can access, change or use
information assets without detection. For example network access and logging should be conducted
by someone different from those authorized to use the data. If in doubt – no-one holds the keys to
something from which they could gain.

Segregation of duties is a control put in place by many organizations to mitigate the risk of an
insider threat or accidental employee mistakes. Sometimes this isn’t practical or possible, but the
institution should be aware of the risks of a single person having too much access. Ideally, critical
processes or activities should be split up between multiple people. For example, the initiation of a
process, its execution, and authorization should be separated when possible. When this is not
possible, monitoring and auditing critical processes are very important. Segregation of duties refers
to practices where the knowledge and/or privileges needed to complete a process are broken up
and divided among multiple users so that no single one is capable of performing or controlling it
by himself.

The main reason to apply segregation of duties is to prevent the perpetration and concealment of
fraud and error in the normal course of the activities, since having more than one person to perform
a task minimizes the opportunity of wrongdoing and increases the chances to detect it, as well as
to detect unintentional errors. Wrongdoing requires three factors to be possible: means, motive,
and opportunity. Extremely lean processes increase the risk of wrongdoing by concentrating means
and opportunity (access to and privileges over the process). By implementing segregation of duties,
an organization minimizes the risk by splitting knowledge and privileges. However, the benefits of
segregation of duties to security must be balanced with the increased cost/effort required. By using
the ISO 27001 requirements for risk assessment, an organization can identify the most vulnerable
and the most mission-critical elements of the business to which segregation of duties will represent
real added value to the business and other interested parties.

The principles that can be applicable to segregation of duties are:

 Sequential separation, when an activity is broken into steps performed by different persons
(e.g., solicitation, authorization and implementation of access rights)
 Individual separation, when at least two persons must approve an activity before it is done
(e.g., contractor payment)