Overview of the ISO 27001 Annex A
Annex A of ISO 27001 is the reference list of security controls that an
organisation draws on when managing information security. As the list below
shows, ISO 27001 is not purely an IT standard: IT is important, but IT on its
own cannot protect information. Physical security, HR management,
organisational measures and legal protection are required alongside IT to
secure information. A useful way to understand Annex A is to think of it as a
catalogue of security controls. Based on the gap analysis and risk assessment,
the organisation (not the auditor) selects the controls that apply to it,
records each control as included or excluded with a justification in the
Statement of Applicability, and the auditor then checks that selection and
its implementation.
Annex A.5 – Information Security Policies
Annex A.5.1 is about management direction for information
security. The objective of this Annex is to provide management direction and
support for information security in line with business requirements and
relevant laws and regulations.
Annex A.5.1.2 (the second control under A.5.1) is about review of the
policies. The policies must be reviewed and updated at planned intervals and
whenever significant changes occur. The standard does not fix the interval,
but auditors generally expect at least an annual review, which can be hard
work if you are manually managing that many reviews and also dovetailing it
with the independent review of information security required by A.18.2.1.
Annex A.6 – Organisation of Information Security
Annex A.6.1 is about internal organisation: the roles and responsibilities
of the stakeholders who make and execute the information security policies.
The objective in this Annex A area is to establish a management framework to
initiate and control the implementation and operation of information security
within the organisation.
Annex A.6.2 is about mobile devices and teleworking. The objective in this
Annex A area is to ensure the security of teleworking and of the use of mobile
devices. BYOD (bring your own device) should also be considered here.
Annex A.7 – Human Resource Security
Annex A.7.1 is about the period prior to employment. The objective in this
Annex is to ensure that employees and contractors understand their
responsibilities and are suitable for the roles for which they are considered.
Annex A.7.2 is about the period during employment. The objective in this Annex
is to ensure that employees and contractors are aware of and fulfil their
information security responsibilities during employment. As part of
on-boarding, every new joiner should receive a proper information security
induction.
Annex A.7.3 is about termination and change of
employment. The objective in this Annex is to protect the organisation’s
interests as part of the process of changing and terminating employment.
Annex A.8 – Asset Management
Annex A.8.1 is about responsibility for assets. The objective in this Annex is
to identify the information assets in scope for the management system and
define appropriate protection responsibilities.
Annex A.8.2 is about
information classification. The objective in this Annex is to ensure that
information receives an appropriate level of protection in accordance with its
importance to the organisation (and interested parties such as
customers).
Annex A.8.3 is about media handling. The objective in
this Annex is to prevent unauthorised disclosure, modification, removal or
destruction of information stored on media.
Annex A.9 – Access Control
Annex A.9.1 is about the business requirements of access control. The
objective in this Annex is to limit access to information and information
processing facilities to what the business requires.
Annex A.9.2 is about user
access management. The objective in this Annex A control is to ensure users are
authorised to access systems and services as well as prevent unauthorised access.
Annex A.9.3 is about user
responsibilities. The objective of this Annex A control is to make users
accountable for safeguarding their authentication information.
Annex A.9.4 is about system and application access
control. The objective in this Annex is to prevent unauthorised access to
systems and applications.
Annex A.10 – Cryptography
Annex A.10.1 is about cryptographic controls. The objective of this Annex is
to ensure proper and effective use of cryptography to protect the
confidentiality, authenticity and/or integrity of information. It covers both
a policy on the use of cryptographic controls and the management of the
cryptographic keys over their whole lifecycle.
Annex A.11 – Physical &amp; Environmental Security
Annex A.11.1 is about secure areas. The objective of this Annex is to prevent
unauthorised physical access, damage and interference to the organisation's
information and information processing facilities.
Annex A.11.2 is about equipment. The objective in this
Annex control is to prevent loss, damage and theft or compromise of assets and
interruption to the organisation’s operations.
Annex A.12 – Operations Security
Annex A.12.1 is about
operational procedures and responsibilities. The objective of this Annex A area
is to ensure correct and secure operations of information processing
facilities.
Annex A.12.2 is about
protection from malware. The objective here is to ensure that information and
information processing facilities are protected against malware.
Annex A.12.3 is about backup.
The objective here is to protect against loss of data.
Annex A.12.4 is about logging
and monitoring. The objective in this Annex A area is to record events and
generate evidence.
Annex A.12.5 is about control
of operational software. The objective in this Annex A area is to ensure the
integrity of operational systems.
Annex A.12.6 is about technical
vulnerability management. The objective in this Annex A control is to prevent
exploitation of technical vulnerabilities.
Annex A.12.7 is about information systems and audit
considerations. The objective in this Annex A area is to minimise the impact of
audit activities on operational systems.
Annex A.13 – Communications Security
Annex A.13.1 is about network
security management. The objective in this Annex is to ensure the protection of
information in networks and its supporting information processing
facilities.
Annex A.13.2 is about information transfer. The objective
in this Annex is to maintain the security of information transferred within the
organisation and with any external entity, e.g. a customer, supplier or other
interested party.
Annex A.14 – System Acquisition, Development &amp; Maintenance
Annex A.14.1 is about security requirements of information systems. The
objective in this Annex area is to ensure that information security is an
integral part of information systems across the entire lifecycle. This also
includes the requirements for information systems which provide services over
public networks.
Annex A.14.2 is about security in development and support processes. The
objective is to ensure that information security is designed and implemented
within the development lifecycle of information systems.
Annex A.14.3 is about test data. The objective is to ensure the protection of
data used for testing.
Annex A.15 – Supplier Relationships
Annex A.15.1 is about
information security in supplier relationships. The objective here is
protection of the organisation’s valuable assets that are accessible to or
affected by suppliers.
Annex A.15.2 is about supplier service delivery management. The objective in
this Annex A control is to ensure that an agreed level of information security
and service delivery is maintained in line with supplier agreements.
Annex A.16 – Information Security Incident Management
Annex A.16.1 is about management of information security
incidents, events and weaknesses. The objective in this Annex area is to ensure
a consistent and effective approach to the lifecycle of incidents, events and
weaknesses.
Annex A.17 – Information Security Aspects of Business Continuity Management
Annex A.17.1 is about
information security continuity. The objective in this Annex A control is that
information security continuity shall be embedded in the organisation’s
business continuity management systems.
Annex A.17.2 is about redundancies. The objective in this
Annex A control is to ensure availability of information processing facilities.
Annex A.18 – Compliance
Annex A.18.1 is about compliance with legal and contractual requirements. The
objective is to avoid breaches of legal, statutory, regulatory or contractual
obligations related to information security and of any security requirements.
Annex A.18.2 is about information security reviews. The objective is to
ensure that information security is implemented and operated in accordance
with the organisation's policies and procedures; A.18.2.1 in particular
requires an independent review of information security at planned intervals
or when significant changes occur.