How to improve the information security of the organization– As per the information security Management System Standard – ISO 27001 – There are 114 information security controls that have been identified. Out of 114 information security controls may not be applicable to the organization considering the nature of activities of the organization. So, while selecting the information security controls – the organization should look at the most applicable information Security controls – Then Develop the statement of applicability (SOA) and apply the information security controls in the organization. Once information security controls are implemented – Monitor the controls closely and see if the controls are suitable to meet the information security.
If the Information security Controls are working as per the objective of organization requirements of information security make it a standard practice.
In my last blog – I explained how to implement information security control and explained the Few controls. Hope it was helpful for the reader to understand information security controls – If you have not read my last blog – kindly see the links – Information Security Controls.
In this blog, 8 nos of Information security controls are for your kind reference. I have tried to explain – what is information security controls and how to implement them in the organization.
- Physical entry controls – Organizations need to implement the Physical entry control and that can help to maintain the proper data of every employee
There is some way to implement as below for physical entry
- Organizations need to use the Biometric box at the entrance.
- The organization needs to fix the camera at the entrance
- The organization can use the entry digital entry Register
- Cabling security, Equipment maintenance – the organization needs to take an NDA with everyone to control the cabling security and equipment maintenance.
- Network security – organization shall put a password in every network and that can help to protect from internal and external visitors accessing the network. In this control, we can cover the control like network controls, the security of network services, and segregation in the network.
There are some tools that can help us to control network security:
Anti-malware Software
Anomaly Detection
Data loss prevention (DLP)
Email Security
Endpoint Security
Firewall
Network Segmentation
Security information and event management (SIEM)
Virtual private network (VPN)
Web Security
Wireless Security
- Electronic messaging – This is a very big issue that needs to control by the organization at many stages like massaging through mobile, use of personal mail id, and use of the social site (LinkedIn, Facebook, etc), and the organization has to control this by using of Antivirus.
There are some tools that can help to protect
- Antivirus / Firewall – it can help to block all types of social media.
- Asset Management – The assets management comes in the A.8 section and in this control, we can protect the many point i.e Responsibility of assets, inventory of assets ownership of assets acceptable use of assets, and return of assets.
– Every above control will be monitored by the IT Department to identify the next opportunities and development.
There is a way to control all types of asset point
- Organizations need to manage the datasheet of assets in an excel sheet with some specific points to be covered i.e.
- Product name/assets name
- Date of withdrawn
- Name of Person
- Date of Return
- Name of responsible person or authorized person
- Condition of product at the time of return
- Media Handling – The media handling comes under the A8.3 section and in this control, we can protect the data when the media is going to remove or dispose
There is some point that needs to be covered in this control
- The organization has all records of all media which are in use or removed
- After removable media, they must be disposed of in a proper manner
- Access control – this point comes under the A.9 Section and through access control, organization can control unauthorized person entry in any sector or in any network.
There is a way to control all types of Access
- Put the password in all network
- Segregate all networks as per Department
- Put the password in all types of folder
- Make a policy for access to another network
- Control of Operational software – this point comes under the A 12.5 Section and this control will help to restrict the installation part in any system, which means no one can install any software on any system without permission.
Hope these information security controls explained above help you to understand the implementation process for information security management in the organization for ISO 27001 Certification.
So, if your organization is preparing for ISO 27001 Certification or you are looking at how to ISO 27001 Certified. This blog will be helpful to understand and develop the statement of applicability (SOA)
If you are Looking for more information about ISO 27001 Certification or how to apply for ISO 27001 Certification. Then this information Could be helpful to you. In case you need any further information on information security Controls – Keep following us or writing comments.