
Information Security Controls

by Information Security ISO 27001

For organizations preparing for Information Security Management System (ISMS) ISO 27001 certification.

Information security compliance depends on how effectively information security controls are implemented in the organization, based on a proper information security risk assessment. The whole intention behind ISO 27001 certification is to ensure that the Information Security Management System has been implemented effectively in the organization, which gives its clients and interested parties confidence that the information they share with the organization is secured and kept confidential. This builds long-run trust in the organization.

Information security controls play a very important role in ensuring that information shared with the organization is secured.

As per the ISO 27001 standard there are 114 controls, but not all of them may be applicable to the organization, considering the nature of its business activities.

So, to aid the user's understanding, some of the information security controls are explained below, which could help the user to have a better understanding of the information security controls implemented in the organization.

Information Security Control Explained

  1. Information security policy – a set of security policies that the organization needs to develop to protect information security. The policies below form part of it.
  • Mobile device policy – the organization first needs to prepare the mobile device policy and then implement a system based on that policy.

There are some ways to implement it, as below:

    • The organization can provide a separate locker to every employee.
    • The organization can provide mobiles with an organization SIM.
    • Camera phones are not allowed within the organization.
  • Information classification policy – for this part the organization needs to segregate the information classification per department.
  • Password policy – the organization needs to prepare a policy related to passwords that states when and how passwords will be changed, and share it with all employees.

There are some ways to implement it, as below:

    • Renew the password every week or every month.
    • Passwords must not be disclosed to anyone.
  • HR policy – covers the screening policy, termination policy, change policy, joining policy and disciplinary process; the HR policy protects data with respect to all employees, stakeholders and interested parties.
  • Asset management policy – in this policy the organization shall cover all assets with a proper recording or monitoring system.

There are some ways to implement it, as below:

    • The organization can maintain data on used and unused assets.
    • The organization can assign responsibility for each asset.
  • Access control policy – the organization has a policy covering document access and the network access system.

There are some ways to implement it, as below:

    • Documents should be password protected.
    • The network should be segregated per department.
    • The network should be password protected.
  • Clear desk and clear screen policy – the organization documents a clear desk and clear screen policy (also known as a clean desk policy).

There are some ways to implement it, as below:

    • The desk of every employee should be kept clear.
    • The organization should fix a fine for any misconduct under the clean desk system.
  • Backup policy – the backup policy and backup system are very important for every organization that wants to protect its documents from any kind of mishap.

There are some factors to be covered in the policy, as below:

    • Where backups are located
    • Who can access backups and how they can be contacted
    • How often data should be backed up
    • What kind of backups are performed
    • What hardware and software are recommended for performing backups

Backup tapes must carry, at a minimum, the following identifying criteria, readily identifiable by labels and/or a bar-coding system:

    a. System name
    b. Creation date
    c. Sensitivity classification (based on applicable electronic record retention regulations)
    d. Contact information

  2. User registration and de-registration – the organization has to maintain user access control through user registration and de-registration codes, which means the organization has a practice and policy to change and generate a new registration code for every employee who needs access.

There are some ways to implement it, as below:

    • Create a new ID and a strong password for everyone.
    • All IDs and passwords need to be deleted after the termination/resignation of the employee.
    • Renew the password every week or every month.
    • Passwords must not be disclosed to anyone.
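One way to check the de-registration and password-renewal items above in practice is to reconcile the HR roster against the identity system's account list and flag accounts that should already have been disabled or whose password is past the renewal period. This is an added example, not code from the blog; the field names, the sample roster and the sample accounts are constructed assumptions.

```python
from datetime import date

# Constructed sample data for this example (not from the blog). The field names
# are assumptions about a hypothetical HR export and identity-system export.
HR_ROSTER = [
    {"employee_id": "E001", "name": "A. Rao",   "termination_date": None},
    {"employee_id": "E002", "name": "B. Shah",  "termination_date": "2024-03-15"},
    {"employee_id": "E003", "name": "C. Mehta", "termination_date": "2024-06-30"},
]
ACCOUNTS = [
    {"user_id": "arao",       "employee_id": "E001", "enabled": True,  "last_password_change": "2024-05-01"},
    {"user_id": "bshah",      "employee_id": "E002", "enabled": True,  "last_password_change": "2024-01-10"},
    {"user_id": "cmehta",     "employee_id": "E003", "enabled": False, "last_password_change": "2024-02-01"},
    {"user_id": "svc-backup", "employee_id": None,   "enabled": True,  "last_password_change": "2023-12-01"},
]


def find_orphaned_accounts(accounts, roster, today):
    """Map user_id -> reason for every enabled account that should have been
    de-registered: its owner's termination date has passed, or it has no owner
    on the HR roster at all. `today` is an ISO date string."""
    today = date.fromisoformat(today)
    by_employee = {e["employee_id"]: e for e in roster}
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already de-registered; nothing to do
        emp = by_employee.get(acct["employee_id"])
        if emp is None:
            findings[acct["user_id"]] = "no owner on HR roster"
            continue
        left = emp["termination_date"]
        if left is not None and date.fromisoformat(left) <= today:
            findings[acct["user_id"]] = f"owner terminated {left}"
    return findings


def find_stale_passwords(accounts, today, max_age_days):
    """List user_ids of enabled accounts whose password is older than the
    renewal period set by the password policy (e.g. 30 days for monthly renewal)."""
    today = date.fromisoformat(today)
    stale = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        age = (today - date.fromisoformat(acct["last_password_change"])).days
        if age > max_age_days:
            stale.append(acct["user_id"])
    return stale


if __name__ == "__main__":
    for user, why in find_orphaned_accounts(ACCOUNTS, HR_ROSTER, "2024-07-01").items():
        print(f"disable {user}: {why}")
    print("password renewal overdue:", find_stale_passwords(ACCOUNTS, "2024-07-01", 30))
```

Run against real exports, the two lists become the evidence that the de-registration and password-renewal items are actually being followed, not just written down.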

In this blog we have covered 10 information security controls; in the next blog we will add more controls, so that our users can get an understanding of the ISO 27001 controls that can be applied in the organization for better information security.
