
Information Security Controls

Information Security ISO 27001

This post is for organizations preparing for certification of their Information Security Management System (ISMS) against ISO 27001.

Information security compliance depends on how effectively the information security controls are implemented in the organization, which in turn depends on a proper information security risk assessment. The whole intention behind ISO 27001 certification is to ensure that the ISMS has been implemented effectively, so that clients and other interested parties can be confident that the information they share with the organization is secured and kept confidential. That confidence builds long-term trust in the organization.

The information security controls play a very important role in ensuring that information shared with the organization is secured.

The ISO 27001 standard (Annex A of the 2013 edition) lists 114 controls. Not every control will apply to every organization; applicability depends on the nature of the business activities and is recorded in the Statement of Applicability.

To help the reader understand them, some of the information security controls are explained below, together with ways they can be implemented in an organization.

Information Security Control Explained

  1. Information security policy – a set of written security policies that define how the organization protects its information. The policies below are the ones most organizations start with.
  2. Mobile device policy – the organization first writes the mobile device policy and then implements controls based on it.

Some ways to implement it:

  • Provide every employee with a separate locker for personal devices.
  • Provide company-owned phones with an organization SIM.
  • Do not allow camera phones inside the organization's premises.

  3. Information classification policy – the organization segregates and labels its information by classification level, department by department.
  4. Password policy – the policy states how passwords are created, and when and how they are changed, and is shared with all employees.

Some ways to implement it:

  • Set a password change interval. The practice described in the original policy is weekly or monthly renewal; note that current guidance (NIST SP 800-63B) recommends changing passwords on evidence of compromise rather than on a fixed schedule, and favours length and screening against known-breached passwords over forced rotation.
  • Passwords must not be disclosed to anyone.

  5. HR policy – covers the screening, joining, role change, termination and disciplinary processes, so that information is protected against the actions of employees, stakeholders and other interested parties.
  6. Asset management policy – all assets are covered by a proper inventory and monitoring system.

Some ways to implement it:

  • Maintain a register of assets in use and assets not in use.
  • Assign a named owner responsible for each asset.

  7. Access control policy – the policy governs access to documents and to the network.

Some ways to implement it:

  • Documents should be password protected.
  • Segregate the network by department.
  • Network access should require authentication (password protected).

  8. Clear desk and clear screen policy – a documented clear desk and clear screen (clean desk) policy.

Some ways to implement it:

  • Every employee's desk should be clear of documents and media when unattended, and screens locked.
  • Define penalties for violations of the clear desk rules.

  9. Backup policy – a backup policy and backup system are essential for every organization that wants to protect its documents from loss or damage.

The policy should cover at least the following:

  • Where backups are located
  • Who can access backups and how they can be contacted
  • How often data should be backed up
  • What kind of backups are performed
  • What hardware and software are recommended for performing backups

Backup tapes must carry at least the following identifying information, readable from labels and/or a bar-coding system:

  a. System name
  b. Creation date
  c. Sensitivity classification (based on the applicable electronic record retention regulations)
  d. Contact information

  10. User registration and de-registration – the organization controls access through a formal process for registering and de-registering users, with a policy and practice for creating, changing and revoking each employee's access credentials.

Some ways to implement it:

  • Create a new ID and strong password for every user.
  • Disable all IDs of an employee immediately on termination or resignation, and delete them once any retention period has passed.
  • Change passwords on a defined schedule or on evidence of compromise (see the password policy above).
  • Passwords must not be disclosed to anyone.
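The registration and de-registration control above, and the departmental segregation from the access control policy, can be checked mechanically with a periodic access review. The following is an added example, not code from the original post: it reconciles an HR roster against an account directory export, flags accounts of leavers that are still enabled, accounts with no HR owner, and group memberships outside the owner's department, and then applies the de-provisioning. The data classes, the sample roster and accounts, and the department-to-group mapping are constructed for illustration; in practice the roster comes from HR and the accounts from your directory export.

```python
"""Access review: reconcile an HR roster against an account directory.

Added example for the user registration / de-registration control and the
departmental access segregation from the access control policy. All input data
below is constructed; no real people or systems.
"""
from dataclasses import dataclass, replace
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Employee:
    employee_id: str
    name: str
    department: str
    status: str                # "active" or "terminated"
    last_day: Optional[date]   # None while still employed


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]  # None for accounts with no HR owner
    enabled: bool
    groups: frozenset


# Constructed sample data (hypothetical).
TODAY = date(2024, 6, 1)

HR_ROSTER: List[Employee] = [
    Employee("E001", "A. Sharma", "Finance", "active", None),
    Employee("E002", "B. Rao", "Engineering", "active", None),
    Employee("E003", "C. Khan", "HR", "terminated", date(2024, 5, 15)),
    Employee("E004", "D. Iyer", "Finance", "active", None),
]

ACCOUNTS: List[Account] = [
    Account("asharma", "E001", True, frozenset({"finance"})),
    Account("brao", "E002", True, frozenset({"engineering"})),
    Account("ckhan", "E003", True, frozenset({"hr"})),             # leaver, still enabled
    Account("svc-backup", None, True, frozenset({"backup-operators"})),  # no HR owner
    Account("diyer", "E004", True, frozenset({"finance", "engineering"})),  # cross-department group
]

# Which directory groups each department is entitled to (constructed mapping).
DEPT_GROUPS: Dict[str, Set[str]] = {
    "Finance": {"finance"},
    "Engineering": {"engineering"},
    "HR": {"hr"},
}


def review_access(roster: List[Employee], accounts: List[Account],
                  dept_groups: Dict[str, Set[str]], today: date) -> Dict[str, list]:
    """Return findings keyed by category.

    disable_leaver: enabled accounts whose HR owner has left (last day reached).
    orphan_account: accounts with no owner, or an owner not on the roster.
    excess_group:   (username, extra groups) where groups exceed the department's.
    """
    by_id = {e.employee_id: e for e in roster}
    findings: Dict[str, list] = {"disable_leaver": [], "orphan_account": [], "excess_group": []}
    for acct in accounts:
        owner = by_id.get(acct.employee_id) if acct.employee_id else None
        if owner is None:
            findings["orphan_account"].append(acct.username)
            continue  # no department to check against; needs a human decision
        left = owner.status == "terminated" and (owner.last_day is None or owner.last_day <= today)
        if left and acct.enabled:
            findings["disable_leaver"].append(acct.username)
        extra: Tuple[str, ...] = tuple(sorted(acct.groups - dept_groups.get(owner.department, set())))
        if extra:
            findings["excess_group"].append((acct.username, extra))
    return findings


def remediate(accounts: List[Account], findings: Dict[str, list]) -> List[Account]:
    """Disable leavers and strip excess groups; orphans are reported, not touched."""
    to_disable = set(findings["disable_leaver"])
    to_trim = {user: frozenset(groups) for user, groups in findings["excess_group"]}
    fixed = []
    for acct in accounts:
        fixed.append(replace(
            acct,
            enabled=acct.enabled and acct.username not in to_disable,
            groups=acct.groups - to_trim.get(acct.username, frozenset()),
        ))
    return fixed


if __name__ == "__main__":
    report = review_access(HR_ROSTER, ACCOUNTS, DEPT_GROUPS, TODAY)
    for category, items in report.items():
        print(f"{category}: {items}")
    for acct in remediate(ACCOUNTS, report):
        print(acct.username, "enabled" if acct.enabled else "DISABLED", sorted(acct.groups))
```

Running the review on a schedule (and on every HR termination event) turns the leaver bullet from a policy statement into something you can evidence to an auditor; the orphan category is left for a human because service accounts legitimately have no HR owner but still need a named custodian.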

In this post we have covered 10 information security controls; the next post will add more, so that readers can understand how ISO 27001 controls can be applied in their organization for better information security.
