ISO 27001 – Annex A.6: Organisation of Information Security

What is the objective of Annex A.6.1 of ISO 27001:2013?

Annex A.6.1 is about internal organisation. The objective in this Annex A area is to establish a management framework to initiate and control the implementation and operation of information security within the organisation. It’s an important part of the information security management system (ISMS), especially if you’d like to achieve ISO 27001 certification. Let’s understand those requirements and what they mean in a bit more depth now.


A.6.1.1 Information Security Roles & Responsibilities

All information security responsibilities need to be defined and allocated. Information security responsibilities can be general (e.g. protecting information) and/or specific (e.g. the responsibility for granting a particular permission). Consideration should be given to the ownership of information assets or groups of assets when identifying responsibilities. Some examples of business roles which are likely to have some information security relevance include: departmental heads, business process owners, the facilities manager, the HR manager and the internal auditor. The auditor will be looking to gain assurance that the organisation has made clear who is responsible for what, in an adequate and proportionate manner according to the size and nature of the organisation. For smaller organisations, it is generally unrealistic to have full-time positions for each of these roles and responsibilities. As such, clarifying specific information security responsibilities within existing job roles is important, e.g. the Operations Director or CEO might also be the equivalent of the CISO, the Chief Information Security Officer, with overarching responsibility for all of the ISMS, while the CTO might own all the technology-related information assets, and so on.

A.6.1.2 Segregation of Duties

Conflicting duties and areas of responsibility must be segregated in order to reduce the opportunities for unauthorised or unintentional modification or misuse of any of the organisation’s assets. The organisation needs to ask itself whether or not segregation of duties has been considered and implemented where appropriate. Smaller organisations may struggle with this, but the principle should be applied as far as possible, with good governance and controls put in place for the higher-risk/higher-value information assets captured as part of the risk evaluation and treatment.


A.6.1.3 Contact with Authorities

Appropriate contacts with relevant authorities must be maintained. Remember when adapting this control to think about the legal responsibilities for contacting authorities such as the Police, the Information Commissioner’s Office or other regulatory bodies e.g. around GDPR. Consider how that contact is to be made, by whom, under what circumstances, and the nature of the information to be provided.

A.6.1.4 Contact with Special Interest Groups

Appropriate contacts with special interest groups or other specialist security forums and professional associations must also be maintained. When adapting this control to your specific needs remember that memberships of professional bodies, industry organisations, forums and discussion groups all count towards this control. It is important to understand the nature of each of these groups and for what purpose they have been set up (e.g. is there a commercial purpose behind it).

A.6.1.5 Information Security in Project Management

Information security needs to be addressed in project management, regardless of the type of project. Information Security should be ingrained in the fabric of the organisation and project management is a key area for this. We recommend the use of template frameworks for projects that include a simple repeatable checklist to show that information security is being considered. The auditor will be looking to see that all people involved in projects are tasked to consider information security at all stages of the project lifecycle so this should also be covered as part of the education and awareness in line with HR Security for A.7.2.2.

Smart organisations will also dovetail A.6.1.5 with related obligations for personal data and consider security by design along with Data Protection Impact Assessments (DPIA) and similar processes to demonstrate compliance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. incorporates simple, practical frameworks and templates for information security in project management as well as DPIA and other related personal data assessments e.g. Legitimate Interest Assessments (LIAs).

What is the objective of Annex A.6.2 of ISO 27001:2013?

Annex A.6.2 is about mobile devices and teleworking. The objective in this Annex A area is to establish a management framework to ensure the security of teleworking and use of mobile devices.

A.6 seems like an odd place to cover off mobile devices and teleworking policies, but it does, and almost everything in A.6.2 connects up with other Annex A controls, as much of working life includes mobile and teleworking. Teleworking in this instance also includes home workers and those in satellite locations that may not need the same physical infrastructure controls as (say) the Head Office but nonetheless have exposure to valuable information and related assets.

A.6.2.1 Mobile Device Policy

A policy and supporting security measures need to be adopted to manage the risks introduced by using mobile phones and other mobile devices such as laptops, tablets etc. As mobile devices get increasingly smarter, this policy area becomes much more significant, going well beyond the traditional use of a mobile phone. The use of mobile devices and teleworking is at the same time an excellent opportunity for flexible working and a potential security vulnerability. BYOD, or Bring Your Own Device, is also a major part of the consideration. Whilst there are tremendous benefits in enabling staff to use their own devices, without adequate controls on in-life use and especially at exit (when the person or the device leaves the organisation), the threats can be considerable too.

An organisation needs to be sure that when mobile devices are used or staff are working off-site, its information and that of customers and other interested parties remains protected and ideally within its control. That becomes increasingly difficult with consumer cloud storage, automated backup and personally owned devices shared by family members. An organisation should consider implementing a “Defence in Depth” strategy with a combination of complementary physical, technical and policy controls. One of the most important aspects is education, training and awareness around the use of mobile devices in public places too: avoiding the risk of ‘free’ wifi that could compromise information quickly, or preventing uninvited observers from looking at the screen on the train journey home.

The auditor will want to see that there are clear policies and controls put into place which provide assurance that information remains secure when working away from organisational physical sites. Policies should cover off the following areas:

  • registration and management
  • physical protection
  • restrictions on what software can be installed, what services and apps can be added & accessed, use of authorised and unauthorised developers
  • operating system updates and patching of applications
  • the information classification accessible and any other asset access constraints (e.g. no infrastructure critical asset access)
  • cryptography, malware and antivirus expectations
  • log on, remote disabling, erasure, lockout and ‘find my device’ requirements
  • backup and storage
  • family and other user access conditions (if BYOD) e.g. separation of accounts
  • use in public places
  • connectivity and trusted networks

A.6.2.2 Teleworking

A policy and supporting security measures must also be implemented to protect information accessed, processed or stored at teleworking sites. Teleworking refers to home-working and other off-site working such as on supplier or customer sites. For teleworking staff, education, training and awareness relating to potential risks is critical. The auditor will expect to see decisions relating to mobile device and teleworking use and security measures based on appropriate risk assessment, balancing the need for flexible working against the potential threats and vulnerabilities such use would introduce.

Teleworking is also closely related to many of the other Annex A control areas in A.6, A.8, A.9, A.10, A.11, A.12 and A.13, so join those up as part of the office and teleworking approach to avoid duplication and gaps. A.7 is also essential to get right for screening and recruitment of teleworkers, and management over the lifecycle becomes key to include in audits so as to demonstrate to auditors that teleworkers are not a poorly managed threat. includes policies for Annex 6 alongside tools to manage the Organisation of Information Security.


How to easily demonstrate A.6 Organisation of information security

The platform makes it easy for you to establish a management framework to initiate and control the implementation and operation of information security within the organisation. You’ll also be able to effortlessly ensure the security of teleworking and the use of mobile devices.

Step 1 : Adopt, adapt and add

Our pre-configured ISMS will enable you to evidence controls A.6.1.1-A.6.1.5 and A.6.2.1-A.6.2.2 within our platform and easily adapt it to your organisation’s needs.

You are provided with ready-made controls and references to subordinate policies that can be adopted, adapted, or added to out of the box.

This means that you have a ready-made, simple-to-follow foundation for ISO 27001 compliance or certification, giving you a 77% head start.

Step 2 : Demonstrate to your auditors

You can easily demonstrate your work to auditors by recording your evidence within the platform e.g. data, policies, controls, procedures, risks, actions, projects, related documentation and reports.

Step 3 : A time-saving path to certification

Our Assured Results Method, ARM, is your simple, practical, time-saving path to first-time ISO 27001 compliance or certification. A.6 is part of the second section that ARM will guide you on, where you’ll begin to describe your current information security policies and controls in line with Annex A controls.

Step 4 : Extra support whenever you need it

If you need extra support, our optional Virtual Coach provides context-specific help whenever you need it. Additionally, our Service Delivery Team and your Account Manager are only ever a phone call away.
