ISO 27001 Annex A.6: Organisation of Information Security
A.6 Organization of information security
Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.
A.6.1.1 Information security roles and responsibilities
All information security responsibilities shall be defined and allocated.
A.6.1.2 Segregation of duties
Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets.
A.6.1.3 Contact with authorities
Appropriate contacts with relevant authorities shall be maintained.
A.6.1.4 Contact with special interest groups
Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.
A.6.1.5 Information security in project management
Information security shall be addressed in project management, regardless of the type of the project.
A.6.2 Mobile devices and teleworking
Objective: To ensure the security of teleworking and use of mobile devices.
A.6.2.1 Mobile device policy
A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.
A.6.2.2 Teleworking
A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites.
The ISO 27001 requirements are listed below:
- 4.1 Understanding the organisation and its context
- 4.2 Understanding the needs and expectations of interested parties
- 4.3 Determining the scope of the information security management system
- 4.4 Information security management system
- 5.1 Leadership and commitment
- 5.2 Information Security Policy
- 5.3 Organizational roles, responsibilities and authorities
- 6.1 Actions to address risks and opportunities
- 6.2 Information security objectives and planning to achieve them
- 7.1 Resources
- 7.2 Competence
- 7.3 Awareness
- 7.4 Communication
- 7.5 Documented information
- 8.1 Operational planning and control
- 8.2 Information security risk assessment
- 8.3 Information security risk treatment
- 9.1 Monitoring, measurement, analysis and evaluation
- 9.2 Internal audit
- 9.3 Management review
- 10.1 Nonconformity and corrective action
- 10.2 Continual improvement
The ISO 27001 Annex A Controls are listed below:
- A.5 Information security policies
- A.6 Organisation of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance