What is the objective of Annex A.6.1 of ISO 27001:2013?
Annex A.6.1 is about internal organisation. The objective in this Annex A area is to establish a management framework to initiate and control the implementation and operation of information security within the organisation. It’s an important part of the information security management system (ISMS), especially if you’d like to achieve ISO 27001 certification. Let’s look at those requirements and what they mean in a bit more depth now.
A.6.1.1 Information Security Roles & Responsibilities
All information security responsibilities need to be defined and allocated. Information security responsibilities can be general (e.g. protecting information) and/or specific (e.g. the responsibility for granting a particular permission). Consideration should be given to the ownership of information assets or groups of assets when identifying responsibilities. Some examples of the business roles which are likely to have some information security relevance include: departmental heads; business process owners; the facilities manager; the HR manager; and the internal auditor. The auditor will be looking to gain assurance that the organisation has made clear who is responsible for what, in an adequate and proportionate manner according to the size and nature of the organisation. For smaller organisations, it is generally unrealistic to have full-time posts for these roles and responsibilities. As such, it is important to clarify specific information security responsibilities within existing job roles, e.g. the Operations Director or CEO might also be the equivalent of the CISO (Chief Information Security Officer), with overarching responsibility for the whole ISMS, and the CTO might own all the technology-related information assets.
A.6.1.2 Segregation of Duties
Conflicting duties and areas of responsibility must be segregated in order to reduce the opportunities for unauthorised or unintentional modification or misuse of any of the organisation’s assets. The organisation needs to ask itself whether segregation of duties has been considered and implemented where appropriate. Smaller organisations may struggle with this, but the principle should be applied as far as possible, with good governance and controls put in place for the higher-risk/higher-value information assets identified as part of the risk evaluation and treatment.
A.6.1.3 Contact with Authorities
Appropriate contacts with relevant authorities must be maintained. Remember when adapting this control to think about the legal responsibilities for contacting authorities such as the Police, the Information Commissioner’s Office or other regulatory bodies e.g. around GDPR. Consider how that contact is to be made, by whom, under what circumstances, and the nature of the information to be provided.
A.6.1.4 Contact with Special Interest Groups
Appropriate contacts with special interest groups or other specialist security forums and professional associations must also be maintained. When adapting this control to your specific needs remember that memberships of professional bodies, industry organisations, forums and discussion groups all count towards this control. It is important to understand the nature of each of these groups and for what purpose they have been set up (e.g. is there a commercial purpose behind it).
A.6.1.5 Information Security in Project Management
Information security needs to be addressed in project management, regardless of the type of project. Information security should be ingrained in the fabric of the organisation, and project management is a key area for this. We recommend the use of template frameworks for projects that include a simple, repeatable checklist to show that information security is being considered. The auditor will be looking to see that all people involved in projects are tasked to consider information security at all stages of the project lifecycle, so this should also be covered as part of the education and awareness in line with HR Security for A.7.2.2.
Smart organisations will also dovetail A.6.1.5 with related obligations for personal data and consider security by design along with Data Protection Impact Assessments (DPIA) and similar processes to demonstrate compliance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
ISMS.online incorporates simple, practical frameworks and templates for information security in project management as well as DPIA and other related personal data assessments e.g. Legitimate Interest Assessments (LIAs).
What is the objective of Annex A.6.2 of ISO 27001:2013?
Annex A.6.2 is about mobile devices and teleworking. The objective in this Annex A area is to establish a management framework to ensure the security of teleworking and use of mobile devices.
A.6 seems like an odd place to cover off mobile devices and teleworking policies, but it does, and almost everything in A.6.2 connects up with other Annex A controls, as much of working life involves mobile and teleworking. Teleworking in this instance also includes home workers and those in satellite locations that may not need the same physical infrastructure controls as (say) the Head Office but nonetheless have exposure to valuable information and related assets.
A.6.2.1 Mobile Device Policy
A policy and supporting security measures need to be adopted to manage the risks introduced by using mobile phones and other mobile devices such as laptops, tablets etc. As mobile devices get increasingly smarter, this policy area becomes much more significant beyond the traditional use of a mobile phone. The use of mobile devices and teleworking is at the same time an excellent opportunity for flexible working and a potential security vulnerability. BYOD, or Bring Your Own Device, is also a major part of the consideration. Whilst there are tremendous benefits in enabling staff to use their own devices, without adequate controls on in-life use, and especially at exit, the threats can be considerable too.
An organisation needs to be sure that when mobile devices are used or staff are working off-site, its information and that of customers and other interested parties remains protected and ideally within its control. That becomes increasingly difficult with consumer cloud storage, automated backup and personally owned devices shared by family members. An organisation should consider implementing a “Defence in Depth” strategy with a combination of complementary physical, technical and policy controls. One of the most important aspects is education, training and awareness around the use of mobile devices in public places too: avoiding the risk of ‘free’ wifi that could compromise information quickly, or preventing uninvited observers from reading the screen on the train journey home.
The auditor will want to see that there are clear policies and controls put into place which provide assurance that information remains secure when working away from organisational physical sites. Policies should cover off the following areas:
- registration and management
- physical protection
- restrictions on what software can be installed, what services and apps can be added & accessed, use of authorised and unauthorised developers
- operating system updates and application patching
- the information classification accessible and any other asset access constraints (e.g. no infrastructure critical asset access)
- cryptography, malware and antivirus expectations
- log-on, remote disabling, erasure, lockout and ‘find my device’ requirements
- backup and storage
- family and other user access conditions (if BYOD) e.g. separation of accounts
- use in public places
- connectivity and trusted networks
A.6.2.2 Teleworking
A policy and supporting security measures must also be implemented to protect information accessed, processed or stored at teleworking sites. Teleworking refers to home-working and other off-site working such as on supplier or customer sites. For teleworking staff, education, training and awareness relating to potential risks is critical. The auditor will expect to see decisions relating to mobile device and teleworking use and security measures based on an appropriate risk assessment, balancing the need for flexible working against the potential threats and vulnerabilities such use would introduce.
Teleworking is also closely related to many of the other Annex A control areas in A.6, A.8, A.9, A.10, A.11, A.12 and A.13, so join those up as part of the office and teleworking approach to avoid duplication and gaps. A.7 is also essential to get right for the screening and recruitment of teleworkers, and management over the employment lifecycle becomes key to include in audits, in order to demonstrate to auditors that teleworkers are not a poorly managed threat.
How to easily demonstrate A.6 Organisation of information security
The ISMS.online platform makes it easy for you to establish a management framework to initiate and control the implementation and operation of information security within the organisation. You’ll also be able to effortlessly ensure the security of teleworking and the use of mobile devices.
Step 1 : Adopt, adapt and add
You are provided with ready-made controls and references to subordinate policies that can be adopted, adapted, or added to out of the box.
This means that you have a ready-made, simple-to-follow foundation for ISO 27001 compliance or certification, giving you a 77% head start.