ISO 27001 - Annex A.6: Organisation of Information Security
What is the objective of Annex A.6.1 of ISO 27001:2013?
Annex A.6.1 is about internal organisation. The objective in this Annex A area is to establish a management framework to initiate and control the implementation and operation of information security within the organisation. It’s an important part of the information security management system (ISMS), especially if you’d like to achieve ISO 27001 certification. Let’s understand those requirements and what they mean in a bit more depth now.
A.6.1.1 Information Security Roles & Responsibilities
All information security responsibilities need to be defined and allocated. Information security responsibilities can be general (e.g. protecting information) and/or specific (e.g. the responsibility for granting a particular permission). Consideration should be given to the ownership of information assets or groups of assets when identifying responsibilities. Some examples of the business roles which are likely to have some information security relevance include: departmental heads; business process owners; the facilities manager; the HR manager; and the internal auditor. The auditor will be looking to gain assurance that the organisation has made clear who is responsible for what, in an adequate and proportionate manner according to the size and nature of the organisation. For smaller organisations, it is generally unrealistic to have full-time posts dedicated to these responsibilities. As such, clarifying specific information security responsibilities within existing job roles is important; e.g. the Operations Director or CEO might also be the equivalent of the CISO, the Chief Information Security Officer, with overarching responsibility for all of the ISMS, and the CTO might own all the technology-related information assets.
A.6.1.2 Segregation of Duties
Conflicting duties and areas of responsibility must be segregated in order to reduce the opportunities for unauthorised or unintentional modification or misuse of any of the organisation’s assets. The organisation needs to ask itself whether or not segregation of duties has been considered and implemented where appropriate. Smaller organisations may struggle with this, but the principle should be applied as far as possible, with good governance and controls put in place for the higher-risk/higher-value information assets captured as part of the risk evaluation and treatment.
A.6.1.3 Contact with Authorities
Appropriate contacts with relevant authorities must be maintained. Remember when adapting this control to think about the legal responsibilities for contacting authorities such as the Police, the Information Commissioner’s Office or other regulatory bodies e.g. around GDPR. Consider how that contact is to be made, by whom, under what circumstances, and the nature of the information to be provided.
A.6.1.4 Contact with Special Interest Groups
Appropriate contacts with special interest groups or other specialist security forums and professional associations must also be maintained. When adapting this control to your specific needs remember that memberships of professional bodies, industry organisations, forums and discussion groups all count towards this control. It is important to understand the nature of each of these groups and for what purpose they have been set up (e.g. is there a commercial purpose behind it).
A.6.1.5 Information Security in Project Management
Information security needs to be addressed in project management, regardless of the type of project. Information security should be ingrained in the fabric of the organisation, and project management is a key area for this. We recommend the use of template frameworks for projects that include a simple, repeatable checklist to show that information security is being considered. The auditor will be looking to see that all people involved in projects are tasked to consider information security at all stages of the project lifecycle, so this should also be covered as part of the education and awareness in line with HR Security for A.7.2.2.
Smart organisations will also dovetail A.6.1.5 with related obligations for personal data and consider security by design along with Data Protection Impact Assessments (DPIA) and similar processes to demonstrate compliance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
ISMS.online incorporates simple, practical frameworks and templates for information security in project management as well as DPIA and other related personal data assessments e.g. Legitimate Interest Assessments (LIAs).
What is the objective of Annex A.6.2 of ISO 27001:2013?
Annex A.6.2 is about mobile devices and teleworking. The objective in this Annex A area is to establish a management framework to ensure the security of teleworking and use of mobile devices.
A.6 seems like an odd place to cover off mobile devices and teleworking policies, but it does, and almost everything in A.6.2 connects up with other Annex A controls, as much of working life includes mobile and teleworking. Teleworking in this instance also includes home workers and those in satellite locations that may not need the same physical infrastructure controls as (say) the Head Office but nonetheless have exposure to valuable information and related assets.
A.6.2.1 Mobile Device Policy
A policy and supporting security measures need to be adopted to manage the risks introduced by using mobile phones and other mobile devices such as laptops, tablets etc. As mobile devices get increasingly smarter, this policy area becomes much more significant beyond the traditional use of a mobile phone. The use of mobile devices and teleworking is at the same time an excellent opportunity for flexible working and a potential security vulnerability. BYOD, or Bring Your Own Device, is also a major part of the consideration. Whilst there are tremendous benefits to enabling staff to use their own devices, without adequate controls on in-life use, and especially at exit, the threats can be considerable too.
An organisation needs to be sure that when mobile devices are used or staff are working off-site, its information and that of customers and other interested parties remains protected and ideally within its control. That becomes increasingly difficult with consumer cloud storage, automated backup and personally owned devices shared by family members. An organisation should consider implementing a “Defence in Depth” strategy with a combination of complementary physical, technical and policy controls. One of the most important aspects is education, training and awareness around the use of mobile devices in public places too: avoiding the risk of ‘free’ Wi-Fi that could compromise information quickly, or preventing uninvited observers from looking at the screen on the train journey home.
The auditor will want to see that there are clear policies and controls put into place which provide assurance that information remains secure when working away from organisational physical sites. Policies should cover off the following areas:
- registration and management
- physical protection
- restrictions on what software can be installed, what services and apps can be added & accessed, use of authorised and unauthorised developers
- operating system updates and application patching
- the information classification accessible and any other asset access constraints (e.g. no infrastructure critical asset access)
- cryptography, malware and antivirus expectations
- log-on, remote disabling, erasure, lockout and ‘find my device’ requirements
- backup and storage
- family and other user access conditions (if BYOD) e.g. separation of accounts
- use in public places
- connectivity and trusted networks
A policy and supporting security measures must also be implemented to protect information accessed, processed or stored at teleworking sites. Teleworking refers to home-working and other off-site working such as on supplier or customer sites. For teleworking staff, education, training and awareness relating to potential risks is critical. The auditor will expect to see decisions relating to mobile device and teleworking use and security measures based on appropriate risk assessment, balancing the need for flexible working against the potential threats and vulnerabilities such use would introduce.
Teleworking is also closely related to many of the other Annex A control areas in A.6, A.8, A.9, A.10, A.11, A.12 and A.13, so join those up as part of the office and teleworking approach to avoid duplication and gaps. A.7 is also essential to get right for the screening and recruitment of teleworkers, and management over the lifecycle is key to include in audits, to demonstrate to auditors that teleworkers are not a poorly managed threat.
ISMS.online includes policies for Annex A.6 alongside tools to manage the Organisation of Information Security.