Information Security Management System Manual
Document Control
Document Name: Information Security Management System Manual
Document Reference Number: BONDAP LTD /ISMS/Manual
Classification: Internal
Version Number: V1.1
Date: 13-04-2023
Reviewed by:
Approved by:

Revision History
Date: 13-04-2022 | Version: V1.0 | Description: First Release | Created by: BONDAP LTD
Date: 13-04-2023 | Version: V1.1 | Description: Minor Release | Created by: BONDAP ITS

Distribution
1. File server
Documentation status
This is a controlled document. It may be printed; however, printed copies are not
controlled. The electronic versions maintained on the file server and in Commune are the
controlled copies.
Abbreviations, Acronyms & Definitions
IS: Information Security
ISMS: Information Security Management System
ISO: Information Security Officer (the role; "ISO 27001" in this manual refers to the international standard)
Document Classification: Internal | Version: 1.0
Page 2 of 24
Table of Contents
1. Introduction
   About BONDAP LTD
   Purpose
2. Context of the organization
2.1. Understanding the organization and its context
2.2. Understanding the needs and expectations of interested parties
2.2.1 Stakeholders (External and Internal)
2.3. Organization’s Risk Acceptance Criteria
2.4. Determining the scope of the information security management system
2.4.1 Out of Scope
2.4.2 Scope exclusion justification
2.4.3 Interfaces and dependencies for activities
2.5. Information security management system
3. Organizational roles, responsibilities and authorities
3.1. Leadership and Commitment
3.2. Policy
3.3. Organizational roles, responsibilities and authorities
4. Planning
4.1. Actions to address risks and opportunities
4.2. Information security risk assessment
4.3. Information security objectives and planning to achieve them
5. Support
5.1. Resources
5.2. Competence
5.3. Awareness
5.4. Communication
5.5. Documentation Requirements
5.5.1 General
5.5.2 Creating and updating
5.5.3 Control of documented information
6. Operation information
6.1. Operational planning and control
6.2. Information security risk assessment
6.3. Information security risk treatment
7. Performance Evaluation
7.1. Monitoring, measurement, analysis and evaluation
7.2. Internal Audit
7.3. Management Review
8. Improvements
8.1. Nonconformity and Corrective action
8.2. Continual Improvement
9. Organization of Information Security
9.1. Internal Organisation
9.1.1 Contact with authorities
9.1.2 Contact with special interest groups
9.1.3 Information Security in Project Management
Annexure 1: Communication Matrix
Annexure 2: Dependencies
1. Introduction
About BONDAP LTD
BONDAP LTD’s business is data processing, hosting and related activities.
Purpose
The purpose of this manual is to communicate management directives within the organization
for conforming to the ISO 27001:2013 standard, and thereby to ensure consistent and
appropriate protection of information assets at the Head Office of BONDAP LTD.
2. Context of the organization
ISO 27001:2013 is the international standard that specifies requirements for establishing,
implementing, maintaining and continually improving an information security management
system, hereafter referred to as the ISMS. The adoption of an ISMS is a strategic decision of
the management of BONDAP LTD. The factors that influence its establishment and
implementation include the organization’s needs, objectives, security requirements,
processes, size and structure. All of these factors are expected to change over time, and so
will the ISMS.
The ISMS of BONDAP LTD takes a holistic view of the organization’s information security risk
environment in order to implement a comprehensive suite of controls in line with the
framework. It helps to protect the confidentiality, integrity and availability of the
organization’s valuable information assets.
The ISMS of BONDAP LTD is scaled in accordance with the organization’s needs and is
integrated with the overall management structure.
2.1. Understanding the organization and its context
The internal and external issues of the organization that are relevant to achieving the
intended outcome of the ISMS are:
1. At an enterprise level, BONDAP LTD management understands that, in order to deliver
service to its customers in various locations, protecting its existing assets is as
important as accurately predicting risks.
2. Protecting the intellectual property rights (IPR) of the organization, in particular its
source code.
3. Cyber security is an enterprise-wide risk management issue, and is all the more
important because the organization engages third parties that manage its critical
systems and data.
4. The ISMS has been established to fulfil the information security needs of BONDAP LTD’s
customers, employees, vendors, suppliers and stakeholders in the most efficient and
effective manner. This includes physical, environmental, logical, information,
communications, statutory and data security requirements.
2.2. Understanding the needs and expectations of interested parties
2.2.1 Stakeholders (External and Internal)
a) Interested parties relevant to the ISMS: all customers (internal and external); vendors
supporting the infrastructure in the server room and other business operations; and all
employees providing services to, or receiving services from, the server room and other
business operations.
b) The requirements of these interested parties relevant to information security, i.e. the
needs and expectations of external as well as internal stakeholders, are considered as
below and will be reviewed and updated over time as part of continual improvement.

Internal stakeholders and their issues
Management: Governance, resource availability, organization structure, roles and
accountabilities, policies, objectives and strategies.
Employees: Fulfilment of commitments; adherence to organization policies, processes and
guidelines so as to ensure seamless/uninterrupted operations. Expectations of employees in
terms of commitments made by the organization need to be fulfilled.
Shareholders: Relationship with, and perceptions and values of, internal stakeholders.
Board of Directors: Maintaining commitment to customers, the goodwill and repute of the
organization, and the return on investment committed on the business, in totality.
Corporate requirements: Standards, guidelines and models adopted by the organization.
Users / Other departments: Information technology related requirements to the organization,
such as access rights and IT infrastructure availability for internal users and other
departments.
HR: Resource availability, resource competence, training, background verification, etc.
Finance: Approval of financial commitments.
Legal: Vetting of legal contracts and protecting the organization from non-compliance with
legal, regulatory and contractual requirements.

External stakeholders and their issues
Customers: Service delivery.
Customers: Supply of goods and services to enable the organization to meet the requirements
of the customer.
Customers: Risk Assessment & Risk Treatment Procedure for assessing the risk for internal as
well as external customers.
Customers: For managing customer related security aspects, the organization has deployed
policies, processes and procedures such as the Password Policy, IT Access Control Policy,
VPN (Virtual Private Network) Policy, IEM (Internet & Electronic Messaging) Usage Policy,
Antivirus Policy, Information Classification, Labelling and Handling Policy, Asset Handling
Process, Business Continuity Plan Process, Physical Security Management Procedure and many
more.
Users / Public: Information technology related requirements to the organization, such as
access rights and IT infrastructure availability for internal users and other departments.
Government: Submission of required reports and statements, and approvals to carry out the
business; fulfilling legal and regulatory requirements.
Society and environment: Natural and competitive environment; key drivers and trends having
an impact on the objectives of the organization; political and financial status of the
country.
2.3. Organization’s Risk Acceptance Criteria
1. The ISMS is designed to address all major risks identified to the security of BONDAP LTD;
2. These risks are identified on the basis of inputs from stakeholders and a detailed,
repeatable process which takes into account the various information assets and the
threats and risks applicable to them;
3. Based on BONDAP LTD’s risk criteria, the risk assessment process separates acceptable
from unacceptable risks and helps to select the option for managing these risks through
a Risk Treatment Plan (Refer: Risk Assessment v1.0);
4. In general, BONDAP LTD’s risk acceptance value is 12, i.e., the approach of the
organization is not to accept anything but low levels of risk, while putting in place the
mechanisms to handle risks if they occur.
2.4. Determining the scope of the information security management system
The Information Security Management System (ISMS) covers all business functions and
processes associated with information assets, to provide customers, employees and business
partners with secure services, in BONDAP LTD at the following locations:
This is in accordance with the latest Statement of Applicability.
The scope embraces the following business functions, processes and departments in the
Head Office:
1. IT Infrastructure
2. IT Application Development
3. Human Resources
4. Legal
5. Admin
6. Operations
7. CS Department
2.4.1 Out of Scope: the following functions/locations are not part of the ISMS scope:
Operations other than IT carried out at regional and branch offices.
2.4.2 Scope exclusion justification:
IT and the other supporting functions currently taken into scope are custodians of the
majority of critical data within the organization. These departments are brought into the
ISMS scope across BONDAP LTD first; the other departments will then gradually be brought
under the ISMS scope (based on ISO 27001).
2.4.3 Interfaces and dependencies for activities:
The interfaces and dependencies for BONDAP LTD’s in-scope activities are identified in
Annexure 2.
2.5. Information security management system
An effective ISMS assures management and other stakeholders that the organization’s
information assets are reasonably safe and protected against harm, thereby acting as a
business enabler.
3. Organizational roles, responsibilities and authorities
3.1. Leadership and Commitment
A management framework is established to initiate and control the implementation of
information security within the Organization.
Management of BONDAP LTD actively supports security within the Organization by:
1. Establishing the security policy;
2. Ensuring that ISMS objectives & plans are established;
3. Establishing roles & responsibilities for information security;
4. Communicating to the organization the importance of meeting information security
objectives & conforming to the information security policy;
5. Providing sufficient resources to establish, implement, operate, monitor, review,
maintain & improve the ISMS;
6. Deciding the criteria for accepting risks & acceptable levels of risk;
7. Ensuring that internal audits are conducted at the defined frequency;
8. Conducting management reviews of the ISMS.
3.2. Policy:
BONDAP LTD is committed to meet the Information Security requirements of its customers,
employees and business partners. It shall do so through effective implementation and
continual improvement of its Information Security Management System (ISMS) by
identifying, evaluating and controlling risks to ensure the confidentiality, integrity and
availability of its Critical and sensitive information assets, and meet legal and statutory
requirements.
Objectives:
This policy ensures:
1. Confidentiality of information by protecting it from deliberate or unintentional
unauthorized access and acquisition.
2. Integrity of information by protecting it from unauthorized modification
3. Availability of information to authorized users when needed
4. Classification of information according to its sensitivity
5. Compliance to regulatory, legislative and contractual requirements
6. Adopting a formal and sustainable Risk Assessment and Management approach for
effective ISMS.
7. Preparing & testing a Business Continuity / Disaster Recovery Plan
8. Training of employees and business partners to achieve a high information security
awareness level.
Responsibility:
1. The Chief Information Security Officer has direct responsibility for maintaining the
Policy and providing advice and guidance on its implementation.
2. All employees are responsible for implementing this Information Security Policy in
carrying out their respective functions. All process owners are responsible for the
effective implementation of their respective processes.
Review of the Policy:
1. The Information Security Policy shall be reviewed at least once a year, or as and when
there are major changes in business requirements.
3.3. Organizational roles, responsibilities and authorities
A formal information security organization structure has been defined as given below:
Roles and information security responsibilities

Information Steering Committee (ISC)
1. Developing and facilitating the implementation of the information security policy and
cyber security policy, standards and procedures, to ensure that all identified
information/system security risks are managed.
2. Approving and monitoring major information security projects, including cyber security,
and the status of information and cyber security plans and budgets; establishing
priorities; approving procedures and guidelines.
3. Supporting the development and implementation of the information security management
programme, including information and cyber security.
4. Reviewing the position of security incidents and the various information and cyber
security assessments and monitoring activities across BONDAP LTD.
5. Reviewing the status of security awareness programs.
6. Assessing new developments or issues relating to information security, including cyber
security.
7. Reviewing future information security (including cyber security) needs on a yearly basis.
8. Maintaining minutes of ISC meetings to document the committee’s activities and decisions.
9. Taking strategic decisions on information security related issues.
10. Addressing security incidents affecting the shareholders, the business or the
organization’s reputation.
11. Reviewing audit reports pertaining to information systems.
12. Checking the effectiveness of the implemented security controls.
13. Analysing the cost effectiveness of security implementation.
14. Reviewing security incidents.
15. Approving security initiatives.

Chief Information Security Officer (CISO)
1. Ensuring that the information security management system conforms to the requirements
of the international standard; and
2. Reporting on the performance of the information security management system to top
management.
3. Reporting to the Information Steering Committee (ISC) on any security incidents
affecting the shareholders, the business or the organization’s reputation.
4. Reviewing audit reports dealing with information security issues and ensuring that they
are placed before the ISC at pre-determined intervals.
5. Ensuring that the relevant security policies and procedures are followed by the IT team,
IT suppliers, partners, etc.
6. Understanding the business purpose of the organization, so as to provide appropriate
security protection.
7. Driving BCP/DRP activities.
8. Reviewing the status of security awareness programs.
9. Assessing new developments or issues relating to information security, including cyber
security.

Information Security Officer (ISO)
1. Assisting the CISO in managing the overall information systems security programs.
2. Maintaining the information system security policies and standards for use throughout
the organization.
3. Assisting business units in the development of specific standards or guidelines that
meet the information security policies for specific products within the business unit.
4. Remaining current on the threats against the information assets and on information
protection methods and controls, through internal education, attending information
security seminars and on-the-job training.
5. Assuming responsibility for, or assisting in, tackling potentially serious and imminent
threats to the organization’s information assets (e.g. an outbreak of computer viruses).
6. Co-ordinating or assisting in the investigation of security threats or other attacks on
the information assets.
7. Assisting the CISO in BCP/DR drills.

Management Representatives
1. Responsible for managing the overall information security within their department.
2. Reporting incidents to the appropriate authorities as per the defined procedure.
3. Creating security awareness among other employees.
4. Responsible for managing the appropriate use of information systems by staff.
5. Ensuring that any information processing work has segregation of duties in line with
internal roles, so that there is no opportunity for fraud.

End Users
1. Comply with the end-user policy, namely the IT Acceptable Usage Policy, which sets out
the appropriate use of information assets.
2. Report security weaknesses/incidents to the IT representatives.
3. Do not exploit known security weaknesses.
4. Attend yearly user awareness training.

4. Planning
4.1. Actions to address Risks and opportunities
The information security management system of BONDAP LTD is planned taking into
consideration the requirements, risks and opportunities that need to be addressed to:
1. Ensure the information security management system can achieve its intended
outcomes;
2. Prevent or reduce undesired effects;
3. Achieve continual improvement.
The organization plans actions to address the above-mentioned risks and opportunities and
to implement control measures. The effectiveness of the actions taken is also evaluated.
4.2. Information security risk assessment
An information security risk assessment process is defined and applied that:
1. Establishes and maintains information security risk criteria, including:
● Criteria for accepting risks;
● Criteria for performing information security risk assessments;
2. Ensures that repeated risk assessments produce consistent, valid and comparable
results;
3. Identifies the information security risks;
● The risk assessment process is applied to identify risks of financial, operational,
reputational and legal loss associated with information assets within the scope of
the information security management system;
● Risk owners are identified;
4. Analyses the information security risks;
● The potential consequences, should the identified risks materialize, are assessed;
● The realistic likelihood of occurrence of the identified risks is assessed;
● The levels of risk are determined;
5. Evaluates the information security risks;
● The results of the risk analysis are compared with the established risk criteria;
● The analysed risks are prioritized for risk treatment;
6. Retains documented information about the information security risk assessment process;
7. Information security risk treatment: the organization has defined and applied an
information security risk treatment process by:
● Selecting appropriate information security risk treatment options, taking account of
the risk assessment results;
● Determining all controls that are necessary to implement the chosen information
security risk treatment options;
● Comparing the controls determined above with those in Annex A of ISO 27001:2013, and
verifying that no necessary controls have been omitted;
8. A Statement of Applicability is produced that contains the necessary controls and the
justification for their inclusion, whether they are implemented or not, and the
justification for excluding any controls of ISO 27001:2013 Annex A
(Refer: Statement of Applicability v1.0);
9. An information security risk treatment plan is formulated;
10. The risk owners’ approval of the information security risk treatment plan, and their
acceptance of the residual information security risks, is obtained;
● Documented information about the information security risk treatment process is
retained by the organization.
Please refer to Risk Assessment Methodology v1.0 and Risk Assessment v1.0.
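The analyse, evaluate and treat steps above, together with the risk acceptance value of 12 from section 2.3, can be expressed as a small deterministic scoring routine, which is also what "consistent, valid and comparable results" from repeated assessments requires. The Python below is an added example written for this page; it is not part of this manual, BONDAP LTD's Risk Assessment Methodology or its risk register. The 1-5 likelihood and impact scales, the four treatment options, the rule that a score above 12 is unacceptable, and the sample register entries are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Risk acceptance value taken from section 2.3 of the manual. The scales and
# treatment options below are assumptions; the manual does not specify them.
RISK_ACCEPTANCE_THRESHOLD = 12
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
TREATMENT_OPTIONS = {"accept", "mitigate", "transfer", "avoid"}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    owner: str            # risk owner, who must approve the treatment plan
    likelihood: str
    impact: str
    treatment: str = "accept"
    # Expected likelihood/impact once the treatment is in place (None = unchanged)
    treated_likelihood: Optional[str] = None
    treated_impact: Optional[str] = None


@dataclass(frozen=True)
class Assessment:
    asset: str
    threat: str
    owner: str
    inherent: int
    residual: int
    treatment: str
    acceptable: bool           # inherent risk within the acceptance criteria
    residual_acceptable: bool  # residual risk within the acceptance criteria


def risk_level(likelihood: str, impact: str) -> int:
    """Likelihood x impact on the assumed ordinal scales; deterministic, so two
    assessments of the same inputs are comparable."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def is_acceptable(level: int) -> bool:
    # Assumption: a score above the threshold is unacceptable; 12 itself is accepted.
    return level <= RISK_ACCEPTANCE_THRESHOLD


def assess(risk: Risk) -> Assessment:
    """Analyse (score) and evaluate (compare with criteria) one register entry."""
    if risk.treatment not in TREATMENT_OPTIONS:
        raise ValueError(f"unknown treatment option: {risk.treatment}")
    inherent = risk_level(risk.likelihood, risk.impact)
    if risk.treatment == "avoid":
        residual = 0  # the activity giving rise to the risk is withdrawn
    else:
        residual = risk_level(risk.treated_likelihood or risk.likelihood,
                              risk.treated_impact or risk.impact)
    return Assessment(risk.asset, risk.threat, risk.owner, inherent, residual,
                      risk.treatment, is_acceptable(inherent), is_acceptable(residual))


def treatment_plan(register: List[Risk]) -> List[Assessment]:
    """Risks whose inherent level exceeds the criteria, highest first (prioritisation)."""
    assessed = [assess(r) for r in register]
    return sorted((a for a in assessed if not a.acceptable), key=lambda a: -a.inherent)


def residual_exceptions(register: List[Risk]) -> List[Assessment]:
    """Risks still above the criteria after treatment: these need explicit
    risk-owner acceptance rather than silently passing as treated."""
    return [a for a in (assess(r) for r in register) if not a.residual_acceptable]


# Constructed sample register for illustration only (not BONDAP LTD data).
SAMPLE_REGISTER = [
    Risk("Source code repository", "IPR theft via compromised developer account",
         "Head of IT Application Development", "possible", "severe",
         "mitigate", treated_likelihood="unlikely"),
    Risk("Server room", "Power failure", "Head of IT Infrastructure",
         "likely", "major", "mitigate", treated_likelihood="rare"),
    Risk("HR records", "Accidental disclosure by e-mail", "Head of HR",
         "possible", "moderate"),
    Risk("Hosting platform", "Extended third-party outage", "Head of Operations",
         "likely", "severe", "accept"),
]

if __name__ == "__main__":
    for a in treatment_plan(SAMPLE_REGISTER):
        print(f"{a.inherent:>2} -> {a.residual:>2}  {a.treatment:<8} "
              f"{a.asset}: {a.threat} (owner: {a.owner})")
    for a in residual_exceptions(SAMPLE_REGISTER):
        print(f"residual {a.residual} above {RISK_ACCEPTANCE_THRESHOLD}: "
              f"{a.asset} requires risk-owner acceptance")
```

Running the file prints the prioritised treatment plan (the three sample risks scoring above 12, highest first) and flags the "accept" entry whose residual score of 20 still exceeds the criteria; that flag is the point at which the manual's step 10 (risk-owner acceptance of residual risk) has to be recorded rather than assumed.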
4.3. Information security objectives and planning to achieve them
Information security objectives are established at relevant functions and levels in the
organization.
The information security objectives:
1. Are consistent with the information security policy;
2. Are measurable (wherever practicable);
3. Take into account the applicable information security requirements and the results of
risk assessment and risk treatment;
4. Are communicated;
5. Are updated as appropriate.
Documented information on the information security objectives is retained by the organization.
When planning how to achieve its information security objectives, the organization has
determined:
1. What needs to be done;
2. What resources are required;
3. Who is responsible;
4. When it will be completed;
5. How the results are evaluated.
Please refer to Information Security Objectives v1.0.
5. Support
5.1. Resources
The resources needed for establishment, implementation, maintenance and continual
improvement of the information security management system are identified and made
available by the management of BONDAP LTD.
5.2. Competence
1. It is ensured that persons doing work under the organization’s control are competent to
perform the information security roles related to their area of work;
2. Competence is established on the basis of appropriate education, training and
experience;
3. Where necessary, actions are taken to acquire the necessary competence, and the
effectiveness of those actions is evaluated;
4. Appropriate documented information is retained as evidence of competence.
Please refer to Competency Matrix v1.0.
5.3. Awareness
Persons doing work under the organization’s control are aware of:
1. The information security policy;
2. Their contribution to the effectiveness of the information security management
system;
3. The implications of not conforming to the information security management system
requirements of the organization.
Awareness training is conducted on an ongoing basis throughout the year for everyone under
the purview of the ISMS, which ensures that every employee has undergone at least one
cycle of awareness training.
5.4. Communication
The need for internal and external communications relevant to the information security
management system, including the following, is determined and defined in the
communication matrix (Refer: Annexure 1):
1. What to communicate;
2. When to communicate;
3. With whom to communicate;
4. Who will communicate;
5. The process for effective communication.
5.5. Documentation Requirements
5.5.1 General
BONDAP LTD has established the ISMS, which includes:
1. ISMS Policies & Objectives
2. Scope of the ISMS
3. Processes & controls in support of the ISMS
4. Risk Assessment Process, including methodology and treatment plan
● A risk assessment methodology that is in line with the business information
security, legal and regulatory requirements is identified;
● The acceptable level of risk and residual risk values are also identified. This
methodology ensures that risk assessments produce comparable and reproducible
results.
5. Documented processes to ensure effective planning, operation & control of the ISMS
(risk assessment process, various records)
6. Statement of Applicability
● The control objectives and controls selected for the ISMS, and the reasons for their
inclusion;
● The control objectives and controls currently implemented;
● The exclusion of any control objectives and controls, and the justification for
their exclusion.
5.5.2 Creating and updating
The following are ensured while creating and updating documented information in the
organization:
1. Identification and description;
2. Format;
3. Review and approval;
5.5.3 Control of documented information
Documented information required by the information security management system of the
organization and by the International Standard ISO 27001:2013 is controlled to ensure that:
1. It is available and suitable for use, where and when it is needed;
2. It is adequately protected.
The following activities are addressed, as applicable, for the control of documented
information:
1. Distribution, access, retrieval and use;
2. Storage and preservation, including preservation of legibility;
3. Control of changes (version control, etc.);
4. Retention and disposal.
6. Operation information
6.1. Operational planning and control
The processes needed to meet the information security requirements and to implement the
actions determined are planned, implemented and controlled by the organization.
Documented information is kept to the extent necessary to have confidence that the
processes have been carried out as planned. Planned changes are controlled, and the
consequences of unintended changes are reviewed, taking action to mitigate any adverse
effects. Outsourced processes are determined and controlled by the organization.
6.2. Information security risk assessment
Information security risk assessments are planned to be conducted at least once a year,
taking into account the risk acceptance criteria. Documented information on the results
of the information security risk assessments is retained by the organization.
6.3. Information security risk treatment
The information security risk treatment plan is implemented. Documented information on
the results of the information security risk treatment is retained by the organization.
7. Performance Evaluation
7.1. Monitoring, measurement, analysis and evaluation
The information security performance and the effectiveness of the information security
management system are evaluated.
7.2. Internal Audit
Comprehensive audits are conducted at least once in six months to evaluate whether the ISMS:
1. Conforms to the requirements of ISO 27001:2013 and relevant legislation or
regulations;
2. Conforms to the identified information security requirements;
3. Is effectively implemented and maintained;
4. Performs as expected.
The responsibilities and requirements for planning and conducting audits, and for reporting
results and maintaining records of these audits, are defined in the Internal Audit process.
Audits are scheduled for each activity based on the process and areas to be audited, as well
as the results of previous audits.
Audits are carried out by trained personnel independent of those having direct
responsibility for the process being audited.
The CISO ensures that actions are taken to eliminate detected nonconformities and their
causes. Follow-up activities include verification of the actions taken and documentation of
the verification results.
Please refer to the IS Audit Framework v1.0.
7.3. Management Review
Management Reviews (Steering Committee Reviews) are conducted at least twice a year, in
which the ISMS is reviewed for its effectiveness, as per the Management Review Process.
This review includes assessing opportunities for improvement and the need for changes to
the ISMS, including the security policy and security objectives.
The Steering Committee is a cross-functional team of management representatives from
various departments in the Organization. It is set up to monitor, review, maintain and
continually improve the ISMS.
The management review shall include consideration of:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the information security
management system;
c) feedback on the information security performance, including trends in:
1) nonconformities and corrective actions;
2) monitoring and measurement results;
3) audit results; and
4) fulfilment of information security objectives;
d) feedback from interested parties;
e) results of risk assessment and status of the risk treatment plan; and
f) opportunities for continual improvement.
Records of the Management Reviews are maintained, and any resulting actions are tracked.
8. Improvements
8.1. Nonconformity and Corrective action
In order to prevent the recurrence of nonconformities, BONDAP LTD takes action to
minimize the causes of nonconformities by:
1. Determining nonconformities;
2. Determining the causes of nonconformities;
3. Evaluating the need for action to control recurrence of nonconformities;
4. Determining and implementing the corrective action needed;
5. Recording the results of the action taken; and
6. Reviewing the effectiveness of the corrective action taken.
8.2. Continual Improvement
The organization aims to continually improve the effectiveness of the ISMS through the use
of the security policy and security objectives, and through feedback for improvement from
audit results, analysis of monitored events, corrective and preventive actions, and
management reviews.
9. Organization of Information Security
9.1. Internal Organisation
9.1.1 Contact with authorities
Contact is established with appropriate authorities whenever required, such as law
enforcement, the fire department, supervisory authorities, telecommunication providers, water
suppliers, other utilities, emergency services, health and safety, etc., to support
information security incident management procedures and business continuity and contingency
planning processes.
9.1.2 Contact with special interest groups
Appropriate contacts with special interest groups or other specialist security forums or
associations shall be maintained as a means to:
1. Improve knowledge about best practices and stay up to date with relevant
security information
2. Ensure the understanding of information security environment is current and
complete
3. Receive early warning of alerts, advisories, and patches pertaining to attacks and
vulnerabilities
4. Gain access to specialist information security advice
5. Share and exchange information about new technologies, products, threats or
vulnerabilities
6. Provide suitable liaison points when dealing with information security incidents
9.1.3 Information Security in Project Management
Information Security is addressed in project management regardless of the type of the
project. It includes:
1. Including security objectives in the overall project objectives;
2. Including security specifications in the project description;
3. Performing a risk assessment specifically for the project to be undertaken;
4. Ensuring security rules/technology are included in all the steps/tasks of the project;
5. Testing whether the project deliverables are compliant with the security specifications.
Annexure 1: Communication Matrix

Who Shall Communicate | What to Communicate | When to Communicate | With Whom to Communicate | How to Communicate
---------------------- | ------------------- | ------------------- | ------------------------ | ------------------
CISO/ISO | Information Security Management System Manual | Whenever any change is made | The members of ISC | Email and ISC Meetings
CISO/ISO | Processes related to the ISMS (Policies and Procedures) | Whenever any change is made | Members of the ISC and Strategy Committee, all the internal stakeholders as per the scope of ISMS | Email
CISO/ISO | Minutes of Management Review Meeting | After Management Review Meeting | Members of the ISC and other internal stakeholders as per the scope of ISMS | Email
CISO/ISO | Notification for Management Review Meeting | As and when review meeting is scheduled based on availability | Members of the ISC | Email
CISO/ISO | Internal/External Audit Schedule | 15 days before Audit | All the Auditees | Email
Internal Auditor | Internal Audit Findings | After the Audit | All the Auditees | Email and Meetings
Internal Auditor | Internal Audit Report | After the Audit | Members of the ISC | Email and Meetings
External Auditor | External Audit Findings | After the Audit | All the Auditees | Email and Meetings
External Auditor | External Audit Report | After the Audit | Members of the ISC | Email and Meetings
CISO/ISO | Potential Risks | As and when identified | Members of ISC and other stakeholders as per scope of ISMS | Email and Meeting
Annexure 2: Dependencies