Policies for information security
Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.
Information security roles and responsibilities
Information security roles and responsibilities shall be defined and allocated according to the organization needs.
Segregation of duties
Conflicting duties and conflicting areas of responsibility shall be segregated.
Management responsibilities
Management shall require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organization.
** Contact with authorities**
The organization shall establish and maintain contact with relevant authorities.
** Contact with special interest groups**
The organization shall establish and maintain contact with special interest groups or other specialist security forums and professional associations.
Threat intelligence
Information relating to information security threats shall be collected and analysed to produce threat intelligence.
Information security in project management
Information security shall be integrated into project management.
Information security in project management
An inventory of information and other associated assets, including owners, shall be developed and maintained.
Acceptable use of information and other associated assets
Rules for the acceptable use and procedures for handling information and other associated assets shall be identified, documented and implemented.
Acceptable use of information and other associated assets
Rules for the acceptable use and procedures for handling information and other associated assets shall be identified, documented and implemented.
Classification of information
Information shall be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements.
Labelling of information
An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.
Information transfer
Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.
Access control
Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.
Identity management
The full life cycle of identities shall be managed.
Authentication information
Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information.
Access rights
Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control.
Information security in supplier relationships
Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of supplier’s products or services.
Addressing information security within supplier agreements
Relevant information security requirements shall be established and agreed with each supplier based on the type of supplier relationship.
Managing information security in the information and communication technology (ICT) supply chain
Processes and procedures shall be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.
Monitoring, review and change management of supplier services
The organization shall regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.
Information security for use of cloud services
Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organization’s information security requirements.
Information security incident management planning and preparation
The organization shall plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities.
Assessment and decision on information security events
The organization shall assess information security events and decide if they are to be categorized as information security incidents.
Response to information security incidents
Information security incidents shall be responded to in accordance with the documented procedures.
Learning from information security incidents
Knowledge gained from information security incidents shall be used to strengthen and improve the information security controls.
Collection of evidence
The organization shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.
Information security during disruption
The organization shall plan how to maintain information security at an appropriate level during disruption.
ICT readiness for business continuity
ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.
Legal, statutory, regulatory and contractual requirements
Legal, statutory, regulatory and contractual requirements relevant to information security and the organization’s approach to meet these requirements shall be identified, documented and kept up to date.
Intellectual property rights
The organization shall implement appropriate procedures to protect intellectual property rights.
Protection of records
Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.
Privacy and protection of personal identifiable information (PII)
The organization shall identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements.
Independent review of information security
The organization’s approach to managing information security and its implementation including people, processes and technologies shall be reviewed independently at planned intervals, or when significant changes occur
Compliance with policies, rules and standards for information security
Compliance with the organization’s information security policy, topic-specific policies, rules and standards shall be regularly reviewed.
Documented operating procedures
Operating procedures for information processing facilities shall be documented and made available to personnel who need them.