ISMS04001 Information Security Management System Policy V1R0 Draft 1


    7/31/2019 ISMS04001 Information Security Management System Policy V1R0 Draft 1

    Information Security Management System Policy

    V 1.0 Draft 1 Page 1 of 28

    Public IT Limited 2011

    Information Security Management System Policy

    Document Ref. ISMS04001

    Version: 1.0 Draft 1

    Document Author:

    Document Owner:


    Revision History

    Version Date RFC Number Summary of Changes

    Document Review

    Date of Next Scheduled Review

    Distribution

    Name Title

    Approval

    Name Position Signature Date


    Contents

    1 INTRODUCTION .......... 5
    2 SCOPE OF THE ISMS .......... 5
    3 INFORMATION SECURITY REQUIREMENTS .......... 5
    4 MANAGEMENT COMMITMENT .......... 6
    5 MANAGEMENT REPRESENTATIVE .......... 6
    6 FRAMEWORK FOR SETTING OBJECTIVES AND POLICY .......... 6

    6.1 SECURITY POLICY .......... 7
    6.1.1 Information Security Policy .......... 7

    6.2 ORGANIZATION OF INFORMATION SECURITY .......... 7
    6.2.1 Internal Organization .......... 7
    6.2.2 External Parties .......... 8

    6.3 ASSET MANAGEMENT .......... 8
    6.3.1 Responsibility for Assets .......... 8
    6.3.2 Information Classification .......... 9

    6.4 HUMAN RESOURCES SECURITY .......... 9
    6.4.1 Prior to Employment .......... 9
    6.4.2 During Employment .......... 9
    6.4.3 Termination or Change of Employment .......... 10

    6.5 PHYSICAL AND ENVIRONMENTAL SECURITY .......... 10
    6.5.1 Secure Areas .......... 10
    6.5.2 Equipment Security .......... 11

    6.6 COMMUNICATIONS AND OPERATIONS MANAGEMENT .......... 11
    6.6.1 Operational Procedures and Responsibilities .......... 11
    6.6.2 Third Party Service Delivery Management .......... 12
    6.6.3 System Planning and Acceptance .......... 12
    6.6.4 Protection Against Malicious and Mobile Code .......... 12
    6.6.5 Back-Up .......... 12
    6.6.6 Network Security Management .......... 13
    6.6.7 Media Handling .......... 13
    6.6.8 Exchange of Information .......... 13
    6.6.9 Electronic Commerce Services .......... 14
    6.6.10 Monitoring .......... 14

    6.7 ACCESS CONTROL .......... 15
    6.7.1 Business Requirement for Access Control .......... 15
    6.7.2 User Access Management .......... 15
    6.7.3 User Responsibilities .......... 15
    6.7.4 Network Access Control .......... 15
    6.7.5 Operating System Access Control .......... 16
    6.7.6 Application and Information Access Control .......... 16
    6.7.7 Mobile Computing and Teleworking .......... 17

    6.8 INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE .......... 17
    6.8.1 Security Requirements of Information Systems .......... 17
    6.8.2 Correct Processing in Applications .......... 17
    6.8.3 Cryptographic Controls .......... 18
    6.8.4 Security of System Files .......... 18
    6.8.5 Security in Development and Support Processes .......... 18
    6.8.6 Technical Vulnerability Management .......... 18

    6.9 INFORMATION SECURITY INCIDENT MANAGEMENT .......... 19
    6.9.1 Reporting Information Security Events and Weaknesses .......... 19
    6.9.2 Management of Information Security Incidents and Improvements .......... 19

    6.10 BUSINESS CONTINUITY MANAGEMENT .......... 19
    6.10.1 Information Security Aspects of Business Continuity Management .......... 19

    6.11 COMPLIANCE .......... 20
    6.11.1 Compliance with Legal Requirements .......... 20
    6.11.2 Compliance with Security Policies and Standards, and Technical Compliance .......... 21
    6.11.3 Information Systems Audit Considerations .......... 21

    7 ROLES AND RESPONSIBILITIES .......... 22
    8 CONTINUAL IMPROVEMENT POLICY .......... 22
    9 APPROACH TO MANAGING RISK .......... 23

    9.1 RISK ASSESSMENT .......... 23
    9.2 RISK EVALUATION CRITERIA .......... 24
    9.2.1 Likelihood .......... 24
    9.2.2 Impact .......... 24
    9.3 RISK ACCEPTANCE CRITERIA .......... 25

    10 HUMAN RESOURCES .......... 25
    11 AUDITING AND REVIEW .......... 25
    12 DOCUMENTATION STRUCTURE AND POLICY .......... 26
    13 CONTROL OF RECORDS .......... 28


    1 Introduction

    This policy defines how Information Security will be set up, managed, measured, reported on and developed within [Organisation name].

    The International Standard for Information Security, BS ISO/IEC 27001:2005 (referred to in this document as ISO/IEC 27001), is a development of the earlier British Standard, BS 7799.

    [Organisation name] has decided to pursue full certification to ISO/IEC 27001 in order that the effective adoption of Information Security Best Practice may be validated by an external third party.

    2 Scope of the ISMS

    For the purposes of certification within [Organisation Name], the boundaries of the Information Security Management System are defined as follows:

    [Define the scope of the ISMS in terms of the characteristics of the business, the organisation, its location, assets and technology. Include details of and justification for any exclusions from the scope.]

    3 Information Security Requirements

    A clear definition of the requirements for information security will be agreed and maintained with the business so that all ISMS activity is focussed on the fulfilment of those requirements. Statutory, regulatory and contractual requirements will also be documented and input to the planning process. Specific requirements with regard to the security of new or changed systems or services will be captured as part of the design stage of each project.

    It is a fundamental principle of the [Organisation Name] Information Security Management System that the controls implemented are driven by business needs and this will be regularly communicated to all staff through team meetings and briefing documents.


    4 Management Commitment

    Commitment to Information Security extends to senior levels of the organisation and will be demonstrated through this ISMS Policy and the provision of appropriate resources to provide and develop the ISMS and associated controls.

    Top management will also ensure that a systematic review of performance of the programme is conducted on a regular basis to ensure that quality objectives are being met and quality issues are identified through the audit programme and management processes. Management Review can take several forms including departmental and other management meetings.

    5 Management Representative

    The [IT Manager] shall have overall authority and responsibility for the implementation and management of the Information Security Management System, specifically:

    The identification, documentation and fulfilment of information security requirements

    Implementation, management and improvement of risk management processes

    Integration of processes

    Compliance with statutory, regulatory and contractual requirements

    Reporting to top management on performance and improvement

    6 Framework for Setting Objectives and Policy

    An annual cycle will be used for the setting of objectives for Information Security, to coincide with the budget planning cycle. This will ensure that adequate funding is obtained for the improvement activities identified. These objectives will be based upon a clear understanding of the business requirements, informed by the annual management review with stakeholders.

    ISMS objectives will be documented for the relevant financial year, together with details of how they will be achieved. These will be reviewed on a quarterly basis to ensure that they remain valid. If amendments are required, these will be managed through the change management process.

    In accordance with ISO/IEC 27001:2005 the following control objectives and policy statements will be adopted by [Organisation Name]. These will be reviewed on a regular basis in the light of the outcome from risk assessments and in line with the Risk Treatment Plan (document reference ISMS04007). For references to the controls that implement each of the policy statements given please see the Statement of Applicability (document reference ISMS04008).

    [Please remove any policy statements below that are defined as not applicable in your Statement of Applicability]

    6.1 Security Policy

    6.1.1 Information Security Policy

    Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations

    An information security policy document shall be approved by management, and published and communicated to all employees and relevant external parties.

    The information security policy shall be reviewed at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness.

    6.2 Organization of Information Security

    6.2.1 Internal Organization

    Objective: To manage information security within the organisation.

    Management shall actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgment of information security responsibilities.

    Information security activities shall be co-ordinated by representatives from different parts of the organization with relevant roles and job functions.

    All information security responsibilities shall be clearly defined.

    A management authorization process for new information processing facilities shall be defined and implemented.

    Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified and regularly reviewed.

    Appropriate contacts with relevant authorities shall be maintained.


    Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.

    The organization's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes, and procedures for information security) shall be reviewed independently at planned intervals, or when significant changes to the security implementation occur.

    6.2.2 External Parties

    Objective: To maintain the security of the organisation's information and information processing facilities that are accessed, processed, communicated to or managed by third parties.

    The risks to the organization's information and information processing facilities from business processes involving external parties shall be identified and appropriate controls implemented before granting access.

    All identified security requirements shall be addressed before giving customers access to the organization's information or assets.

    Agreements with third parties involving accessing, processing, communicating or managing the organization's information or information processing facilities, or adding products or services to information processing facilities shall cover all relevant security requirements.

    6.3 Asset Management

    6.3.1 Responsibility for Assets

    Objective: To achieve and maintain appropriate protection of organisational assets.

    All assets shall be clearly identified and an inventory of all important assets drawn up and maintained.

    All information and assets associated with information processing facilities shall be owned by a designated part of the organization.

    Rules for the acceptable use of information and assets associated with information processing facilities shall be identified, documented, and implemented.