ISO 27001 Control A.6

A.6 Organization of information security

A.6.1 Internal organization

Objective: To manage information security within the organization.

A.6.1.1 Management commitment to information security

Control

Management shall actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgment of information security responsibilities.

A.6.1.2 Information security coordination

Control

Information security activities shall be co-ordinated by representatives from different parts of the organization with relevant roles and job functions.

A.6.1.3 Allocation of information security responsibilities

Control

All information security responsibilities shall be clearly defined.

A.6.1.4 Authorization process for information processing facilities

Control

A management authorization process for new information processing facilities shall be defined and implemented.

A.6.1.5 Confidentiality agreements

Control

Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified and regularly reviewed.

A.6.1.6 Contact with authorities

Control

Appropriate contacts with relevant authorities shall be maintained.

A.6.1.7 Contact with special interest groups

Control

Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.

A.6.1.8 Independent review of information security

Control

The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes, and procedures for information security) shall be reviewed independently at planned intervals, or when significant changes to the security implementation occur.

_______________________________________________________________________________________________________________

A.6.2 External parties

Objective: To maintain the security of the organization’s information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.

A.6.2.1 Identification of risks related to external parties

Control

The risks to the organization’s information and information processing facilities from business processes involving external parties shall be identified and appropriate controls implemented before granting access.

A.6.2.2 Addressing security when dealing with customers

Control

All identified security requirements shall be addressed before giving customers access to the organization’s information or assets.

A.6.2.3 Addressing security in third party agreements

Control

Agreements with third parties involving accessing, processing, communicating or managing the organization’s information or information processing facilities, or adding products or services to information processing facilities shall cover all relevant security requirements.
