ISO 27001 Control A.6

A.6 Organization of information security

A.6.1 Internal organization

Objective: To manage information security within the organization.

A.6.1.1 Management commitment to information security

Management shall actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgment of information security responsibilities.

A.6.1.2 Information security coordination

Information security activities shall be co-ordinated by representatives from different parts of the organization with relevant roles and job functions.

A.6.1.3 Allocation of information security responsibilities

All information security responsibilities shall be clearly defined.

A.6.1.4 Authorization process for information processing facilities

A management authorization process for new information processing facilities shall be defined and implemented.

A.6.1.5 Confidentiality agreements

Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified and regularly reviewed.

A.6.1.6 Contact with authorities

Appropriate contacts with relevant authorities shall be maintained.

A.6.1.7 Contact with special interest groups

Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.

A.6.1.8 Independent review of information security

The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes, and procedures for information security) shall be reviewed independently at planned intervals, or when significant changes to the security implementation occur.

A.6.2 External parties

Objective: To maintain the security of the organization’s information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.

A.6.2.1 Identification of risks related to external parties

The risks to the organization’s information and information processing facilities from business processes involving external parties shall be identified and appropriate controls implemented before granting access.

A.6.2.2 Addressing security when dealing with customers

All identified security requirements shall be addressed before giving customers access to the organization’s information or assets.

A.6.2.3 Addressing security in third party agreements

Agreements with third parties involving accessing, processing, communicating or managing the organization’s information or information processing facilities, or adding products or services to information processing facilities shall cover all relevant security requirements.