A.6 Organization of information security
A.6.1 Internal organization
Objective: To manage information security within the organization.
A.6.1.1 Management commitment to information security
Management shall actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgment of information security responsibilities.
A.6.1.2 Information security coordination
Information security activities shall be co-ordinated by representatives from different parts of the organization with relevant roles and job functions.
A.6.1.3 Allocation of information security responsibilities
All information security responsibilities shall be clearly defined.
A.6.1.4 Authorization process for information processing facilities
A management authorization process for new information processing facilities shall be defined and implemented.
A.6.1.5 Confidentiality agreements
Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified and regularly reviewed.
A.6.1.6 Contact with authorities
Appropriate contacts with relevant authorities shall be maintained.
A.6.1.7 Contact with special interest groups
Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.
A.6.1.8 Independent review of information security
The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes, and procedures for information security) shall be reviewed independently at planned intervals, or when significant changes to the security implementation occur.
A.6.2 External parties
Objective: To maintain the security of the organization’s information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.
A.6.2.1 Identification of risks related to external parties
The risks to the organization’s information and information processing facilities from business processes involving external parties shall be identified and appropriate controls implemented before granting access.
A.6.2.2 Addressing security when dealing with customers
All identified security requirements shall be addressed before giving customers access to the organization’s information or assets.
A.6.2.3 Addressing security in third party agreements
Agreements with third parties involving accessing, processing, communicating or managing the organization’s information or information processing facilities, or adding products or services to information processing facilities shall cover all relevant security requirements.