
Monday, 6 March 2017

A detailed look at ISO 27001: Part 4

Section 10: Cryptography

A cryptography policy must be developed and implemented.  This must include:

  • The required level of protection;
  • The type, strength and quality of the encryption algorithm to be used;
  • Key management;
  • Integrity/authenticity controls using digital signatures or message authentication codes.

Section 11: Physical and Environmental Security

Critical or sensitive information processing facilities must be physically protected against malicious or accidental damage or loss, overheating, loss of mains power etc.  It must also be sited to prevent unauthorised viewing of confidential matter.

There is a need for concentric layers of physical controls (rather like an onion), including barriers, walls, card-controlled entry gates or manned reception desks, to protect sensitive IT facilities from unauthorised access.

A secure area may be a lockable office, a computer room or several rooms surrounded by a continuous internal physical security barrier.

Critical IT equipment, cabling and other assets must be protected against physical damage, fire, flood, theft, interception etc., both on-site and off-site.

Power supplies and cabling must be secured. IT equipment must be maintained properly and disposed of securely.

Access to and within application systems must be controlled in accordance with a defined access control policy. Particularly sensitive applications may require dedicated (isolated) platforms, and/or additional controls if run on shared platforms.

The application of physical controls must be adapted to the technical and economic circumstances of the organisation.

11.2 Equipment

To prevent loss, damage, theft or compromise of assets and interruption to the organisation’s operations.

This includes the siting of equipment to reduce the risks from environmental threats and hazards, and opportunities for unauthorised access.

Supporting utilities must be inspected regularly to detect damage and malfunction.
Cabling must be protected and checked for unauthorised interception.

Clear desk and clear screen policies must be in use.

Section 12: Operations Security

This is a big clause and it covers all aspects of operations security.

To ensure correct and secure operations of information processing facilities.

Documented operating procedures must be available to all users who need them.

Change control procedures must be used to record and authorise changes to the organisation, business processes, information processing facilities and systems that can affect information security.

Capacity must be monitored and tuned, and projections of future capacity requirements made, to ensure the required system performance.

12.2 Protection from malware

To ensure that information and information processing facilities are protected from viruses and other malware.

12.3 Backup

Systems must be backed up to protect against data loss.

12.4 Logging and monitoring

To record events and generate evidence.

12.5 Control of operational software

To ensure the integrity of operational systems.

12.6 Technical vulnerability management

To prevent exploitation of technical vulnerabilities.

12.7 Information systems audit considerations

To minimise the impact of audit activities on operational systems.

Section 13: Communications Security

This is a big clause and covers all aspects of communications security.

To ensure the protection of information in networks and its supporting information processing facilities.

Section 14: Information Systems Acquisition, Development and Maintenance

To ensure that information security is taken into account in the Systems Development Lifecycle (SDLC) processes for specifying, building/acquiring, testing, implementing and maintaining IT systems.

14.1 Information Security Requirements Analysis and Specification

Automated and manual security control requirements must be analysed and fully identified during the requirements stage of the systems development or acquisition process, and incorporated into business cases. Purchased software must be formally tested for security, and any issues risk-assessed.

14.2 Security in development and support processes

To ensure that information security is designed within the development lifecycle of information systems.

14.3 Test data

To ensure the protection of data used for testing.

Section 15: Supplier relationships

This new section deals with the protection provided in supplier agreements.

Section 16: Information Security Incident Management

Information security events, incidents and weaknesses (including near-misses) must be promptly reported and properly managed.

16.1 Reporting Information Security Events and Weaknesses

A formal incident/weakness reporting procedure is required, plus the associated response and escalation procedures. There must be a central point of contact, and all employees, contractors etc. must be informed of their incident reporting responsibilities.  Feedback to the person reporting an incident must take place.

16.2 Management of Information Security Incidents and Improvements

Responsibilities and procedures are required to manage incidents and weaknesses effectively, to implement continuous improvement (learning the lessons), and to collect evidence in accordance with legal requirements.

Section 17: Information Security Aspects of Business Continuity Management

This section describes the objective to counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption. A business continuity management process must be implemented to minimise the impact on the organisation and recover from the loss of information assets.

It covers the relationship between IT disaster recovery planning, business continuity management and contingency planning, ranging from analysis and documentation through to regular exercising/testing of the plans. These controls are designed to minimise the impact of security incidents that happen despite the preventive controls noted elsewhere in the standard.

Section 18: Compliance

18.1 Compliance with Legal and Contractual Requirements

The organisation must comply with applicable legislation such as copyright, data protection, protection of financial data and other vital records, cryptography restrictions, rules of evidence etc.

18.2 Information Systems Reviews

System audits must be carefully planned to minimise disruption to operational systems. Powerful audit tools/facilities must also be protected against unauthorised use.


Quality Matters

© 2015 Quality Matters Ltd. All rights reserved.