This clause, A6, of the ISO 27001 standard is there to provide some background and management framework guidance.
It is a little bit "hodgepodge" of requirements. Plus the requirements don’t seem to match with one another but there you go.
It covers such disparate requirements like: responsibilities, segregating duties, dealing with authorities, special interest groups, project management, mobile devices and teleworking.
In any case the clause is split into two sub-clauses.
The clause A6.1 covers off the internal organisation requirements.
It starts with responsibilities. As with any management system, being really clear about everyone’s roles, responsibilities and authorities is a key for having a successful system. I have written about roles, responsibilities and authorities previously, click here for more details.
Next up, and similar to being clear with responsibilities, is segregation of duties. The standard spells it out that segregation helps “reduce opportunities for unauthorised or unintentional modification or misuse of the organisation’s assets”. So make sure that your system has segregated duties effectively.
Then follows that you need to be in contact with authorities and local special interest groups. For Mango, we have a direct link with CERTNZ, the local cyber-security Government Agency here in New Zealand. Plus we are part of the local Tech Society to keep ourselves abreast of the latest tech news and developments.
Then there is the requirement that information security shall be address in project management. This is good practise anyway. Here at Mango we have information security at each stage of our development, implementation and support stages.
The increasing use of mobile devices in business can be a reasonably significant risk to business. As more and more application are moving to mobile, keeping the information secure is an on-going problem. A few things we did here at Mango were:
For tele-working staff here at Mango we reviewed and updated our policies and procedures for keeping them secure and well protected.
View previous blogs in this series "ISO 27001 Information Security Management Standard":
Part 1 - Reasons why you need to meet this standard
Part 2 - Principle 1 - Analysing the Protection of Your Information and then Applying Controls
Part 3 - Principle 2 - Awareness of the Need for Information Security
Part 4 - Principle 3 - Assignment of Responsibility for Information Security
Part 5 - Principle 4 - Incorporating Management Commitment and the Interests of Stakeholders
Part 6 - Principle 5 - Enhancing Societal Values
Part 9 - Principle 8 - Active prevention and detection of information security incidents
Part 10 - Principle 9 - Ensuring a comprehensive approach to information security management
Part 12 - ISO 27001 Information Security Management Standard: Clauses 0, 0.1, 0.2, 1, 2 and 3
Part 13 - ISO 27001 Information Security Management Standard: Clauses 4.1, 4.2, 4.3 and 4.4
Part 14 - ISO 27001 Information Security Management Standard: Clause 5.1
Part 15 - ISO 27001 Information Security Management Standard: Clause 5.2
Part 16 - ISO 27001 Information Security Management Standard: Clause 5.3
Part 17 - ISO 27001 Information Security Management Standard: Clause 6.1
Part 18 - ISO 27001 Information Security Management Standard: Clause 6.2
Part 19 - ISO 27001 Information Security Management Standard: Clauses 7.1 - 7.4
Part 20 - ISO 27001 Information Security Management Standard: Clause 7.5
Part 21 - ISO 27001 Information Security Management Standard: Clauses 8.1, 8.2, 8.3
Part 22 - ISO 27001 Information Security Management Standard: Clauses 9.1, 9.2, 9.3
Part 23 - ISO 27001 Information Security Management Standard: Clauses 10.1, 10.2
Part 24 - ISO 27001 Information Security Management Standard: Clauses A5.1