Annex A.6 Organization of Information Security

6.1 Internal Organization

The objective of Annex A.6 Organization of Information Security is to establish a management framework for initiating and controlling the implementation and operation of information security within the organization.

6.1.1 Information Security Roles and Responsibilities

Control- All responsibilities related to information security should be well defined and assigned.

Implementation Guidance- Allocation of information security responsibilities should be carried out in compliance with the information security policies (refer to A.5.1.1). Responsibilities for the protection of individual assets and for carrying out specific information security processes should be identified. Responsibilities for information security risk management activities and, in particular, for the acceptance of residual risks should be defined. Where necessary, these responsibilities should be supplemented with more detailed guidance for specific sites and information processing facilities. Local responsibilities for the protection of assets and for carrying out specific security processes should be defined. Individuals with assigned information security responsibilities may delegate security tasks to others, but they remain accountable and should verify that any delegated tasks have been performed correctly.


The areas for which individuals are responsible should be stated. In particular, the following should take place:
1. The assets and the information security processes should be identified and clearly defined;
2. An individual should be assigned responsibility for each asset and each information security process, and the details of that responsibility should be documented;
3. Authorization levels should be defined and documented;
4. The appointed individuals should be competent in the area and should be given opportunities to keep up to date with developments, so that they can fulfil their information security responsibilities;
5. Coordination and oversight of the information security aspects of supplier relationships should be identified and documented.

Other Information- Many organizations appoint an information security officer to take overall responsibility for the development and implementation of information security and to support the identification of controls. However, responsibility for resourcing and implementing the controls often remains with individual managers. It is common practice to appoint an owner for each asset, who then takes responsibility for its day-to-day protection.

6.1.2 Segregation of Duties

Control- Conflicting duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.

Implementation Guidance- Care should be taken that no single person can access, modify or use assets without authorization or approval. The initiation of an event should be separated from its authorization. The possibility of collusion should be considered when designing the controls. Small organizations may find segregation of duties difficult to achieve, but the principle should be applied as far as is practicable and feasible. Where segregation is difficult, other controls such as activity monitoring, audit trails and management supervision should be considered.

Other Information- Segregation of duties is a method for reducing the risk of accidental or deliberate misuse of the organization's assets.

6.1.3 Contact with Authorities

Control- It is necessary to maintain proper communications with the relevant authorities.

Implementation Guidance- Organizations should have procedures in place that specify when and by which personnel authorities (e.g. law enforcement, regulatory bodies, supervisory authorities) should be contacted, and how identified information security incidents should be reported in a timely manner (e.g. if it is suspected that the law has been broken).

Other Information- Organizations under attack from the Internet may need authorities to take action against the source of the attack. Maintaining these contacts may also be a requirement for supporting information security incident management or the business continuity and contingency planning processes. Contacts with regulatory bodies are also useful for anticipating and preparing for upcoming changes in the laws or regulations the organization has to comply with. Contacts with other authorities include utilities, emergency services, electricity suppliers, and health and safety bodies such as fire departments, telecommunication providers (routing and availability), and water suppliers (equipment cooling).

6.1.4 Contact with Interest Groups

Control- Appropriate contacts with special interest groups, other specialist security forums and professional associations should be maintained.

Implementation Guidance- Membership of special interest groups or forums should be considered as a means to:
    1. Improve knowledge and keep up to date with best practice and relevant security information;
    2. Ensure an up-to-date and complete understanding of the information security environment;
    3. Receive early warnings of threats and vulnerabilities, and of available updates and patches;
    4. Gain access to specialist information security advice;
    5. Share and exchange information about new technologies, products, threats or vulnerabilities;
    6. Provide suitable liaison points when dealing with information security incidents.

Other Information- Information sharing agreements can be established to improve cooperation and coordination on security issues. Such agreements should identify the requirements for protecting confidential information.


6.1.5 Information Security in Project Management

Control- Information security should be addressed in project management, irrespective of the type of project.

Implementation Guidance- Information security should be integrated into the organization's project management method(s) to ensure that information security risks are identified and addressed as part of every project. This applies to any project irrespective of its nature, e.g. a core business process project, IT, facilities management, or other supporting processes.

The project management methods in use should require that:
    1. Information security objectives are included in the project objectives;
    2. An information security risk assessment is carried out at an early stage of the project to identify the controls that are needed;
    3. Information security is part of all phases of the applied project methodology.

Information security implications should be addressed and reviewed regularly in all projects. Responsibilities for information security should be defined and allocated to specified roles within the project management methods.

At Infosavvy we help you get acquainted with every control belonging to the ISO 27002 standard and make you understand the various roles and responsibilities required of the organization, keeping in mind the confidentiality of assets. We provide training for IRCA CQI ISO 27001:2013 Lead Auditor (LA) and ISO 27001 Lead Implementer (LI) (training certified by TÜV SÜD) and also incorporate faculties that make learning easy and experiential for the participants so that they can excel in managing an ISMS.

Questions related to this topic
1. What is Annex A.6 Organization of Information Security?
2. What is the Implementation Guidance for Information Security Roles and Responsibilities?
3. What is Segregation of Duties?
4. What is Information Security in Project Management?
