ISO 27001 Annex A.6 – Organisation of Information Security


What is the objective of ISO 27001 Annex A.6.1?

Annex A.6.1 requires the company to establish a management framework to initiate and control the implementation and operation of information security within the company. The control numbering on this page follows the ISO/IEC 27001:2013 edition of Annex A. Having the framework independently audited and certified as ISO 27001 compliant gives clients and potential clients confidence in your company’s security posture.


A.6.1 forms part of the information security management system (ISMS) and is an integral step to achieve ISO 27001 certification. It contains the five controls listed below.

A.6.1.1 Information Security Roles and Responsibilities

Annex 6.1.1 or Control A.6.1.1 stipulates that all information security responsibilities should be clearly defined and allocated in accordance with the company’s information security policies. The Adoptech Roles and Responsibilities Policy outlines the process for allocating these responsibilities. The allocation of information security responsibilities can be managed within the Adoptech platform and clearly demonstrated to an auditor.

Responsibilities for information security risk management activities, and in particular for acceptance of residual risks, are defined as part of the risk assessment process. Responsibility for the protection of individual assets is recorded against each asset in the asset register maintained within Adoptech.

Oversight of the information security aspects of supplier relationships should be defined in the supplier / third-party register.

Many companies appoint an information security manager to take overall responsibility for the development and implementation of information security and to support the identification of controls. However, responsibility for resourcing and implementing the controls will often remain with individual managers. One common practice is to appoint an owner for each asset who then becomes responsible for its day-to-day protection.

A.6.1.2 Segregation of Duties

Annex 6.1.2 or Control A.6.1.2 requires appropriate care to be taken to ensure that conflicting duties and areas of responsibility are segregated, to reduce the risk of accidental or deliberate misuse of the company’s assets.

In practice this means ensuring that no single person can access, modify or use assets without authorisation or detection. This is detailed in the Adoptech Access Controls policy. The policy and processes in place aim to ensure that the initiation of an event is separated from its authorisation. In smaller companies it may not be practical to segregate duties fully, so compensating controls such as monitoring of activities, audit trails and management supervision should be implemented instead.
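The separation of initiation from authorisation, and the compensating controls for small teams, can be enforced in software rather than left to process alone. The following is an added illustration, not code from Adoptech or from the standard: a minimal approval workflow in which the person who raises a change request cannot approve it, every decision is written to an audit trail, and an optional `compensating_review` mode (a hypothetical setting chosen for this example) permits self-approval in a small team only while flagging the request for management supervision.

```python
"""Segregation-of-duties check for a change-approval workflow.

Added example (hypothetical code): initiator != approver is enforced, every
decision is written to an audit trail, and the small-team case is handled
by a compensating control (self-approval is flagged for management review)
rather than silently permitted.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Set


class SoDViolation(Exception):
    """Raised when a duty that must be segregated is not."""


@dataclass
class AuditEvent:
    timestamp: str
    actor: str
    action: str
    request_id: str
    outcome: str


@dataclass
class ChangeRequest:
    request_id: str
    initiator: str
    description: str
    approver: Optional[str] = None
    executed_by: Optional[str] = None


class ApprovalWorkflow:
    """Initiation, authorisation and execution of a change are separate steps.

    compensating_review=True models the small-company case: self-approval is
    allowed, but each such request is recorded in `flagged` so that management
    supervision (the compensating control) can review it.
    """

    def __init__(self, approvers: Set[str], compensating_review: bool = False):
        self.approvers = set(approvers)          # roles authorised to approve
        self.compensating_review = compensating_review
        self.audit_log: List[AuditEvent] = []    # append-only trail of decisions
        self.flagged: List[str] = []             # requests needing management review

    def _record(self, actor: str, action: str, request_id: str, outcome: str) -> None:
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), actor, action, request_id, outcome))

    def denial_reason(self, req: ChangeRequest, approver: str) -> Optional[str]:
        """Return why `approver` may not authorise `req`, or None if allowed."""
        if approver not in self.approvers:
            return "not an authorised approver"
        if approver == req.initiator and not self.compensating_review:
            return "initiator cannot approve their own request"
        return None

    def approve(self, req: ChangeRequest, approver: str) -> bool:
        reason = self.denial_reason(req, approver)
        if reason is not None:
            self._record(approver, "approve", req.request_id, "denied: " + reason)
            raise SoDViolation(f"{req.request_id}: {reason}")
        if approver == req.initiator:
            # Segregation not possible; apply the compensating control instead.
            self.flagged.append(req.request_id)
            self._record(approver, "approve", req.request_id,
                         "allowed: self-approval flagged for management review")
        else:
            self._record(approver, "approve", req.request_id, "allowed")
        req.approver = approver
        return True

    def execute(self, req: ChangeRequest, operator: str) -> bool:
        """Execution is only permitted once a separate authorisation exists."""
        if req.approver is None:
            self._record(operator, "execute", req.request_id, "denied: not authorised")
            raise SoDViolation(f"{req.request_id}: change has not been authorised")
        req.executed_by = operator
        self._record(operator, "execute", req.request_id, "allowed")
        return True

    def denied_events(self) -> List[AuditEvent]:
        """Denied attempts are what monitoring and audit review should look at."""
        return [e for e in self.audit_log if e.outcome.startswith("denied")]


if __name__ == "__main__":
    wf = ApprovalWorkflow(approvers={"bob", "carol"})
    cr = ChangeRequest("CR-1", "alice", "rotate database credentials")  # constructed sample
    wf.approve(cr, "bob")
    wf.execute(cr, "alice")
    try:
        wf.approve(ChangeRequest("CR-2", "bob", "open firewall port"), "bob")
    except SoDViolation as exc:
        print("blocked:", exc)
    for event in wf.audit_log:
        print(event)
```

In a real system the audit log would be written to storage the approvers themselves cannot alter, and the `flagged` list would feed a periodic management review; both are the detective controls the text describes for cases where preventive segregation is not achievable.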

A.6.1.3 Contact with Authorities

Annex 6.1.3 or Control A.6.1.3 requires appropriate contacts to be maintained with relevant authorities. 

The company must maintain procedures that specify when, and by whom, authorities (e.g. law enforcement, regulatory bodies, supervisory authorities) should be contacted, and how identified information security incidents should be reported to them in a timely manner (e.g. where it is suspected that laws may have been broken). The relationship owner is outlined in Adoptech’s Roles and Responsibilities Policy, and Adoptech’s Cyber Incident Management Policy outlines how incidents are managed. In addition, Adoptech’s Information Security Legal Register can be used to record relevant legislation and reviews of compliance with it.

A.6.1.4 Contact with Special Interest Groups

Annex 6.1.4 or Control A.6.1.4 covers the need to maintain appropriate contacts with special interest groups or other specialist security forums and professional associations and industry organisations. This ensures that your company has a network of expertise in information security to improve knowledge about best practices and stay up to date with relevant security information. Understanding the purpose of such groups is important as some may be commercially driven.

A.6.1.5 Information Security in Project Management

Annex 6.1.5 or Control A.6.1.5 stipulates that information security should be an integral part of all company projects and include an assessment of the potential impact to data and cyber security. The information security assessment steps should be in line with the SDLC policy and change management procedures and be regularly reviewed.

The ISO 27001 certification audit will require evidence that all project staff are aware of the need to consider information security at all phases of the project lifecycle. This should be part of the company’s education, training and awareness programme.


What is the objective of Annex A.6.2?

Annex A.6.2 requires the company to follow best practices and establish an effective management framework to ensure the security of teleworking (including home working and working from satellite offices) and use of mobile devices.


A.6.2 forms part of the information security management system (ISMS) and is an integral step to achieve ISO 27001 certification. It contains the two controls listed below.

A.6.2.1 Mobile Device Policy

Annex 6.2.1 or Control A.6.2.1 requires a policy and supporting security measures to be adopted to clarify the acceptable use of mobile devices, manage the risks introduced by using them and protect the company’s information.

Mobile devices, including mobile phones, laptops and tablets, are becoming more sophisticated and enable truly flexible working, but this also presents a security and compliance risk to the company. BYOD (Bring Your Own Device) is increasingly common; it adds complexity and risk, because the company does not own or fully manage the device, and requires specific controls to manage it.

The auditor will want to know that the company has processes in place to ensure that its data and that of its customers is protected on mobile devices. The Adoptech Mobile Device Policy goes into further detail than the Acceptable Use policy and provides broader guidance on the appropriate use of business and personal equipment.

This policy should also be part of the company’s education, training and awareness programme.

A.6.2.2 Teleworking

Annex 6.2.2 or Control A.6.2.2 covers teleworking. Teleworking is also known as remote working and covers not just working from home but working from any location outside the office, including shared ‘workspaces’. The access granted to remote workers should be based on a risk assessment. Adoptech’s Home Working and Remote Access Policies outline the process, procedures and controls that must be followed to reduce the information security risks associated with working outside the office and to reassure the auditor that the company protects information accessed, processed or stored remotely.

This policy should also be part of the company’s education, training and awareness programme.
