ISMS04001 Information Security Management System Policy V1R0 Draft 1

Information Security Management System Policy

iso27001templates.com © Public IT Limited 2011

Document Ref.: ISMS04001
Version: 1.0 Draft 1
Document Author:
Document Owner:

V 1.0 Draft 1

Page 1 of 28



Revision History
Version | Date | RFC Number | Summary of Changes

Document Review
Date of Next Scheduled Review:

Distribution
Name | Title

Approval
Name | Position | Signature | Date


Contents

1 INTRODUCTION 5
2 SCOPE OF THE ISMS 5
3 INFORMATION SECURITY REQUIREMENTS 5
4 MANAGEMENT COMMITMENT 6
5 MANAGEMENT REPRESENTATIVE 6
6 FRAMEWORK FOR SETTING OBJECTIVES AND POLICY 6
6.1 SECURITY POLICY 7
6.1.1 Information Security Policy 7
6.2 ORGANIZATION OF INFORMATION SECURITY 7
6.2.1 Internal Organization 7
6.2.2 External Parties 8
6.3 ASSET MANAGEMENT 8
6.3.1 Responsibility for Assets 8
6.3.2 Information Classification 9
6.4 HUMAN RESOURCES SECURITY 9
6.4.1 Prior to Employment 9
6.4.2 During Employment 9
6.4.3 Termination or Change of Employment 10
6.5 PHYSICAL AND ENVIRONMENTAL SECURITY 10
6.5.1 Secure Areas 10
6.5.2 Equipment Security 11
6.6 COMMUNICATIONS AND OPERATIONS MANAGEMENT 11
6.6.1 Operational Procedures and Responsibilities 11
6.6.2 Third Party Service Delivery Management 12
6.6.3 System Planning and Acceptance 12
6.6.4 Protection Against Malicious and Mobile Code 12
6.6.5 Back-Up 12
6.6.6 Network Security Management 13
6.6.7 Media Handling 13
6.6.8 Exchange of Information 13
6.6.9 Electronic Commerce Services 14
6.6.10 Monitoring 14
6.7 ACCESS CONTROL 15
6.7.1 Business Requirement for Access Control 15
6.7.2 User Access Management 15
6.7.3 User Responsibilities 15
6.7.4 Network Access Control 15
6.7.5 Operating System Access Control 16
6.7.6 Application and Information Access Control 16
6.7.7 Mobile Computing and Teleworking 17
6.8 INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE 17
6.8.1 Security Requirements of Information Systems 17
6.8.2 Correct Processing in Applications 17
6.8.3 Cryptographic Controls 18
6.8.4 Security of System Files 18
6.8.5 Security in Development and Support Processes 18
6.8.6 Technical Vulnerability Management 18
6.9 INFORMATION SECURITY INCIDENT MANAGEMENT 19
6.9.1 Reporting Information Security Events and Weaknesses 19
6.9.2 Management of Information Security Incidents and Improvements 19
6.10 BUSINESS CONTINUITY MANAGEMENT 19
6.10.1 Information Security Aspects of Business Continuity Management 19
6.11 COMPLIANCE 20
6.11.1 Compliance with Legal Requirements 20
6.11.2 Compliance with Security Policies and Standards, and Technical Compliance 21
6.11.3 Information Systems Audit Considerations 21
7 ROLES AND RESPONSIBILITIES 22
8 CONTINUAL IMPROVEMENT POLICY 22
9 APPROACH TO MANAGING RISK 23
9.1 RISK ASSESSMENT 23
9.2 RISK EVALUATION CRITERIA 24
9.2.1 Likelihood 24
9.2.2 Impact 24
9.3 RISK ACCEPTANCE CRITERIA 25
10 HUMAN RESOURCES 25
11 AUDITING AND REVIEW 25
12 DOCUMENTATION STRUCTURE AND POLICY 26
13 CONTROL OF RECORDS 28



1 Introduction

This policy defines how Information Security will be set up, managed, measured, reported on and developed within [Organisation name]. The International Standard for Information Security, BS ISO/IEC 27001:2005 (referred to in this document as ISO/IEC 27001), is a development of the earlier British Standard, BS 7799. [Organisation name] has decided to pursue full certification to ISO/IEC 27001 in order that the effective adoption of Information Security Best Practice may be validated by an external third party.

2 Scope of the ISMS

For the purposes of certification within [Organisation Name], the boundaries of the Information Security Management System are defined as follows:

[Define the scope of the ISMS in terms of the characteristics of the business, the organisation, its location, assets and technology. Include details of and justification for any exclusions from the scope.]

3 Information Security Requirements

A clear definition of the requirements for information security will be agreed and maintained with the business so that all ISMS activity is focussed on the fulfilment of those requirements. Statutory, regulatory and contractual requirements will also be documented and input to the planning process. Specific requirements with regard to the security of new or changed systems or services will be captured as part of the design stage of each project.

It is a fundamental principle of the [Organisation Name] Information Security Management System that the controls implemented are driven by business needs, and this will be regularly communicated to all staff through team meetings and briefing documents.


4 Management Commitment

Commitment to Information Security extends to senior levels of the organisation and will be demonstrated through this ISMS Policy and the provision of appropriate resources to provide and develop the ISMS and associated controls. Top management will also ensure that a systematic review of performance of the programme is conducted on a regular basis to ensure that quality objectives are being met and quality issues are identified through the audit programme and management processes. Management Review can take several forms, including departmental and other management meetings.

5 Management Representative

The [IT Manager] shall have overall authority and responsibility for the implementation and management of the Information Security Management System, specifically:

- The identification, documentation and fulfilment of information security requirements
- Implementation, management and improvement of risk management processes
- Integration of processes
- Compliance with statutory, regulatory and contractual requirements
- Reporting to top management on performance and improvement

6 Framework for Setting Objectives and Policy

An annual cycle will be used for the setting of objectives for Information Security, to coincide with the budget planning cycle. This will ensure that adequate funding is obtained for the improvement activities identified. These objectives will be based upon a clear understanding of the business requirements, informed by the annual management review with stakeholders.

ISMS objectives will be documented for the relevant financial year, together with details of how they will be achieved. These will be reviewed on a quarterly basis to ensure that they remain valid. If amendments are required, these will be managed through the change management process.

In accordance with ISO/IEC 27001:2005 the following control objectives and policy statements will be adopted by [Organisation Name]. These will be reviewed on a regular basis in the light of the outcome from risk assessments and in line with the Risk Treatment Plan (document reference ISMS04007). For references to the controls that implement each of the policy statements given, please see the Statement of Applicability (document reference ISMS04008).

[Please remove any policy statements below that are defined as not applicable in your Statement of Applicability]

6.1 Security Policy

6.1.1 Information Security Policy

Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

An information security policy document shall be approved by management, and published and communicated to all employees and relevant external parties.

The information security policy shall be reviewed at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness.

6.2 Organization of Information Security

6.2.1 Internal Organization

Objective: To manage information security within the organisation.

Management shall actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgment of information security responsibilities.

Information security activities shall be co-ordinated by representatives from different parts of the organization with relevant roles and job functions.

All information security responsibilities shall be clearly defined.

A management authorization process for new information processing facilities shall be defined and implemented.

Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified and regularly reviewed.

Appropriate contacts with relevant authorities shall be maintained.


Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.

The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes, and procedures for information security) shall be reviewed independently at planned intervals, or when significant changes to the security implementation occur.

6.2.2 External Parties

Objective: To maintain the security of the organisation’s information and information processing facilities that are accessed, processed, communicated to or managed by third parties.

The risks to the organization’s information and information processing facilities from business processes involving external parties shall be identified and appropriate controls implemented before granting access.

All identified security requirements shall be addressed before giving customers access to the organization’s information or assets.

Agreements with third parties involving accessing, processing, communicating or managing the organization’s information or information processing facilities, or adding products or services to information processing facilities, shall cover all relevant security requirements.

6.3 Asset Management

6.3.1 Responsibility for Assets

Objective: To achieve and maintain appropriate protection of organisational assets.

All assets shall be clearly identified and an inventory of all important assets drawn up and maintained.

All information and assets associated with information processing facilities shall be ‘owned’ by a designated part of the organization.

Rules for the acceptable use of information and assets associated with information processing facilities shall be identified, documented, and implemented.
