Columns: Standard Section, Details, Category, Sub-cat

5 Information Security Policies

5.1 Management direction for information security

5.1.1 Policies for information security
  Details: Whether the organisation has comprehensive policies for information security that are approved by management, published and communicated to all employees and relevant external parties
  Category: Organization
  Sub-cat: ISMS policies

5.1.2 Review of the Information Security Policy
  Details: Whether the Security Policy has an owner defining responsibility for its maintenance and review according to a defined review process. Whether the process ensures that a review of supporting procedures and processes is undertaken if the policy changes
  Category: Organization
  Sub-cat: ISMS policies

6 Organisation of Information Security

6.1 Internal Organisation

6.1.1 Information security roles and responsibilities
  Details: Whether information security for information and IT assets has been assigned to individuals and acknowledged
  Category: People

6.1.2 Segregation of duties
  Details: Whether conflicting duties and areas of responsibility are segregated to reduce opportunities for unauthorised or unintentional modification or misuse of the organisation's assets
  Category: People

6.1.3 Contact with authorities
  Details: Whether there are policies or procedures in place that specify when and by whom authorities should be contacted
  Category: Services
  Sub-cat: Emergency, H&S, Utilities, telecom

6.1.4 Contact with special interest groups
  Details: Whether contacts with special interest groups or other specialist security forums and professional associations are maintained
  Category: Organization

6.1.5 Information security in project management
  Details: Whether information security is addressed in project management methodologies regardless of the type of project
  Category: Organization
  Sub-cat: Projects

6.2 Mobile devices and teleworking

6.2.1 Mobile device policy
  Details: Whether a formal policy is adopted to manage the risks introduced by using mobile devices
  Category: Hardware
  Sub-cat: Mobile devices

6.2.2 Teleworking
  Details: Whether there is any policy, procedure and/or standard to control teleworking activities; this should be consistent with the organisation's security policy. Whether the teleworking site is protected from theft and unauthorised access
  Category: Services
  Sub-cat: Branches

7 Human resources security

7.1 Prior to employment

7.1.1 Screening
  Details: Whether verification checks on permanent staff were carried out at the time of job applications. This should include character references, confirmation of claimed academic and professional qualifications and independent identity checks
  Category: People

7.1.2 Terms and conditions of employment
  Details: Whether the terms and conditions of employment cover the employee's responsibility for information security
  Category: People

7.2 During employment

7.2.1 Management Responsibilities
  Details: Whether managers are aware of their responsibilities with regard to ensuring that established policies and procedures are applied by external parties, contractors and employees
  Category: Organization
  Sub-cat: Management

7.2.2 Information security awareness, education and training
  Details: Whether employees, third parties and contractors receive appropriate awareness training and regular updates in organisational policies and procedures as relevant for their job function
  Category: People
  Sub-cat: Employees

7.2.3 Disciplinary process
  Details: Whether a formal and communicated disciplinary process is implemented to handle employees who have committed a security breach
  Category: People
  Sub-cat: Employees

7.3 Termination and change of employment

7.3.1 Termination or change of employment responsibilities
  Details: Whether a formal procedure exists for performing employment terminations or changes of employment and for assigning responsibility for this. This includes the requirement to maintain confidentiality after employment ceases
  Category: Organization
  Sub-cat: Employees

8 Asset management

8.1 Responsibility for assets

8.1.1 Inventory of Assets
  Details: Whether an inventory or register is maintained for assets associated with each information system
  Category: Hardware, Software, People, Network, Services, Organization

8.1.2 Ownership of assets
  Details: Whether a procedure exists to assign asset ownership at the time the asset is created or when assets are transferred to the organisation
  Category: Hardware, Software, People, Network, Services, Organization

8.1.3 Acceptable Use of Assets
  Details: Whether rules for acceptable use of information and assets associated with information processing are documented and implemented
  Category: People
  Sub-cat: Employees

8.1.4 Return of assets
  Details: Whether procedures have been implemented to ensure that organisational assets are returned as part of the termination process
  Category: Organization
  Sub-cat: Hardware, Software, People, Network, Services, Organization for employees, contractors, external parties

8.2 Information classification

8.2.1 Classification of information
  Details: Whether there is an information classification scheme or guideline in place which will assist in determining how the information is to be handled and protected
  Category: Hardware, Software, People, Network, Services, Organization

8.2.2 Labelling of information
  Details: Whether an appropriate set of procedures is defined for information labelling and handling in accordance with the classification scheme adopted by the organisation
  Category: Information
  Sub-cat: paper

8.2.3 Handling of assets
  Details: Whether procedures for handling assets have been established and implemented in accordance with the information classification scheme adopted by the organisation
  Category: Hardware, Software, People, Network, Services, Organization

8.3 Media handling

8.3.1 Management of removable media
  Details: Whether there exists a procedure for management of removable media in all its forms, particularly the use of devices that plug into a USB port. This includes backup media and CDs, DVDs and portable hard drives
  Category: Hardware
  Sub-cat: Removable Media

8.3.2 Disposal of media
  Details: Whether media that is no longer required is disposed of securely and safely. Whether the disposal of sensitive items is logged where necessary in order to maintain an audit trail
  Category: Media
  Sub-cat: Confidential media

8.3.3 Physical media in transit
  Details: Whether the security of media while being transported is taken into account. Whether the media is well protected from unauthorised access, misuse or corruption
  Category: Media containing Info
  Sub-cat: Backup media in transit, Paper

9 Access control

9.1 Business requirements of access control

9.1.1 Access Control Policy
  Details: Whether asset owners have determined appropriate access control rules, access rights and restrictions for specific user roles. The strictness of the access rules must reflect the associated information security risks
  Category: Organization

9.1.2 Access to networks and network services
  Details: Whether users are only able to gain access to the network (e.g. specific shares, menus etc.) or network services that they have been specifically authorised to use
  Category: Network
  Sub-cat: Network services

9.2 User access management

9.2.1 User registration and de-registration
  Details: Whether the organisation has a formal registration and de-registration procedure and documents where shared user IDs have been approved
  Category: Organization

9.2.2 User access provisioning
  Details: Whether there is a documented procedure for approving and setting up user access in accordance with access control policies. This should be based on job role requirements
  Category: Organization

9.2.3 Management of privileged access rights
  Details: Whether the allocation and use of any privileges in a multi-user information system environment is restricted and controlled, e.g. privileges are allocated on a need-to-use basis; privileges are allocated only after a formal authorisation process
  Category: Organization

9.2.4 Management of secret authentication information of users
  Details: The allocation and reallocation of secret authentication information (e.g. passwords) should be controlled through a formal management process. Whether the users are asked to sign a statement to keep this information confidential
  Category: Organization

9.2.5 Review of user access rights
  Details: Whether there exists a process to review user access rights at regular intervals, e.g. special privilege review every 3 months, normal privileges every 6 months
  Category: Organization

9.2.6 Removal or adjustment of access rights
  Details: Whether procedures are clearly established for removing access rights upon termination and adjusting access rights upon change of employment
  Category: Organization

9.3 User responsibilities

9.3.1 Use of secret authentication information
  Details: Whether there are any guidelines in place to guide users in selecting and maintaining secure passwords
  Category: Organization

9.4 System and application access control

9.4.1 Information access restriction
  Details: Whether access to information held in shares or applications is restricted based on need-to-know principles and documented in an access control statement
  Category: Network services
  Sub-cat: Shares, Applications

9.4.2 Secure log-on procedures
  Details: Whether access to the information system is attainable only via a secure log-on process
  Category: Network services

9.4.3 Password management system
  Details: Whether there exists a password management system that enforces various password controls such as individual passwords for accountability, enforced password changes, storing passwords in encrypted form, not displaying passwords on screen etc.
  Category: Network services

9.4.4 Use of privileged utility programs
  Details: Whether the utility programs that come with computer installations, but may override system and application controls, are tightly controlled
  Category: Network services
  Sub-cat: Software, Utility programs

9.4.5 Access to program source code
  Details: Whether there are controls in place to prevent the introduction of unauthorised functionality and unintentional changes, and to maintain the confidentiality of valuable intellectual property
  Category: Software
  Sub-cat: Source code/lib; program source code and associated items (such as designs, specifications, verification plans and validation plans)

10 Cryptography

10.1 Cryptographic controls

10.1.1 Policy on the use of cryptographic controls
  Details: Whether there is a policy in place for the use of cryptographic controls for protection of confidential or sensitive information
  Category: Network services
  Sub-cat: Information

10.1.2 Key Management
  Details: Whether a management system is in place to support the organisation's use of cryptographic techniques such as secret key techniques and public key techniques. Whether the key management system is based on an agreed set of standards and procedures
  Category: Network services
  Sub-cat: Information, Encryption keys

11 Physical and environmental security

11.1 Secure areas

11.1.1 Physical security perimeter
  Details: What physical security facilities have been implemented to protect the information processing service. Some examples of such security facilities are card-controlled entry gates, walls, manned reception etc.
  Category: Offices, Building perimeter, Datacenter

11.1.2 Physical entry controls
  Details: What entry controls are in place to allow only authorised personnel into various areas within the organisation
  Category: employees, contractors and external parties

11.1.3 Securing offices, rooms and facilities
  Details: Whether adequate physical security has been implemented based on the criticality and sensitivity of the information and the processing facility
  Category: offices, rooms and facilities

11.1.4 Protecting against external and environmental threats
  Details: Whether the organisation has considered the implementation of physical protection mechanisms against natural disasters, malicious attack or accident
  Category: Offices, Building perimeter, Datacenter

11.1.5 Working in Secure Areas
  Details: Whether there exist any security controls for third parties or for personnel working in secure areas
  Category: Archives, Secure areas

11.1.6 Delivery and loading areas
  Details: Whether the delivery and loading areas are isolated and secure to prevent unauthorised access to information processing facilities
  Category: Delivery and loading areas

11.2 Equipment

11.2.1 Equipment siting and protection
  Details: Whether the equipment was located to minimise unnecessary access into work areas. Whether the items requiring special protection were isolated to reduce the general level of protection required, including those relating to environmental threats
  Category: hardware
  Sub-cat: Datacenter

11.2.2 Supporting utilities
  Details: Whether the equipment is protected from power failures and other disruptions by using the likes of multiple feeds, uninterruptible power supply (UPS), backup generator and other supporting utilities
  Category: hardware
  Sub-cat: Datacenter

11.2.3 Cabling Security
  Details: Whether the power and telecommunications cables are protected from interception, interference or damage. Whether there are any additional security controls in place for sensitive or critical information systems
  Category: Cables
  Sub-cat: Network, Telephone, Power

11.2.4 Equipment maintenance
  Details: Whether the equipment is maintained as per the supplier's recommended service intervals and specifications. Whether the maintenance is carried out only by authorised personnel. Whether fault and maintenance logs are maintained
  Category: Hardware

11.2.5 Removal of assets
  Details: Whether equipment, information or software can be taken offsite without appropriate authorisation. Whether spot checks or regular audits were conducted to detect unauthorised removal of property
  Category: Organization
  Sub-cat: hardware

11.2.6 Security of equipment and assets off-premises
  Details: Whether any equipment usage outside the organisation's premises for information processing has to be authorised by management, with information security considerations taken into account for the different risks of working offsite
  Category: Organization
  Sub-cat: hardware

11.2.7 Secure disposal or re-use of equipment
  Details: Whether equipment or media is verified to ensure that any sensitive information, data or software is removed prior to disposal or re-use
  Category: Hardware
  Sub-cat: Storage media

11.2.8 Unattended user equipment
  Details: Whether the users and contractors are made aware of the security requirements and procedures for protecting unattended equipment, as well as their responsibility to implement such protection. Example: log off when the session is finished or set up automatic log-off
  Category: Hardware
  Sub-cat: Software

11.2.9 Clear desk and clear screen policy
  Details: Whether automatic computer screen locking and password-protected screen savers are enabled. Whether employees are advised to leave any confidential material in the form of paper documents, media etc. in a locked drawer or cupboard out of sight
  Category: Organization
  Sub-cat: removable storage

12 Operations security

12.1 Operational procedures and responsibilities

12.1.1 Documented operating procedures
  Details: Whether there are documented operating procedures to support operational activities associated with information processing and communication facilities, e.g. computer start-up and shut-down, backup, equipment maintenance etc.
  Category: Operational activities

12.1.2 Change management
  Details: Whether change management controls have been implemented to ensure satisfactory control of all changes
  Category: Organization
  Sub-cat: Business process

12.1.3 Capacity management
  Details: Whether the use of resources is monitored and tuned, and projections made of future capacity requirements to ensure systems continue to perform at optimum levels
  Category: Organization
  Sub-cat: Staff

12.1.4 Separation of development, testing and operational environments
  Details: Whether the development and testing facilities are isolated from operational facilities, e.g. development software should run on a different computer from the computer with production software. Development and production networks should be separate
  Category: Dev, Test, Operation environments

12.2 Protection from malware

12.2.1 Controls against malware
  Details: Whether adequate detection, prevention and recovery controls to protect against malware are implemented and combined with a high level of user awareness
  Category: Desktops
  Sub-cat: Servers

12.3 Backup

12.3.1 Information Backup
  Details: Whether backups of essential business information (e.g. production server, critical network components, configuration etc.) are taken regularly. Whether the backup media along with the restore procedure are stored securely and well protected
  Category: information
  Sub-cat: software

12.4 Logging and monitoring

12.4.1 Event logging
  Details: Whether systems are configured for recording user activities, exceptions, faults and information security events
  Category: Organization
  Sub-cat: software

12.4.2 Protection of Log Information
  Details: Whether log information and audit trails are adequately protected by security controls to prevent tampering
  Category: Organization
  Sub-cat: Audit Logs

12.4.3 Administrator and operator logs
  Details: Whether system administrator and system operator activities are logged and the logs protected and regularly reviewed
  Category: Organization
  Sub-cat: software

12.4.4 Clock Synchronisation
  Details: Whether the computer or communication device has the capability of operating a real-time clock; it should be set to an agreed standard such as Coordinated Universal Time or local standard time
  Category: Organization
  Sub-cat: software

12.5 Control of operational software

12.5.1 Installation of software on operational systems
  Details: Whether there are any controls in place for the implementation of software on operational systems. This is to minimise the risk of corruption of operational systems
  Category: Application
  Sub-cat: software

12.6 Technical vulnerability management

12.6.1 Management of technical vulnerabilities
  Details: Whether the organisation subscribes to any alerting services or receives advisory information about technical vulnerabilities, and whether technical staff use this information to mitigate potential risks to information systems
  Category: Network
  Sub-cat: hardware

12.6.2 Restrictions on software installation
  Details: Whether rules governing the installation of software by users have been established and implemented
  Category: hardware
  Sub-cat: Software

12.7 Information systems audit considerations

12.7.1 Information systems audit controls
  Details: Whether audit requirements and activities involving the verification of operational systems are carefully planned and carried out with minimal impact on business processes
  Category: Operational systems

13 Communications security

13.1 Network security management

13.1.1 Network controls
  Details: Whether there are controls implemented to ensure the security of information in networks and the protection of connected services from unauthorised access
  Category: Network

13.1.2 Security of network services
  Details: Whether security requirements to enable a service provider to manage agreed services in a secure way have been determined and are regularly audited and monitored
  Category: Network
  Sub-cat: Network services

13.1.3 Segregation in Networks
  Details: Whether the network is segregated appropriately to facilitate effective information security. This may relate to separate network domains based on entity, location, workgroup or technology considered less trusted
  Category: Networks
  Sub-cat: Websites

13.2 Information transfer

13.2.1 Information transfer policies and procedures
  Details: Whether there are procedures and controls in place to protect the transfer of information and whether staff are reminded to maintain the confidentiality of sensitive information while using technology such as email, phones, fax and voicemail
  Category: information
  Sub-cat: Email, Phone, Fax, voicemail, Video

13.2.2 Agreements on information transfer
  Details: Whether agreements address the secure transfer of business information between the organisation and external parties
  Category: Organization
  Sub-cat: External parties

13.2.3 Electronic Messaging
  Details: Whether there is a policy in place for the acceptable use of email, instant messaging and other electronic communications
  Category: information
  Sub-cat: Email

13.2.4 Confidentiality or non-disclosure agreements
  Details: Whether the requirements for confidentiality or non-disclosure are identified, reviewed, documented and reflect the organisation's needs for the protection of information
  Category: Organization

14 System acquisition, development and maintenance

14.1 Security requirements of information systems

14.1.1 Information security requirements analysis and specification
  Details: Whether information security related requirements are included in the requirements for new information systems or enhancements to existing information systems
  Category: Information systems
  Sub-cat: Software

14.1.2 Securing application services on public networks
  Details: Whether information involved in application services passing over a public network is well protected from fraudulent activity, contract dispute and unauthorised disclosure or modification
  Category: Information systems
  Sub-cat: Software

14.1.3 Protecting application services transactions
  Details: Whether application service transactions are adequately protected to prevent incomplete transmission, misrouting, message alteration, unauthorised disclosure etc.
  Category: Information systems
  Sub-cat: Application information

14.2 Security in development and support processes

14.2.1 Secure development policy
  Details: Whether security has been integrated in all phases of software development and documented in a secure development policy
  Category: Software
  Sub-cat: Application

14.2.2 System change control procedures
  Details: Whether there is evidence that major system changes are controlled by the use of formal change control procedures
  Category: Software
  Sub-cat: Application

14.2.3 Technical review of applications after operating platform changes
  Details: Whether there is a process or procedure in place to ensure application systems are reviewed and tested after changes to the operating system
  Category: Software
  Sub-cat: Application

14.2.4 Restrictions on Changes to Software Packages
  Details: Whether there are any restrictions in place to limit changes to software packages. Vendor-supplied software modifications should be made through standard maintenance. Changes to software developed in-house are subject to change control procedures
  Category: Software
  Sub-cat: Application

14.2.5 Secure system engineering principles
  Details: Whether principles and procedures for engineering secure systems have been established, documented, maintained and applied to any information system implementation efforts
  Category: Software
  Sub-cat: Application

14.2.6 Secure development environment
  Details: Whether the organisation has appropriately assessed the risks associated with individual system development and integration efforts that cover the entire system development lifecycle
  Category: Software
  Sub-cat: Application

14.2.7 Outsourced development
  Details: Whether there are controls in place over outsourced software. The points to be noted include: licensing arrangements, escrow arrangements, contractual requirements for quality assurance, testing before installation to detect malware
  Category: Software
  Sub-cat: Application

14.2.8 System security testing
  Details: Whether a procedure for testing is included in software development projects, including test inputs and expected outputs under a range of conditions, and whether this is appropriate to the criticality of the application
  Category: Software
  Sub-cat: Application

14.2.9 System acceptance testing
  Details: Whether acceptance testing programs have been established for new information systems, upgrades and new versions
  Category: Software
  Sub-cat: Application

14.3 Test data

14.3.1 Protection of test data
  Details: Whether system test data is protected and controlled. The use of operational databases containing personal information should be avoided for test purposes. If such information is used, the data should be depersonalised before use

15 Supplier relationships

15.1 Information security in supplier relationships

15.1.1 Information security policy for supplier relationships
  Details: Whether there is a policy for addressing supplier access to the organisation's information based on the organisation's access control criteria
  Category: Organization
  Sub-cat: Suppliers

15.1.2 Addressing security within supplier agreements
  Details: Whether the requirements for security have been established and agreed with individual suppliers that may access, process, store, communicate or provide IT infrastructure components for the organisation's information
  Category: Organization
  Sub-cat: Suppliers

15.1.3 Information and communication technology supply chain
  Details: Whether documented agreements with suppliers include requirements to address information security risks associated with the information and communications technology services and product supply chain
  Category: Organization
  Sub-cat: Suppliers

15.2 Supplier service delivery management

15.2.1 Monitoring and review of supplier services
  Details: Whether there are procedures in place to ensure the audit and monitoring of supplier service delivery, and evidence that monitoring has taken place
  Category: Organization
  Sub-cat: Suppliers

15.2.2 Managing changes to supplier services
  Details: Whether there are management procedures for authorising and implementing changes to supplier services, including whether information security policies, procedures and controls are managed in accordance with the information's classification
  Category: Organization
  Sub-cat: Suppliers

16 Information security incident management

16.1 Management of information security incidents and improvements

16.1.1 Responsibilities and procedures
  Details: Whether management responsibilities and procedures have been established to ensure a quick, effective and orderly response to information security incidents
  Category: Organization

16.1.2 Reporting information security events
  Details: Whether a formal reporting procedure exists to report security incidents through appropriate management channels as quickly as possible
  Category: Organization

16.1.3 Reporting information security weaknesses
  Details: Whether a formal reporting procedure or guideline exists for users to report security weaknesses in, or threats to, systems or services
  Category: Organization

16.1.4 Assessment of and decision on information security events
  Details: Whether there is a procedure for assessing information security problems and issues and classifying them as information security incidents
  Category: Organization

16.1.5 Response to information security incidents
  Details: Whether there are documented procedures in place for responding to an information security incident
  Category: Organization

16.1.6 Learning from Incidents
  Details: Whether there are mechanisms in place to enable the types, volumes and costs of incidents and malfunctions to be quantified and monitored
  Category: Organization

16.1.7 Collection of Evidence
  Details: Whether procedures for the identification, collection, acquisition and preservation of information which can serve as evidence are documented and known by staff
  Category: Organization

17 Information security aspects of business continuity management

17.1 Information security continuity

17.1.1 Planning information security continuity
  Details: Whether the organisation has determined its requirements for information security and the continuity of information security management in adverse situations, in accordance with ISO 22301 and ISO 22313
  Category: Organization

17.1.2 Implementing information security continuity
  Details: Whether the organisation has documented processes, procedures and controls that are regularly maintained and implemented to ensure an appropriate level of business continuity during an adverse situation
  Category: Organization

17.1.3 Verify, review and evaluate information security continuity
  Details: Whether information security continuity controls are reviewed at regular intervals to ensure that they are valid and effective during adverse situations
  Category: Organization

17.2 Redundancies

17.2.1 Availability of information processing facilities
  Details: Whether consideration has been given to the resilience of information systems and, where availability cannot be guaranteed using the existing systems architecture, to redundant components or architecture to guarantee business continuity
  Category: Organization
  Sub-cat: Information systems

18 Compliance

18.1 Compliance with legal and contractual requirements

18.1.1 Identification of applicable legislation and contractual requirements
  Details: Whether all relevant statutory, regulatory and contractual requirements were explicitly defined and documented for each information system. Whether specific controls and individual responsibilities to meet these requirements were defined and documented
  Category: Organization

18.1.2 Intellectual Property Rights (IPR)
  Details: Whether there are procedures to ensure compliance with legal restrictions on the use of material in respect of which there may be intellectual property rights, such as copyright, design rights, trade marks
  Category: software or document
  Sub-cat: copyright, design rights, trademarks, patents and source code licences

18.1.3 Protection of records
  Details: Whether important records of the organisation are protected from loss, destruction, falsification, unauthorised access and unauthorised release
  Category: Organization
  Sub-cat: Information

18.1.4 Privacy and protection of personally identifiable information
  Details: Whether there is a policy and appropriate procedures and controls in place to protect the privacy of personal information in accordance with legislation and regulation
  Category: Information

18.1.5 Regulation of Cryptographic Controls
  Details: Whether effective regulation of cryptographic controls is demonstrated in accordance with relevant agreements, legislation and regulations
  Category: Encryption controls
  Sub-cat: Keys

18.2 Information security reviews

18.2.1 Independent review of information security
  Details: Whether policies, processes, procedures, controls and control objectives are subject to regular independent reviews at planned intervals or when significant changes occur
  Category: control objectives, controls, policies, processes and procedures for information security

18.2.2 Compliance with security policies and standards
  Details: Whether information systems were regularly checked for compliance with security implementation standards by managers
  Category: Organization

18.2.3 Technical compliance review
  Details: Whether technical security reviews are carried out either manually or using automated tools to confirm information security objectives are achieved, e.g. penetration testing and vulnerability assessments
  Category: Information systems

Sub-cat entries detached from the table (row not recoverable):
Partners
Third parties, Contractors
Contractor
External parties
Datacenters, Secure offices
information, software
Copiers/Printer
papers
Hardware Facilities
Office Facilities
system images
Hardware, Personnel
Hardware
Software
Network
Network services
Public apps, Wireless, External
websites
OS
Information systems
Paper
Certificates
