ISO 27001 Information Security Management Standard - Clause A6

Posted by Craig Thornton

Part 25 - Clause A6 Organisation of information security

Clause A6 of Annex A of the ISO 27001 standard is there to establish a management framework for initiating and controlling information security within the organisation, so it is more about background and structure than about technical controls.

It is a bit of a "hodgepodge" of requirements, and the requirements don't seem to have much to do with one another, but there you go.

It covers disparate requirements such as: roles and responsibilities, segregation of duties, contact with authorities, contact with special interest groups, information security in project management, mobile devices and teleworking.

In any case, the clause is split into two sub-clauses: A6.1 Internal organisation and A6.2 Mobile devices and teleworking.


A6.1 Internal Organisation

Sub-clause A6.1 covers the internal organisation requirements.

It starts with responsibilities. As with any management system, being really clear about everyone's roles, responsibilities and authorities is key to having a successful system. I have written about roles, responsibilities and authorities previously, in Part 16 of this series on Clause 5.3.

Next up, and closely related to being clear about responsibilities, is segregation of duties. The standard spells out that conflicting duties and areas of responsibility are segregated to "reduce opportunities for unauthorised or unintentional modification or misuse of the organisation's assets". In practice this means no single person should be able to both initiate and approve a sensitive action, or both make a change and sign it off, so make sure your system actually separates those duties, not just on paper but in the access people really hold.
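The segregation-of-duties requirement is easy to state and easy to break quietly, because a person can accumulate both halves of a conflict through two individually harmless roles. The following is an added example, not Mango's code and not anything from the standard itself: a small Python check that evaluates a constructed role model against a set of assumed conflict rules and reports both "toxic" roles (a single role bundling conflicting permissions) and users whose combined roles create a conflict. The role names, permission names, users and conflict rules are all constructed sample data for the illustration.

```python
"""Segregation-of-duties (SoD) conflict check over a constructed access model.

Added example for the A6.1.2 discussion; it is not Mango's code. The roles,
permissions, users and conflict rules below are constructed sample data.
"""

# Pairs of permissions that should never be held by one person. These are
# assumed rules for the example; real ones come from the risk assessment.
CONFLICT_RULES = {
    ("payment.create", "payment.approve"): "initiate and approve payments",
    ("code.commit", "deploy.production"): "write code and deploy it to production",
    ("user.create", "access.approve"): "create accounts and approve their access",
    ("log.write", "log.delete"): "generate and destroy audit logs",
}

# Constructed role definitions: role name -> set of permissions.
ROLES = {
    "accounts_payable": {"payment.create", "invoice.read"},
    "finance_manager": {"payment.approve", "invoice.read"},
    "developer": {"code.commit", "code.review"},
    "release_engineer": {"deploy.production", "code.review"},
    "it_helpdesk": {"user.create", "password.reset"},
    "access_approver": {"access.approve"},
    # A single role that bundles both sides of a conflict (a "toxic" role).
    "log_admin": {"log.write", "log.delete"},
}

# Constructed user -> roles assignments.
ASSIGNMENTS = {
    "alice": ["accounts_payable"],
    "bob": ["finance_manager"],
    # carol accumulates a conflict across two otherwise clean roles.
    "carol": ["developer", "release_engineer"],
    "dave": ["it_helpdesk"],
    "erin": ["log_admin"],
}


def effective_permissions(user, assignments=ASSIGNMENTS, roles=ROLES):
    """Union of permissions across every role the user holds.

    An undefined role raises rather than silently granting nothing, so a
    typo in the assignments cannot hide a conflict from the review.
    """
    perms = set()
    for role in assignments[user]:
        if role not in roles:
            raise KeyError(f"user {user!r} assigned undefined role {role!r}")
        perms |= roles[role]
    return perms


def conflicts_in(perms, rules=CONFLICT_RULES):
    """Return the (perm_a, perm_b) rule keys violated by a permission set."""
    return sorted(pair for pair in rules if pair[0] in perms and pair[1] in perms)


def toxic_roles(roles=ROLES, rules=CONFLICT_RULES):
    """Roles that violate a rule on their own: these are fixed at role level."""
    return {name: conflicts_in(perms, rules) for name, perms in roles.items()
            if conflicts_in(perms, rules)}


def sod_violations(assignments=ASSIGNMENTS, roles=ROLES, rules=CONFLICT_RULES):
    """Map each user with a conflict to the rules they violate.

    Works on effective permissions, so it catches both toxic roles and
    conflicts that only appear when several roles are combined, which a
    role-by-role review would miss.
    """
    findings = {}
    for user in sorted(assignments):
        hits = conflicts_in(effective_permissions(user, assignments, roles), rules)
        if hits:
            findings[user] = hits
    return findings


def report(findings, rules=CONFLICT_RULES):
    """Human-readable lines suitable for the ISMS review record."""
    return [f"{user}: can {rules[pair]} ({pair[0]} + {pair[1]})"
            for user, pairs in findings.items() for pair in pairs]


if __name__ == "__main__":
    print("Toxic roles:", toxic_roles())
    for line in report(sod_violations()):
        print("VIOLATION", line)
```

Run against the sample data, the check flags `carol` (developer plus release engineer gives commit and production deploy together) and `erin` (the `log_admin` role is itself toxic), while `alice` and `bob`, who each hold only one side of the payments conflict, pass. Running this kind of check on a schedule over the real identity provider's group membership, rather than once at role design time, is what turns the A6.1.2 requirement into evidence an auditor can look at.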

Next, the standard requires you to maintain appropriate contacts with relevant authorities and with special interest groups. For Mango, we have a direct link with CERT NZ, the Government cyber-security agency here in New Zealand. Plus we are part of the local Tech Society to keep ourselves abreast of the latest tech news and developments.

Then there is the requirement that information security shall be addressed in project management, whatever the type of project. This is good practice anyway. Here at Mango, information security is considered at each of our development, implementation and support stages.

A6.2 Mobile devices and teleworking

The increasing use of mobile devices in business can be a significant risk. As more and more applications move to mobile, keeping the information on those devices secure is an ongoing problem. A few things we did here at Mango were:

  1. Increase the strength of passwords
  2. Move to 2-factor authentication
  3. Regularly update the apps
  4. Check the app privacy

For teleworking staff here at Mango we reviewed and updated our policies and procedures for keeping them secure and well protected.

Takeaways

  1. Be clear about roles, responsibilities and authorities
  2. Make sure conflicting duties are segregated, and check the access people actually hold
  3. Maintain contact with relevant authorities and special interest groups
  4. Ensure information security is covered off in project management
  5. Put strong controls in place for mobile devices and teleworkers

View previous blogs in this series "ISO 27001 Information Security Management Standard":

Part 1 - Reasons why you need to meet this standard

Part 2 - Principle 1 - Analysing the Protection of Your Information and then Applying Controls

Part 3 - Principle 2 - Awareness of the Need for Information Security

Part 4 - Principle 3 - Assignment of Responsibility for Information Security

Part 5 - Principle 4 - Incorporating Management Commitment and the Interests of Stakeholders

Part 6 - Principle 5 - Enhancing Societal Values

Part 7 - Principle 6 - Risk assessments determining appropriate controls to reach acceptable levels of risk

Part 8 - Principle 7 - Security incorporated as an essential element of information networks and systems

Part 9 - Principle 8 - Active prevention and detection of information security incidents

Part 10 - Principle 9 - Ensuring a comprehensive approach to information security management

Part 11 - Principle 10 - Continual reassessment of information security and making of modifications as appropriate

Part 12 - ISO 27001 Information Security Management Standard: Clauses 0, 0.1, 0.2, 1, 2 and 3

Part 13 - ISO 27001 Information Security Management Standard: Clauses 4.1, 4.2, 4.3 and 4.4

Part 14 - ISO 27001 Information Security Management Standard: Clause 5.1

Part 15 - ISO 27001 Information Security Management Standard: Clause 5.2

Part 16 - ISO 27001 Information Security Management Standard: Clause 5.3

Part 17 - ISO 27001 Information Security Management Standard: Clause 6.1

Part 18 - ISO 27001 Information Security Management Standard: Clause 6.2

Part 19 - ISO 27001 Information Security Management Standard: Clauses 7.1 - 7.4

Part 20 - ISO 27001 Information Security Management Standard: Clause 7.5

Part 21 - ISO 27001 Information Security Management Standard: Clauses 8.1, 8.2, 8.3

Part 22 - ISO 27001 Information Security Management Standard: Clauses 9.1, 9.2, 9.3

Part 23 - ISO 27001 Information Security Management Standard: Clauses 10.1, 10.2

Part 24 - ISO 27001 Information Security Management Standard: Clause A5.1

Tags: Cybersecurity, ISO 27001, information security, ISO 27001 Certification