An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information so that it remains secure. It encompasses people, processes and IT systems.
ISO stands for International Organization for Standardization.
ISO/IEC 27001:2013 is the latest International Standard an organization must be measured against to implement a successful ISMS. It helps identify, manage and minimize the range of threats to which information is regularly subjected.
- Demonstrates the company's commitment to protecting information
- Improved customer, employee and partner confidence
- Improved information security throughout the organization
- Improved security planning
- Security management effectiveness
- Ongoing protection of information
- Reduced risk to information
The objective of having an organizational information security framework is to help achieve an effective and efficient way of managing information security within the organization. A management framework shall be established to manage and control activities related to information security within the organization.
A Security Management Forum consisting of the leadership team shall be established to approve the information security policy, assign security roles and co-ordinate the implementation of security across the organization.
An information security advisory forum shall be established and made available within the organization. Contacts with external security specialists shall be developed to keep up with industry trends and to monitor standards and assessment methods. This would help to apply the latest countermeasures while dealing with security incidents.
A multi-disciplinary approach to information security should be encouraged, e.g. involving the co-operation and collaboration of managers, users, administrators, application designers, auditors and security staff, and specialist skills in areas such as Legal, Business Continuity Planning, insurance and risk management.
There is a need to define the roles and responsibilities of the individual functions so as to cover the entire spectrum of information security. This would help establish accountability and streamline operations.
TABLE OF CONTENTS
DOCUMENT HISTORY AND RETENTION
DOCUMENTATION APPROVAL
DISTRIBUTION LIST
TABLE OF CONTENTS
1. INTRODUCTION
2. LINE OF BUSINESS
3. ORGANIZATION STRUCTURE
3.1 DEVELOPMENT
3.2 INTEGRATION
3.3 PROJECT MANAGEMENT
3.4 PRODUCT MANAGEMENT
3.5 RELEASE & CONFIGURATION MANAGEMENT
3.6 CUSTOMER HELP DESK AND TECHNICAL SUPPORT
3.7 SETUP & IMPLEMENTATION
3.8 SALES AND ACCOUNT MANAGEMENT
3.9 PR & MARKETING
3.10 INFORMATION TECHNOLOGY
3.11 HUMAN RESOURCE
3.12 ADMIN
3.13 FINANCE
4.1 UNDERSTANDING THE ORGANISATION AND ITS CONTEXT – CLAUSE 4
4.2 UNDERSTANDING THE NEEDS AND EXPECTATIONS OF INTERESTED PARTIES – CLAUSE
4.3 DETERMINING THE SCOPE OF THE ORGANISATION SECURITY MANAGEMENT SYSTEM – CLAUSE
4.4 INFORMATION SECURITY MANAGEMENT SYSTEM – CLAUSE
5. LEADERSHIP – CLAUSE
5.1 LEADERSHIP AND COMMITMENT – CLAUSE
5.2 POLICY – CLAUSE
5.3 ORGANISATIONAL ROLES, RESPONSIBILITY AND AUTHORITIES – CLAUSE
6. PLANNING – CLAUSE
6.1 ACTIONS TO ADDRESS RISKS AND OPPORTUNITIES – CLAUSE
6.1.1 General – Clause
6.1.2 Information security risk assessment – Clause
6.1.3 Information security risk treatment – Clause
6.2 INFORMATION SECURITY OBJECTIVES AND PLANNING TO ACHIEVE THEM – CLAUSE
7. SUPPORT – CLAUSE
7.1 RESOURCES – CLAUSE
7.2 COMPETENCE – CLAUSE
7.3 AWARENESS – CLAUSE
7.4 COMMUNICATION – CLAUSE
7.5 DOCUMENTED INFORMATION – CLAUSE
7.5.1 General – Clause
7.5.2 Creating and updating – Clause
7.5.3 Control of documented information – Clause