ISO 27001 - Annex A.6 - organisation of information security

What is Annex A.6?

According to the ISO 27001 standard, the purpose of Annex A.6 is to “establish a management framework to initiate and control the implementation & operation of information security within the organisation”. It is a critical component of the Information Security Management System (ISMS), especially if you want to attain ISO 27001 certification.

Annex A.6 is subdivided into two sections. Annex A.6.1 and Annex A.6.2. A.6.1 verifies that the organisation has obtained an ISO-compliant structure. Information security is made easier to install and maintain with the aid of this solution. A.6.2, on the other hand, focuses on mobile devices and remote working. This practice is mainly for those who work from home or while travelling, either part-time or full-time.

Annex A.6.1 : Internal Organisation

In Annex 6.1, the need for top management in the installation and control of the ISMS is reemphasized. Mainly, because there needs to be order and structure in the system operations in order to guarantee that it is effective.

Annex A.6.1.1: Information security roles and responsibilities

The management must define and approve all aspects of information security before they can be put into action. The obligations could be general (e.g., preserving information) or specific (e.g., enforcing confidentiality). The following tips can make understanding Annex 6.1.1 easier:

• According to ISO 27001 Annex 5.1.1, responsibility for information security should be assigned in accordance with the organisation's security policy.
• When determining the responsibility of types of information, it is important to take into account who owns certain information assets or categories of information assets.
• It is important that key staff members, such as CEOs, business owners, general managers, HR managers, and internal auditors, have access to information security.
• Responsibilities of individual asset security, information security risk management, and the execution of particular information security processes should all be outlined. Furthermore, local responsibility for asset protection and the implementation of particular security measures should be identified.
• Individuals who have been given responsibility for information security can delegate some of their duties to others. However, they are still accountable for ensuring that any activities outsourced by them are carried out appropriately.

Annex A.6.1.2: Segregation of duties

To minimise the chances of unauthorised or unintentional alteration or exploitation of the organisation's assets, it is necessary to divide conflicting duties and areas of responsibility.

Access, modification, and use of the assets will only be available to those who have been granted permission or authorisation. This allows you to distinguish between what happened and what was authorised. Controls should be designed with the possibility of collaboration in mind. Even if job division may be impossible for smaller organisations, the idea should be followed to the greatest extent possible. It is important to examine other options if segregation is not an option, such as task reporting, audit trails, and increased management oversight.

Annex A.6.1.3: Contact with authorities

Communication with the appropriate authorities must be kept open at all times. Processes should be put in place to define when and with whom officials should communicate and how identified information security violations will be reported as soon as possible by organisations.

Organisations that have been attacked over the internet may compel authorities to take counter-measures. Maintaining these connections may also be required in information security to assist incident management or business continuity and contingency planning operations. Contacts with regulatory authorities are also beneficial in predicting and planning for any changes in the rules or regulations that the organisation must enforce.

Annex A.6.1.4: Contact with interested groups

Special Interest Groups (SIGs) are communities inside larger organisations that have a common interest in a certain field of knowledge, learning, or technology. When working on a specific problem, the members can communicate, meet, and plan conferences to work together to find answers in their specific sector. Those who need access to the information should only be granted the authority to do so.

You should keep in mind that memberships in professional organisations, trade associations, discussion groups, and forums all count toward this control when customising it to fit your needs. It is critical to comprehend the nature of each of these organisations and the reasons for their formation.

Annex A.6.1.5: Information Security in project management

Information security should be integrated into the organisation's project management methods to guarantee that risks in information security are identified and responded to as part of a project's implementation. Whatever the project's goal, this approach may be used effectively.

During the ISO 27001 certification process, the auditor will be seeking to ensure that all personnel participating in projects are charged with considering information security at all phases of the project lifecycle. As stated in Annex A.7.2.2, education and awareness should also include this.

Annex A.6.2: Mobile devices and teleworking

According to Annex 6.2, organisations aiming to achieve ISO 27001 certification must have a security strategy for teleworking and mobile devices in place as a condition of compliance. BYOD (Bring Your Own Device) is an option. The whole mobile and networking infrastructure should be protected by a secure channel that eliminates the risk of information security breaches.

Annex A.6.2.1: Mobile device policy

This policy issue is becoming increasingly important beyond the typical usage of a cell phone as mobile devices grow increasingly intelligent. The usage of mobile devices and telework is both a fantastic opportunity for flexible working and a possible security risk.

BYOD is also a crucial factor in the decision-making process. There are significant advantages in allowing employees to bring their own devices to work, but without sufficient controls on usage and exit, the risks may be substantial as well.

When mobile devices are utilised or employees are working off-site, an organisation must ensure that its information and that of its customers and other interested parties is safeguarded and, if possible, under its control. When operating away from the organisation's physical premises, an auditor will want to examine these rules and procedures to ensure that information stays safe. The following is a list of some areas that these policies should cover:

• Restrictions on software installations
• Updated and patching applications on devices
• Malware and anti-virus solutions
• Log out, remote disabling and ‘find my device’ requirements
• Connectivity and trusted networks
• Use of the device in public places and on public connections
• Backup and storage
  

Annex A.6.2.2: Teleworking

One of the largest internal hazards to a company's data is posed by teleworking, remote working, or telecommuting especially in today's digital age, when commerce is increasingly conducted over the internet. While working remotely, auditors will check to determine if you have taken precautions to prevent data loss or harm.

When seeking certification, Annex 6 is important to implement. When all of these areas are well-covered, your firm is less likely to have data security loopholes.

Conclusion

Annex A.6 is among the ISO 27001 controls that must be implemented in order to be certified. It provides guidelines on how to implement and organise your information security measures efficiently. Whether your organisation is large or small, it is imperative in this digital age to take measures such as this to protect your information.

Interested in implementing ISO 27001 controls? Book an appointment and get in touch with us today.