In our last blog we have discussed, ISO Controls for Annex A:5 regarding Information security Today, we will explore more on the Annex A:6, which is all about the internal organization. The major objective in this Annex A: 6 is to establish a management framework to initiate and control the implementation of an effective information security management system. It also helps to guide the operation of information security within the organisation in a direction that encourages the best practices of cyber security to be implemented in your organisation to inspire customer confidence and meet all necessary regulatory requirements.
It is highly recommended to learn about ISMS controls, especially if you’d like to achieve ISO 27001 certification. Let’s first gain an understanding of these requirements, and how can they benefit your organization, and determine exactly what is Annex A:6.
What is Annex A:6?
As per the ISO 27001 Standard, the purpose of Annex A:6 is:
To establish a management framework to initiate and control the implementation & operation of information security within the organization.
It’s subdivided into two sections Annex A.6.1 ensuring that the organization has acquired a framework under ISO standards. It helps in the implementation and maintenance of information security within the organization. Meanwhile, Annex A.6.2 addresses mobile devices and remote working. It’s designed for anyone who works from home or on the go – either part-time or full-time – follows appropriate practices.
A.6.1.1 Information security roles and responsibilities
All information security and its responsibilities need to be defined and approved by the management. The responsibilities can be general (e.g. protecting information) or specific (e.g. the responsibility for accessing particular permissions). Tips to understand Annex 6.1.1 incude:
- Consideration should be given to the ownership of information assets or groups of assets when identifying responsibilities.
- Access to information security should be granted to relevant staff members for eg; CEOs, Business Owners, General Manager; HR managers; and Internal auditors.
- The auditor will be looking to gain confidence that the organization has made clear who is responsible for, and what is adequate according to the size and nature of the organization.
For smaller organisations, it is generally unrealistic to have full-time roles associated with these roles and responsibilities. To protect information security one can choose relevant authority with in the organisation to-hold the responsibly and implementing the process.
A.6.1.3 Contact with Authorities
The auditor or the Security officer must maintain contact with relevant authorities. When applying this control always consider to think about the legal responsibilities of contracting authorities. All the duties and responsiblities should be segregated to reduce unauthorised access in the organisation.
A.6.1.4 Contact with Special Interest Groups
A Special Interest Group (SIG) is a community within a larger organization with a shared interest in having a specific area of knowledge, learning, or technology. The members shall cooperate to affect or to produce solutions within their particular field, and may communicate, meet, and organize conferences.These contacts should only be given appropriate authority to access the information security.
A.6.1.5 Information Security in Project Management
Information security needs to be presented to project management, regardless of the type of project. Information Security should be hidden in the group of the organization and project management. The auditor will assess the people involved in projects to consider information security at all stages. This should also be covered as part of the education and awareness in line with HR Security for A.7.2.2.
A.6.2 Mobile devices and remote working
Annex 6.2 says, any organization that is looking to achieve ISO 27001, must maintain a policy of security of teleworking and mobile devices. The electronic device could be your’s or employee’s BYOD. All the mobile and networking should be covered under a secure channel where the threat of information security can be eliminated.