MWMPL

INFORMATION SECURITY MANAGEMENT SYSTEM (MANUAL)

Manak Waste Management Pvt Ltd

Document Details
Document Name: Information Security Management System (ISMS) Manual
Document Number: MMWPL_ISMS_V0.1_9th July’20
Current Version: Released Version 0.1
Date of release:
Document Classification: Confidential

Document History
Version | Date | Created by | Reviewed by | Approved by

References
No. | Reference | Title | Remarks
1 | ISO Framework | ISO 27001 |

A current version of this document is available only to authorized members of MWMPL.

This manual was approved by the CTO on <> and is issued on a version-controlled basis
under his signature.

Strictly NO Uncontrolled Distribution



PREAMBLE
This Information Security Management System (ISMS) manual and all related documentation,
viz. the Scope, Risk Assessment and Treatment Methodology, Statement of Applicability, relevant
ISMS policies and Operational Control Procedures, have been authored by the Management
Representative (MR).
The Core Group has been formed from members drawn from the Organization’s cross-functional
teams to provide the requisite support to the MR in preparing the ISMS documents and in
implementing and maintaining the ISMS subsequently.
Members of the Steering Committee (SC) have been involved in the ISMS documentation phase to
provide the MR with management support and coordination. Steering Committee members have
reviewed the ISMS documentation and, based on their recommendation, the CTO (Manak Waste
Management Pvt. Ltd.) has approved the ISMS documentation.
It is the responsibility of the MR to release these documents in a version-controlled manner to all
stakeholders. The MR shall maintain control of revision updates.
The CTO – MWMPL, by putting his signature to this Preamble, approves the ISMS documents to
be released by the MR for implementation and maintenance.

Date: Mr. Amit Sethi, CTO



DOCUMENT REVISION HISTORY

Revision | Date | Author(s) | Revision Notes | Approved by

DISTRIBUTION LIST
• Management Representative (Master Copy)
• Others on request – Copy

LIST OF ABBREVIATIONS
Abbreviation – Description

BCM – Business Continuity Management
DRP – Disaster Recovery Plan
IEC – International Electrotechnical Commission
IM – Incident Management
IPR – Intellectual Property Rights
IS – Information Security
ISIC – Information Security Implementation Committee
ISMS – Information Security Management System
ISO – International Organization for Standardization
IT – Information Technology
MR – Management Representative
MRM – Management Review Meeting
MWMPL – Manak Waste Management Pvt Ltd.
NC – Non-Conformity
NDA – Non-Disclosure Agreement
PT – Penetration Testing
RA – Risk Assessment
RTP – Risk Treatment Plan
SoA – Statement of Applicability
VA – Vulnerability Assessment

1 INTRODUCTION
General
This manual specifies the requirements for establishing, implementing, monitoring, reviewing,
maintaining and improving a documented ISMS within the context of the overall business
requirements of the Organization – Manak Waste Management Pvt. Ltd. division. This is further
elaborated in section 5.1.1 of this manual and forms the basis for implementing security
controls customized to the needs of the Organization – Manak Waste Management Pvt. Ltd.
division.

The ISMS is designed to ensure adequate and appropriate security controls that maintain the
Confidentiality, Integrity and Availability (CIA) of information assets and information
processing facilities.

Refer ‘MANAK WASTE MANAGEMENT PVT. LTD./M/004: Statement of Applicability (SoA)’ for
details on the applicability of ISMS controls, with rationale, and the exclusion of ISMS controls,
with justification.

List of Abbreviations Used

The abbreviations used in the ISMS documentation are given in the LIST OF ABBREVIATIONS
at the front of this manual.

2 SCOPE OF ISMS MANUAL

This manual meets the requirements to plan, establish, implement, operate, monitor, review,
maintain and continually improve a documented Information Security Management System
(ISMS) within the context of operations at the Organization – Manak Waste Management Pvt. Ltd.
division, operating from the Gurgaon location, and covers all business assets and associated
infrastructure for the security of information and information processing facilities.

Within the management system for information security, the manual covers the assessment and
treatment of information security risks tailored to the operations and maintenance needs of the
Organization – Manak Waste Management Pvt. Ltd. division.

Refer ‘MANAK WASTE MANAGEMENT PVT. LTD./M/001: Information Security Management
System SCOPE DOCUMENT’ for details on the applicable organizational scope and boundaries.

3 REFERENCES
The following documents are referred to for establishing and maintaining this manual:

• ISO/IEC 27001:2013, Information technology – Security techniques – Information
security management systems – Requirements
• ISO/IEC 27002:2013, Information technology – Security techniques – Code of practice
for information security controls

4 TERMS AND DEFINITIONS

• Asset – Anything that has value to the organization.
• Availability – The property of being accessible and usable upon demand by an
authorized entity.
• Business Continuity Plan (BCP) – A plan that builds in appropriate redundancies and
provides for contingencies so as to ensure continuity of business.
• Computer Media – All devices that can electronically store information, including but
not limited to diskettes, CDs, tapes, cartridges and portable hard disks.
• Confidentiality – Ensuring that information is accessible only to those authorized to have
access.
• Continual Improvement – Staged improvement programs in which phases of rapid
improvement alternate with intermediate phases of stabilization.
• Control – A mechanism or procedure implemented to satisfy a control objective.
• Control Objective – A statement of intent with respect to a domain over some aspects of
an organization’s resources or processes. In terms of a management system, control
objectives provide a framework for developing a strategy for fulfilling a set of security
requirements.
• Disaster Recovery (DR) – A plan for the early recovery of business operations in the
event of an incident that prevents normal operation.
• Fallback – Provisions to provide service in the event of failure of computing or
communications facilities.
• Information Security – Preservation of the Confidentiality, Integrity and Availability
of information.
• Information Security Event – An identified occurrence of a system, service or network
state indicating a possible breach of information security policy or failure of safeguards,
or a previously unknown situation that may be security relevant.
• Information Security Incident – A single or a series of unwanted or unexpected
information security events that have a significant probability of compromising business
operations and threatening information security.
• Information Security Management System (ISMS) – That part of the overall management
system, based on a business risk approach, that establishes, implements, operates, monitors,
reviews, maintains and improves information security. The management system includes
organizational structure, policies, planning activities, responsibilities, practices,
procedures, processes and resources.
• Integrity – Safeguarding the accuracy and completeness of information and processing
methods.
• Organization – Refers to the Organization – Manak Waste Management Pvt. Ltd. division,
unless specified otherwise.
• PDCA – Refers to the Plan-Do-Check-Act model applied to ISMS processes.
• Risk – The combination of the probability of an event and its consequence.
• Residual Risk – The risk remaining after risk treatment.
• Risk Acceptance – Decision to accept a risk.
• Risk Analysis – Systematic use of information to identify sources of risk and to estimate
the risk.
• Risk Assessment – Overall process of risk analysis and risk evaluation.
• Risk Evaluation – Process of comparing the estimated risk against given risk criteria to
determine the significance of the risk.
• Risk Management – Coordinated activities to direct and control an organization with
regard to risk.
• Risk Treatment – Process of selection and implementation of measures to modify risk.
• Statement of Applicability – Document describing the control objectives and controls
that are relevant and applicable to the Organization – Manak Waste Management Pvt. Ltd.
division’s ISMS, based on the results and conclusions of the Risk Assessment and Risk
Treatment process. It shall clearly indicate exclusions with appropriate reasons.

5 CONTEXT OF THE ORGANIZATION

5.1 Understanding the Organization and Its Context
5.1.1 Organization Background and a brief about the Organization – MANAK WASTE
MANAGEMENT PVT. LTD. division
Manak Waste Management Pvt. Ltd. – operating from the Gurgaon location

The domains / areas of operation of Manak Waste Management Pvt. Ltd. are well established
and enumerated below:

Manak Waste Management Pvt. Ltd. offers a variety of e-solutions to businesses worldwide,
with core competencies in device diagnostic services and data wipe services, which can be
customized as per client requirements.

The Organization’s Quality Assurance Team evaluates the work of all divisions to verify and
validate it for use, and spearheads the development, maintenance and institutionalization of
its defined Management Systems for Quality and Information Security.

Implementation of the ISMS has been taken up as the first agenda item, to provide assurance
to customers and stakeholders that good security practices are in place.

Refer ‘MWMPL/Doc No: Information Security Management System SCOPE DOCUMENT’,
section 2, for details on business operations and characteristics.

5.1.2 Operational Processes of MANAK WASTE MANAGEMENT PVT. LTD. and their Interactions
(Process Stream diagram)
Refer the ISMS Scope (MWMPL/Doc No) document.

• For operational processes and their interactions, both within and external to the MANAK
WASTE MANAGEMENT PVT. LTD. division, refer section 2 of ‘MWMPL/Doc No:
Information Security Management System SCOPE DOCUMENT’.
• For scoping purposes, refer section 5.3 of this manual.

5.1.3 Internal and External Issues

Issues, external and internal, relevant to the operations of the MANAK WASTE MANAGEMENT
PVT. LTD. division that can affect the ability to achieve the intended ISMS outcome(s) have
been identified and include, but are not limited to, the following:

Internal issues:

• Attrition of key personnel (resignation / transfer)
• Failure of systems (hardware, operating system, network) and / or applications
• Infrastructure failures
• Capacity bottlenecks
• Internal losses and inefficiencies
• Insider problems
• Inability to meet customer / end-customer expectations
• Failure to comply with laws and regulations

External issues:

• Operational changes introduced by the Organization – Manak Waste Management Pvt. Ltd.
division
• New / changed laws & regulations affecting end-consumers
• Increasing costs
• Natural disasters and environmental threats such as pandemics, fire, earthquake, etc., and
man-made disasters such as terrorism, war, etc.

5.2 Understanding the Needs and Expectations of Interested Parties

The Organization – Manak Waste Management Pvt. Ltd. division has determined the needs and
expectations of interested parties through a process of discussion with, and understanding of,
all involved parties. These requirements are under constant review and are changed as
required.

1. Employees
   Needs & Expectations: Employees expect a safe & secure environment, job satisfaction,
   timely payment of salary & increments and career enhancement opportunities. As the
   information of the Organization MWMPL is spread among the workforce, preservation of
   CIA is an issue.
   Compliances & Communications: Compliance status of statutes such as the Minimum Wages
   Act, IT Act, etc.
   Executive Responsible: HAF

2. Senior Management
   Needs & Expectations: Information security compliance status.
   Compliances & Communications: Compliance status of Information Security Policies, ISMS
   internal & external audits, assessments, incidents, events and improvements. Establishing
   the criteria to evaluate risks; approval of residual risks; identification of any potential
   threats & vulnerabilities and changes to them.
   Executive Responsible: Management Representative

3. Vendors
   Needs & Expectations: Vendors providing IT support, network bandwidth, resources, etc.
   Non-Disclosure Agreements with respect to vendors have been obtained.
   Compliances & Communications: Compliance to SLAs / Master Services Agreement.
   Executive Responsible: HAF

4. Partners
   Needs & Expectations: Partners using our services expect delivery as per the agreed quality
   and timelines. Non-Disclosure Agreements with respect to customers have been obtained.
   Compliances & Communications: Compliance to SLAs / Master Services Agreement.
   Executive Responsible: MWMPL

5. Customers
   Needs & Expectations: Customers using our services directly or indirectly expect services
   as promised, and data protection & privacy.
   Compliances & Communications: Compliance status of Information Security Policies & other
   data protection / privacy policies.
   Executive Responsible: MWMPL

6. Other Govt. Agencies / Investors
   Needs & Expectations: They may inspect us periodically to evaluate compliance to policies
   & procedures.
   Compliances & Communications: Inspection / Audit Policy.
   Executive Responsible: Top Management MWMPL

5.3 Determining the Scope of the ISMS

Based on the external and internal issues (as per section 5.1.3 above), the interfaces and
dependencies between activities (identified in section 5.1.2 above), and the requirements
stated (as per section 5.2 above), the scope of the ISMS at the Organization – Manak Waste
Management Pvt. Ltd. division has been determined and the scope statement documented in
the ISMS Scope document (MANAK WASTE MANAGEMENT PVT. LTD./M/001), section 3.1.

The boundaries of the ISMS implementation, along with the main activities performed at each
location, are documented in the ISMS Scope document (MANAK WASTE MANAGEMENT PVT.
LTD./M/001), section 3.2.

5.4 Information Security Management System

Based on the external and internal issues (identified in section 5.1.3 above), the operational
processes and their interactions (identified in section 5.1.2 above), the needs and expectations
of interested parties (identified in section 5.2 above) and the scope statement (refer section 3.1
of MANAK WASTE MANAGEMENT PVT. LTD./M/001: ISMS Scope document), the ISMS
framework at the Organization – Manak Waste Management Pvt. Ltd. division is established on
the following parameters:

• Legal and contractual requirements – Legal & statutory compliance, safeguarding
organizational records and meeting contractual requirements.
• Business requirements – Compliance with policies and standards, and control of outsourcing
and the use of third-party services.
• Risk assessment requirements – Evaluating potential security breaches, unauthorized
access (physical & logical) and environmental threats, and planning for risk treatment.
• Business continuity requirements – Incident management, crisis management and IT
disaster recovery procedures.

The details of this framework are organized and presented in the ‘Documentation
Requirements’ (refer Section 7.5 – Document and Record Control) of this manual. The
selection and implementation of an appropriate set of controls is identified in Manak Waste
Management Pvt. Ltd._M_004_SoA: Statement of Applicability (SoA), which supports the
defined ISMS policies, processes and procedures.

Refer ‘Annexure-B: Developing the Management System for Information Security’ for a
flowchart depiction of the ISMS deployment and the proposed sustenance and improvement of
the implemented ISMS at the Organization – Manak Waste Management Pvt. Ltd.
