ISO Family:: A5:Information Security Policies

The document discusses several ISO standards related to information security management systems (ISMS). ISO/IEC 27001 specifies the requirements for an ISMS and includes Annex A, which (in the 2013 edition) lists 114 commonly accepted information security controls grouped under 35 control objectives in 14 domains. ISO/IEC 27002 provides guidance for implementing the controls in Annex A. Other related standards cover the overview and vocabulary, implementation guidance, performance monitoring and measurement, risk management, and auditing and certification. Sector-specific standards also exist for telecommunications and financial services. The document also lists some example controls from ISO/IEC 27001 and gives a brief overview of COBIT, an IT governance framework issued by ISACA.

Uploaded by

Kansha Gupta

ISO/IEC 27001

- A systematic framework to protect information inside an organization.
- It specifies the requirements for an ISMS (Information Security Management System).
- It differs from other management-system standards because it has Annex A.
- Annex A is a list of information security control objectives and controls. In ISO/IEC 27001:2013 it contains 114 commonly accepted controls grouped under 35 control objectives in 14 domains (A.5 to A.18). The 2022 revision reorganised Annex A into 93 controls under four themes (organizational, people, physical, technological).

ISO/IEC 27002
- It gives guidance for implementing the controls listed in Annex A of ISO/IEC 27001.

ISO Family:
1. ISO/IEC 27001 - specifies the requirements for an ISMS.
2. ISO/IEC 27002 - guidance for implementing the controls in Annex A.
3. ISO/IEC 27000 - overview of information security management systems, plus the terms and definitions used across the family.
4. ISO/IEC 27003 - guidance for implementing an ISMS.
5. ISO/IEC 27004 - guidance on how organizations monitor and measure the performance of their ISMS.
6. ISO/IEC 27005 - guidance on information security risk management.
7. ISO/IEC 27006 - requirements for bodies that audit and certify an ISMS.
8. ISO/IEC 27007 - guidelines on how to audit an ISMS.
Sector Specific
9. ISO/IEC 27011 - application of the information security controls in telecommunications organizations.
10. ISO/IEC TR 27015 - information security management in financial services.

ISO 27001 Controls:

A5: Information Security Policies
A5.1: Management direction for information security: a set of information security policies must be defined, approved by management, and communicated to staff, persons working for the organization, and relevant external parties.

A6: Organization of information security (roles, responsibilities & segregation of duties): the roles and responsibilities of each employee must be clearly defined and allocated. Segregation of duties must be practised because it reduces the opportunity for unauthorized or unintentional modification or misuse of assets.

A7: Human Resource Security:
A7.1 Prior to employment: screening, including background checks, must be done to ensure the right person is joining the organization.
A7.2 During employment: employees are required to apply the information security policies and procedures defined by the organization. Appropriate awareness and training on information security must be given to all employees.
A7.3 Termination and change of employment: on termination, ensure that both logical and physical access rights are removed; when a role changes, access rights must be adjusted accordingly.
COBIT: Control Objectives for Information and Related Technologies is issued by ISACA (originally through its IT Governance Institute). The objective of COBIT is to provide a generally applicable and accepted standard for IT governance, security and control practices. COBIT 5 is built on 5 principles and 7 enablers.
5 Principles:
1. Meeting stakeholder needs 2. Covering the enterprise end-to-end 3. Applying a single integrated framework 4. Enabling a holistic approach 5. Separating governance from management
7 Enablers:
1. Principles, policies and frameworks 2. Processes 3. Organizational structures 4. Culture, ethics and behaviour 5. Information 6. Services, infrastructure and applications 7. People, skills and competencies
Note: the lists often quoted in their place (confidentiality, integrity, availability, effectiveness, reliability, efficiency, compliance; and people, data, applications, technology, facilities) are the information criteria and IT resources of the older, pre-COBIT 5 editions, not COBIT 5's principles and enablers.
COBIT brings together these 5 principles to let an enterprise build an effective governance and management framework, based on a holistic set of 7 enablers, that optimizes information and technology investment and use for the benefit of stakeholders.
