Annex A

A.5: Information Security Policies

Verify that the organization has a clear set of policies for keeping its information systems secure. The information security (IS) policy must be approved by management, published, and communicated to employees and relevant external parties. The auditors will check that the policies are reviewed at planned intervals, or whenever a significant change occurs, to ensure they remain suitable, adequate and effective.

A.6: Organization of Information Security

This domain is about ensuring that the policies outlined in A.5 can be implemented throughout the organization. A management framework needs to be established to initiate and control the implementation of information security. You need to ensure that IS roles and responsibilities are defined and communicated, that segregation of duties is maintained so that no single person can misuse assets unchecked, and that contact with relevant authorities (such as the ICO) and special interest groups (such as ISACA) is maintained. Information security must be addressed in all projects, regardless of their type. The second objective covers mobile devices and teleworking: a policy and supporting controls are needed to manage the risks of working with mobile equipment and from outside the organization's premises.

A.7: Human Resource Security

The first objective is related to pre-employment requirements. Background verification must be conducted on all candidates, proportionate to the business requirements and the classification of the information they will access, and employment contracts must state the individual's IS responsibilities. The second objective covers the period of employment: individuals must be aware of their IS responsibilities, so management should require all employees and contractors to adhere to IS policies and procedures, and periodic security awareness training should be conducted. A formal, communicated disciplinary process must be in place so that action can be taken against an individual responsible for a security breach. The final objective is to protect the organization's interests when an employee changes roles or leaves the organization, by defining which IS responsibilities remain valid after termination or change and by ensuring that any restrictive covenants are defined and enforced.

A.8: Asset Management

The first objective is to identify the organization's information assets. This is done by maintaining an inventory of assets, each with a designated owner. Acceptable-use rules for these assets must be documented, and assets must be returned by employees and contractors upon termination of their employment or contract. The second objective is to ensure that information receives an appropriate level of protection. Each information asset should be classified according to its value, criticality and sensitivity, labelled accordingly, and handled by a procedure that matches its classification. The last objective concerns the prevention of unauthorized disclosure, modification, removal or destruction of information stored on media. Removable media must be managed, media must be disposed of securely when no longer required, and media containing information must be protected during physical transfer.

A.9: Access Control

The first objective is to limit access to information and information processing facilities. This is achieved through an access control policy that grants users only the access necessary to perform their duties (least privilege), together with controls on access to networks and network services. The second objective is to ensure authorized access and prevent unauthorized access. This requires a formal user registration and de-registration process, a formal user access provisioning process, restriction of the allocation and use of privileged access rights, a formal process to control the allocation of secret authentication information (passwords, PINs, tokens, etc.), regular review of user access rights, and removal or adjustment of access rights when employment or roles change. The third objective makes users accountable for safeguarding their own secret authentication information. The final objective is to prevent unauthorized access to systems and applications. This means restricting access to information and application functions in line with the access control policy, using a secure log-on procedure, operating an interactive password management system that enforces quality passwords, restricting the use of utility programs that could override system and application controls, and restricting access to program source code.
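The access-rights review described above (registration and de-registration, privileged-access restriction, periodic review and removal of rights) is often run as a scripted check over an identity-system export before the evidence is handed to auditors. The following is an added example, not code from the page or from any ISO document; the account records, the field names and the dormancy thresholds are all constructed assumptions, and a real review would take its input from the organization's IAM or HR systems.

```python
"""Access-rights review over a constructed IAM export (added example).

Flags the three findings an A.9 review most commonly raises:
  * accounts still enabled after HR has marked the person terminated,
  * dormant accounts (privileged accounts get a shorter allowance),
  * privileged accounts whose approval has lapsed or was never recorded.
All accounts, dates and thresholds below are made up for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Account:
    user: str
    privileged: bool
    last_login: Optional[date]        # None means the account never logged in
    hr_status: str                    # "active" or "terminated" (from HR feed)
    approval_expiry: Optional[date]   # expiry of last privileged-access approval


@dataclass
class Finding:
    user: str
    reason: str
    action: str


def review_access(accounts: List[Account], today: date,
                  dormant_days: int = 90,
                  privileged_dormant_days: int = 30) -> List[Finding]:
    """Return the list of accounts that need action, with the reason."""
    findings: List[Finding] = []
    for a in accounts:
        # De-registration check: HR says gone, account still enabled.
        if a.hr_status == "terminated":
            findings.append(Finding(a.user, "account enabled after termination",
                                    "disable immediately, then remove"))
            continue  # nothing else matters once the account must go

        # Dormancy check: privileged accounts get a tighter window.
        limit = privileged_dormant_days if a.privileged else dormant_days
        if a.last_login is None or (today - a.last_login).days > limit:
            findings.append(Finding(a.user, f"dormant for more than {limit} days",
                                    "disable pending owner confirmation"))

        # Privileged access must be backed by a current, recorded approval.
        if a.privileged and (a.approval_expiry is None or a.approval_expiry < today):
            findings.append(Finding(a.user, "privileged access without current approval",
                                    "revoke privileged role until re-approved"))
    return findings


# Constructed sample export (assumed format, not real data).
SAMPLE_ACCOUNTS = [
    Account("alice", True, date(2024, 5, 28), "active", date(2024, 12, 31)),
    Account("bob", False, date(2024, 1, 15), "active", None),
    Account("carol", True, date(2024, 5, 30), "active", date(2024, 3, 1)),
    Account("dave", False, date(2024, 5, 1), "terminated", None),
    Account("erin", True, None, "active", date(2024, 12, 31)),
]
REVIEW_DATE = date(2024, 6, 1)


def sample_review() -> List[Finding]:
    """Run the review over the constructed export."""
    return review_access(SAMPLE_ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for f in sample_review():
        print(f"{f.user:8} {f.reason:45} -> {f.action}")
```

Run as-is it reports bob (dormant), carol (lapsed approval), dave (terminated but enabled) and erin (privileged account that never logged in); alice is clean. The review date is passed in explicitly rather than taken from the clock so that the same run can be reproduced for the audit file.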

A.10: Cryptography

The objective is to ensure that cryptography is used properly and effectively to protect the confidentiality, authenticity and integrity of information. A policy on the use of cryptographic controls for the protection of information should be developed and implemented, covering where and how encryption, digital signatures and message authentication are required. Alongside it, a key management policy should govern the generation, storage, distribution, rotation, revocation and destruction of cryptographic keys throughout their lifecycle.

A.11: Physical and Environmental Security

The first objective is to prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities. This is achieved by defining and using physical security perimeters, ensuring that physical entry controls are in place, securing offices, rooms and facilities, protecting against external and environmental threats, establishing procedures for working in secure areas, and controlling delivery and loading areas. The second objective is to prevent the loss, damage or theft of assets and interruption to operations. Equipment should be sited and protected against physical and environmental threats, supporting utilities and cabling should be protected, and equipment should be correctly maintained. Equipment, information and software should not be taken off-site without prior authorization, and storage media must be verified as wiped before equipment is disposed of or re-used. A clear desk and clear screen policy should be implemented.

A.12: Operations Security

The first objective is to ensure that information processing facilities are operated correctly and securely. Operating procedures must be documented and made available to those who need them, and these include change management and capacity management. Development, testing and operational environments should be separated to reduce the risk of unauthorized access or changes to the operational environment. The second objective is to ensure that information and information processing facilities are protected against malware. Detection, prevention and recovery controls (including anti-malware software) must be implemented, combined with appropriate user awareness. The third objective is protection against loss of data: organizations need regular backup copies of information, software and system images, tested in line with an agreed backup policy. The fourth objective is to record events and generate evidence. Organizations should capture event logs recording user activities, exceptions, faults and security events, protect those logs from tampering, log administrator and operator activities, and review the logs regularly. Clocks on all relevant information processing systems must be synchronized to a single reference time source (typically via NTP) so that events from different systems can be correlated. The fifth objective is to ensure the integrity of operational systems, by controlling the installation of software on operational systems. The sixth objective is to prevent the exploitation of technical vulnerabilities: organizations need to obtain timely information about technical vulnerabilities, evaluate their exposure, take appropriate measures to address the associated risk, and restrict users' ability to install software. The final objective is to minimize the impact of audit activities on operational systems: audit requirements and activities involving verification of operational systems should be planned and agreed so as to minimize disruption to business processes.
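Two of the controls above, log review and clock synchronization, are easiest to understand together: if a host's clock is wrong, the timestamps it writes into its own logs cannot be correlated with other systems, so a reviewer should both look for suspicious activity and check each source's clock against the collector's. The example below is added here and is not from the page; the syslog-style lines, hostnames and addresses are constructed, and the message format it parses (OpenSSH "Failed/Accepted password" lines with an ISO timestamp and hostname prepended by a collector) is an assumption about how the logs arrive.

```python
"""Log review over constructed syslog-style records (added example).

Each record is (time the collector received the line, raw line). The line
itself carries the sending host's own timestamp, so the two can be compared.
Detects (1) repeated authentication failures from one source address and
(2) hosts whose clocks drift beyond a tolerance from the collector's clock.
Every host, address and line below is made up for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Assumed format: "<host ISO timestamp> <host> sshd[pid]: Failed|Accepted password for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)

# Constructed sample: (collector receive time, raw line)
SAMPLE_RECORDS = [
    ("2024-06-01T10:00:05Z", "2024-06-01T10:00:05Z web1 sshd[411]: Failed password for root from 203.0.113.5"),
    ("2024-06-01T10:00:12Z", "2024-06-01T10:00:12Z web1 sshd[412]: Failed password for root from 203.0.113.5"),
    ("2024-06-01T10:00:20Z", "2024-06-01T10:00:20Z web1 sshd[413]: Failed password for admin from 203.0.113.5"),
    ("2024-06-01T10:00:31Z", "2024-06-01T10:00:31Z web1 sshd[414]: Accepted password for deploy from 198.51.100.7"),
    ("2024-06-01T10:00:50Z", "2024-06-01T10:00:50Z web1 CRON[500]: (root) CMD (run-parts /etc/cron.hourly)"),
    # db1's clock is 140 seconds behind the collector's.
    ("2024-06-01T10:01:00Z", "2024-06-01T09:58:40Z db1 sshd[77]: Failed password for postgres from 198.51.100.9"),
    ("2024-06-01T10:01:30Z", "2024-06-01T09:59:10Z db1 sshd[78]: Accepted password for postgres from 10.0.0.4"),
]


def parse_ts(s: str) -> datetime:
    # fromisoformat() on older Pythons does not accept a trailing "Z".
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse(records: List[Tuple[str, str]]) -> List[dict]:
    """Parse sshd authentication lines; lines of other formats are skipped."""
    events = []
    for received, line in records:
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "received": parse_ts(received), "ts": parse_ts(m["ts"]),
            "host": m["host"], "result": m["result"],
            "user": m["user"], "ip": m["ip"],
        })
    return events


def detect_bruteforce(events: List[dict], threshold: int = 3, window_s: int = 60) -> List[str]:
    """Source addresses with >= threshold failures inside any window_s-second window.

    Uses the collector's receive time, not the host's own timestamp, so a
    drifting host clock cannot hide or split a burst of failures."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]].append(e["received"])
    hits = []
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted times
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                hits.append(ip)
                break
    return hits


def clock_skew(events: List[dict], tolerance_s: float = 5.0) -> Dict[str, float]:
    """Hosts whose own timestamps differ from the collector's clock by more than tolerance_s."""
    worst: Dict[str, float] = defaultdict(float)
    for e in events:
        skew = abs((e["received"] - e["ts"]).total_seconds())
        worst[e["host"]] = max(worst[e["host"]], skew)
    return {host: s for host, s in worst.items() if s > tolerance_s}


def run_sample() -> Tuple[List[str], Dict[str, float]]:
    events = parse(SAMPLE_RECORDS)
    return detect_bruteforce(events), clock_skew(events)


if __name__ == "__main__":
    attackers, drifting = run_sample()
    print("repeated failures from:", attackers)
    print("hosts outside clock tolerance (seconds):", drifting)
```

On the sample it reports 203.0.113.5 (three failures in 15 seconds) and db1 (140 seconds of skew), while web1, whose timestamps match the collector's, is not listed. The brute-force detector deliberately windows on receive time: had it used db1's own timestamps, a drifting clock would quietly distort every time-based rule, which is exactly why the standard requires a single reference time source.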

A.13: Communications Security

The first objective is to protect information in networks and its supporting information processing facilities. Networks must be managed and controlled, security mechanisms, service levels and other requirements should be identified and included in network services agreements (whether the services are provided in-house or outsourced), and groups of information services, users and systems should be segregated on the network. The second objective is to maintain the security of information transferred both within the organization and with external parties. Formal transfer policies, procedures and controls should be in place, agreements on information transfer should be established with external parties, and information involved in electronic messaging shall be appropriately protected. Requirements for confidentiality or non-disclosure agreements should be identified, documented and regularly reviewed.

A.14: System acquisition, development and maintenance

The first objective is to ensure that information security is an integral part of information systems across their entire lifecycle. Organizations should specify information security requirements when developing new systems or enhancing existing ones, and information in application services that passes over public networks (and in application service transactions) should be protected from fraudulent activity, disclosure and modification. The second objective is to ensure that information security is designed and implemented within the development lifecycle: a secure development policy, change control procedures, technical review of applications after operating platform changes, restrictions on changes to software packages, secure engineering principles, a secure development environment, supervision of outsourced development, security testing during development, and system acceptance testing for new systems and upgrades. The final objective is to ensure the protection of data used for testing: test data should be selected carefully, protected and controlled, and production data should not be used in test environments without equivalent protection.

A.15: Supplier Relationships

The first objective is to protect the organization's assets that are accessible to suppliers. Organizations need to document their information security requirements for suppliers in a policy, and formal agreements must be established and implemented with each supplier that may access, process, store, communicate or provide IT infrastructure components for the organization's information. These agreements should also address the information security risks along the supply chain. The second objective is to maintain an agreed level of information security and service delivery in line with the supplier agreements. Organizations should regularly monitor, review and, where warranted, audit supplier service delivery, and should manage changes to the provision of supplier services (including to the processes and controls involved) while taking account of the criticality of the business information and systems affected.

A.16: Information Security Incident Management

The objective is to ensure a consistent and effective approach to the management of information security incidents, including communication about security events and weaknesses. Organizations need defined responsibilities and procedures for IS incident management, employees and contractors must report security events and observed weaknesses through appropriate channels as quickly as possible, and reported events must be assessed to decide whether they are to be classified as incidents. Incidents are then responded to according to the documented procedures. Knowledge gained from analyzing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents. Organizations also need to define and apply procedures for the identification, collection, acquisition and preservation of information that can serve as evidence, so that it will stand up in any subsequent disciplinary or legal action.

A.17: Information Security Continuity

The first objective is to embed information security continuity in the organization's business continuity management. Organizations need to determine their requirements for information security and for the continuity of information security management in adverse situations, such as a crisis or disaster; establish, document, implement and maintain processes and controls that ensure the required level of continuity; and verify the effectiveness of these IS continuity controls at regular intervals. The second objective is to ensure the availability of information processing facilities: these need to be implemented with redundancy sufficient to meet the organization's availability requirements.

A.18: Compliance

The first objective is to avoid breaches of legal, statutory, regulatory or contractual obligations related to information security. All applicable legislative, regulatory and contractual requirements must be identified and documented for each information system. Compliance must be ensured with intellectual property rights and the use of proprietary software products, records must be protected from loss, destruction, falsification and unauthorized access, and the privacy and protection of personally identifiable information must be ensured as required by law. Cryptographic controls must be used in compliance with all relevant agreements, legislation and regulations, including any export or import restrictions. The second objective is to ensure that information security is implemented and operated in accordance with the organization's policies and procedures. The approach to managing information security and its implementation should be reviewed independently at planned intervals or when significant changes occur; managers should regularly review compliance with policies and standards within their area of responsibility; and information systems should be regularly reviewed for technical compliance, for example through vulnerability assessments and penetration tests carried out by competent, authorized persons.