Information Security Management System Policy

iso27001templates.com
Public IT Limited 2011

Information Security
Management System Policy

Document Ref. ISMS04001

Version: 1.0
Draft 1
Document Author:
Document Owner:

V 1.0 Draft 1

Page 1 of 28

Information Security Management System Policy

Revision History
Version

Date

RFC Number

Summary of Changes

Document Review
Date of Next Scheduled Review

Distribution
Name

Title

Approval
Name

V 1.0 Draft 1

Position

Signature

Page 2 of 28

Date

Information Security Management System Policy

Contents
1

INTRODUCTION......................................................................................................................... 5

SCOPE OF THE ISMS................................................................................................................. 5

INFORMATION SECURITY REQUIREMENTS .................................................................... 5

MANAGEMENT COMMITMENT ............................................................................................ 6

MANAGEMENT REPRESENTATIVE ..................................................................................... 6

FRAMEWORK FOR SETTING OBJECTIVES AND POLICY ............................................. 6

6.1 SECURITY POLICY ....................................................................................................................... 7
6.1.1
Information Security Policy .............................................................................................. 7
6.2 ORGANIZATION OF INFORMATION SECURITY .............................................................................. 7
6.2.1
Internal Organization ....................................................................................................... 7
6.2.2
External Parties ................................................................................................................ 8
6.3 ASSET MANAGEMENT ................................................................................................................. 8
6.3.1
Responsibility for Assets ................................................................................................... 8
6.3.2
Information Classification ................................................................................................ 9
6.4 HUMAN RESOURCES SECURITY................................................................................................... 9
6.4.1
Prior to Employment......................................................................................................... 9
6.4.2
During Employment .......................................................................................................... 9
6.4.3
Termination or Change of Employment .......................................................................... 10
6.5 PHYSICAL AND ENVIRONMENTAL SECURITY ............................................................................ 10
6.5.1
Secure Areas ................................................................................................................... 10
6.5.2
Equipment Security ......................................................................................................... 11
6.6 COMMUNICATIONS AND OPERATIONS MANAGEMENT .............................................................. 11
6.6.1
Operational Procedures and Responsibilities ................................................................ 11
6.6.2
Third Party Service Delivery Management .................................................................... 12
6.6.3
System Planning and Acceptance ................................................................................... 12
6.6.4
Protection Against Malicious and Mobile Code ............................................................. 12
6.6.5
Back-Up .......................................................................................................................... 12
6.6.6
Network Security Management ....................................................................................... 13
6.6.7
Media Handling .............................................................................................................. 13
6.6.8
Exchange of Information ................................................................................................ 13
6.6.9
Electronic Commerce Services ....................................................................................... 14
6.6.10
Monitoring ................................................................................................................. 14
6.7 ACCESS CONTROL ..................................................................................................................... 15
6.7.1
Business Requirement for Access Control ...................................................................... 15
6.7.2
User Access Management ............................................................................................... 15
6.7.3
User Responsibilities ...................................................................................................... 15
6.7.4
Network Access Control ................................................................................................. 15
6.7.5
Operating System Access Control ................................................................................... 16
6.7.6
Application and Information Access Control ................................................................. 16
6.7.7
Mobile Computing and Teleworking .............................................................................. 17
6.8 INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE ........................... 17
6.8.1
Security Requirements of Information Systems ............................................................... 17
6.8.2
Correct Processing in Applications ................................................................................ 17
6.8.3
Cryptographic Controls .................................................................................................. 18
6.8.4
Security of System Files .................................................................................................. 18
6.8.5
Security in Development and Support Processes ............................................................ 18
6.8.6
Technical Vulnerability Management ............................................................................. 18
6.9 INFORMATION SECURITY INCIDENT MANAGEMENT .................................................................. 19
6.9.1
Reporting Information Security Events and Weaknesses ................................................ 19
6.9.2
Management of Information Security Incidents and Improvements ............................... 19

V 1.0 Draft 1

Page 3 of 28

Information Security Management System Policy

6.10
BUSINESS CONTINUITY MANAGEMENT ................................................................................ 19
6.10.1
Information Security Aspects of Business Continuity Management ........................... 19
6.11
COMPLIANCE ........................................................................................................................ 20
6.11.1
Compliance with Legal Requirements ....................................................................... 20
6.11.2
Compliance with Security Policies and Standards, and Technical Compliance ........ 21
6.11.3
Information Systems Audit Considerations ................................................................ 21
7

ROLES AND RESPONSIBILITIES ......................................................................................... 22

CONTINUAL IMPROVEMENT POLICY .............................................................................. 22

APPROACH TO MANAGING RISK ...................................................................................... 23

9.1 RISK ASSESSMENT .................................................................................................................... 23
9.2 RISK EVALUATION CRITERIA .................................................................................................... 24
9.2.1
Likelihood ....................................................................................................................... 24
9.2.2
Impact ............................................................................................................................. 24
9.3 RISK ACCEPTANCE CRITERIA .................................................................................................... 25

10

HUMAN RESOURCES .............................................................................................................. 25

11

AUDITING AND REVIEW ....................................................................................................... 25

12

DOCUMENTATION STRUCTURE AND POLICY .............................................................. 26

13

CONTROL OF RECORDS ....................................................................................................... 28

V 1.0 Draft 1

Page 4 of 28

Information Security Management System Policy

1 Introduction
This policy defines how Information Security will be set up, managed,
measured, reported on and developed within [Organisation name].
The International Standard for Information Security, BS ISO/IEC 2700:2005
(referred to in this document as ISO/IEC 27001), is a development of the
earlier British Standard, BS 7799.
[Organisation name] has decided to pursue full certification to ISO/IEC 27001
in order that the effective adoption of Information Security Best Practice may
be validated by an external third party.

2 Scope of the ISMS

For the purposes of certification within [Organisation Name], the boundaries of
the Information Security Management System are defined as follows:
[Define the scope of the ISMS in terms of the characteristics of the business,
the organisation, its location, assets and technology. Include details of and
justification for any exclusions from the scope.]

3 Information Security Requirements

A clear definition of the requirements for information security will be agreed
and maintained with the business so that all ISMS activity is focussed on the
fulfilment of those requirements. Statutory, regulatory and contractual
requirements will also be documented and input to the planning process.
Specific requirements with regard to the security of new or changed systems
or services will be captured as part of the design stage of each project.
It is a fundamental principle of the [Organisation Name] Information Security
Management System that the controls implemented are driven by business
needs and this will be regularly communicated to all staff through team
meetings and briefing documents.

V 1.0 Draft 1

Page 5 of 28

Information Security Management System Policy

4 Management Commitment
Commitment to Information Security extends to senior levels of the
organisation and will be demonstrated through this ISMS Policy and the
provision of appropriate resources to provide and develop the ISMS and
associated controls.
Top management will also ensure that a systematic review of performance of
the programme is conducted on a regular basis to ensure that quality
objectives are being met and quality issues are identified through the audit
programme and management processes. Management Review can take
several forms including departmental and other management meetings.

5 Management Representative
The [IT Manager] shall have overall authority and responsibility for the
implementation and management of the Information Security Management
System, specifically:

The identification, documentation and fulfilment of information security

requirements
Implementation, management and improvement of risk management
processes
Integration of processes
Compliance with statutory, regulatory and contractual requirements
Reporting to top management on performance and improvement

6 Framework for Setting Objectives and Policy

An annual cycle will be used for the setting of objectives for Information
Security, to coincide with the budget planning cycle. This will ensure that
adequate funding is obtained for the improvement activities identified. These
objectives will be based upon a clear understanding of the business
requirements, informed by the annual management review with stakeholders.
ISMS objectives will be documented for the relevant financial year, together
with details of how they will be achieved. These will be reviewed on a
quarterly basis to ensure that they remain valid. If amendments are required,
these will be managed through the change management process.
In accordance with ISO/IEC 27001:2005 the following control objectives and
policy statements will be adopted by [Organisation Name]. These will be
reviewed on a regular basis in the light of the outcome from risk assessments
and in line with the Risk Treatment Plan (document reference ISMS04007).
For references to the controls that implement each of the policy statements
V 1.0 Draft 1

Page 6 of 28

Information Security Management System Policy

given please see the Statement of Applicability (document reference

ISMS04008).
[Please remove any policy statements below that are defined as not
applicable in your Statement of Applicability]

6.1
6.1.1

Security Policy
Information Security Policy

Objective: To provide management direction and support for information

security in accordance with business requirements and relevant laws and
regulations
An information security policy document shall be approved by management,
and published and communicated to all employees and relevant external
parties.
The information security policy shall be reviewed at planned intervals or if
significant changes occur to ensure its continuing suitability, adequacy, and
effectiveness.
6.2
6.2.1

Organization of Information Security

Internal Organization

Objective: To management information security within the organisation.

Management shall actively support security within the organization through
clear direction, demonstrated commitment, explicit assignment, and
acknowledgment of information security responsibilities.
Information security activities shall be co-ordinated by representatives from
different parts of the organization with relevant roles and job functions.
All information security responsibilities shall be clearly defined.
A management authorization process for new information processing facilities
shall be defined and implemented.
Requirements for confidentiality or non-disclosure agreements reflecting the
organizations needs for the protection of information shall be identified and
regularly reviewed.
Appropriate contacts with relevant authorities shall be maintained.

V 1.0 Draft 1

Page 7 of 28

Information Security Management System Policy

Appropriate contacts with special interest groups or other specialist security

forums and professional associations shall be maintained.
The organizations approach to managing information security and its
implementation (i.e. control objectives, controls, policies, processes, and
procedures for information security) shall be reviewed independently at
planned intervals, or when significant changes to the security implementation
occur.
6.2.2

External Parties

Objective: To maintain the security of the organisations information and

information processing facilities that are accessed, processed, communicated
to or managed by third parties.
The risks to the organizations information and information processing facilities
from business processes involving external parties shall be identified and
appropriate controls implemented before granting access.
All identified security requirements shall be addressed before giving
customers access to the organizations information or assets.
Agreements with third parties involving accessing, processing, communicating
or managing the organizations information or information processing facilities,
or adding products or services to information processing facilities shall cover
all relevant security requirements.
6.3
6.3.1

Asset Management
Responsibility for Assets

Objective: To achieve and maintain appropriate protection of organisational

assets.
All assets shall be clearly identified and an inventory of all important assets
drawn up and maintained.
All information and assets associated with information processing facilities
shall be owned 3) by a designated part of the organization.
Rules for the acceptable use of information and assets associated with
information processing facilities shall be identified, documented, and
implemented.

V 1.0 Draft 1

Page 8 of 28