ISO 27001

ISO 27001 Annex : A.14.1.2 Securing Application Services on Public Networks

Control- Information involved in application services passing over public networks should be protected against fraudulent activity, contract disputes, unauthorized disclosure and modification.

Implementation Guidance – Information security considerations for application services passing over public networks should include the following:

  1. The level of trust each party requires in the other's claimed identity, e.g. through authentication;
  2. Authorization processes for who may approve the content of, issue or sign key transactional documents;
  3. Ensuring that the communicating partners are fully informed of their authorizations for providing or using the service;
  4. Determining and meeting requirements for confidentiality, integrity, and proof of dispatch and receipt of key documents and contracts, e.g. those associated with tendering and contract processes;
  5. The level of trust required in the integrity of key documents;
  6. Protection requirements for any confidential information;
  7. Confidentiality and integrity of any order transactions, payment details, delivery address information and confirmation of receipt;
  8. The degree of verification appropriate to check a customer's payment information;
  9. Selecting the most appropriate settlement form of payment to guard against fraud;
  10. The level of protection required to maintain the confidentiality and integrity of order information;
  11. Avoidance of loss or duplication of transaction information;
  12. Liability associated with any fraudulent transactions;
  13. Insurance requirements.

Many of the above considerations can be addressed by applying cryptographic controls, taking into account compliance with legal requirements.
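Items 7 and 11 above (confidentiality and integrity of order transactions, and avoidance of loss or duplication) can be made concrete with a small receiver-side check. The following Python is an added example, not code from the original post or from Infosavvy: it uses an HMAC-SHA256 tag over a canonical serialization of each order to detect modification in transit, a transaction ID set to reject duplicates and replays, and a sender sequence number to detect messages lost in transit. The pre-shared key, order fields and message values are constructed for the example. An HMAC gives integrity and authenticity between the two parties that hold the key but not the third-party non-repudiation that a digital signature (mentioned later in this post) provides; a production design would use signatures where disputes must be settled with a third party.

```python
import hashlib
import hmac
import json

# Constructed pre-shared key for this example only; a real deployment would
# provision it through the organization's key management process.
SHARED_KEY = b"example-shared-secret-do-not-reuse"


def canonical(order: dict) -> bytes:
    """Serialize an order deterministically so both parties tag the same bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()


def protect_order(order: dict, key: bytes = SHARED_KEY) -> dict:
    """Sender side: attach an HMAC-SHA256 tag over the canonical order content."""
    tag = hmac.new(key, canonical(order), hashlib.sha256).hexdigest()
    return {"order": order, "tag": tag}


class OrderReceiver:
    """Receiver side: checks integrity, rejects replays, and records lost messages."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.seen_ids = set()   # transaction IDs already accepted
        self.next_seq = 1       # next expected sender sequence number
        self.gaps = []          # (first_missing, last_missing) sequence ranges
        self.accepted = []

    def verify(self, message: dict):
        """Return None if the order is accepted, otherwise a rejection reason."""
        order = message.get("order")
        tag = message.get("tag")
        if not isinstance(order, dict) or not isinstance(tag, str):
            return "malformed"
        expected = hmac.new(self.key, canonical(order), hashlib.sha256).hexdigest()
        # Constant-time comparison avoids leaking the tag through timing.
        if not hmac.compare_digest(expected, tag):
            return "integrity-failure"
        txn_id = order.get("txn_id")
        seq = order.get("seq")
        if not txn_id or not isinstance(seq, int):
            return "missing-identifiers"
        if txn_id in self.seen_ids or seq < self.next_seq:
            return "duplicate"
        if seq > self.next_seq:
            # Messages between next_seq and seq-1 never arrived (lost in transit).
            self.gaps.append((self.next_seq, seq - 1))
        self.next_seq = seq + 1
        self.seen_ids.add(txn_id)
        self.accepted.append(order)
        return None


def run_demo() -> dict:
    """Exercise the checks on constructed messages; returns the outcome of each."""
    receiver = OrderReceiver()
    first = {"txn_id": "T-1001", "seq": 1, "item": "SKU-42", "qty": 2,
             "amount": "19.98", "deliver_to": "1 Example Street"}
    msg = protect_order(first)
    results = {"valid": receiver.verify(msg)}
    # Delivery address altered in transit while the original tag is kept.
    tampered = {"order": dict(first, deliver_to="9 Other Road"), "tag": msg["tag"]}
    results["tampered"] = receiver.verify(tampered)
    # Exact copy of an already-processed message.
    results["replay"] = receiver.verify(msg)
    # Sequence 2 never arrives; sequence 3 shows up next.
    third = protect_order(dict(first, txn_id="T-1003", seq=3))
    results["after_loss"] = receiver.verify(third)
    results["gaps"] = list(receiver.gaps)
    return results


if __name__ == "__main__":
    print(run_demo())
```

Running the block accepts the first order, rejects the altered copy with "integrity-failure", rejects the replay with "duplicate", and records the missing sequence number 2 as a gap so the sender can be asked to retransmit rather than the order silently disappearing.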

Related Product : ISO 27001 Lead Auditor Training And Certification ISMS

Application service arrangements between partners should be supported by a documented agreement that commits both parties to the agreed terms of service, including details of authorization.

Resilience requirements against attacks should be considered; these may include requirements for protecting the application servers involved or for ensuring the availability of the network interconnections needed to deliver the service.

Other Information – Applications accessible via public networks are subject to a range of network-related threats, such as fraudulent activity, contract disputes, and public disclosure of information. Detailed risk assessments and a proper selection of controls are therefore essential. The controls required often include cryptographic methods for authentication and for securing data transfer.

Secure authentication methods, e.g. using public key cryptography and digital signatures, can be used to reduce the risks to application services. Trusted third parties can also be used where such services are needed.

Also Read : ISO 27001 : Annex 14 System Acquisition, Development and Maintenance

A well-known ISO 27001 Lead Auditor and ISO 27001 Lead Implementer certificate that mainly covers information security clauses and their implementation, i.e., controls which should be implemented by the organization to preserve the CIA triad, Confidentiality, Integrity, and Availability, to maintain their critical, sensitive information in a secure manner. Infosavvy, an institute in Mumbai, conducts training and certification for multiple domains in Information Security, which include IRCA CQI ISO 27001:2013 Lead Auditor (LA) and ISO 27001 Lead Implementer (LI) (TÜV SÜD Certification). Infosavvy will help you to understand and recognize the full scope of your organization's security checks to protect your organization's activities and information equipment (assets) from attacks, and also to illustrate the backup policy to safeguard data if it gets lost due to intentional or natural hazards. Trainers will also help you understand that the requirements of information security for new information systems or improvements to existing information systems are important in order to ensure that systems function effectively and efficiently throughout their life cycle. We have trainers with extensive expertise and experience to ensure the efficient handling of the security of information. Consequently, the applicant will gain the necessary skills for the ISMS audit by using commonly agreed audit concepts, procedures and techniques.

Read More : https://info-savvy.com/iso-27001-annex-a-14-1-2-securing-application-services-on-public-networks/


This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092

Contact us – www.info-savvy.com


ISO 27001 : Annex 14 System Acquisition, Development and Maintenance

ISO 27001 : Annex 14 System Acquisition, Development and Maintenance. This article explains A.14.1 Security Requirements of Information Systems and A.14.1.1 Information Security Requirements Analysis and Specification.

A.14.1  Security Requirements of Information Systems

The objective is to ensure that information security is an integral part of information systems across their entire lifecycle. This also includes the requirements for information systems that provide services over public networks.

A.14.1.1  Information Security Requirements Analysis and Specification

Control- Information security requirements should be included in the requirements for new information systems or enhancements to existing information systems.

Implementation Guidance – Information security requirements should be identified using various methods, such as deriving compliance requirements from policies and regulations, threat modelling, incident reviews, and the use of vulnerability thresholds. The results of this identification should be documented and reviewed by all stakeholders.

Information security requirements and controls should reflect the business value of the information concerned and the potential negative business impact that could result from insufficient protection.

Identification and management of information security requirements and associated processes should be integrated into the early stages of information systems projects. Early consideration of information security requirements, e.g. at the design stage, can lead to more efficient and effective solutions.

Related Product : ISO 27001 Lead Auditor Training And Certification ISMS

The requirements of information security should also take into account:

  1. The level of confidence required in the claimed identity of users, in order to derive user authentication requirements;
  2. Access provisioning and authorization processes for business users as well as for privileged or skilled users;
  3. Informing users and operators of their duties and responsibilities;
  4. The required protection needs of the assets involved, in particular regarding availability, confidentiality, and integrity;
  5. Requirements derived from business processes, such as transaction logging and monitoring, and non-repudiation requirements;
  6. Requirements mandated by other security controls, e.g. interfaces to logging and monitoring or data leakage detection systems.

Dedicated controls should be considered for applications that provide services over public networks or that carry out transactions.

A structured testing and acquisition process should be followed when products are purchased. Supplier contracts should address the identified security requirements. If the security functionality of a proposed product does not satisfy the specified requirement, the risk introduced and the associated controls should be reconsidered before the product is purchased.

Available guidance on the security configuration of the product, aligned with the final software/service stack of the system, should be evaluated and implemented.

Product acceptance criteria, e.g. in terms of functionality, should be defined to ensure that the identified security requirements are met. Products should be evaluated against these criteria before acquisition. Any additional functionality should be reviewed to ensure that it does not introduce unacceptable risks.

Other Information – ISO/IEC 27005 and ISO 31000 provide guidance on the use of risk management processes to identify controls that meet information security requirements.

Read More : https://info-savvy.com/iso-27001-annex-14-system-acquisition-development-and-maintenance/




ISO 27001 Annex : A.13.2.3 Electronic Messaging & A.13.2.4 Confidentiality or Non-Disclosure Agreements

This article explains ISO 27001 Annex : A.13.2.3 Electronic Messaging & A.13.2.4 Confidentiality or Non-Disclosure Agreements.

A.13.2.3  Electronic Messaging

Control- Information involved in electronic messaging should be appropriately protected.

Implementation Guidance – Information security considerations for electronic messaging should include the following:

  1. Protecting messages from unauthorized access, modification or denial of service, commensurate with the organization's classification scheme;
  2. Ensuring correct addressing and transport of the message;
  3. Reliability and availability of the service;
  4. Legal considerations, for example requirements for electronic signatures;
  5. Obtaining approval before using external public services such as instant messaging, social networking or file sharing;
  6. Stronger levels of authentication controlling access from publicly accessible networks.

Other Information – There are many types of electronic messaging, such as e-mail systems, electronic data interchange, and social networking.

Related Product : ISO 27001 Lead Auditor Training And Certification ISMS

A well-known ISO 27001 Lead Auditor and ISO 27001 Lead Implementer certificate that mainly covers information security clauses and their implementation, i.e., controls which should be implemented by the organization to preserve the CIA triad, Confidentiality, Integrity, and Availability, to maintain their critical, sensitive information in a secure manner. Infosavvy, a Mumbai-based institute, provides multi-domain certifications and training, which include IRCA CQI ISO 27001:2013 Lead Auditor (LA) and ISO 27001 Lead Implementer (LI) (TÜV SÜD Certification). Infosavvy will help you to understand and recognize the full scope of your organization's security checks to protect your organization's activities and information equipment (assets) from attacks, and also to illustrate the backup policy to safeguard data if it gets lost due to intentional or natural hazards. It also helps you understand how the integrity of operating systems and software can be controlled or administered when they are transferred from one system to another or even from outside the organization, as well as the types of controls required to safeguard access to confidential information and software. We have trainers with extensive expertise and experience to ensure the efficient handling of the security of information. Consequently, the applicant will gain the necessary skills for the ISMS audit by using commonly agreed audit concepts, procedures and techniques.

Also Read : ISO 27001 Annex : A.13.2 Information Transfer

A.13.2.4  Confidentiality or Non-Disclosure Agreements

Control- Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information should be identified, regularly reviewed, and documented.

Implementation Guidance – Confidentiality or non-disclosure agreements should address the requirement to protect confidential information using legally enforceable terms. Confidentiality or non-disclosure agreements apply to external parties as well as to the organization's employees. Elements should be selected or added taking into account the type of the other party and its permitted access to or handling of confidential information. To identify requirements for confidentiality or non-disclosure agreements, the following elements should be considered:

  1. A definition of the information to be protected (e.g. confidential information);
  2. The expected duration of the agreement, including cases where confidentiality might need to be maintained indefinitely;
  3. The actions required when an agreement is terminated;
  4. The responsibilities and actions of signatories to avoid unauthorized disclosure of information;
  5. Ownership of information, trade secrets and intellectual property, and how this relates to the protection of confidential information;
  6. The permitted use of confidential information and the signatory's rights to use the information;
  7. The right to audit and monitor activities that involve confidential information;
  8. The process for notification and reporting of unauthorized disclosure or leakage of confidential information;
  9. Terms for the return or destruction of information at the end of the agreement;
  10. The actions expected to be taken in case of a breach of the agreement.

Other elements may be included in a confidentiality or non-disclosure agreement depending on the organization's information security requirements.

Confidentiality and non-disclosure agreements should comply with all laws and codes applicable to them.

Requirements for confidentiality and non-disclosure agreements should be reviewed periodically and whenever changes occur that affect these requirements.

Other Information – Confidentiality and non-disclosure agreements protect organizational information and inform signatories of their responsibility to protect, use and disclose information in a responsible and authorized manner.

Read More : https://info-savvy.com/iso-27001-annex-a-13-2-3-electronic-messaging-a-13-2-4-confidentiality-or-non-disclosure-agreements/




ISO 27001 Annex : A.11.2.7 Secure Disposal or Re-use of Equipment, A.11.2.8 Unattended User Equipment & A.11.2.9 Clear Desk and Clear Screen Policy

This article explains ISO 27001 Annex : A.11.2.7 Secure Disposal or Re-use of Equipment, A.11.2.8 Unattended User Equipment & A.11.2.9 Clear Desk and Clear Screen Policy.

A.11.2.7  Secure Disposal or Re-use of Equipment

Control- All items of equipment containing storage media should be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

Implementation Guidance- Equipment should be verified to determine whether or not it contains storage media prior to disposal or re-use. Storage media containing confidential or copyrighted information should be physically destroyed, or the information should be destroyed, deleted, or overwritten using techniques that make the original information non-retrievable, rather than using the standard delete or format function.

Other information- Damaged equipment containing storage media may require a risk assessment to determine whether the items should be physically destroyed rather than sent for repair or discarded. Information can be compromised through careless disposal or re-use of equipment.

In addition, full-disk encryption reduces the risk of disclosure of confidential information when equipment is disposed of or redeployed, provided that:

  1. The encryption process is sufficiently strong and covers the entire disk (including slack space, swap files, etc.);
  2. The encryption keys are long enough to resist brute-force attacks;
  3. The encryption keys are themselves kept confidential (e.g. never stored on the same disk). (Refer Clause 10)

Techniques for securely overwriting storage media differ according to the storage media technology. Overwriting tools should be reviewed to make sure they are applicable to the technology of the storage media.

Related Product : ISO 27001 Lead Auditor Training And Certification ISMS

A.11.2.8  Unattended User Equipment

Control- Users should ensure that unattended equipment has appropriate protection.

Implementation Guidance- All users should be made aware of the security requirements and procedures for protecting unattended equipment, as well as their responsibilities for implementing such protection. Users should be advised to:

  1. Terminate active sessions when finished, unless they can be secured by an appropriate locking mechanism, e.g. a password-protected screen saver;
  2. Log off from applications or network services when they are no longer needed;
  3. Secure computers or mobile devices from unauthorized use by a key lock or an equivalent control, e.g. password access, when not in use.

The Organization wishes its information equipment to remain within the CIA triad. It also ensures that the security controls are properly and efficiently implemented to protect the confidentiality, authenticity and/or integrity of the organization's information and information processing facilities even at the time of their disposal. The disposal or reuse of any device containing storage media is covered in Annex 11.2 of ISO 27002. This famous certification of lead auditor and lead implementer covers all the annexes to the security of information by implementing appropriate access controls to ensure authorized access to protect the organization's critical information. Infosavvy, a Mumbai-based institute, offers certifications and training for multiple domains like management of information security, cybersecurity, and many others, including the IRCA CQI ISO 27001:2013 Lead Auditor (LA) and ISO 27001 Lead Implementer (LI) (TÜV SÜD Certification). This certification covers several audits to keep an organization safe from the intended destructor. Infosavvy will help you to understand and identify the full extent of the security controls of your organization that are necessary to protect the operations and information equipment (assets) of your organization from attacks even at the time of their demise. We have trained trainers who have ample know-how and experience in order to make sure that information security is effectively handled. The applicant will, therefore, gain the skills needed to conduct the ISMS audit using commonly agreed audit concepts, procedures and techniques.

Also Read : ISO 27001 Annex : A.11.2.4 Equipment Maintenance, A.11.2.5 Removal of Assets & A.11.2.6 Security of Kit and Assets Off-Premises

A.11.2.9  Clear Desk and Clear Screen Policy

Control- A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities should be adopted.

Implementation Guidance- The clear desk and clear screen policy should take into account the organization's information classifications, legal and contractual requirements, and the corresponding risks and cultural aspects. The following guidelines should be considered:

  1. Sensitive or critical business information (e.g. on paper or on electronic storage media) should be locked away (ideally in a safe, cabinet or other form of secure furniture) when not required, especially when the office is vacated;
  2. Computers and terminals should be left logged off or protected by a screen and keyboard locking mechanism controlled by a password, token or similar user authentication mechanism when unattended;
  3. Unauthorized use of photocopiers and other reproduction technology (e.g. scanners, digital cameras) should be prevented;
  4. Media containing sensitive or classified information should be removed from printers immediately.

Other Information- A clear desk/clear screen policy reduces the risks of unauthorized access, loss of, and damage to information during and outside normal working hours. Safes or other forms of secure storage may also protect the information stored in them against disasters such as earthquakes, floods, or explosions.

Consider the use of PIN-code printers, so only originators are able to get their print-outs and only when they stand beside the printer.




ISO 27001 Annex : A.9.3 User Responsibilities

ISO 27001 Annex : A.9.3 User Responsibilities. Its objective is to make users accountable for safeguarding their authentication information.

A.9.3.1 Use of Secret Authentication Information

Control- Users should be required to follow the organization's practices in the use of secret authentication information.

Implementation Guidance- It is recommended that all users:

  1. Keep secret authentication information confidential, ensuring that it is not divulged to any other party, including people in authority;
  2. Avoid keeping a record (e.g. on paper, in a software file or on a mobile device) of secret authentication information, unless it can be stored securely and the method of storing (e.g. a password vault) has been approved;
  3. Change secret authentication information whenever there is any indication of its possible compromise;
  4. When passwords are used as secret authentication information, select quality passwords with sufficient minimum length which are:
     – easy to remember;
     – not based on anything somebody else could easily guess or obtain using person-related information, e.g. names, telephone numbers, dates of birth, etc.;
     – not vulnerable to dictionary attacks (i.e. do not consist of words included in dictionaries);
     – free of consecutive identical characters, and not all-numeric or all-alphabetic;
     – changed at the first log-on, if temporary;
  5. Not share individual users' secret authentication information;
  6. Ensure proper protection of passwords when they are used as secret authentication information in automated log-on procedures and stored;
  7. Not use the same secret authentication information for business and non-business purposes.
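The password quality rules in item 4 are the kind of thing an organization enforces at the point where a user chooses a password. The following Python is an added example, not code from the original post or from Infosavvy; it turns those rules (minimum length, no person-related data, no dictionary words, no consecutive identical characters, not all-numeric or all-alphabetic) into a checker that reports every rule a candidate password fails. The small word list and the personal details are constructed stand-ins; a real deployment would use a full dictionary or breached-password list and the user's actual profile data.

```python
import re

# Constructed stand-in for a real dictionary / breached-password list (assumption).
COMMON_WORDS = {"password", "welcome", "dragon", "summer", "letmein", "qwerty", "admin"}


def personal_tokens(details) -> set:
    """Derive the fragments of personal data (names, phone digits, dates) that a
    password must not contain; only fragments of 4+ characters are considered."""
    tokens = set()
    for value in details:
        text = str(value).lower()
        if len(text) >= 4:
            tokens.add(text)
        digits = re.sub(r"\D", "", text)   # e.g. "555-1234" -> "5551234"
        if len(digits) >= 4:
            tokens.add(digits)
    return tokens


def password_issues(password: str, personal_details=(), dictionary=COMMON_WORDS,
                    min_length: int = 12) -> list:
    """Return the list of rules the password fails; an empty list means it passes.
    The checks mirror the guidance above: length, person-related data,
    dictionary words, consecutive identical characters, all-numeric / all-alphabetic."""
    issues = []
    lowered = password.lower()
    if len(password) < min_length:
        issues.append("too-short")
    if any(token in lowered for token in personal_tokens(personal_details)):
        issues.append("personal-detail")
    if any(word in lowered for word in dictionary):
        issues.append("dictionary-word")
    if re.search(r"(.)\1", password):        # any character immediately repeated
        issues.append("repeated-character")
    if password.isdigit():
        issues.append("all-numeric")
    if password.isalpha():
        issues.append("all-alphabetic")
    return issues


if __name__ == "__main__":
    # Constructed sample: a user named Alice with phone 555-1234, born 1985-03-14.
    profile = ("Alice", "555-1234", "1985-03-14")
    for candidate in ("password1", "alice-1985-03-14!", "1234567890123", "Tr0ub4dor&3-Xk9"):
        print(candidate, "->", password_issues(candidate, profile) or "ok")
```

The "easy to remember" and "changed at first log-on if temporary" points are not something a checker can decide; the first is a matter of how the user chooses the password, the second is enforced by the log-on process flagging temporary passwords as expired.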

Related Product : ISO 27001 Lead Auditor Training And Certification ISMS

Other Information- Provision of Single Sign-On (SSO) or other secret authentication information management tools reduces the amount of secret authentication information that users are required to protect, and can thus increase the effectiveness of this control. However, these tools can also increase the impact of a disclosure of secret authentication information.

At the end of the day, the goals are simple: safety and security.

– Jodi Rell

Also Read : ISO 27001 Annex : A.9.2.5 Review of User Access Rights & A.9.2.6 Removal or Adjustment of Access Rights

Similarly, the organization also aims to keep its confidential information safe and properly secured. There are various roles in the organization and every user has their own access rights; once roles and access rights have been segregated, it is the duty of the users to keep their credentials and the organization's information and assets safe. Passwords are the most common way of securing information, so those passwords should be of good quality. Annex 9.3 talks about the responsibility of users for safeguarding their authentication information. All the annexes are covered by this famous certification of Lead Auditor and Lead Implementer. Infosavvy, an institute in Mumbai, provides certification and training for multiple domains such as information security management, cybersecurity, and many others, one of which is IRCA CQI ISO 27001:2013 Lead Auditor (LA) and ISO 27001 Lead Implementer (LI) (TÜV SÜD Certification). This certification covers the various controls that should be implemented in an organization to keep it away from destructors, and the trainers at Infosavvy are well-skilled and experienced in providing proper guidance and knowledge for keeping the information security management system secure. This will help the applicant to develop the expertise necessary to carry out the ISMS audit by applying broadly recognized audit principles, procedures, and techniques.

Read More : https://www.info-savvy.com/iso-27001-annex-a-9-3-user-responsibilities/




ISO 27001 Annex : A.8.2 Information Classification

ISO 27001 Annex : A.8.2 Information Classification. Its objective is to ensure that information receives an appropriate level of protection in accordance with its importance to the organization.

A.8.2.1 Classification of Information

Control- Information should be classified on the basis of legal requirements, criticality, and sensitivity to unauthorized disclosure or modification.

Implementation Guidance- Classifications and associated protective controls for information should take account of business needs for sharing or restricting information, as well as legal requirements. Assets other than information can also be classified in conformance with the classification of the information that is stored in, processed by, or otherwise handled or protected by the asset. Owners of information assets should be accountable for their classification.

The classification scheme should include conventions for classification and criteria for reviewing the classification over time. The level of protection in the scheme should be assessed by analysing confidentiality, integrity and availability and any other requirements for the information considered. The scheme should be aligned with the access control policy. Each level should be given a name that makes sense in the context of the classification scheme's application. The scheme should be consistent across the whole organization so that everybody classifies information and related assets in the same way, has a common understanding of protection requirements, and applies appropriate protection.

Related Product : ISO 27001 Lead Auditor Training And Certification ISMS

Classification should be included in the organization's processes and be consistent and coherent across the organization. Results of classification should indicate the value of assets depending on their sensitivity and criticality to the organization, e.g. in terms of confidentiality, integrity, and availability. Results of classification should be updated in accordance with changes of their value, sensitivity, and criticality through their life-cycle.

Other Information- Classification provides people who deal with information with a concise indication of how to handle and protect it. Creating groups of information with similar protection needs and specifying information security procedures that apply to all the information in each group facilitates this. This approach reduces the need for case-by-case risk assessment and custom design of controls.

Information can cease to be sensitive or critical after a certain period of time, for example when the information has been made public. These aspects should be taken into account, as over-classification can lead to the implementation of unnecessary controls resulting in additional expense, while under-classification can endanger the achievement of business objectives.

At Infosavvy we have our trainers as our assets, who are skilled and well-trained in various courses in the field of information security, and we are also eligible for one of the most important certificates in the area of information security, i.e. IRCA CQI ISO 27001:2013 Lead Auditor (LA) and ISO 27001 Lead Implementer (LI) (TÜV SÜD Certification). Our trainers can empower you to do better asset management by providing you with in-depth information and numerous examples, helping the applicant to improve their skills and do well.

Also Read : ISO 27001 Annex : A.8.1.3 Acceptable Use of Assets & A.8.1.4 Return of Assets

An example of a confidentiality classification scheme could be based on four levels as follows:

  1. Disclosure causes no harm;
  2. Disclosure causes minor embarrassment or minor operational inconvenience;
  3. Disclosure has a significant short-term impact on operations or tactical objectives;
  4. Disclosure has a serious impact on long-term strategic objectives or puts the survival of the organization at risk.

Read More : https://www.info-savvy.com/iso-27001-annex-a-8-2-information-classification/




ISO 27001 Annex : A.6 Organization of Information Security

6.1 Internal Organization

The objective of ISO 27001 Annex : A.6 Organization of Information Security is to establish a management framework to initiate and control the implementation and operation of information security within the organization.

6.1.1 Information Security Roles and Responsibilities

Control- All information security responsibilities should be defined and allocated.

Implementation Guidance- Allocation of information security responsibilities should be done in accordance with the information security policies (Refer A.5.1.1). Responsibilities for the protection of individual assets and for carrying out specific information security processes should be identified. Responsibilities for information security risk management activities and, in particular, for the acceptance of residual risks should be defined. Where necessary, these responsibilities should be supplemented with more detailed guidance for specific sites and information processing facilities. Local responsibilities for the protection of assets and for carrying out specific security processes should be defined. Individuals with allocated information security responsibilities may delegate security tasks to others. Nevertheless, they remain accountable and should determine that any delegated tasks have been correctly performed.

Related Product : ISO 27001 Lead Auditor Training And Certification ISMS

Areas for which individuals are responsible should be stated. In particular, the following should take place:

  1. The assets and information security processes should be identified and defined;
  2. An individual should be assigned responsibility for each asset and information security process, and the details of this responsibility should be documented;
  3. Authorization levels should be defined and documented;
  4. To be able to fulfil responsibilities in the information security area, the appointed individuals should be competent in the area and be given opportunities to keep up to date with developments;
  5. Coordination and oversight of information security aspects of supplier relationships should be identified and documented.

Other Information- Many organizations appoint an information security manager to take overall responsibility for the development and implementation of information security and to support the identification of controls. However, responsibility for resourcing and implementing the controls will often remain with individual managers. One common practice is to appoint an owner for each asset, who then becomes responsible for its day-to-day protection.

6.1.2  Segregation of Duties

Control- Conflicting duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.

Implementation Guidance- Care should be taken that no single person can access, modify or use assets without authorization or detection. The initiation of an event should be separated from its authorization. The possibility of collusion should be considered when designing the controls. Small organizations may find segregation of duties difficult to achieve, but the principle should be applied as far as is possible and practicable. Whenever segregation is difficult, other controls such as monitoring of activities, audit trails and management supervision should be considered.

Other Information- Segregation of duties is a method for reducing the risk of accidental or deliberate misuse of an organization's assets.
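The segregation-of-duties guidance above describes two complementary checks: a preventive one (no single person holds a conflicting pair of roles) and, where full segregation is not achievable, a detective one over the audit trail (the person who initiated a transaction must not be the one who authorized it). The following Python is an added example, not code from the original post or from Infosavvy; the conflicting role pairs, the role assignments and the audit-trail entries are all constructed for the example, and a real organization would take the conflict matrix from its own risk assessment and the data from its IAM system and transaction logs.

```python
# Pairs of roles that should never be held by the same person (constructed for
# this example; a real matrix comes from the organization's risk assessment).
CONFLICTING_ROLE_PAIRS = (
    frozenset({"create_payment", "approve_payment"}),
    frozenset({"sysadmin", "log_auditor"}),
)


def toxic_combinations(assignments: dict) -> list:
    """Preventive check: users whose assigned roles contain a conflicting pair.
    assignments maps user -> iterable of role names. Returns (user, pair) tuples,
    sorted by user so the output is stable for reporting."""
    findings = []
    for user, roles in sorted(assignments.items()):
        held = set(roles)
        for pair in CONFLICTING_ROLE_PAIRS:
            if pair <= held:                     # both roles of the pair are held
                findings.append((user, tuple(sorted(pair))))
    return findings


def self_approvals(audit_trail: list) -> list:
    """Detective check over an audit trail: IDs of transactions where the same
    person both initiated and approved, i.e. execution was not separated from
    authorization. This is the compensating control the guidance suggests when
    full segregation is impractical."""
    return [entry["id"] for entry in audit_trail
            if entry["initiator"] == entry["approver"]]


# Constructed sample data: bob and dave each hold a conflicting pair of roles.
SAMPLE_ASSIGNMENTS = {
    "alice": ["create_payment"],
    "bob": ["create_payment", "approve_payment"],
    "carol": ["approve_payment"],
    "dave": ["sysadmin", "log_auditor"],
}

# Constructed audit trail: P-2 was created and approved by the same person.
SAMPLE_AUDIT_TRAIL = [
    {"id": "P-1", "initiator": "alice", "approver": "carol", "amount": 1200},
    {"id": "P-2", "initiator": "bob", "approver": "bob", "amount": 98000},
    {"id": "P-3", "initiator": "alice", "approver": "bob", "amount": 450},
]


def run_demo() -> dict:
    """Run both checks over the constructed data and return the findings."""
    return {
        "toxic": toxic_combinations(SAMPLE_ASSIGNMENTS),
        "self_approved": self_approvals(SAMPLE_AUDIT_TRAIL),
    }


if __name__ == "__main__":
    print(run_demo())
```

The preventive check flags bob and dave before any transaction happens; the detective check shows that even where bob legitimately holds both roles, the audit trail still exposes P-2 as a transaction that needs management review.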

6.1.3  Contact with Authorities

Control- Appropriate contacts with relevant authorities should be maintained.

Implementation Guidance- Organizations should have processes in place that determine when and by whom officials (e.g. law enforcement, regulatory agencies, supervisory officials) should communicate and how information security violations detected will be recorded in a timely manner (e.g. if the law is alleged to have been violated).

Other Information- Organizations under attack from the Internet may need authorities to take action against the attack source. Maintaining such contacts may also be a requirement to support information security incident management or the business continuity and contingency planning process. Contacts with regulatory bodies are also useful to anticipate and prepare for upcoming changes in laws or regulations that the organization has to follow. Contacts with other authorities include utilities, emergency services, electricity suppliers, and health and safety services such as fire departments, telecommunication providers (for line routing and availability), and water suppliers (for equipment cooling).

6.1.4  Contact with Interest groups

Control- Appropriate contacts with special interest groups or other specialist security forums and professional associations should be maintained.

Implementation Guidance – Membership of special interest groups or forums should be considered as a means to:

  1. Improve knowledge about best practices and stay up to date with relevant security information;
  2. Ensure that the understanding of the information security environment is current and complete;
  3. Receive early warnings of alerts, advisories and patches relating to attacks and vulnerabilities;
  4. Gain access to specialist information security advice;
  5. Share and exchange information about new technologies, products, threats or vulnerabilities;
  6. Provide suitable liaison points when dealing with information security incidents.

Read More : https://www.info-savvy.com/iso-27001-annex-a-6-organization-of-information-security/