ISO 27001 - Annex A.6 - Organisation of Information Security

by Maya G

Annex A controls are necessary to address risks that an organization may face in achieving ISO 27001 certification. Annex A.6 provides guidelines for information security operations within the organization to inspire consumer trust and fulfil regulatory requirements.



Annex A.6.1: Internal Organisation, iso 27001

In this blog, you will learn about Annex 6, its two subsections, their contents, and how they apply to your organization in this article. 

What is Annex A.6?

Annex A.6 of ISO 27001 is a set of information security risk management requirements. The standard defines Annex A.6 as “the application of risk management to information security within the context of the organization’s overall risk management strategy and process.”

In other words, Annex A.6 provides a framework for implementing ISO 27001 risk management requirements within an organization’s existing risk management processes.

The Annex A.6 requirements are organized into four phases: risk assessment, risk treatment, risk communication, and risk monitoring.

There are two sections in Annex A.6. both Annex A.6.1 and A.6.2.

  • 6.1 confirms that the organization has a structure that complies with ISO standards. With the help of this solution, information security is made simpler to implement and maintain.
  • 6.2 concentrates on portable technology and remote work. This method is primarily used by people who work remotely or while traveling, either full- or part-time.

Annex A.6.1: Internal Organisation

Annex A.6.1 of ISO 27001 requires organizations to establish, document, and maintain an internal organization, including:

  • Roles, responsibilities, and authorities.
  • Management commitment and responsibility for the ISMS.
  • ISMS policy.
  • ISMS objectives.
  • Structure and hierarchy of the organization.
  • Communication channels.

The purpose of this requirement is to ensure that the organization has the necessary elements in place to support the effective implementation and management of the ISMS. It helps to ensure that there is clear responsibility and accountability for the ISMS within the organisation and that there is a clear ISMS policy against which the effectiveness of the ISMS can be measured.

Annex A.6.1.1: Information security roles and responsibilities

Annex A.6.1.1 of ISO/IEC 27001:2013 lists information security roles and responsibilities. The roles and responsibilities should be documented and allocated to individuals or groups. The list of roles and responsibilities in Annex A.6.1.1 is not exhaustive and should be adapted to the specific needs of the organization.

The roles and responsibilities included in Annex A.6.1.1 are:

  • Executive management: responsible for developing the information security policy and for ensuring that it is communicated and implemented.
  • Information security management: responsible for developing and implementing the information security management system.
  • Information security roles and responsibilities (iso 27001)
  • Information security officer: responsible for ensuring that the information security management system is implemented and for coordinating information security activities.
  • Information security roles and responsibilities (iso 27001)
  • Information security team: responsible for implementing the information security management system and for performing information security tasks.

Annex A.6.1.2: Segregation of duties

ISO 27001 Annex A.6.1.2 requires that the segregation of duties is implemented in order to reduce the risk of errors or fraud. Segregation of duties is the separation of conflicting roles and responsibilities within an organization, for example, between the roles of requisitioner and approver of purchase orders.

  • When designing the segregation of duties policy, organizations should consider the following:
  • The business needs of the organization
  • The risks to the organization
  • The segregation of duties controls that are needed
  • How the segregation of duties will be achieved in practice

Annex A.6.1.3: Contact with authorities:

The Annex A.6.1.3: Contact with authorities (iso 27001) is a regulation that outlines the requirements for a company's communication with public and private authorities. This regulation covers all interactions between a company and an authority, including but not limited to: phone calls, emails, letters, and face-to-face meetings.

The purpose of this regulation is to protect a company's proprietary information, as well as to ensure that a company is in compliance with all relevant laws and regulations. This regulation is essential for any company that interacts with authorities on a regular basis.

 annex a.6.1.3: contact with authorities (iso 27001) covers the requirements for a company's communication with public and private authorities. This regulation is essential for any company that interacts with authorities on a regular basis.

 Annex A.6.1.4: Contact with interested groups:

Organizations should identify and assess the interests of relevant external parties in order to Annex A.6.1.4: Contact with interested groups (iso 27001) to determine their information security requirements. Annex A.6.1.4: Contact with interested groups (iso 27001) Annex A.6.1.4: Contact with interested groups (iso 27001) Organizations should consider the following when determining their information Annex A.6.1.4: Contact with interested groups (iso 27001) security requirements:

The types of information that are important to the organization and its operation.

  • The sensitivity of the information.
  • The applicable legal and regulatory requirements.
  • The contractual obligations of the organization.
  • The expectations of the interested parties.

Annex A.6.1.5: Information Security in project management:

Annex A.6.1.5: Information Security in project management  (iso 27001) is a security standard for information systems management. It is a guidance document that provides an overview of the risks associated with information security and outlines a risk management approach for mitigating these risks.

The standard is divided into four parts:

  • Part 1: Introduction
  • Part 2: Conceptual framework
  • Part 3: Implementation guidance
  • Part 4: Annexes

Annex A.6.1.5: Information Security in project management (iso 27001) is an important standard for organizations to implement to protect their information assets from security risks.

Throughout the ISO 27001 certification process, the auditor will be looking to ensure that all project participants are responsible for taking information security into account at all stages of the project lifecycle. Education and awareness efforts ought to cover this, as indicated in Annex A.7.2.2.

6.2 Mobile devices and teleworking:

Organizations wishing to obtain ISO 27001 certification must comply with Annex 6.2 by implementing a security policy for mobile devices and teleworking. Bring Your Own Device is a choice. A secure channel that eliminates the possibility of data security breaches should protect the whole mobile and networking infrastructure.

The standard requires that organizations take appropriate security measures to protect information assets stored on or accessed via mobile devices. This includes measures to prevent the unauthorized access, use, disclosure, interception, or destruction of information.

In order to comply with this requirement, teleworkers and mobile device users must take appropriate security measures when working with mobile devices. This includes ensuring that the devices are locked when not in use, encrypting data in transit, and only downloading apps from trusted sources.

In addition, organizations must have a policy that sets out the acceptable use of mobile devices and teleworking. This policy should be communicated to all employees and regularly reviewed.

 Annex A.6.2.1: Mobile device policy:

Organizations must adopt Annex A.6.2.1: Mobile device policy (iso 27001) in order to ensure the confidentiality, integrity, and availability of data when employees are working with mobile devices.

  • The policy should cover the following:
  • The types of devices that are allowed to be used for work purposes
  • The circumstances under which mobile devices can be used for work purposes
  • The security controls that must be implemented on mobile devices
  • The procedures for lost or stolen devices
  • The training and awareness requirements for employees who use mobile devices for work purposes

Annex A.6.2.1: Mobile device policy (iso 27001) is critical to any data security strategy and should be given due diligence by organizations.

Annex A.6.2.2: Teleworking

Teleworking, also known as remote working, is a flexible working arrangement in which employees do not have to commute to a central place of work. Instead, they can work from home or other locations outside of the office.

Teleworking has many benefits, such as reduced carbon emissions from commuting, improved work-life balance, and increased productivity. However, teleworking also has some risks, such as data security breaches and difficulty maintaining communication and collaboration with team members.

To mitigate the risks of teleworking, it is important to have a well-defined policy in place. This policy should be aligned with the organization’s overall security policy and should be reviewed on a regular basis.

Annex A.6.2.2 of the ISO/IEC 27001 standard guides on developing a secure teleworking policy. This annex covers the following topics:

  • Introduction
  • Definitions
  • Security objectives
  • Security controls
  • Implementation considerations
  • Management considerations

 Conclusion:

This is the final blog in a series of blogs on Annex A.6 of ISO 27001. This blog will provide a brief overview of the Annex and its contents. We will also offer some tips on how to implement the Annex in your organization effectively.

Annex A.6 of ISO 27001 guides selecting and implementing security controls. The Annex is divided into two parts: Part 1 provides an overview of the security control selection process, and Part 2 provides guidance on implementing security controls.

The first step in the selection process is to identify the security risks that your organization faces. Once the risks have been identified, you can then select the security controls that are best suited to mitigate those risks.

The second step in the process is to implement the selected security controls. This step includes documenting the security controls, implementing them, and testing them to ensure they are effective.

The Annex also includes a number of annexes that provide more detailed information on specific topics. These annexes include information on risk assessment methodologies, security