3rd March 2014
Holders of the ISO 27001:2005 Standard will be aware that the clock is ticking: they must transition to the new 2013 Standard by the end of September 2015 or risk having their certification withdrawn. However, most organisations are rightly cautious about rushing the transition and ending up with a system that is too complicated or too difficult to maintain.
Over the next few weeks we will be showing simple steps for the transition. Here are the policies that the new Standard requires you to document, with the Annex A control that calls for each one:
- Information Security Policy (A.5.1.1) – sets out the policy of the company and covers the C.I.A. objectives (confidentiality, integrity and availability).
- Mobile Device Policy (A.6.2.1) – sets out the protections and controls for mobile devices, which include tablets, laptops/notebooks and smart phones.
- Termination of Employment Policy (A.7.3.1) – sets out the controls and actions to be taken when employment ends or an employee's role changes; resignation, dismissal and redundancy are all covered.
- Teleworking Policy (A.6.2.2) – sets out the information security controls required for off-site workers.
- Acceptable Use of Assets Policy (A.8.1.3) – sets out the permitted uses of equipment and information, and the uses that are not permitted.
- Cryptographic Policy (A.10.1.1) – sets out the controls on the use of cryptography, so that the benefits of cryptographic techniques are maximised, the risks are minimised and inappropriate or incorrect use is avoided.
- Cryptographic Key Lifetime Protection Policy (A.10.1.2) – sets out the controls for the issue, protection and storage of keys, and the actions to be taken when keys are retired.
- Security for Assets while Off Site Policy (A.11.2.6) – sets out the controls to protect equipment and data when they are outside the protection of the organisation.
- Unattended Equipment Policy (A.11.2.8) – sets out the controls to protect unattended equipment on site.
- Clear Desk Policy (A.11.2.9) – sets out the controls to protect sensitive documents or data left on desks.
- Clear Screen Policy (A.11.2.9) – sets out the controls to protect screens from being viewed by unauthorised people.
- Formal Information Transfer Policy (A.13.2.1) – sets out the controls and protocols for the transfer of data. This includes the permitted methods of transfer and the requirement for cryptographic controls where necessary.
These policies are required in addition to the top-level information security policy that is usually displayed. We recommend that they are prepared and kept available in a file or document repository, so that they can be produced for the auditor at the transition assessment.
This is an important stage in the transition to the new Standard.
The official blog for independent Management Training Consultancy, Quality Matters Limited.