
A detailed look at ISO 27001: Part 2

6th February 2017

ISO 27002 is the code of practice, and it is normal to use it to set up a comprehensive Information Security Management System (ISMS). It has 19 sections, numbered 0 to 18; sections 0 to 4 are introductory and sections 5 to 18 are the security control clauses:

Section 0:  Introduction

Starting from ‘What is information security?’ the introduction explains about information and how to make use of the standard.

Section 1: Scope

The Standard gives information on the extent of cover for an ISMS.

Section 2: Normative References

Reference is made to documents that are referenced within 27002 and are indispensable for operation of the Information Security Management System.

Section 3: Terms and Definitions

The terms and definitions are those given in ISO 27000, which provides the shared vocabulary for the whole 27000 series.

Section 4:  Structure of the Standard

This section simply explains that the standard contains 14 security control clauses, containing a total of 35 main security categories and 114 controls.

Section 5: Information Security Policies

A set of policies for information security defined, approved by management, published and communicated to employees and relevant external parties.

Management must define a policy to clarify their direction and support for information security, meaning a short, high-level information security policy statement laying down the key information security directives and mandates for the entire organisation.

Normally it will spell out the three main criteria:
C –  Confidentiality
I  –  Integrity
A –  Availability

This is normally supported by a comprehensive set of more detailed corporate information security policies, typically in the form of an information security policy manual. The policy manual in turn is supported by a set of information security procedures and guidelines.

This policy is normally signed by the most senior person and displayed.

Section 6: Organisation of Information Security

A management framework must be designed and implemented to initiate and control the implementation of information security within the organisation. This includes assigning responsibility for information security risk management and, in particular, for the acceptance of residual risks.

A Forum, made up of a cross section of people in the organisation must meet regularly.

6.1 Information Security Roles and Responsibilities

The organisation must have a management structure for information security. Senior management must provide direction and commit their support, for example by approving information security policies. Roles and responsibilities must be defined for the information security function. Other relevant functions must cooperate and coordinate their activities. New information processing facilities must be authorised by management before they are brought into use.

Confidentiality agreements must reflect the organisation’s needs. Contacts must be established with relevant authorities (e.g. law enforcement) and special interest groups. Information security must be independently reviewed.

6.2 Mobile Devices and Teleworking

Mobile devices are used extensively within organisations, and it is vital that the security of business information held on them is protected. This is particularly important when working outside the organisation in unprotected environments, where the device may be lost, stolen or used on untrusted networks. Mobile devices must be protected from theft and, where possible, must be capable of being remotely wiped of information when needed.

Section 7:  Human Resources Security

The organisation must manage system access rights and related matters for new starters, people changing role and leavers (the "joiner, mover, leaver" process), and must undertake suitable security awareness, training and educational activities.

7.1 Prior to Employment

Background verification checks must be carried out in accordance with relevant laws, regulations and ethics, and must be proportionate to the business requirements, the classification of the information to be accessed and the perceived risks.

Security responsibilities must be taken into account when recruiting permanent employees, contractors and temporary staff, through adequate job descriptions and pre-employment screening, and must be included in contracts (e.g. terms and conditions of employment and other signed agreements on security roles and responsibilities).

7.2 During Employment

The organisation must ensure that employees, contractors and third party users are properly briefed about information security threats and concerns, and their responsibilities regarding information security must be defined. Employees and (if relevant) third party IT users must be made aware of, educated in and trained on security procedures. A formal disciplinary process is necessary to handle security breaches.

7.3 Termination and Change of Employment

The security aspects of a person's exit from the organisation must be managed (e.g. the return of company assets, removal of access rights, and the change of any shared access codes or passwords they knew). Clearly some of the controls are different if the person has been dismissed and must leave the premises immediately: access should be removed before, not after, they are told.

Changes in role must be managed in the same way. Access belonging to the old responsibility is terminated at the same time as access for the new responsibility is granted, so that entitlements do not quietly accumulate as people move through the organisation.
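The joiner, mover and leaver controls in Section 7 and 7.3 reduce to one recurring check that can be automated: does every enabled account still match what HR says about the person? The following Python is an added example written for this article; it is not code from Quality Matters or from the ISO standard. The HR feed, the account export, the role-to-entitlement model and all user and entitlement names are constructed assumptions made for the illustration.

```python
"""Joiner/mover/leaver access reconciliation (added example, not from the article).

Compares an HR feed against an export of system accounts and reports:
  - leaver-still-enabled: a leaver whose last day has passed but whose account is still enabled
  - excess-entitlement:   a mover (or anyone) holding entitlements their current role does not justify
  - orphan-account:       an enabled account with no HR record behind it
Data layout, role model and names are assumptions for the illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed role-to-entitlement model: the entitlements each role is allowed to hold.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp-read", "erp-post-journal", "vpn"},
    "finance-manager": {"erp-read", "erp-post-journal", "erp-approve", "vpn"},
    "helpdesk": {"ad-password-reset", "vpn"},
}


@dataclass(frozen=True)
class HrRecord:
    user: str
    role: str
    status: str                      # "active" or "leaver"
    left_on: Optional[date] = None   # last day of employment for leavers


@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    entitlements: frozenset


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str
    detail: str


def reconcile(hr, accounts, today):
    """Return findings for access that contradicts the HR feed as of `today`."""
    hr_by_user = {r.user: r for r in hr}
    findings = []
    for acct in accounts:
        rec = hr_by_user.get(acct.user)
        if rec is None:
            # Nobody in HR owns this account: classic orphan or forgotten service account.
            if acct.enabled:
                findings.append(Finding(acct.user, "orphan-account", "no HR record"))
            continue
        # A leaver with no date, or whose last day is behind us, should already be disabled.
        if rec.status == "leaver" and (rec.left_on is None or rec.left_on < today):
            if acct.enabled:
                when = rec.left_on.isoformat() if rec.left_on else "unknown"
                findings.append(Finding(acct.user, "leaver-still-enabled", f"left on {when}"))
            continue
        # Still employed (including a leaver working out notice): check for privilege creep.
        excess = set(acct.entitlements) - ROLE_ENTITLEMENTS.get(rec.role, set())
        if excess:
            findings.append(Finding(acct.user, "excess-entitlement", ", ".join(sorted(excess))))
    return findings


def users_to_disable(findings):
    """Accounts that should be disabled outright rather than trimmed."""
    return sorted({f.user for f in findings if f.kind in ("leaver-still-enabled", "orphan-account")})


# Constructed sample data (not real people or systems).
SAMPLE_HR = [
    HrRecord("alice", "finance-manager", "active"),
    HrRecord("bob", "helpdesk", "active"),                      # moved from finance-analyst
    HrRecord("carol", "finance-analyst", "leaver", date(2017, 1, 31)),
    HrRecord("dave", "helpdesk", "leaver", date(2017, 3, 1)),   # working out notice
]
SAMPLE_ACCOUNTS = [
    Account("alice", True, frozenset({"erp-read", "erp-post-journal", "erp-approve", "vpn"})),
    Account("bob", True, frozenset({"ad-password-reset", "vpn", "erp-post-journal"})),  # kept old right
    Account("carol", True, frozenset({"erp-read", "vpn"})),     # leaver never disabled
    Account("dave", True, frozenset({"ad-password-reset", "vpn"})),
    Account("svc-legacy", True, frozenset({"erp-read"})),       # no HR record at all
]


def sample_findings():
    """Run the reconciliation over the constructed data as of the article's date."""
    return reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS, date(2017, 2, 6))


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.kind:22} {f.user:12} {f.detail}")
    print("disable:", users_to_disable(sample_findings()))
```

Run daily against the real HR feed and account exports, the three finding types map directly onto the controls above: leaver-still-enabled is a failed exit, excess-entitlement is a mover whose old access was never removed, and orphan-account is an account nobody in HR is accountable for. Note that dave produces no finding: a leaver still serving notice keeps the access their current role justifies until the last day, which is why the check compares the leaving date with today rather than acting on the status alone.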

The official blog for independent Management Training
Consultancy, Quality Matters Limited.
