Conformance1

Tools for conforming to standards, goals and processes

5.13 Labelling of information

Labeling procedures should cover all formats of information and associated assets, reflecting how things are classified (5.12), with easily recognizable labels attached appropriately. Guidance should cover how the labels are placed, and where, based on media type. Procedures should also define cases for omission and handling where labeling is impossible. Metadata should be used …

5.12 Classification of information

Establish topic-specific policies on classifying information, align them with the access control policy, and account for confidentiality, integrity, and availability requirements. Classification schemes should include naming conventions and criteria for review, and be applied consistently throughout the organization. Owners should be accountable for classification, and assets, rather than the information alone, can be classified. The classification can be …

5.11 Return of assets

Formalize the change/termination process for the return of physical and digital assets owned by or entrusted to the organization. Define procedures for transferring relevant information and securely deleting it from personal equipment. Document and transfer important knowledge to the organization. Prevent any unauthorized copying of IP during the notice period. Identify and document returnable assets: user devices, portable storage, …

5.10 Acceptable use of information and other associated assets

Inform personnel and external parties of information security requirements and establish a policy on acceptable use. Develop procedures for the full lifecycle of information, considering access restrictions, authorized users, copy protection, storage, marking, disposal, and deletion. …

5.9 Inventory of information and other associated assets

Identify and classify assets, maintain an accurate inventory, and assign ownership. Owners manage assets, inventory, classification, component support, acceptable use, access restrictions, and secure disposal. Granularity should be appropriate and ownership reassigned when necessary. …

5.8 Information security in project management

Integrate information security into project management so that the organization can better address risks. Assess and treat InfoSec risks, address requirements, and consider communication security. Review progress and allocate responsibilities. Determine security requirements for all projects and consider information classification, protection, authentication, access, user …

5.7 Threat intelligence

Collect and analyze threat intelligence to prevent harm and reduce impact. Consider strategic, tactical, and operational layers. Ensure relevance, insightfulness, context, and actionability. Establish objectives, vet sources, collect and process information, analyze and communicate it. Use threat intelligence to manage risks, enhance controls, and test processes. Share …

5.6 Contact with special interest groups

Join interest groups to improve knowledge, understand the security environment, get early warnings and access advice, exchange information, and provide liaison points for security incidents. …

5.5 Contact with authorities

Specify who should contact authorities, and when, for identified security incidents, and report promptly. Use these contacts to understand authorities' expectations and regulations. …

5.4 Management responsibilities

Management must support policies, protocols, and controls for information security. Ensure personnel are briefed on roles and obligations, guidelines, policy compliance, awareness, and qualifications. Enforce employment terms and conditions. Provide confidential reporting channels and adequate resources for security processes and controls. …

5.3 Segregation of duties

Segregate conflicting duties to keep one user from executing them alone. Identify which obligations need segregation, such as change approval, access rights, code design, and security control assurance. Consider collusion risk and use other controls if segregation is difficult. Avoid conflicting roles in any access control system, use automation to pinpoint conflicts, and …

5.2 Information security roles and responsibilities

Assign security positions and obligations according to policy. Identify and govern responsibilities for asset protection, security processes, risk management, and personnel. Provide detailed guidance where necessary. Those with assigned responsibilities may delegate tasks, but remain accountable. Define security areas and authorization levels, and ensure competence and ongoing …

5.1 Policies for information security

The organization's InfoSec policy should be defined, approved by top management, and take into account business requirements, regulations, and risks. It should contain specific statements and be supported by topic-specific policies. Relevant personnel should develop and approve topic-specific policies, and policies should be reviewed regularly. Organizations should communicate …

Clause 10.2.g

Glossary Item …

Clause 10.2.g

Keep records of all the actions taken after a security incident. …

Clause 10.2.a

The organization should develop a method of logging information security incidents and following through with a cause analysis and corrective action, if it is not already doing so in another system. …

Clause 10.1: Continual improvement

Use sources such as client feedback (internal and external clients), audits (internal and external), metrics (see clause 9) and Management Review (9.3) …

Clause 9.3.3: Management review outputs

The question in this clause should be an agenda item in meetings. …

Clause 9.3.2.a

The questions in Clause 9.3.2 should be agenda items in meetings. …

Clause 9.3.1: General

See clause 9.3 for the agenda items that should be covered in this meeting. Not every agenda item needs to be covered in one meeting. …

Copyright © 2025 · Conformance1