ISO 27002
ISO 27002 is a standard for information security management: a catalogue of security controls for protecting and managing information.
Section 5 - Information security policies
- Ensure that principles, policies... have been defined to protect information.
- It's important to regularly review policies to ensure that they remain relevant and up-to-date.
5.1 Information security policies
- Provide guidance to management on information security. Ensure it aligns with business needs and applicable laws/regulations.
- Develop information security policies, approved by management, and communicated to employees and relevant parties.
5.1.2 Review of the information security policies: periodically reviewing the information security policies at planned intervals or when major changes occur to ensure their continued relevance, compliance, and effectiveness.
Section 6 - Organization of information security
- Ensure that a structure has been defined to govern information security.
- It's important that everyone is aware of their role and responsibilities in the organization.
6.1 Internal organization: Define a management framework to initiate and control the implementation and operation of information security within the organization.
- Define and assign all roles and responsibilities related to information security.
- Separate conflicting duties and responsibilities to reduce the risk of accidental or intentional misuse of organizational assets.
- Establish and maintain relationships with relevant legal and judicial authorities and suppliers for business continuity.
- Establish and maintain relationships with relevant interest groups and professional associations.
- Consider information security in project management, regardless of the project type.
6.2 Mobile devices and teleworking
- Develop and adopt policies and appropriate controls to reduce risks associated with mobile devices and teleworking.
- Develop and adopt policies and appropriate controls to protect information accessed, processed, or stored at teleworking sites.
Section 7 - Human resource security
- Ensure the organization has taken appropriate measures to protect information from the security risks associated with personnel.
7.1 Prior to employment
- Background checks must be carried out for all job candidates in accordance with the laws, regulations, and ethical codes in force. The extent of the background check should be proportionate to the business requirements, the classification of the information that will be accessed, and the perceived risks.
- Employment contracts must specify the person's responsibilities with regard to information security.
7.2 During employment
- Managers must require employees and contractors to apply the information security measures as established in the organization's policies and procedures.
- All employees and contractors in the organization must receive the necessary training to understand and apply the relevant information security policies and procedures to their tasks. This training should be regularly updated.
- There must be a disciplinary process in place to sanction individuals who have committed an information security breach.
7.3 Termination and change of employment: The responsibilities regarding information security that are applicable after the end of employment or the transfer to a new role must be defined, communicated to the individuals concerned, and applied.
Section 8 - Asset management
- Ensure the organization has inventoried and manages every asset.
8.1 Responsibility for assets
- An inventory of information assets should be created and kept up-to-date.
- Information assets must be the responsibility of someone in the organization.
- Rules regarding the use of information assets should be identified, documented, and put in place.
- Information assets must be returned to the organization at the end of an employee's or contractor's employment or contract.
8.2 Information classification
- Information must be classified based on legal requirements, its value, criticality, and sensitivity.
- Procedures should be developed and implemented to label information so that its classification is attached to it and visible.
- Procedures should be developed and implemented to ensure that information assets are handled correctly based on their classification.
8.3 Media handling
- Procedures should be developed and implemented to manage removable media in compliance with information classification.
- Media that is no longer required should be disposed of based on its classification.
- Media should be protected against unauthorized access and unwanted modification during transport.
Section 9 - Access control
- Ensure the organization has defined proper access control.
9.1 Business requirements of access control
- A documented and regularly reviewed access control policy must be established to reflect the organization's business and information security needs.
- Users must be granted access only to the networks they are authorized to use.
9.2 User access management
- A formal process for user registration and de-registration must be implemented to ensure proper access rights management.
- A formal process for granting and revoking access rights must be established for all users and information systems. Access to privileged accounts must be restricted and controlled.
- A formal process for the use of secret authentication information must be established.
- Access rights must be periodically reviewed by trustees.
- Access rights must be revoked or adjusted when employees end their employment or mandate or change their roles.
9.3 User responsibilities
- Users must be made responsible for protecting their authentication information.
- Users must follow established organization practices for the use of authentication information.
9.4 System and application access control
- Access to information and application functions must be restricted in accordance with the access control policy.
- Secure procedures must be implemented to control system and application logins when required.
- An interactive password management system must be implemented to ensure strong passwords.
- Utilities with privileged access must be restricted and controlled. Access to application source code must be restricted.
Section 10 - Cryptography
- Ensure the organization uses appropriate encryption techniques to protect information.
10.1 Cryptographic controls
- Ensure the correct use of cryptography to protect the confidentiality and integrity of information.
- A policy on the use of encryption must be defined and implemented.
- A policy on the protection and life cycle of encryption keys must be defined and implemented.
Section 11 - Physical and environmental security
- Ensure the organization has taken measures to protect physical assets.
11.1 Secure areas
- Physical security perimeters should be defined and used to protect critical or sensitive information assets.
- Controlled entry mechanisms should be implemented to prevent unauthorized access to secure areas.
- Security rules for offices, rooms, and other facilities should be defined and enforced.
- Protection against environmental threats such as natural disasters, accidents, and physical attacks should be defined and implemented.
- Procedures for working in secure areas should be defined and implemented.
- Loading areas accessible from the outside should be controlled and isolated from secure areas.
11.2 Equipment
- Equipment should be protected against power failures and other disruptions of supporting utilities.
- Power and data cabling should be protected against interception, interference, and damage.
- Equipment should be properly maintained to support business continuity.
- Equipment should not be removed from its site without authorization.
- Off-site equipment should be secured according to the risks.
- Sensitive information should be erased from equipment before disposal or reuse.
- Users should ensure that their equipment is protected when left unattended.
- A clear desk and clear screen policy should be defined and implemented.
Section 12 - Operations security
- Ensure the organization performs its operations, such as backups, securely.
12.1 Operational procedures and responsibilities
- To ensure proper and secure information processing.
- Operational procedures must be documented and made available to those who need them.
- Changes to processes and systems that affect data management must be controlled.
- Resource utilization must be monitored, adjusted, and future needs forecasted to ensure availability of information.
- Development, testing, and production must be in separate environments to reduce the risk of unauthorized access or changes.
12.2 Protection from malware
- To ensure information assets are protected against malware.
- Mechanisms to prevent, detect, and counter malware must be implemented, and users must be educated about malware threats.
12.3 Backup
- To protect against data loss.
- Backup copies of data must be taken and tested regularly in accordance with approved backup policies.
12.4 Logging and monitoring
- To record events and gather evidence.
- A log of user activities, exceptions, and security breaches must be established, maintained, and analyzed regularly.
- The event log must be protected against modifications and unauthorized access.
- The activities of system administrators and operators must be recorded in a log that is protected and analyzed regularly.
- The internal clocks of all information management equipment must be synchronized to a single source.
12.5 Control of operational software
- To ensure the integrity of operational systems
- Procedures must be put in place to control the installation of software on operational systems.
12.6 Technical vulnerability management
- To prevent exploitation of technical vulnerabilities.
- Technical vulnerabilities must be monitored on an ongoing basis; the associated risks must be evaluated and the necessary measures applied.
- Rules regarding user-installed software must be defined and put in place.
12.7 Information systems audit considerations
- To minimize the impacts of audits on information assets.
- Audits and verification activities on information assets must be planned and approved to reduce impacts on operations.
Section 13 - Communications security
- Ensure the organization has set up measures to protect communications and communication channels such as networks.
13.1 Network security management
- To ensure the protection of information in transit on network devices.
- Networks must be managed and controlled to protect information and systems.
- Security mechanisms, quality of service levels, and network management requirements must be defined in agreements with external or internal network service providers.
- Distinct groups of users or information systems must be on separate networks.
13.2 Information transfer
- To maintain the security of information in transit within the organization or with an external entity.
- A policy and procedures for information transfer must be defined and implemented for all communication mechanisms.
- Agreements must define secure information transfers between the organization and external entities.
- Electronic messages must be adequately protected.
- Confidentiality requirements and non-disclosure agreements must be identified, documented, and reviewed in accordance with information access policies.
Section 14 - System acquisition, development and maintenance
- Ensure the organization integrates information security when acquiring, developing, and maintaining systems.
14.1 Security requirements of information systems
- To ensure that security concerns are addressed throughout the life cycle of information systems.
- Information security requirements must be included in specifications for new information systems and improvement projects.
- Applications using public networks must be protected against fraudulent use, contractual disputes, unauthorized access, and modification.
- Information transmitted by application services must be protected against incomplete transmission, interception, duplication, unauthorized modification, and unauthorized access.
14.2 Security in development and support processes
- To ensure that information security requirements are integrated into the life cycle of information systems.
- Rules for application development must be defined and applied to all development within the organization.
- Changes to information systems must be controlled using formal follow-up procedures.
- When changes are made to critical application infrastructures, they must be tested to ensure that there is no adverse impact.
- Commercial software should not be modified, except for essential and controlled exceptions.
- Secure design principles must be defined, documented, published, maintained, and applied to all development projects.
- Development environments must be well defined and protected throughout the development cycle.
- The organization must supervise and monitor development done by subcontractors.
- Security functions must be tested during development.
- Criteria for accepting developed systems must be defined and used to accept delivery.
14.3 Test data
- To ensure that test data sets are protected.
- Test data must be prepared properly, protected, and controlled.
Section 15 - Supplier relationships
- Ensure the organization has taken measures so that information security is addressed at all stages of the supplier relationship.
15.1 Information security in supplier relationships
- To protect the assets of the organization available to suppliers.
- Information security requirements and controls to reduce the risks arising from supplier access to the organization's assets must be agreed with the suppliers, documented, and applied.
- Information security clauses must be included in contracts with suppliers who access the organization's informational assets.
- Security requirements must be propagated through the information and communication technology supply chain.
15.2 Supplier service delivery management
- To maintain the agreed-upon level of security.
- Services provided by suppliers must be monitored, evaluated, and audited regularly.
- Information security clauses must be maintained or revised when there are changes in contracts with suppliers.
Section 16 - Information security incident management
- Ensure the organization handles incidents in a consistent way.
16.1 Management of information security incidents and improvements
- To ensure consistent and effective management of information security incidents.
- Responsibilities and procedures must be established to ensure a rapid, effective, and orderly response to security incidents.
- Suspected security events must be communicated to the relevant parties as soon as possible.
- Observed or suspected security weaknesses must be communicated to all relevant parties.
- Communicated events must be evaluated to confirm if they are incidents.
- Security incidents must be handled according to established procedures.
- Knowledge gained from analysing security incidents must be used to improve controls and reduce risks.
- Procedures for collecting evidential information must be defined and applied.
Section 17 - Information security aspects of business continuity management
- Ensure the organization integrates information security into its business continuity processes.
17.1 Information security continuity
- Information security continuity must be included in the business continuity plan.
- The organization must determine the information security needs during a crisis.
- Implementation of information security continuity: the organization must define, document, implement, and maintain the processes and procedures needed to ensure information security during a crisis.
- Verification of information security continuity: the organization must verify the information security continuity plan and adjust it as needed.
17.2 Redundancies
- To ensure the availability of processing centers.
- Processing centers must have the necessary redundancies to meet availability requirements.
Section 18 - Compliance
- Ensure the organization complies with laws and regulations.
18.1 Compliance with legal and contractual requirements
- To avoid non-compliance with legal and contractual requirements related to information security.
- All applicable legal and contractual requirements, and the organization's chosen approach to meeting them, must be documented and maintained for all information assets.
- Procedures to manage intellectual property properly must be put in place by the organization.
- Records must be protected against loss, destruction, alteration, and unauthorized access in accordance with legal and organizational requirements.
- Confidentiality and protection of personally identifiable information must be ensured according to legal requirements.
- Encryption techniques must be used in compliance with legal requirements and constraints.
18.2 Information security reviews
- To ensure that information security is implemented in accordance with policies and procedures.
- Information security policies, procedures, and controls must be periodically assessed by an independent person.
- Business unit managers must regularly ensure that their department is compliant with information security requirements described in the organization's policies, procedures, and standards.
- The compliance of information systems must be regularly assessed.