top of page
Search

ISO 27001


4. CONTEXT OF THE ORGANIZATION

Determining the factors that affect your company will guide you in establishing your system.

4.1 Understanding the Organization's Context

The factors that the management system affects and is affected by should be determined as a context.

The issues that are affected can be defined as external context, and the issues that it affects can be defined as internal context.

Note: Internal and external issues are randomly sampled with a general approach, you need to customize and elaborate specific to your company's scope.

4.2 Understanding the Needs and Expectations of Interested Parties

The relevant parties that affect the operation of the company should be identified and the environmental needs and expectations of these parties should be determined.

The internal and external issues specified in Article 4.1 are of a guiding nature in determining the relevant parties.

For example;

4.3 Scope

Determining the boundaries of your company's ISMS

Subjects of activity

Activity venues

Security and technological infrastructure should be described


In addition, if there is an item that you have excluded from the above elements or the standard, you must describe it here with the reasons.


Example: XYZ Company scope

Subjects of activity: website and mobile application design services

The activity areas are the head office located in Istanbul, Tuzla …., the branch office in Ankara Gölbaşı and the website XYZ design @....

4.4 Management System and Processes

Your company must establish an ISMS management system within the framework of the ISO 27001 Standard, determine the processes it needs, implement the processes, ensure their continuity and continuously improve them.


The organization should plan actions to prevent/reduce risks and develop opportunities in process management.


5. LEADERSHIP

5.1 Leadership and Commitment

By the top management;

  • ISMS policy should be created with a strategic plan.

  • Necessary processes that comply with ISMS requirements must be determined and secured.

  • Encouraging the use of a process approach and risk-based thinking,

  • The existence and accessibility of the necessary resources for ISMS should be ensured.

  • Creating staff awareness for effective operation of ISMS

  • Continuous improvement should be encouraged

5.2 Policy

By the Top Management,

  • In line with the purpose of the organization,

  • Contains information security objectives or provides a framework for determining information security objectives,

  • Contains a commitment to meet applicable requirements regarding information security and a commitment to continuous improvement of the Information Security Management System.

Information Security Policy should be created


  • Information Security Policy;

  • Must be available as written information,

  • It should be announced within the organization and (can be posted on the notice board, sent to employees via e-mail, etc.)

  • Must be accessible to appropriate interested parties. (Can be shared on the website)

5.3 Duties, Powers and Responsibilities

Top management should assign responsibility and authority for:

a) To ensure that the information security management system complies with the requirements of this standard.

b) Reporting to senior management on the performance of the information security management system.

6. PLANNING

6.1 Risk and Opportunity Identification Activities

6.1.1 General

In your company

a) Ensuring that the intended outputs of the information security management system can be provided,

b) Preventing or reducing undesirable effects and

c) Achieving continuous improvement,


Risks and opportunities should be determined for,

Activities to address risks and opportunities should be identified and their effectiveness evaluated.

All controls required for the implementation of the selected information security risk processing options should be determined.

When determining control methods, the control criteria given in ANNEX-A must be taken into account.

If necessary, new risk processing methods can be determined or outsourced.


Risk assessment and acceptance criteria should be determined.

  • Risk owners should be identified

  • Risk levels should be determined by evaluating possible problems resulting from the realization of risks.

  • Risk assessment should be carried out


6.1.2 Information security risk assessment

In your company

Risks related to loss of confidentiality, integrity and accessibility of information within the scope of ISMS should be identified.

The organization must maintain written information regarding the information security risk assessment process.



6.2 Goals and Planning to Achieve Them

Information security targets should be determined for your company according to the following criteria:

  • Must be consistent with the information security policy,

  • Must be measurable (if applicable),

  • Take into account applicable information security requirements and the results of risk assessment and risk processing,

The set goals should be communicated to employees and updated accordingly.

Written information regarding information security objectives should be maintained.

While determining information security objectives,

  • What to do,

  • What resources will be required,

  • Who will be responsible?

  • When will it be completed and

  • How to evaluate the results

It should be clearly defined


7. SUPPORT

7.1 Resources

7.1.1

Your company must identify and provide the resources necessary to establish, implement, maintain and continually improve the ISMS.

7.2 Competence / Qualification

The qualifications of the personnel affecting the ISMS performance in your company should be determined, and it should be ensured that the qualifications of these personnel are secured through training or experience, and when necessary, the necessary training, documentation and programs should be provided to the personnel to gain new qualifications.

7.3 Awareness

All personnel working within your company and affecting the ISMS should be made aware of ISMS.

7.4 Communication

It is necessary to provide clear answers to the following items by determining the internal and external communication methods in your company. This includes sharing information among staff, communication with customers, suppliers and other interested parties.

The company's communication methods and means of communication should be determined and announced to the relevant personnel.

The availability of communication resources such as telephone numbers and e-mail addresses must be ensured.

7.5 Documented Information

Information that needs to be recorded in writing due to ISO 27001 requirements or your company's own Information Security Management System needs should be determined.


The size and content of written information may vary depending on factors such as the size of the company, its field of activity, product and service type, process structure and personnel competence.


NOTE: When determining the documentation system of each company, a system specific to that company should be established by taking into consideration its relevant parties, fields of activity, product and service area, process structure, and personnel potential.

A system that works perfectly in one company may be too detailed, complex or inadequate for another company.

Written information required by ISO 27001;

• ISMS Scope (4.3)

• Information security policy (5.2)

• Information security risk assessment process (6.1.2)

• Information security risk processing process (6.1.3)

• Information security objectives (6.2)

• Competence (7.2)

• List of external documents (7.5.3)

• Operational planning and control (8.1)

• Information security risk assessment results (8.2)

• Information security risk processing results (8.3)

• Monitoring and measurement results (9.1)

• Internal audit programs and audit results (9.2)

• Management review results (9.3)

•The nature of the nonconformities and the results of the corrective actions and follow-up actions (10.1)


Create and Update

The following should be taken into consideration when creating and updating documents in your company:


  1. Identifying and describing (for example, a title, date, author or reference number),

b) Format (e.g., language, software version, graphics) and medium (e.g., paper, electronic), and

c) Review and approval of suitability and accuracy.


Control of Written Information

Information,

a) It must be accessible and suitable for use wherever and whenever required.

b) Protected against risks such as loss of confidentiality, improper use or loss of integrity.

To control written information, your company should consider the following activities, as appropriate:

c) Distribution, access, retrieval and use,

d) Storage and protection, including preservation of legibility,

e) Control of changes (e.g. version control) and

f) Preservation and destruction.


8. OPERATION

8.1 Operational Planning and Control

To meet the information security requirements in your company, to carry out the activities determined for risks and opportunities, and to achieve its goals;



  • Must plan, implement and control the necessary processes.

  • He/she must control planned changes and review the consequences of unintended changes and, if necessary, take action to reduce adverse effects.

  • Ensure that outsourced processes are identified and controlled.

  • In order to prove that processes are carried out as planned in your company, written information must be recorded.

8.2 Information Security Risk Assessment


Taking into account the risk assessment and risk acceptance criteria determined by your company

  • At planned intervals

  • When significant changes are proposed or occur

Must perform risk assessment

Your company must maintain written information about the results of the information security risk assessment.

8.3 Information Security Risk Processing

Your company must implement an information security risk handling plan.


Your company must maintain written information on the results of information security risk processing.

9. PERFORMANCE EVALUATION

9.1 Monitoring, Measurement, Analysis and Evaluation

In your company, you should evaluate the information security performance and the effectiveness of the information security management system and determine the following.

a) What needs to be monitored and measured, including information security processes and controls,

b) Appropriate monitoring, measurement, analysis and evaluation methods to ensure valid results.

c) When monitoring and measurement will be done,

d) Who will do the monitoring and measuring?

e) When will monitoring and measurement results be analyzed and evaluated?

f) Who will analyze and evaluate these results.


Effectiveness of ISMS Processes performance

• Management review results

• Internal audit practices

• Improvement studies

• Corrective action practices

• ISMS awareness

• ISMS Trainings

• Security incident management, cost, lessons learned

• Password quality, patch management, access rights

• Reactions to attacks

• Physical access controls

•Etc.

9.2 Internal Audit

In your company, the information security management system

a) Complies with ISO 27001 and the company's ISMS standards.

b) It is effectively implemented and sustained,

To control, internal audits should be carried out at planned intervals.

The following factors are necessary regarding internal auditing in your company;

c) Planning, creating, implementing and maintaining the internal audit program, which also describes the frequency, methods and responsibilities. (Critical processes should be prioritized in the program)

d) Definition of audit criteria and scope for each audit,

e) Selection of auditors and conduct of audits in a way that ensures impartiality and objectivity,

f) Ensuring that audit results are reported to the appropriate management level.

g) Preservation of written evidence of the audit program(s) and audit results.

9.3 Management Review

Top management should review the ISMS at planned intervals to ensure its continuing suitability, accuracy and effectiveness.

The management review should address the following:

a) Status of the tasks from previous YGGs,

b) Changes in external and internal issues concerning ISMS,

c) Feedback on ISMS performance, including developments in:

1) Nonconformities and corrective actions,

2) Monitoring and measurement results,

3) Inspection results and

4) Fulfillment of information security objectives

d) Feedback from relevant parties,

Risk assessment results and status of risk treatment plan

Opportunities for continuous improvement.



The management review outputs should include decisions on opportunities for continuous improvement and any needs for changes required in the information security management system.

10. IMPROVEMENT

10.1 Non-Conformity and Corrective Action

In case of detection of non-conformity;

  1. Check and fix if possible

  2. To prevent the nonconformity from recurring or occurring elsewhere.

  • Look over

  • Determine root cause

  • Determine the occurrence or likelihood of occurrence of similar nonconformity

3. Implement corrective action

4. Review the effectiveness of corrective actions

5. If necessary, make improvements to the non-conformity in the ISMS.


Your company must retain written information as evidence of:

  • Reason for nonconformities and corrective actions implemented

  • Results of corrective action taken.

10.2 CONTINUOUS IMPROVEMENT

The organization must continuously improve the suitability, adequacy and effectiveness of its information security management system.

The organization should consider the results of the analysis and assessment and the outputs of the management review to determine whether there are needs or opportunities to be addressed as part of continual improvement.

Nonconformities should be monitored and corrective actions should be planned, risks should be identified and activities should be planned to eliminate/reduce them, opportunities should be identified and activities should be planned to develop them.

Process performances should be continuously monitored and performance evaluations should be made to check whether the desired performances are achieved in the processes. If the desired performance is not determined from the processes, remedial activities should be planned for the processes.

APPENDIX A


A.5 INFORMATION SECURITY POLICIES


A.6 INFORMATION SECURITY ORGANIZATION



MOBILE DEVICES AND REMOTE WORKING

Use of devices such as phones, tablets, computers, etc.;

The use of mobile devices containing company data by employees should be controlled, risks should be identified, and an action plan should be implemented to reduce or eliminate risks. Mobile device use should be secured by policy.


The policy should also cover the following items:

a)Registration of mobile devices

b) Physical protection requirements

c) Software installation restrictions

d) Requirements for mobile device software versions and application of patches,

e) Restriction of connection to information services,

f) Access controls,

g) Cryptographic techniques,

h) Malware protection,

i) Remote disabling, deleting or locking,

j) Backup,

k) Use of web services and web applications.


Working remotely;

If the personnel work remotely for a permanent or certain period of time, information security risks that may arise such as connecting to the company system from a foreign network, losing company information, having it stolen, compromising the integrity of the information, etc. should be investigated and precautions should be taken against these risks. After the necessary opportunities are provided to the personnel, a policy should be prepared and remote working should be secured.


Main risks;

Leaving the device on in the working environment

Passwordless device usage

Sharing passwords or devices with strangers

Write the password on a notepad and leave it lying around.

Commonly used passwords

Repetitive password use

Insufficiently secure passwords (Gozde.123456yedi)

A.7 HUMAN RESOURCES SECURITY

AWARENESS AND IMPLEMENTATION OF ISMS

Management should encourage employees and contractors to implement the company's ISMS requirements.

In order to ensure awareness of ISMS within the company and to implement it effectively, the training and documentation required by the staff should be provided, and a disciplinary process should be published for the staff to prevent any breach of information security.


LEAVING A JOB AND CHANGE OF DUTY

In case of employee or contractor leaving the job or change of duty, the information security responsibilities of the employee must be determined and notified to the employee.

The obligation to keep secrets during the recruitment phase can be secured by informing the personnel at the contract stage.


In addition, in order to protect concepts such as accuracy and integrity of information, staff may be requested to make a complete work transfer.

A.8 ASSET MANAGEMENT



MEDIA PROCESSING


To prevent unauthorized disclosure, alteration, and destruction of information;

Portable media management should be according to the classification scheme determined by the company

Information that is not needed should be securely destroyed in accordance with official procedures.

Physical media transmission containing information must be protected against unauthorized access, misuse and corruption.

A.9 ACCESS CONTROL

Create and publish a written access control policy

Assign personal confidential identification information and provide information about usage rules

( Password management systems must be interactive and have adequate security levels. )

Allow personnel to access only the network and files they are authorized to

Determine methods for controlling and restricting privileged access rights

Check users' access rights at regular intervals

Cut off access to all information for personnel or related parties whose ties with the company have been terminated.

To manage access rights, process(es) that support the above items, cover all users and information, and manage user registration/deletion and secure login issues should be prepared and implemented.

Additionally, access to program source code should be restricted and the use of applications that can override system and application controls should be restricted and tightly controlled.

A.10 CRYPTOGRAPHY

CRYPTOGRAPHY

It is also shown as all the techniques used to convert readable information into an unreadable form by unwanted parties.

Caesar Cipher Method

Example: info =elojl


CRYPTOGRAPHIC CONTROLS

A policy on the use of cryptographic controls to protect information should be prepared and implemented.

A policy explaining the use, protection and lifetime of cryptographic keys should be prepared to ensure compliance with the policy.

A.11 PHYSICALLY AND ENVIRONMENTALLY SAFE

SAFE AREAS

To protect sensitive and critical information resources;

Safe area boundaries must be determined and protected.

Only authorized personnel should be granted access and necessary access controls should be carried out.

Offices and facilities should be designed in accordance with physical security rules.

Information resources should be protected against negative external effects such as natural disasters, accidents, and malicious attacks.

Access points such as delivery and loading areas where unauthorized persons can enter the facility should be controlled and, if possible, separated from information processing facilities to prevent unauthorized access.

Procedures for working in safe areas should be designed and implemented.


EQUIPMENT

Must be protected against risks arising from environmental threats and unauthorized access.

It should be protected against errors that may cause interruptions such as power outages etc.

Power and telecommunication cables must be protected against eavesdropping, interference or damage.

System continuity should be ensured by performing necessary maintenance.

Information or software should never be taken outside the company without authorization.

For assets outside the company, external risks related to the region should be determined and necessary precautions should be taken.

Before destroying or reusing equipment containing storage media, it must be ensured that all sensitive data and licensed software are removed or securely overwritten.


In environments where there is no surveillance, it must be ensured that users use the equipment appropriately. (Responsibilities can be announced with a policy or users can be guaranteed by signing)

Clean desk and clean screen practices should be adopted.

A.12 OPERATIONAL SECURITY



A.13 COMMUNICATIONS SECURITY

NETWORK SECURITY MANAGEMENT

Networks must be managed and controlled to protect information in systems and applications.

The security requirements of all network services should be determined and included in network services agreements.

Information services, users and information systems groups should be separated.

INFORMATION TRANSFER

Controls must be carried out in accordance with transfer policies and procedures for information transfer.

Information shared with external parties must be secured by preparing the necessary agreements.

Information shared via e-mail must be protected in accordance with policy.

Needs to be determined against privacy violations and secured with a confidentiality agreement. The agreement should be reviewed regularly .


A.14 SYSTEM PROCUREMENT DEVELOPMENT AND MAINTENANCE

SECURITY REQUIREMENTS OF INFORMATION SYSTEMS

Requirements regarding information security should be determined and included in the ISMS.


Information in application services passing over public networks must be protected from fraudulent activity, contractual disputes, and unauthorized disclosure and alteration.


Information in application service operations must be protected to prevent incomplete transmission, misdirection, unauthorized message modification, unauthorized disclosure, unauthorized message duplication, or message re-creation.


PROTECTION OF TEST DATA


Test data must be carefully selected, protected and controlled.


SECURITY IN DEVELOPMENT AND SUPPORT SYSTEMS

Software and systems development rules must be determined and implemented.

System changes should be controlled through the use of formal change control procedures.

When operating platforms are changed, critical applications should be reviewed and tested to prevent adverse impact to corporate operations or security.

Changes to software packages should be restricted and controlled to only necessary changes.

System engineering principles should be determined, put into writing and applied to all information system studies.

Secure development environments must be established and maintained for system development.

Supervise and monitor externally provided system development activity

Testing of security functionality should be performed during development.

Acceptance test programs and related criteria should be determined for new information systems, upgrades and new versions.

A.15 SUPPLIER RELATIONS

INFORMATION SECURITY IN SUPPLIER RELATIONS

A policy should be prepared and implemented to manage supplier relationships.


Information security requirements should be agreed upon with suppliers who have access to the information or who provide the infrastructure for the information.


Monitor, review and audit suppliers' services at regular intervals.


Changes in supplier services should be reflected in the ISMS by evaluating their risks and impact on processes.

A.16 INFORMATION SECURITY VIOLATION INCIDENT METHOD

Responsibilities should be determined and procedures should be prepared to respond to violations quickly, effectively and regularly.

Violations should be reported as quickly as possible.

All users should be required to report any suspicious events they encounter in systems or services.

Information security incidents should be evaluated and a decision should be made as to whether they will be classified as information security breaches.

Violations must be responded to in accordance with procedures.

Experience gained from analyzing and resolving information security breach incidents should be used to prevent potential breach incidents.

Define and implement procedures for the description and management of information to collect evidence.

A.17 INFORMATION SECURITY ISSUES OF BUSINESS CONTINUITY MANAGEMENT

In adverse situations such as crises and disasters, the ISMS must determine the requirements for continuity. The processes, procedures and controls that describe these requirements must be determined, documented, implemented and verified with regular controls.

A.18 COMPLIANCE

The laws and contractual issues that must be implemented regarding the ISMS must be put in writing and kept up to date by constantly monitoring.


Appropriate procedures should be prepared to ensure compliance with legal requirements and contractual terms regarding intellectual property rights and the use of patented software.


Records must be protected against loss, destruction, forgery, unauthorized access and unauthorized publication in accordance with all requirements affecting the ISMS.


In case of the existence of personal identification information, necessary measures should be taken for the confidentiality and protection of the information, taking into account the relevant laws and rules.


Cryptographic controls must be used in compliance with all relevant contracts, laws and regulations.










 
 
 

Recent Posts

See All
ISO 9001 / ISO 27001

4. CONTEXT OF THE ORGANIZATION Determining the factors that affect your company will guide you in establishing your system. 4.1...

 
 
 

Comments


bottom of page