ISO 27001/27002 state that electronic information passing over public networks should be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. In implementing this, there are a number of interlinked issues, many of which should be addressed in formal agreements between parties:
1. Authentication, to ensure that there is some confidence that customers or traders are who they say they are.
2. Authorization, to ensure that trading partners know that prices set, or contracts agreed, have been agreed by someone authorized to do so, and that trading partners know what each other’s authorization procedures are.
3. Dealing, in online contract and tendering processes, with non-repudiation, with confidentiality, integrity, proof of despatch and receipt of documents.
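The non-repudiation and proof-of-despatch/receipt points in the list above can be illustrated with digital signatures. The following Go program is an added example, not text or code from the standard or from the book this passage comes from; it assumes two constructed parties (a buyer and a supplier) who each hold an Ed25519 key pair, and a constructed purchase order as the document. The sender signs the document (so it cannot later deny issuing it, and any alteration is detectable), and the recipient returns a signed receipt naming the document by its SHA-256 hash, which the sender, or an arbiter in a contract dispute, can verify afterwards:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Party is one side of an online contract exchange (constructed example:
// a buyer and a supplier). The private key never leaves the party; the
// public key is what the counterparty uses to check signatures later.
type Party struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewParty(name string) (*Party, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, pub: pub, priv: priv}, nil
}

func (p *Party) PublicKey() ed25519.PublicKey { return p.pub }

// SignDocument binds the party to the exact bytes of the document.
// Only the holder of the private key can produce this signature, so the
// signer cannot later deny having issued the document (non-repudiation
// of origin), and any change to the bytes invalidates it (integrity).
func (p *Party) SignDocument(doc []byte) []byte {
	return ed25519.Sign(p.priv, doc)
}

func VerifyDocument(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, doc, sig)
}

// Receipt is the recipient's signed acknowledgement: it names the
// document by hash, records when it was received and who received it,
// and is signed by the recipient, giving the sender proof of receipt.
type Receipt struct {
	DocHash    string
	ReceivedAt string
	Recipient  string
	Signature  []byte
}

func receiptPayload(docHash, receivedAt, recipient string) []byte {
	return []byte(docHash + "|" + receivedAt + "|" + recipient)
}

// IssueReceipt is run by the recipient after checking the sender's
// signature on the document; it refuses to issue a receipt for a
// document that does not verify, so receipts only ever cover
// authentic documents.
func (p *Party) IssueReceipt(senderPub ed25519.PublicKey, doc, sig []byte, at time.Time) (*Receipt, error) {
	if !VerifyDocument(senderPub, doc, sig) {
		return nil, fmt.Errorf("%s: document signature invalid, no receipt issued", p.Name)
	}
	sum := sha256.Sum256(doc)
	r := &Receipt{
		DocHash:    hex.EncodeToString(sum[:]),
		ReceivedAt: at.UTC().Format(time.RFC3339),
		Recipient:  p.Name,
	}
	r.Signature = ed25519.Sign(p.priv, receiptPayload(r.DocHash, r.ReceivedAt, r.Recipient))
	return r, nil
}

// VerifyReceipt lets the sender (or an arbiter in a dispute) check that
// the receipt was signed by the recipient and refers to exactly the
// document that was sent.
func VerifyReceipt(recipientPub ed25519.PublicKey, doc []byte, r *Receipt) bool {
	sum := sha256.Sum256(doc)
	if hex.EncodeToString(sum[:]) != r.DocHash {
		return false
	}
	return ed25519.Verify(recipientPub, receiptPayload(r.DocHash, r.ReceivedAt, r.Recipient), r.Signature)
}

func main() {
	buyer, _ := NewParty("buyer")
	supplier, _ := NewParty("supplier")
	order := []byte("PO-0001: 100 units at 12.50 each") // constructed sample document
	sig := buyer.SignDocument(order)
	rcpt, err := supplier.IssueReceipt(buyer.PublicKey(), order, sig, time.Now())
	fmt.Println("receipt issued:", err == nil)
	fmt.Println("receipt verifies:", VerifyReceipt(supplier.PublicKey(), order, rcpt))
	tampered := []byte("PO-0001: 100 units at 1.25 each")
	fmt.Println("tampered order verifies:", VerifyDocument(buyer.PublicKey(), tampered, sig))
}
```

The signatures only settle a dispute if each party's public key was bound to its identity beforehand (the authentication point in the list) and the signing key was held by someone authorized to commit the organization (the authorization point); the formal agreement between the parties is where those two preconditions are normally written down.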
The standard requires the organization to control removable computer media, such as tapes, disks, cassettes and printed reports, so as to prevent damage, theft or unauthorized access. ISO 27002 recommends that documented procedures should be included in the ISMS as follows:
1. It should be required that the previous contents of any reusable media that are to be removed from the organization should be erased. The erasure must operate across the totality of the media, not simply across what appears to be the existing content, as otherwise there is a danger that information may leak to the outside world.
2. Authorization should be required for all media that are to be removed from the building, and an audit trail should be retained. Some media, such as back-up tapes,
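Item 1 above insists that erasure cover the whole of the media rather than only the files that still appear to exist. The Go program below is an added example (not part of the standard or of the book this passage comes from) that makes the difference concrete on a constructed stand-in for a reusable disk: a flat byte image with a directory of file extents. Deleting a file removes only its directory entry, so an erase that overwrites just the listed files leaves the deleted data recoverable by a raw scan, while an erase across every byte of the image does not; the verification pass at the end is the kind of check a release procedure can record in its audit trail:

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// extent is the region of the image a file occupies.
type extent struct{ off, n int }

// Media is a constructed stand-in for a reusable disk or tape: a flat
// byte image plus a directory mapping file names to their extents.
// As on most real file systems, deleting a file only removes the
// directory entry; the bytes stay on the media until overwritten.
type Media struct {
	image []byte
	dir   map[string]extent
	next  int // next free offset for a simple append-only allocator
}

func NewMedia(size int) *Media {
	return &Media{image: make([]byte, size), dir: map[string]extent{}}
}

// Write appends the file's bytes to the image and records it in the directory.
func (m *Media) Write(name string, data []byte) error {
	if m.next+len(data) > len(m.image) {
		return errors.New("media full")
	}
	copy(m.image[m.next:], data)
	m.dir[name] = extent{m.next, len(data)}
	m.next += len(data)
	return nil
}

// Delete drops the directory entry only; the data is left in place.
func (m *Media) Delete(name string) { delete(m.dir, name) }

// Contains scans the raw image, ignoring the directory, the way a
// recovery tool or a curious recipient of the media would.
func (m *Media) Contains(needle []byte) bool { return bytes.Contains(m.image, needle) }

// EraseVisible overwrites only the regions the directory still lists.
// This is the inadequate approach the standard warns against: deleted
// files and unallocated space are untouched.
func (m *Media) EraseVisible() {
	for _, e := range m.dir {
		for i := e.off; i < e.off+e.n; i++ {
			m.image[i] = 0
		}
	}
	m.dir = map[string]extent{}
}

// EraseAll overwrites every byte of the image regardless of what the
// directory says, then clears the directory and resets allocation.
func (m *Media) EraseAll() {
	for i := range m.image {
		m.image[i] = 0
	}
	m.dir = map[string]extent{}
	m.next = 0
}

// VerifyErased is the check to record before the media leaves the
// organization: true only when no non-zero byte remains anywhere.
func (m *Media) VerifyErased() bool {
	for _, b := range m.image {
		if b != 0 {
			return false
		}
	}
	return true
}

func main() {
	m := NewMedia(256)
	secret := []byte("ACCOUNT 4411-9020 PIN 7731") // constructed sample data
	_ = m.Write("customers.txt", secret)
	_ = m.Write("notice.txt", []byte("office closed Friday"))
	m.Delete("customers.txt")
	m.EraseVisible()
	fmt.Println("after visible-only erase, secret recoverable:", m.Contains(secret))
	m.EraseAll()
	fmt.Println("after full erase, secret recoverable:", m.Contains(secret), "verified clean:", m.VerifyErased())
}
```

On real media the overwrite must address every sector or block the device exposes, and media that cannot be verified (failed sectors, worn flash that remaps blocks) falls back to physical destruction; the simulation only shows why the directory is the wrong thing to drive the erasure from.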
1. After completion of a draft statement of applicability (SoA). Any costs incurred prior to this should be minimal, but until the SoA defines what needs to be done, it will not be possible to budget effectively for the implementation.
2. After implementation of the initial suite of procedures that apply the identified controls.
3. After completion of the first cycle of system audits and reviews in accordance with control A.15.2 of the standard and prior to the initial visit by the certification body.
1. The information security policy, the scope of the ISMS, the risk assessment, the control objectives and the statement of applicability. These might, with a description of the PDCA approach, form the core of an ISMS manual.
2. Evidence of the actions undertaken by the organization and its management to specify the scope of the ISMS (the minutes of board and steering committee meetings, as well as any specialist reports).
3. A description of the management framework (steering committee, etc.). This could usefully be related to an organizational structure chart.
1. Formulation of the risk treatment plan and its documentation, including planned processes and any required supporting documentation;
2. Implementation of the risk treatment plan and planned controls;
3. Appropriate training for affected staff, as well as awareness programmes;
4. Managing operations and resources in line with the ISMS;