Two types of procedures need to be developed: the management procedures, dedicated to the operation of the management system itself, and the security procedures, dedicated to applying the controls listed in Annex A of ISO 27001. We begin with the management procedures.
With the following indications you can develop the most operational part of the information security management system, that is, the part dedicated to the processes and therefore to the procedures that govern them.
If, through the analysis of the context and the assessment of information security risks, the company has understood which information to protect and from which risks, then with the planning phase the company decides how to protect that information by defining the Information Security Plan, as required by clause 6 (Planning) of ISO 27001.
The Annex A controls selected in the Information Security Plan must be integrated into the company's activities. That is, they must be "practically applied" in the concrete performance of work activities:
- by the company personnel who process information (process owners, operators, etc.)
- by the company personnel assigned to protect information (system administrators, the IT manager, the information system manager, etc.)
The management procedures
To develop the information security management system efficiently, it is advisable to first develop the management procedures that govern the operation of the company according to the requirements of ISO 27001.
Among these, we suggest developing procedures dedicated to the following aspects:
- Context monitoring
- Organization of company personnel
- Risk and opportunity management
- Goal elaboration and management
- Asset management
- Personnel and skills management
- Communication management
- Management of documented information
- Monitoring, measurement and analysis of security-related results
- Organization and management of internal audits
- Management review
- Management of non-conformities
- System improvement
Within the work phases governed by these procedures, the information security controls required by the Information Security Plan must be integrated as far as possible.
For example, the asset management procedure must integrate the Annex A controls dedicated to asset management, listed here (the control numbers follow the 2013 edition of Annex A; the 2022 edition renumbers and regroups them):
- 8.1.1 Inventory of assets
- 8.1.2 Ownership of assets
- 8.1.3 Acceptable Use of Assets
- 8.1.4 Return of assets
Likewise, the personnel and skills management procedure must integrate the Annex A controls relating to human resource security, those of section 7:
- 7.1.1 Screening
- 7.1.2 Terms and conditions of employment
- 7.2.1 Management responsibilities
- 7.2.2 Information security awareness, education and training
- 7.2.3 Disciplinary process
- 7.3.1 Termination or change of employment responsibilities
The security procedures
For some of the information security controls listed in Annex A of ISO 27001, it is advisable to create dedicated procedures (security procedures) rather than integrate them into the management procedures. Among these:
- Teleworking
- Access control
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- Management of the information system
- Information security incident management
- Business continuity (including disaster recovery)
- Compliance with laws, regulations and decrees
These are security controls whose complexity requires the development of specific, targeted procedures.