For the physical and environmental protection of information, ISO 27001 considers the risks of intrusion and natural disasters; for security in operational activities it considers technical vulnerabilities. Let's see how to develop the procedures following the Annex A controls.
The physical and environmental security of information in the company
The procedure on physical and environmental security must be developed in accordance with control A.11 of Annex A of ISO 27001:2017 and must address each point listed in the procedure index adopted in the following example:
Define the security perimeter
The company must protect information from physical dangers that may arise from the outside. To do so, it must define a physical security perimeter that protects the information, and the assets used to manage it, listed in the asset inventory.
The controls set up for information security, which together constitute the "corporate security perimeter", must be divided by the company into two types:
Physical security controls:
which govern access to the organization by staff, suppliers and other interested parties. Physical security includes the measures that control the risks posed by ill-intentioned people, whose acts may be aimed at:
- Unauthorized access to information
- Physical removal of information (by removing the storage media)
- Destruction of information
Environmental security controls:
which protect assets from threats related to climate, temperature and weather events. These threats can cause the partial or total destruction of the assets and of the information they contain.
Information security that depends on physical and environmental aspects can be jeopardized, for example, by the following threats:
- Fire
- Explosion
- Blackout
- Flooding
- Overheating
To these threats we add those that, although caused by people rather than by physical or climatic events, jeopardize the "physical security" of assets, such as:
- Physical intrusion by malicious people, with removal or destruction of equipment and systems
- Malicious acts committed by anyone, even if not directly related to the organization (vandalism, protests, insurrections, extortion, retaliation)
Take preventive measures to lower the risk
To make offices, rooms and facilities secure, according to control A.11.1.3 of Annex A of ISO 27001:2017, you must implement prevention measures that achieve the level of security set by the security objectives you developed during planning.
For each hazard you identified and documented during the risk assessment, you must detail:
- What are the dynamics and consequences of the hazard
- What are the risks to the information
- What controls to implement to manage the risk
As an example concerning the security of offices, rooms and facilities in general, we considered the hazard of fire and developed the related protection controls.
How to develop information security in operational activities under control A.12 of Annex A of ISO 27001:2017
The documented operating procedures of control A.12.1.1
The company's operational activities, and the information security controls associated with them, must be governed by the procedures on "production", in the broad sense of the term.
In practice, the information security management system, to comply with ISO 27001, must document the entire production (or service delivery) process, identifying everything that happens from the "collection of customer requirements" to the "control of non-conforming outputs".
These procedures are the basis of quality management systems compliant with ISO 9001:2015. We list them below, coded according to the clauses of ISO 9001.
- PROC-812 – Requirements
- PROC-813 – Design
- PROC-814 – Outsourcing
- PROC-815 – Production
- PROC-816 – Preservation
- PROC-817 – Control of non-conforming outputs
The procedures listed above govern the entire process of supplying the product or service to customers. The information security controls within these procedures must ensure the confidentiality, integrity and availability of critical information about the customer and about the organization's production activities.
All personnel employed in operational activities must be made aware of the content of the procedures and trained in their consistent use.
Operations must also be kept under control by the following security procedures, through which the security controls of Annex A of ISO 27001:2017 are applied.
They are, by way of example:
- PSI-06 – Teleworking and information security
- PSI-09 – Access control
- PSI-10 – Encryption
- PSI-11 – Physical and environmental security of information
- PSI-12 – Operational security
- PSI-13 – Communications security
- PSI-14 – Acquisition, development and maintenance of systems
- PSI-16 – Information Security Incident Management
- PSI-17 – Information security business continuity management
- PSI-18 – Compliance
The security procedures just listed are also coded according to the control number in Annex A of ISO 27001:2017.
Develop other operational security controls
The development of each security control listed in the procedure index must enable process managers and security managers to manage and protect information effectively in the circumstances covered by the procedure.
Make sure the procedures set out a clear operational framework for each control: do not just state the control, explain how it is applied in practice.
If we refer, for example, to control A.12.5.1, Installation of software on operational systems, of Annex A, we might explain that:
The installation and updating of production software, applications and libraries is carried out only by the information system manager, who is trained for the task and installs software only with appropriate authorization from top management.
The information system, and the applications it includes for information management, are "produced" within the organization by the IT development team, which coincides with the staff of the marketing office and of the design office. The supervisor of system development and operation is the information system manager.