What does the Information Security Policy describe?
which InfoSec-controls have been selected and taken
how the InfoSec-objectives will be reached
what the implementation-planning of the information security management system is
which Information Security-procedures are selected
In the context of contact with special interest groups, any information sharing agreements should identify requirements for the protection of topic-specific
confidential( topic-specific, public, confidential ) information.
Responsibilities for information security in projects should be defined and allocated to:
the project manager
specified roles defined in the used project management method of the organization
the InfoSec officer
the owner of the involved asset
the manager of the business domain in which the project is carried out
Organizations allowing teleworking activities, the physical security of the building and the local environment of the teleworking site should be considered
Prior to employment, screening
trial period( screening, awareness training, trial period ) as well as terms & conditions of employment are included as controls in ISO 27002 to ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.
It is allowed that employees and contractors are provided with an anonymous reporting channel to report violations of information security policies or procedures (“whistle blowing”)
The identified owner of an asset is always an individual
Who is accountable to classify information assets?
the asset owner
the Information Security team
Physical labels and data encryption
digital folders( data encryption, metadata, digital folders ) are two common forms of labelling which are mentioned in ISO 27002.
What should be used to protect data on removable media if data confidentiality or integrity are important considerations?
backup on another removable medium