
Organizations must establish formal security policies to ensure consistent protection of information.
Read and acknowledge policies, follow outlined procedures, and report any gaps to supervisors.
Example: sending customer data by unencrypted email when policy requires encryption is a policy violation and may also be a reportable data breach.
Organizations must clearly define who is responsible for specific aspects of information security.
This ensures security tasks are performed properly and that no responsibility is overlooked.
Know your protection role, participate in training, and consult managers when uncertain.
Writing and modifying application code
Validating functionality and security
Moving code to production environment
No single person should control all parts of a critical process. Separating these duties reduces the risk of fraud and of undetected errors. Employees must respect process boundaries and know who is authorized to perform each task.
Demonstrating security commitment
Ensuring compliance with standards
Promoting security awareness
Managers must actively support and promote information security practices. Top-down commitment drives organization-wide security culture. Employees should observe how managers enforce security and speak up if leadership isn't upholding standards.
Create connections with relevant authorities
Regular updates and compliance checks
Proper escalation during security events
Organizations must establish and maintain contact with regulators and authorities for compliance and incident response. This helps with timely communication during incidents and staying updated with legal requirements.
Participate in sector-specific security communities to share knowledge and stay informed about emerging threats.
Engage with technology-focused groups to learn about vulnerabilities and best practices for specific systems.
Contribute to and benefit from collective intelligence about current threats and defensive strategies.
Gather data on potential threats
Evaluate relevance and risk
Apply defensive measures
Continuously refresh intelligence
Identify security requirements early
Incorporate security architecture
Implement secure coding practices
Validate security controls
Secure implementation
Organizations must maintain an updated list of all information and assets. You can't protect what you don't know exists. Employees should tag and report new assets and never use unapproved devices for work.
Business-related tasks, authorized software, approved communication channels
Personal use, unauthorized software installation, sharing credentials
Follow usage policies, report violations, protect company resources
All company hardware must be returned in working condition with no unauthorized modifications.
Physical and digital documents containing company information must be returned or securely deleted.
ID cards, security tokens, and access devices must be promptly surrendered upon termination.
Highest sensitivity, restricted access
For company use only
Safe for external sharing
Information must be labeled based on sensitivity. Protecting data according to its value reduces risk and ensures compliance. Employees must know the classification system and store and share information accordingly.
Classified information should be visibly labeled to ensure proper handling. Employees must check labels before sharing files and apply correct labels during document creation.
Determine the classification level of information before transfer to identify appropriate security measures.
Choose encrypted email, secure file transfer, or approved collaboration tools based on sensitivity.
Confirm the identity and authorization of recipients before sending sensitive information.
Users should have access only to the specific resources they need to perform their job functions, nothing more.
Every employee plays a critical role in maintaining effective access control:
Establishing unique user identities
Assigning appropriate access rights
Updating as roles change
Removing access when no longer needed
Use long, unique passwords or passphrases that are hard to guess but easy for you to remember, and never reuse a work password elsewhere.
Implement additional verification methods beyond passwords, such as biometrics or one-time codes.
Never write credentials down or share them with anyone, including colleagues in the same team; if you need to store them, use an approved password manager.
Grant minimum necessary access for new role
Adjust access when responsibilities shift
Periodically verify access remains appropriate
Promptly revoke all access upon departure
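The joiner, mover and leaver steps above are usually enforced by a periodic access review: compare each account's current entitlements with the baseline for its current role and flag anything that should not be there. The following is an added illustration, not code from this guide or from NUK 9 Auditors; the role baseline, account names and entitlement strings are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed role baseline: the least-privilege set each role may hold.
# Names and entitlement strings are hypothetical.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "developer": {"git:write", "ci:read", "staging:deploy"},
    "sre": {"git:read", "ci:admin", "staging:deploy", "prod:deploy"},
    "finance": {"erp:read", "erp:write"},
}

Finding = Tuple[str, object]  # (finding type, detail)


@dataclass
class Account:
    user: str
    role: str            # current role as recorded by HR
    active: bool         # employment status as recorded by HR
    entitlements: Set[str]  # what the identity system actually grants today


def review_account(acct: Account) -> List[Finding]:
    """Return the findings for one account (empty list means no action needed)."""
    findings: List[Finding] = []

    # Leaver: any remaining access must go, regardless of role.
    if not acct.active:
        if acct.entitlements:
            findings.append(("revoke_all", sorted(acct.entitlements)))
        return findings

    # Mover or over-provisioned joiner: access beyond the role baseline.
    allowed = ROLE_BASELINE.get(acct.role)
    if allowed is None:
        findings.append(("unknown_role", acct.role))
        allowed = set()  # an unrecognised role has no approved access
    excess = acct.entitlements - allowed
    if excess:
        findings.append(("excess", sorted(excess)))
    return findings


def access_review(accounts: List[Account]) -> Dict[str, List[Finding]]:
    """Run the review over a snapshot and keep only accounts with findings."""
    results = {}
    for acct in accounts:
        findings = review_account(acct)
        if findings:
            results[acct.user] = findings
    return results


# Constructed snapshot: one clean account, one mover, one leaver, one unknown role.
SAMPLE_ACCOUNTS = [
    Account("alice", "developer", True, {"git:write", "ci:read", "staging:deploy"}),
    Account("bob", "developer", True, {"git:write", "ci:read", "staging:deploy", "prod:deploy"}),
    Account("carol", "finance", False, {"erp:read"}),
    Account("dave", "contractor", True, {"git:read"}),
]

if __name__ == "__main__":
    for user, findings in access_review(SAMPLE_ACCOUNTS).items():
        print(user, findings)
```

Running the review on the constructed snapshot leaves alice untouched, flags bob's leftover `prod:deploy` from a previous SRE role, orders all access for the departed carol to be revoked, and reports dave's role as unknown so that his access is treated as unapproved until the role is defined.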
Percentage of breaches involving third-party access
Average time to detect third-party breaches
Higher remediation costs for third-party incidents
Suppliers must follow security requirements when handling organizational data. Third parties are a major source of breaches. Employees must ensure supplier activities involving data are authorized.
Security obligations must be clearly defined in contracts, including data handling requirements, breach notification procedures, audit rights, and compliance with relevant regulations.
They create legal enforceability and clarity of expectations, ensuring suppliers understand their security responsibilities and the consequences of non-compliance.
Employees should only work with approved vendors and never bypass procurement processes that ensure proper security vetting and contractual protections.
Evaluate security practices before engagement
Establish security requirements in agreements
Regularly verify compliance with standards
Assess security impact of supplier changes
Ongoing monitoring of suppliers' security practices is essential, especially when services change. Risks can evolve with time and new service features. Employees should report unusual changes in supplier tools or systems.
Cloud services must undergo thorough security evaluation before adoption:
Staff must follow strict protocols when using cloud services:
Develop comprehensive incident response plans, train team members, and establish communication channels.
Implement monitoring systems to identify potential security events and anomalies quickly.
Follow established procedures to contain incidents, investigate root causes, and restore normal operations.
Identify potential security events
Evaluate severity and impact
Categorize as incident or false alarm
Route to appropriate response team
Limit the spread and impact
Determine cause and scope
Fix vulnerabilities
Restore normal operations
Conduct thorough analysis of what happened, how it was detected, and the effectiveness of the response.
Identify underlying vulnerabilities or process failures that allowed the incident to occur.
Update policies, procedures, and controls to prevent similar incidents in the future.
Record the state of systems and physical environment before any changes are made.
Make bit-by-bit copies of digital evidence with a write blocker and an imaging tool, and record cryptographic hashes of both the original and the copy so that integrity can be verified at any later point.
Document who handled evidence, when, and for what purpose throughout the investigation.
Keep evidence in tamper-evident containers with restricted access to prevent contamination.
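The four evidence-handling steps above rest on two mechanics: proving that a copy is bit-for-bit identical to the original, and keeping a record of custody that cannot be quietly rewritten. The code below is an added example, not part of this guide or of NUK 9 Auditors' tooling; the media bytes, evidence identifier and handler names are constructed stand-ins for a real acquisition.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for acquired media. A real acquisition reads the device
# through a write blocker with an imaging tool; here 4 KiB of bytes suffice.
SAMPLE_MEDIA = bytes(range(256)) * 16


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire_image(media: bytes) -> Tuple[bytes, Dict[str, object]]:
    """Take a bit-for-bit copy and hash both source and copy.

    Hashing both sides is the verification step: if the digests differ,
    the image is not a faithful copy and must not be used as evidence.
    """
    image = bytes(media)
    record: Dict[str, object] = {
        "source_sha256": sha256_hex(media),
        "image_sha256": sha256_hex(image),
        "size_bytes": len(image),
    }
    record["verified"] = record["source_sha256"] == record["image_sha256"]
    return image, record


def image_matches(image: bytes, record: Dict[str, object]) -> bool:
    """Re-verify an image against its acquisition record before analysis."""
    return len(image) == record["size_bytes"] and sha256_hex(image) == record["image_sha256"]


class CustodyLog:
    """Append-only chain-of-custody log.

    Each entry records who handled the evidence, when and why, and commits
    to the hash of the previous entry, so editing any entry breaks the
    chain from that point on.
    """

    def __init__(self, evidence_id: str, evidence_sha256: str, handler: str):
        self.entries: List[Dict[str, object]] = []
        self.append(handler, "acquired", f"evidence {evidence_id} sha256={evidence_sha256}")

    @staticmethod
    def _entry_hash(entry: Dict[str, object]) -> str:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def append(self, handler: str, action: str, purpose: str,
               when: Optional[str] = None) -> Dict[str, object]:
        entry: Dict[str, object] = {
            "seq": len(self.entries),
            "when": when or datetime.now(timezone.utc).isoformat(),
            "handler": handler,
            "action": action,  # acquired / transferred / stored / examined
            "purpose": purpose,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else "0" * 64,
        }
        entry["entry_hash"] = self._entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every hash and link; False means the log was altered."""
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev_hash"] != prev:
                return False
            if self._entry_hash(entry) != entry["entry_hash"]:
                return False
            prev = str(entry["entry_hash"])
        return True


def demo() -> Dict[str, bool]:
    """Acquire, log custody, then show that tampering with either is detected."""
    image, record = acquire_image(SAMPLE_MEDIA)
    log = CustodyLog("EV-0001", str(record["image_sha256"]), "analyst-a")  # hypothetical names
    log.append("analyst-a", "transferred", "handed to evidence custodian")
    log.append("custodian-b", "stored", "sealed in tamper-evident bag, locker 3")
    log.append("analyst-c", "examined", "worked from the image only; original untouched")
    all_intact = log.verify() and image_matches(image, record)

    tampered_image = image[:100] + b"\x00" + image[101:]  # one byte changed
    log.entries[1]["handler"] = "someone-else"            # custody entry rewritten
    return {
        "acquisition_verified": bool(record["verified"]),
        "all_intact": all_intact,
        "tampered_image_detected": not image_matches(tampered_image, record),
        "log_edit_detected": not log.verify(),
    }


if __name__ == "__main__":
    print(demo())
```

The hash chain only protects against silent edits to the log itself; the same discipline still requires the physical seal and restricted storage described above, and the hashes should be recorded somewhere the handler cannot overwrite (a case file, a signed report) so that the log and the evidence can be checked against each other.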
Security procedures must remain in place even during crisis situations to prevent opportunistic attacks.
When primary security measures are unavailable, approved alternative controls must be implemented.
Authentication and authorization must be maintained even in temporary or emergency facilities.
Duplicate critical infrastructure
Regular, tested recovery points
Multiple communication paths
IT systems must support business continuity, including failovers and backups. This keeps critical services running during disruptions. Employees should know where to access alternate systems and not tamper with disaster recovery equipment.
Organizations must stay compliant with all applicable laws and contracts. Non-compliance can result in fines, lawsuits, or shutdowns. Employees should follow procedures based on applicable laws and consult legal for new vendor arrangements.
Records must be kept in protected environments with appropriate access controls and environmental safeguards.
Each record type must be kept for its legally required duration before secure disposal or archiving.
Only authorized personnel should be able to view, modify, or delete records based on business need.
Respecting data subject control
Protecting data from unauthorized access
Collecting only necessary information
Personally Identifiable Information (PII) must be handled securely and lawfully. Failure to protect PII affects individuals' rights and can cause reputational damage. Employees shouldn't access PII unless authorized and should encrypt or anonymize data wherever possible.
Third-party evaluations provide unbiased assessment of security control effectiveness and compliance status.
Simulated attacks by independent security professionals identify vulnerabilities before real attackers can exploit them.
Formal evaluations against standards like ISO 27001 verify that security management systems meet requirements.
All employees must know the policies
No deviations without formal approval
Apply policies continuously, not only at audit time
Employees must follow the organization's defined rules and controls. This ensures everyone operates within safe boundaries. Employees should read and apply ISMS policies and ask if unclear about rules.
Create clear, step-by-step instructions for all critical security and operational processes.
Ensure procedures are accessible to authorized personnel who need them to perform their duties.
Regularly review and update procedures to reflect changes in systems, regulations, or best practices.
Implementing ISO 27001 controls requires systematic planning, resource allocation, and continuous improvement. Track progress against targets to ensure comprehensive security coverage across all control categories.
Security is everyone's responsibility. Stay alert for suspicious activities and report them promptly.
Keep up with security policies and participate in all required training to understand your responsibilities.
Demonstrate good security practices in your daily work and encourage colleagues to do the same.
When in doubt about security requirements, seek clarification rather than making assumptions.
NUK 9 Information Security Auditors LLP [NUK 9 Auditors]
E702, Arjun, NL Complex, Anand Nagar, Dahisar East
Mumbai, Maharashtra - 400068. India
This material, including all content, graphics, systems, and tools referenced or used herein, is the intellectual property of NUK 9 Auditors. Unauthorized copying, distribution, modification, or use of this material or related systems is strictly prohibited and may result in disciplinary or legal action.
Use of this content is permitted only for the internal team, its contracted services, and authorized purposes in accordance with company policies.
Your comprehensive guide to understanding and implementing ISO 27001 A.5 Organizational Controls for information security compliance.