Resources
The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system.
Competence, part a)
The organization shall: determine the necessary competence of person(s) doing work under its control that affects its information security performance.
Competence, part b)
The organization shall: ensure that these persons are competent on the basis of appropriate education, training, or experience.
Competence, part c)
The organization shall: where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken. NOTE: Applicable actions can include, for example: the provision of training to, the mentoring of, or the reassignment of current employees; or the hiring or contracting of competent persons.
Competence, part d)
The organization shall: retain appropriate documented information as evidence of competence.
- HRS-01 - Human Resources Security Management
- HRS-03.2 - Competency Requirements for Security-Related Positions
Awareness, part a)
Persons doing work under the organization’s control shall be aware of: the information security policy.
- HRS-01 - Human Resources Security Management
- HRS-03.1 - User Awareness
- HRS-04.2 - Formal Indoctrination
- HRS-05 - Terms of Employment
- HRS-05.1 - Rules of Behavior
- HRS-05.2 - Social Media & Social Networking Restrictions
- HRS-05.3 - Use of Communications Technology
- HRS-05.4 - Use of Critical Technologies
- HRS-05.5 - Use of Mobile Devices
Awareness, part b)
Persons doing work under the organization’s control shall be aware of: their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance.
- HRS-01 - Human Resources Security Management
- HRS-03 - Roles & Responsibilities
- HRS-03.1 - User Awareness
- HRS-04.2 - Formal Indoctrination
- HRS-05 - Terms of Employment
- HRS-05.1 - Rules of Behavior
- HRS-05.2 - Social Media & Social Networking Restrictions
- HRS-05.3 - Use of Communications Technology
- HRS-05.4 - Use of Critical Technologies
- HRS-05.5 - Use of Mobile Devices
Awareness, part c)
Persons doing work under the organization’s control shall be aware of: the implications of not conforming with the information security management system requirements.
- HRS-01 - Human Resources Security Management
- HRS-03.1 - User Awareness
- HRS-04.2 - Formal Indoctrination
- HRS-05 - Terms of Employment
- HRS-05.1 - Rules of Behavior
- HRS-05.2 - Social Media & Social Networking Restrictions
- HRS-05.3 - Use of Communications Technology
- HRS-05.4 - Use of Critical Technologies
- HRS-05.5 - Use of Mobile Devices
- HRS-05.7 - Policy Familiarization & Acknowledgement
Communication, part a)
The organization shall determine the need for internal and external communications relevant to the information security management system including: on what to communicate.
- GOV-01.2 - Status Reporting To Governing Body
- SAT-01 - Cybersecurity & Data Privacy-Minded Workforce
- SAT-02 - Cybersecurity & Data Privacy Awareness Training
- THR-03 - Threat Intelligence Feeds
Communication, part b)
The organization shall determine the need for internal and external communications relevant to the information security management system including: when to communicate.
- GOV-01.2 - Status Reporting To Governing Body
- SAT-01 - Cybersecurity & Data Privacy-Minded Workforce
- SAT-02 - Cybersecurity & Data Privacy Awareness Training
- THR-03 - Threat Intelligence Feeds
Communication, part c)
The organization shall determine the need for internal and external communications relevant to the information security management system including: with whom to communicate.
- GOV-01.2 - Status Reporting To Governing Body
- SAT-01 - Cybersecurity & Data Privacy-Minded Workforce
- SAT-02 - Cybersecurity & Data Privacy Awareness Training
- THR-03 - Threat Intelligence Feeds
Communication, part d)
The organization shall determine the need for internal and external communications relevant to the information security management system including: how to communicate.
- GOV-01.2 - Status Reporting To Governing Body
- SAT-01 - Cybersecurity & Data Privacy-Minded Workforce
- SAT-02 - Cybersecurity & Data Privacy Awareness Training
- THR-03 - Threat Intelligence Feeds
Documented information - General, part a)
The organization’s information security management system shall include: documented information required by this document. NOTE The extent of documented information for an information security management system can differ from one organization to another due to: 1) the size of organization and its type of activities, processes, products and services; 2) the complexity of processes and their interactions; and 3) the competence of persons.
Documented information - General, part b)
The organization’s information security management system shall include: documented information determined by the organization as being necessary for the effectiveness of the information security management system. NOTE The extent of documented information for an information security management system can differ from one organization to another due to: 1) the size of organization and its type of activities, processes, products and services; 2) the complexity of processes and their interactions; and 3) the competence of persons.
Documented information - Creating and updating, part a)
When creating and updating documented information the organization shall ensure appropriate: identification and description (e.g. a title, date, author, or reference number).
- GOV-02 - Publishing Cybersecurity & Data Protection Documentation
- GOV-03 - Periodic Review & Update of Cybersecurity & Data Protection Program
Documented information - Creating and updating, part b)
When creating and updating documented information the organization shall ensure appropriate: format (e.g. language, software version, graphics) and media (e.g. paper, electronic).
- GOV-02 - Publishing Cybersecurity & Data Protection Documentation
- GOV-03 - Periodic Review & Update of Cybersecurity & Data Protection Program
Documented information - Creating and updating, part c)
When creating and updating documented information the organization shall ensure appropriate: review and approval for suitability and adequacy.
- GOV-02 - Publishing Cybersecurity & Data Protection Documentation
- GOV-03 - Periodic Review & Update of Cybersecurity & Data Protection Program
Documented information - Control, part a)
Documented information required by the information security management system and by this International Standard shall be controlled to ensure: it is available and suitable for use, where and when it is needed.
Documented information - Control, part b)
Documented information required by the information security management system and by this International Standard shall be controlled to ensure: it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).
Documented information - Control, part c)
For the control of documented information, the organization shall address the following activities, as applicable: distribution, access, retrieval and use. NOTE Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information, etc.
Documented information - Control, part d)
For the control of documented information, the organization shall address the following activities, as applicable: storage and preservation, including the preservation of legibility.
Documented information - Control, part e)
For the control of documented information, the organization shall address the following activities, as applicable: control of changes (e.g. version control).
Documented information - Control, part f)
For the control of documented information, the organization shall address the following activities, as applicable: retention and disposition. Documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, shall be identified as appropriate, and controlled.