
CIMSNex User Guides


Audit evidence for A.6.6 Confidentiality or Non-Disclosure Agreements would include:

  1. Agreement Documents: Documentation of confidentiality or non-disclosure agreements (NDAs) signed by employees, contractors, or third-party vendors who have access to sensitive information or proprietary data.

  2. Scope and Coverage: Evidence that the agreements clearly define the scope of confidential information and the obligations of the parties involved in protecting such information.

  3. Agreement Distribution: Records showing that the agreements have been distributed to relevant individuals or entities and that they have acknowledged and agreed to the terms.

  4. Regular Review: Proof that the agreements are periodically reviewed and updated as necessary to reflect changes in the organization's business operations or legal requirements.

  5. Training and Awareness: Documentation of training or awareness programs provided to employees or contractors regarding the importance of confidentiality and their obligations under the agreements.

  6. Access Control: Evidence that access controls are in place to restrict access to confidential information only to those who have signed the appropriate agreements.

  7. Breach Records: Records of incidents or complaints related to potential breaches of confidentiality, along with the investigations carried out and any remedial actions taken.

  8. Enforcement Measures: Documentation of measures taken to enforce the terms of the agreements in case of breaches, including disciplinary actions or legal remedies.

  9. Third-Party Compliance: Verification that third-party vendors or contractors who handle sensitive information have signed appropriate NDAs and comply with confidentiality requirements.

  10. Compliance Monitoring: Evidence of ongoing monitoring and audits to ensure compliance with the confidentiality agreements and the protection of confidential information.

  11. Recordkeeping: Proper maintenance of records related to confidentiality agreements, including copies of signed agreements, acknowledgement forms, and any updates or modifications.

  12. Compliance with Legal and Regulatory Requirements: Assurance that the agreements align with applicable laws and regulations related to data protection and privacy.

By reviewing these pieces of evidence, an auditor can assess whether the organization has effectively implemented confidentiality or non-disclosure agreements to safeguard sensitive information and protect the organization's intellectual property, trade secrets, and proprietary data from unauthorized disclosure or misuse. The goal is to ensure that proper measures are in place to maintain confidentiality and prevent unauthorized access to critical information.


Audit evidence for A.6.7 Remote Working would include:

  1. Remote Work Policy: Documentation of a formal remote work policy that outlines the organization's guidelines, requirements, and expectations for employees who work remotely.

  2. Access Control: Proof that remote workers have secure access to the organization's systems and data, such as through encrypted VPN connections and multi-factor authentication.

  3. Bring Your Own Device (BYOD) Policy: If applicable, documentation of a BYOD policy that addresses the security measures and restrictions for employees using their personal devices for remote work.

  4. Training and Awareness: Records of training and awareness programs provided to remote workers on best practices for information security, data protection, and handling sensitive information outside the office environment.

  5. Data Protection Measures: Evidence that data protection measures, such as encryption and data loss prevention (DLP) solutions, are implemented to safeguard sensitive information during remote work.

  6. Device Management: Documentation of the organization's device management policy, including procedures for securing and monitoring remote devices to prevent unauthorized access or data breaches.

  7. Secure Communication: Proof that secure communication channels are in place for remote workers to communicate with colleagues and access corporate resources.

  8. Incident Reporting: Records of incident reporting procedures for remote workers to report security incidents, breaches, or suspicious activities promptly.

  9. Security Audits: Evidence of periodic security audits and assessments of remote work arrangements to identify potential vulnerabilities and address security gaps.

  10. Compliance with Legal and Regulatory Requirements: Assurance that remote work practices comply with relevant legal and regulatory requirements related to data privacy and information security.

  11. Data Backup and Recovery: Documentation of data backup and recovery procedures for remote workers, so that data held on remote devices is backed up to organization-controlled storage and can be restored if a device is lost, stolen, or compromised.

  12. Remote Work Performance Evaluation: Documentation of how the organization evaluates the performance and security of remote work arrangements, including any lessons learned or improvements made.

By reviewing these pieces of evidence, an auditor can assess whether the organization has implemented adequate security measures to protect data and information while enabling remote work. The goal is to ensure that remote work practices align with information security best practices, reduce the risk of data breaches or cyberattacks, and maintain the confidentiality, integrity, and availability of sensitive information, even in a remote work environment.
