
CIMSNex User Guides


To assess compliance with A.5.5 "Contact with Authorities," an information security auditor would need to evaluate how an organization manages and interacts with relevant authorities, such as law enforcement agencies and regulatory bodies, in the context of information security incidents and requirements. Here's a breakdown of the evidence and areas an auditor might review:

  1. Incident Reporting Procedures: Review the organization's documented procedures for reporting information security incidents to relevant authorities, including the steps to follow, timelines, and responsible personnel.

  2. Legal and Regulatory Requirements: Verify that the organization is aware of and adheres to legal and regulatory requirements related to reporting and communicating information security incidents to authorities.

  3. Law Enforcement Liaison: Examine any documented agreements, contacts, or protocols the organization has established with law enforcement agencies for reporting cybercrime or security incidents.

  4. Notification Timeline: Assess the organization's ability to promptly notify relevant authorities in case of a significant security incident, as required by applicable laws and regulations.

  5. Internal Communication: Review evidence that demonstrates how the organization's internal teams communicate and collaborate when deciding whether and how to involve authorities in an incident.

  6. Authorities' Requests: Evaluate procedures or policies related to responding to authorities' requests for information or assistance in investigating security incidents.

  7. Documentation: Examine records of any communication, interactions, or correspondence between the organization and authorities regarding information security incidents.

  8. Coordination: Assess how the organization coordinates with relevant authorities during incident response efforts to ensure effective collaboration and information sharing.

  9. Legal Counsel Involvement: Verify whether the organization involves legal counsel in discussions and decisions regarding interactions with authorities to ensure compliance with legal requirements.

  10. Preservation of Evidence: Examine how the organization handles the preservation of evidence related to security incidents to support potential legal proceedings.

  11. Incident Reporting Logs: Review logs or documentation of incidents reported to authorities, detailing the nature of the incident, response actions taken, and outcomes.

  12. Follow-Up and Resolution: Assess the organization's process for providing authorities with updates on incident resolution, investigation outcomes, and any additional assistance required.

  13. Public Communication: Verify whether the organization has established procedures for communicating with the public, customers, or stakeholders about information security incidents that may involve authorities.

  14. Training and Awareness: Evaluate whether employees are aware of their responsibilities for contacting authorities and whether they receive training on how to do so effectively.

  15. Mock Exercises: Examine evidence of mock exercises or simulations conducted by the organization to test its ability to interact with authorities during incident response scenarios.

By examining these aspects, an auditor can determine whether the organization has well-defined procedures for contacting relevant authorities in the event of information security incidents, complies with legal and regulatory requirements, and maintains effective communication and coordination with external parties during incident response efforts.

Organisations need to maintain appropriate contacts with the relevant authorities. Procedures should define when and by whom authorities are to be contacted, and how identified information security incidents (for example, suspected breaches of law or regulation) are to be reported to them in a timely manner.

An organisation under attack from the internet may need the relevant authorities to take action against the source of the attack. Maintaining such contacts may also be required to support incident management or business continuity and contingency planning. Contacts with regulatory authorities are also useful for anticipating and preparing for changes in the laws or regulations the organisation must comply with. Authorities to consider include your data protection regulator (contact with which is likely to be mandated in law), utility companies for power and water, health and safety bodies where relevant, fire departments for business continuity and incident management, and perhaps your telecoms provider for re-routing if lines go down. You will need to ensure that you:

  • identify and document which authorities apply to you;
  • define in what circumstances you would contact them;
  • define how information security incidents should be reported to them, where relevant;
  • understand what expectations these authorities have, if any;
  • include the relevant contact steps in your incident management processes;
  • include the relevant contact steps in your business continuity and disaster recovery processes.

The ISMS coordinator can keep these records up to date, recording which authority was contacted, when, by which relationship owner, under what circumstances, and the nature of the information provided. The records should clearly identify who is responsible for contacting authorities (e.g., law enforcement, regulatory bodies, supervisory authorities), which authorities should be contacted (e.g., in which region or country), and in what cases this needs to happen.


To evaluate compliance with A.5.4 "Management Responsibilities," an information security auditor would need to assess whether an organization's management has fulfilled their responsibilities for information security in line with applicable standards and best practices. Here is a list of evidence and areas that an auditor would typically review:

  1. Information Security Policy: Review the organization's documented information security policy to ensure that it reflects management's commitment to information security, sets clear objectives, and provides a framework for implementation.

  2. Senior Management Endorsement: Verify that senior management, such as the CEO or equivalent, has formally endorsed the information security policy and communicated its importance to the entire organization.

  3. Governance Structure: Assess the organization's governance structure to determine how information security responsibilities are distributed among management levels and departments.

  4. Risk Management: Review evidence of management's involvement in the organization's risk management process, including risk assessments, risk treatment decisions, and risk mitigation strategies.

  5. Resource Allocation: Examine records that demonstrate management's allocation of adequate resources (financial, personnel, technology) to support the implementation of information security measures.

  6. Security Roles and Responsibilities: Review how management has defined, communicated, and assigned information security roles and responsibilities throughout the organization.

  7. Security Awareness and Training: Evaluate management's commitment to security awareness and training programs for employees at all levels, promoting a culture of security.

  8. Incident Response: Verify that management has established an incident response plan that outlines roles, responsibilities, and procedures to address security incidents.

  9. Continuous Improvement: Assess whether management actively participates in and supports ongoing improvement efforts for information security processes, controls, and practices.

  10. Performance Metrics: Review evidence of management's establishment of key performance indicators (KPIs) or metrics to measure the effectiveness of information security initiatives.

  11. Internal Communication: Examine how management communicates information security objectives, policies, and developments within the organization.

  12. External Communication: Review how management communicates the organization's information security posture to external stakeholders, customers, partners, and regulatory authorities.

  13. Compliance with Regulations: Verify that management ensures the organization complies with relevant laws, regulations, and contractual obligations related to information security.

  14. Budget Allocation: Evaluate how management allocates funds for security-related activities, projects, and initiatives, ensuring that security needs are adequately funded.

  15. Management Review: Review documentation of management's periodic reviews of the organization's information security performance, identifying strengths and areas for improvement.

  16. Integration with Business Objectives: Assess whether information security objectives align with the organization's overall business objectives and strategies.

  17. Vendor Management: Verify that management has established processes to assess and manage information security risks associated with third-party vendors and partners.

  18. Audits and Assessments: Examine records of internal and external audits or assessments related to information security and management's response to findings and recommendations.

By examining these aspects, an auditor can determine whether management is actively engaged in promoting and overseeing information security practices, aligning them with the organization's strategic goals and ensuring the effective management of information security risks.
