The ISO/IEC 27001 control standard requires you to have documented procedures (in most cases) to establish a baseline for your security operations. Without this baseline, security operations will be inconsistent. A procedure lays the foundation necessary for its continual improvement. This product includes Access Control, Vulnerability Management, Data Backup, Contact with Authorities, Media Sanitization, Physical Security Zoning, and Secure Work Area procedures that are required for your ISMS or security program.
A vulnerability can be anything that weakens the security posture of an information system. That means a 'vulnerability' could be a missing patch, a deviation from a hardening guideline or a CVE entry in a national database. Regardless of the source, this product establishes a baseline for the Vulnerability Management process. Some of the key considerations for the procedure are to determine how often vulnerability scans must be performed, how quickly findings should be remediated, etc. Organizations must monitor the coverage of vulnerability scanning, average remediation time by severity, etc. to continuously improve upon these established procedures.
Contact with Authorities
No organization is an island. Every organization requires external interactions for its daily operation as well as to meet its legal, regulatory and contractual obligations. Such interfaces must be documented and tested to ensure those interactions are operational.
Secure Work Area
Clear guidelines must be established to ensure that people working in those areas know them and comply with them at all times. This may be necessary to protect people and assets alike.
Access to information or information systems must be controlled; this is one of the most basic security practices, ensuring that information is accessed only by authorized parties. An effective access management policy can be implemented through this procedure. Physical access to data centers must also be controlled, which is a first and foremost control in the information security domain. This procedure includes a complete set of identity and access management procedures required to meet this control objective.
In any organization, there will be many forms of storage media that are used to store sensitive information. It is important to sanitize these media before they are removed from the control of your organization. These media may be internal to a piece of equipment, external hard disks, USB drives or optical storage. Depending on the technology used for storage (e.g. magnetic, solid state, optical, etc.), an effective media sanitization procedure needs to be developed.
Information may be lost or corrupted during its course of use, or may be encrypted by malicious code such as ransomware. The only hope of recovery is a backup from which it can be restored. Critical information must be backed up at a predefined interval, and retained for a period that satisfies its business purpose. Backed-up information may be stored offsite to deal with situations arising from the complete loss of a data center. Access control over such backup data is crucial for its protection. Backups of sensitive data on tapes must be encrypted when stored offsite.
Not every area in an organization handles sensitive information or performs critical operations. This calls for a classification of the various physical zones. Sufficient controls need to be implemented to protect these security zones.