Boost Your Organization's Security: Essential ISO 27001 Controls, Risk Mitigation, and Employee Training Strategies
Introduction
Information security is a crucial aspect of any organization, ensuring that sensitive data and assets remain protected from threats. This document provides a structured approach to managing information security within an organization, focusing on key control areas such as internal organization, employment lifecycle management, and awareness training.
By implementing these controls, organizations can mitigate risks, ensure compliance with ISO/IEC 27006:2011, and enhance overall security resilience.
A.6.1 Internal Organization
Control Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.
Control Ref: A.6.1.1 – Information Security Roles and Responsibilities
Control: All information security responsibilities shall be defined and allocated. ISO/IEC 27006 – Annexure D – (2005 reference A.6.1.3) – Organizational control.
Plain English Explanation: ISMS implementation is a shared responsibility. The purpose of this set of controls is to utilize existing organizational resources and adopt a ‘committee’ or ‘team’ approach. Responsibilities for information security risk management, particularly for acceptance of residual risks, should be clearly defined. Although a Management Representative is nominated, responsibility for resourcing and implementing controls often remains with individual managers.
Control Ref: A.6.1.2 – Segregation of Duties
Control: Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets. ISO/IEC 27006 – Annexure D – (2005 reference A.10.1.3) – Organizational control.
Plain English Explanation: A fundamental principle is that the person who approves a change should not be the one who records or executes it. For example, software development and IT operations should be handled by separate teams. In smaller organizations, where full segregation isn’t feasible, supervisory review can compensate. For instance, a DBA assisting the librarian or QA team in transferring test software to production should have their work reviewed by a manager to prevent unauthorized modifications.
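The segregation-of-duties principle above is something an IAM or internal-audit team usually checks mechanically against the access register rather than by reading organizational charts. The following Python is an added example, not code from the original page or from any ISO standard: it takes a constructed list of user-to-role assignments, flags any user who holds a pair of roles defined as conflicting (lowering the severity when a compensating supervisory review is recorded, as the text suggests for small organizations), and lists privileged accounts whose last access review is missing or older than an assumed 90-day window, which is the check behind the later audit question about privileged database access. The role names, conflict pairs, review interval and sample users are all assumptions made for illustration.

```python
"""Segregation-of-duties and privileged-access-review checker (added example).

All role names, conflict pairs, the 90-day review window and the sample
users are constructed for illustration; substitute the organization's own
access register and conflict matrix in practice.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Pairs of roles one person must not hold at the same time (assumed matrix).
SOD_CONFLICTS = {
    frozenset({"developer", "prod_deploy"}),      # dev vs. production release
    frozenset({"approver", "recorder"}),          # approve vs. record
    frozenset({"dba", "release_librarian"}),      # DBA vs. software library
}

# Roles treated as privileged and therefore subject to periodic access review.
PRIVILEGED_ROLES = {"dba", "prod_deploy"}
REVIEW_WINDOW_DAYS = 90          # assumed review interval
TODAY = date(2024, 6, 1)         # fixed "today" so the example is reproducible


@dataclass
class Assignment:
    user: str
    roles: set[str]
    compensating_review: bool = False      # a manager reviews this user's work
    last_access_review: date | None = None # None = never reviewed


@dataclass
class Finding:
    user: str
    conflict: tuple[str, str]
    severity: str


def sod_findings(assignments: list[Assignment]) -> list[Finding]:
    """Return one finding per (user, conflicting role pair) actually held.

    Severity is 'high' when the conflict is uncompensated and 'medium' when a
    supervisory review is on record, mirroring the compensating-control idea
    for small organizations.
    """
    findings: list[Finding] = []
    for a in assignments:
        for pair in SOD_CONFLICTS:
            if pair <= a.roles:                       # user holds both roles
                r1, r2 = sorted(pair)
                severity = "medium" if a.compensating_review else "high"
                findings.append(Finding(a.user, (r1, r2), severity))
    # Sort so the output does not depend on set iteration order.
    return sorted(findings, key=lambda f: (f.user, f.conflict))


def stale_reviews(assignments: list[Assignment], today: date,
                  max_age_days: int = REVIEW_WINDOW_DAYS) -> list[tuple[str, int | None]]:
    """List privileged users whose access review is missing or too old.

    Each entry is (user, days since last review) with None meaning 'never'.
    """
    stale: list[tuple[str, int | None]] = []
    for a in assignments:
        if not (a.roles & PRIVILEGED_ROLES):
            continue
        if a.last_access_review is None:
            stale.append((a.user, None))
        else:
            age = (today - a.last_access_review).days
            if age > max_age_days:
                stale.append((a.user, age))
    return sorted(stale, key=lambda s: s[0])


# Constructed sample access register.
SAMPLE_ASSIGNMENTS = [
    Assignment("alice", {"developer", "prod_deploy"}),                    # uncompensated conflict
    Assignment("bob", {"dba", "release_librarian"}, compensating_review=True),
    Assignment("carol", {"developer"}),                                   # no conflict
    Assignment("dave", {"dba"}, last_access_review=date(2024, 1, 1)),     # reviewed, but stale
]


if __name__ == "__main__":
    for f in sod_findings(SAMPLE_ASSIGNMENTS):
        print(f"SoD {f.severity.upper():6} {f.user}: holds both {f.conflict[0]} and {f.conflict[1]}")
    for user, age in stale_reviews(SAMPLE_ASSIGNMENTS, TODAY):
        when = "never reviewed" if age is None else f"last reviewed {age} days ago"
        print(f"REVIEW DUE     {user}: privileged access {when}")
```

Run as a script it prints alice as a high-severity conflict, bob as a medium one (compensated by review), and three privileged accounts whose access review is due; the same two functions can be fed a CSV export of a directory or IAM system in place of the constructed list.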
Control Ref: A.6.1.3 – Contact with Authorities
Control: Appropriate contacts with relevant authorities shall be maintained. ISO/IEC 27006 – Annexure D – (2005 reference A.6.1.6) – Organizational control.
Plain English Explanation: Organizations must maintain contacts with authorities such as fire stations, Visa/Mastercard, ISPs, emergency services, and regulatory bodies. While minor security incidents are managed internally, major incidents must be reported to law enforcement, regulatory agencies, or supervisory authorities. Organizations under cyber attacks may require immediate intervention from ISPs or law enforcement. Contact details for key officials must be readily available, such as in a Business Continuity Plan.
Control Ref: A.6.1.4 – Contact with Special Interest Groups
Control: Appropriate contacts with special interest groups or professional security forums shall be maintained. ISO/IEC 27006 – Annexure D – (2005 reference A.6.1.7) – Organizational control.
Plain English Explanation: Instead of appointing security specialists for every security product, organizations can leverage professional forums (e.g., LinkedIn groups, ISACA, CERT) to seek guidance, share experiences, and stay updated with the latest industry trends.
Control Ref: A.6.1.5 – Information Security in Project Management
Control: Information security shall be addressed in project management, regardless of the project type. ISO/IEC 27006 – Annexure D – (2005 reference: NONE).
Plain English Explanation: Information security risks must be identified and mitigated during all project phases. Project management should include:
- Defining information security objectives.
- Conducting security risk assessments early in the project.
- Integrating security controls across all project phases.
A.6.2 Mobile Devices and Teleworking
Control Objective: To ensure the security of teleworking and the use of mobile devices.
Control Ref: A.6.2.1 – Mobile Device Policy
Control: A policy and supporting security measures shall be implemented to manage risks introduced by mobile devices. ISO/IEC 27006 – Annexure D – (2005 reference A.11.7.1) – Organizational and Technical Control.
This covers Bring Your Own Device (BYOD) policies. Security factors include:
- Protection against theft.
- Awareness training.
- Separation of private and business use.
- Data backup procedures.
- End-user agreements.
Control Ref: A.6.2.2 – Teleworking
Control: A policy and supporting security measures shall be implemented to protect information accessed, processed, or stored at teleworking sites. ISO/IEC 27006 – Annexure D – (2005 reference A.) – Organizational and Technical Control.
Security measures include:
- Physical security at teleworking sites.
- Secure communication channels.
- Background checks for employees working remotely.
- Secure Wi-Fi and VPN configurations.
- Malware protection and monitoring.
Sample Audit Questions
- Who is responsible for establishing contact with relevant authorities?
- Who contacts regulatory bodies in case of a security incident?
- What measures address conflicting roles in a small organization?
- What security objectives are included in project management?
- How are teleworking-related threats addressed?
- When was the last review conducted for privileged user access to databases?
- Why is a developer given access to the production environment?
- How is the risk of accidental or deliberate misuse of assets minimized?
- How is supplier relationship security managed?
- Show the latest organizational chart.
A.7.1 Prior to Employment
Control Objective: To ensure that employees and contractors understand their responsibilities and are suitable for their roles.
Control Ref: A.7.1.1 – Screening
Control: Background verification checks shall be conducted based on business needs, information classification, and risk perception. ISO/IEC 27006 – Annexure D – (2005 reference A.8.1.2) – Organizational control.
Employment verification may include:
- Passport verification.
- Educational and credit checks.
- Security clearance, where necessary.
- Compliance with relevant laws and ethical standards.
Control Ref: A.7.1.2 – Terms and Conditions of Employment
Control: Employment agreements shall define organizational responsibilities for information security. ISO/IEC 27006 – Annexure D – (2005 reference A.8.1.3) – Organizational control.
Employment agreements should include:
- Confidentiality clauses.
- Legal responsibilities, including copyright and data protection laws.
- Security requirements for information handling.
- Post-employment obligations, such as non-disclosure agreements.
A.7.2 During Employment
Control Ref: A.7.2.1 – Management Responsibilities
Control: Management shall ensure employees apply security measures per organizational policies. ISO/IEC 27006 – Annexure D – (2005 reference A.8.2.1) – Organizational control.
Control Ref: A.7.2.2 Information Security Awareness, Education, and Training
Control: All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.
ISO/IEC 27006:2011 – Annexure D (2005 reference A.8.2.2) – Organizational control.
Audit Review Guidance: Ask staff whether they know the specific policies and procedures that apply to their role.
Explanation: Possible methods include:
- Campaigns
- Employee handbooks
- Intranets
- Classroom training
- Screen savers
- Wall posters
- Quizzes
(Ref: ISO/IEC 27002:2013) Information security education and training should also cover general aspects such as:
- a) Stating management’s commitment to information security throughout the organization.
- b) The need to become familiar with and comply with applicable information security rules and obligations, as defined in policies, standards, laws, regulations, contracts, and agreements.
- c) Personal accountability for one’s own actions and inactions, and general responsibilities towards securing or protecting information belonging to the organization and external parties.
- d) Basic information security procedures (such as information security incident reporting) and baseline controls (such as password security, malware controls, and clear desks).
- e) Contact points and resources for additional information and advice on information security matters, including further information security education and training materials.
Control Ref: A.7.2.3 Disciplinary Process
Control: There shall be a formal and communicated disciplinary process in place to take actions against employees who have committed an information security breach.
ISO/IEC 27006:2011 – Annexure D (2005 reference A.8.2.3) – Organizational control.
Plain English Explanation: For a disciplinary process to be initiated, a security breach should have occurred. Other factors to be considered:
- Employee training
- Was it the first breach?
- Relevant legislation
- Business contracts and other factors
A.7.3 Termination and Change of Employment
Control Objective: To ensure that employees, contractors, and third-party users exit an organization or change employment in an orderly manner.
Control Ref: A.7.3.1 Termination or Change of Employment Responsibilities
Control: Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor, and enforced.
ISO/IEC 27006:2011 – Annexure D (2005 reference A.8.3.1) – Organizational control.
Plain English Explanation: Examples include the transfer of employees, change of admin passwords, and post-resignation obligations such as non-disclosure agreements and non-compete agreements. In the case of a contractor provided through an external party, this termination process is undertaken by the external party in accordance with the contract between the organization and the external party.
Sample Audit Questions
- Who is responsible for verifying the completeness and accuracy of an applicant’s curriculum vitae?
- What screening tests are conducted for critical positions such as database administrators?
- When do employees or contractors sign the terms and conditions of employment?
- Where are security badges (access cards) kept after an employee surrenders them on termination?
- Why is it important to conduct periodic awareness programs?
- How is it ensured that employees stay current with appropriate skills and qualifications?
- Show me the disciplinary process for security breaches.
Conclusion
Effective implementation of information security controls requires a clear framework, defined responsibilities, and ongoing awareness training. Organizations must establish proper policies and disciplinary measures to safeguard their information assets and comply with international standards. By embedding security within operational and project management practices, organizations can create a culture of security that minimizes risks and ensures business continuity.
FAQ
Why is information security awareness training important for employees?
Regular training ensures employees understand security risks, compliance requirements, and best practices, reducing the likelihood of breaches and human errors.
What are the key responsibilities of management in information security?
Management must establish policies, allocate responsibilities, oversee implementation, and ensure compliance with security frameworks and regulations.
How can small organizations implement segregation of duties effectively?
In cases where full segregation isn’t feasible, compensating controls like supervisory reviews, logging, and periodic audits can help mitigate risks.