Inverifi logo

ISO 27001

Annex A.6 - Organisation of Information Security

Get compliant with ISO 27001 – Annex A.6 and simplify compliance for your organisation.

Annex A.6 has two sections. There are 5 controls in annex 6.1. This annex is to establish a management framework. To initiate and control the achievement, operation of information security within the organisation. As mobile computing is an increasing part of everyday life, annex 6.2 is for mobile devices and teleworking controls.

A.6.1 – Internal organisation

The aim of this annex is to establish a management framework. This framework is to initiate and control the implementation and operation of information security within the organisation.

A.6.1.1 Information security roles and responsibilities

Organisation must define and divide all information for security responsibilities. To be specific, an organisation should consider roles and responsibilities. For personnel who have governance responsibility, they should consider protecting the information. Also for information systems they operate, manage and support. Which means with clear understanding of staff’s information security responsibilities within the organisation.

A.6.1.2 Segregation of duties

Conflicting duties and areas of responsibility must segregate through. Organisation’s assets of unauthorised or unintentional modification or misuse will reduce.


Organisations must ensure information security is perceived during business operations. During business operations, several steps will be taken. Some of these steps and activities expose the organisation to risk. Unless controlled, the organisation has potential to allow an unscrupulous individual to commit fraud. Enough checks and balances should take in place in the organisation. These acts aim to avoid the possibility of accidental creation, deletion or change of data.

The process of creating segregation of duties consists of the following main steps:

Identifying the critical business processes in which segregation of duties is necessary.

Highlighting the specific activities which cannot carry out by the same person.

Allocating these activities to appropriate job roles

Implementing controls such that segregation is mandatory.

Providing training in new procedures.


Monitoring the success of the arrangements and taking improvement actions where needed.

A.6.1.3 Contact with authorities

Relevant authorities must maintain appropriate contacts. When contacting authorities and specialist groups (the police or the regulation bodies ). The person making the contact needs to consider the circumstances. The person should also consider the nature of the information.

A.6.1.4 Contact with special interest groups

Organisation should maintain appropriate contacts with special interest groups. This includes specialist security forums and professional associations. 


This annex is aiming to increase awareness of security. Thus it’s critical that organisations should embed security in their culture. To do this it’s essential that everyone sees it as something that they should discuss and speak up about.

A.6.1.5 Information security in project management

It is vitally important for an organisation to protect information assets at all times. Project management must address information security regardless of the type of the project. During major business changes, organisations must maintain  information security on an ongoing basis. Also once the project has been delivered, information security should also be maintained.


Considerations must be taken into account as part of each project. Their implementation will be subject to later internal and external audit. The information security considerations of each of stages are:

initiation, planning, design and development, implementation and project closure.

A.6.2 – Mobile devices and teleworking

Annex 6.2 is increasing in importance as more and more people are working at home and to use their own devices. The aim is to ensure the security of teleworking and use of mobile devices.

A.6.2.1 Mobile device policy

A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.

Mobile computing is an increasing part of everyday life. As devices become smaller and more powerful. The number of tasks that can be achieved away from the office grows. Mobile devices include: laptop, notebook computers, tablet devices, smartphones and PDAs. Yet the ease and flexibility of use of mobile devices caused the potential security vulnerability.

Bring Your Own Device (BYOD) policy should also play an important role in the control. The organisation needs to be subject to extra controls over and above those typically in place for a consumer device.

 Common issues and security challenges with BYOD may include:

  • Use of the device by other family members
  • Default storage of data in cloud backup facilities
  • Increased exposure to potential loss in social situations e.g. on the beach, in a bar
  • Potential access to websites that do not meet the organisations acceptable use policy
  • Connection to insecure networks e.g. unsecured wireless hotspots
  • Anti-virus protection and how often the device is patched
  • Installation of potentially malicious apps onto the device 

BYOD policies must consider:

  • Physical Protection
  • Access Controls
  • Cryptographic Techniques
  • Backups, Virus Protection
  • Network Connection
  • Overlooking in public places

These issues must be considered when assessing the suitability of any given device to hold specific data belonging to the organisation. Interested in how Inverifi maintains information security for mobile devices? Read more

A.6.2.2 Teleworking

Teleworking, or remote working has been a common working style after the pandemic. It usually involves the employee working from home in a separate area of living accommodation. Whether this is a house, apartment or other type of domestic house.


A teleworking arrangement is a voluntary agreement between the organisation and the employee. A policy and supporting security measures should be put in place. To protect information accessed, processed or stored at teleworking sites.


As the individual will gain greater flexibility in working arrangements,  the organisation is able to keep skilled and experienced staff who suit teleworking. It is also possible to save money on the rental, lease or purchase of office space. 


This annex control sets out the key information security-related elements. These must be considered in agreeing a teleworking arrangement. Although it does not address the human resources aspects of teleworking. Such as health and safety, absence monitoring, job performance and contractual issues.


Organisation should ensure that all the necessary issues are addressed. Also should ensure to protect information assets.