ISO 27001
Annex A.6 - Organisation of Information Security
Get compliant with ISO 27001 – Annex A.6 and simplify compliance for your organisation.

Annex A.6 has two sections. Annex A.6.1 contains 5 controls and exists to establish a management framework to initiate and control the implementation and operation of information security within the organisation. As mobile computing is an increasing part of everyday life, Annex A.6.2 covers mobile devices and teleworking controls.
The aim of this annex is to establish a management framework that initiates and controls the implementation and operation of information security within the organisation.
The organisation must define and allocate all information security responsibilities. Specifically, it should define roles and responsibilities for personnel who have governance responsibility for protecting information, and for the information systems they operate, manage and support, so that staff have a clear understanding of their information security responsibilities within the organisation.
Conflicting duties and areas of responsibility must be segregated to reduce the opportunities for unauthorised or unintentional modification or misuse of the organisation’s assets.
Organisations must ensure that information security is observed during business operations. Business operations involve several steps, and some of these steps and activities expose the organisation to risk; unless they are controlled, they could allow an unscrupulous individual to commit fraud. Sufficient checks and balances should be in place within the organisation; these aim to avoid the possibility of accidental creation, deletion or change of data.
The process of creating segregation of duties consists of the following main steps:
Identifying the critical business processes in which segregation of duties is necessary.
Highlighting the specific activities which cannot be carried out by the same person.
Allocating these activities to appropriate job roles.
Implementing controls such that segregation is mandatory.
Providing training in new procedures.
Monitoring the success of the arrangements and taking improvement actions where needed.
Appropriate contacts with relevant authorities must be maintained. When contacting authorities and specialist groups (such as the police or regulatory bodies), the person making the contact needs to consider the circumstances and the nature of the information involved.
The organisation should also maintain appropriate contacts with special interest groups, including specialist security forums and professional associations.
This annex aims to increase awareness of security, so it is critical that organisations embed security in their culture. To do this, it is essential that everyone sees security as something they should discuss and speak up about.
It is vitally important for an organisation to protect its information assets at all times. Project management must address information security regardless of the type of project. During major business changes, organisations must maintain information security on an ongoing basis, and information security should also be maintained once the project has been delivered.
Information security considerations must be taken into account as part of each project, and their implementation will be subject to later internal and external audit. The project stages at which information security must be considered are: initiation, planning, design and development, implementation and project closure.
Annex A.6.2 is increasing in importance as more and more people work from home and use their own devices. Its aim is to ensure the security of teleworking and the use of mobile devices.
A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.
Mobile computing is an increasing part of everyday life. As devices become smaller and more powerful, the number of tasks that can be achieved away from the office grows. Mobile devices include laptops, notebook computers, tablet devices, smartphones and PDAs. Yet the ease and flexibility of use of mobile devices creates potential security vulnerabilities.
A Bring Your Own Device (BYOD) policy should also play an important role in this control. The organisation needs to apply extra controls over and above those typically in place for a consumer device.
Common issues and security challenges with BYOD may include:
BYOD policies must consider:
These issues must be considered when assessing the suitability of any given device to hold specific data belonging to the organisation.
Teleworking, or remote working, has become a common working style since the pandemic. It usually involves the employee working from home in a separate area of their living accommodation, whether this is a house, apartment or other type of domestic dwelling.
A teleworking arrangement is a voluntary agreement between the organisation and the employee. A policy and supporting security measures should be put in place to protect information accessed, processed or stored at teleworking sites.
While the individual gains greater flexibility in working arrangements, the organisation is able to retain skilled and experienced staff who suit teleworking. It is also possible to save money on the rental, lease or purchase of office space.
This annex control sets out the key information security-related elements that must be considered when agreeing a teleworking arrangement. It does not address the human resources aspects of teleworking, such as health and safety, absence monitoring, job performance and contractual issues.
The organisation should ensure that all the necessary issues are addressed and that its information assets are protected.
©Copyright Inverifi 2023, All rights reserved. Registered in England, No: 06959535, +44 20 4574 9908