
ISMS Manual

ISO 27001:2013
(Doc. No: ISMS-M-1.0)

ISMS Manual Page 1 of 31


Document Control

Document Title: ISMS Manual
Document Code: ISMS-M-1.0
Version: 1.0
Date of version:
Document Owner:
Document Author(s):
Document Approver:
Privacy level: Internal

Change history

Version | Date | Created by | Description of change
1.0 | | ISMS Team | Initial Release

Note: The present document or drawing is property of XYZ Company, and will not, under any
circumstances, be totally or partially, directly or indirectly, transferred, reproduced, copied, disclosed or
used, without its prior written consent, for any purpose and in any way other than that for which it is
specifically furnished or outside the extent of the agreed upon right of use.



Table of Contents

Document control ... 2
0.1 Purpose ... 3
0.2 About XYZ Company ... 3
1.0 Scope ... 3
2.0 Normative references ... 4
3.0 Terms and definitions ... 4
4.0 Context of the organization ... 4
  4.1 External and internal context of the organization ... 4
  4.2 Understanding the needs and expectations of interested parties ... 5
  4.3 Determining the scope of the information security management system ... 7
  4.4 Information security management system ... 8
5.0 Leadership and commitment ... 8
  5.1 Management commitment ... 8
  5.2 Information security policy ... 9
  5.3 Information security policy statement ... 9
  5.3.1 Organizational roles, responsibilities and authorities ... 10
6.0 Planning ... 11
  6.1 Actions to address risks and opportunities ... 11
  6.2 Information security risk assessment ... 11
  6.3 Risk treatment ... 12
  6.4 Information security objectives and plans to achieve them ... 12
7.0 Support ... 13
  7.1 Resource ... 13
  7.2 Competency of IS personnel ... 13
  7.3 ISMS awareness ... 14
  7.4 Communication ... 14
  7.5 Documented information ... 15
  7.5.1 General ... 15
  7.5.2 Creating and updating ... 15
  7.5.3 Control of documented information ... 15
8.0 Operation ... 16
  8.1 Operation planning and control ... 16
  8.2 Information security risk assessment ... 16
  8.3 Information security risk treatment ... 16
9.0 Performance evaluation ... 17
  9.1 Monitoring, measurement, analysis and evaluation ... 17
  9.2 Internal audit ... 17
  9.3 Management review of the ISMS ... 18
10.0 Improvement ... 19
  10.1 Nonconformity and corrective action ... 19
  10.2 Continual improvement ... 19

0.1 Purpose
This document details the framework established for the Information Security Management System at XYZ Company.
The purpose of this document is to:

● Establish an organization-wide approach towards Information Security.

● Establish controls to ensure the protection of sensitive information stored or transmitted electronically and the protection of the organization's information technology resources.

● Assign responsibility and provide guidelines to protect the organization's resources and data against misuse and/or loss.

0.2 About XYZ Company

XYZ Company is the leading hyperscaler from India with a focus on advanced Cloud GPU infrastructure, listed on the National Stock Exchange (NSE). The company is known for providing accelerated cloud computing solutions, including cutting-edge Cloud GPUs such as NVIDIA A100/H100 GPUs and the upcoming GH100 on the Cloud, making it the leading IaaS provider focused on advanced Cloud GPU capabilities in India.

1.0 SCOPE

This ISMS Manual specifies requirements for an information security management system where XYZ Company:

⮚ Needs to demonstrate its ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, and

⮚ Aims to enhance customer satisfaction through the effective application of the system, including processes for improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements.

Note: All the requirements of ISO/IEC 27001:2013 are generic and are intended to be applicable to any organization, regardless of its type or size, or the products and services it provides.

2.0 Normative References

The following referenced documents are indispensable for the application of this Information Security Management System.

⮚ ISO/IEC 27001:2013, Information technology – Security techniques – Information security management systems – Requirements

3.0 Terms and Definitions

This document and its contents are mandatory for the management and control required to ensure effective processes, the delivery of high-quality information security solutions and services, and customer satisfaction and loyalty.

1. Information Security: Preservation of confidentiality, integrity, and availability of information; ensuring that information is not disclosed to unauthorized individuals, not altered improperly, and remains accessible when needed.
2. Risk: Potential for an unwanted incident that could have an adverse effect on an organization's objectives.
3. Risk Assessment: Systematic process of evaluating risks related to information security, including identifying, analyzing, and evaluating risks.
4. Risk Treatment: Process of selecting and implementing measures to modify risks.
5. Asset: Anything valuable to an organization that needs to be protected, such as information, systems, infrastructure, personnel, or intellectual property.
6. Control: Measure or action that modifies risk.
7. Security Policy: Overall intentions and direction of an organization related to information security, formally expressed through policies and procedures.
8. Information Security Management System (ISMS): Framework of policies and procedures that includes legal, physical, and technical controls involved in an organization's information risk management processes.
9. Statement of Applicability (SoA): Document that outlines the controls selected by an organization and the reasons for their selection.
10. Compliance: Adherence to laws, regulations, policies, standards, or contracts relevant to an organization's business.
11. Information Asset: Any data or information that has value to an organization, such as databases, documents, intellectual property, or customer information.
12. Risk Owner: Person or entity responsible for managing a specific risk within an organization.
13. Vulnerability: Weakness in a system's design, implementation, or operation that could be exploited to violate security.
14. Threat: Potential cause of an unwanted incident that could result in harm to an organization's assets or operations.
15. Incident: An event that results in a breach of information security policy, potentially causing harm to information assets.
16. Business Continuity Management: Holistic management process that identifies potential threats to an organization and provides a framework for building resilience and the capability for an effective response.
17. Information Security Incident Management: Process that includes identification, response, and resolution of incidents related to information security.
18. Access Control: Measures implemented to manage and restrict access to information systems and data.
19. Information Security Risk Management: Continuous process to assess, mitigate, and monitor risks to ensure the security of information assets.
20. Third Party: External person, organization, or entity with which an organization interacts or shares information.
21. Control Objective: Desirable outcome related to information security, usually framed as a general statement.
22. Information Security Event: Identified occurrence of a system, service, or network state indicating a possible breach of information security policy or failure of controls.
23. Nonconformity: Failure to meet a specified requirement, including those related to policies, processes, or controls.
24. Monitoring: Systematic observation, checking, surveillance, or supervision of processes to ensure they are operating as intended.
25. Documented Information: Information required to be controlled and maintained by an organization, including policies, procedures, manuals, and records.
26. Interested Party: Person or organization concerned with the performance or compliance of an organization.
27. Information Security Management: Comprehensive framework that includes policies, processes, and controls to protect information assets.
28. Information Security Objective: Overall intention and direction related to information security performance and achievements.
29. Information Security Risk: Potential that a given threat will exploit vulnerabilities of an information asset or group of assets to cause harm to the organization.
30. Treatment Plan: Plan detailing how risks will be treated, including the measures to be taken to reduce or mitigate identified risks.

4.0 CONTEXT OF THE ORGANIZATION

4.1 Understanding the organization and its context

⮚ Organizational structure - Knowing the roles, accountabilities, and hierarchy in the organization.

⮚ Organizational drivers - The organization's values, mission, and vision, expressed in its internal culture,
policies, objectives, and strategies, can help define its information security policies, objectives, and
strategies.

⮚ The way the organization does things - Knowing how processes work (both isolated and interconnected),
how information flows, and how decisions are made will make it easier to integrate information security
processes and controls with business operations and management activities.

⮚ Available resources - Knowing what equipment, technologies, systems, capital, time, personnel, and
knowledge you already have in your organization can help you guide your acquisitions, as well as the
development not only of solutions, but also the competencies required to keep information secure.

⮚ Contractual relationships - Understanding the relationships with suppliers and customers can allow an organization to include, in the scope of its ISMS, the controls needed to better manage customers' and suppliers' requirements.



XYZ Company has reviewed and analyzed key aspects of itself and its stakeholders to determine the strategic direction of the company. This requires understanding the internal and external issues that are of concern to XYZ Company and its interested parties.

XYZ Company determines the external and internal issues/factors that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its ISMS.
The following are the internal and external issues/factors that could have an impact on information security:

▪ Internal Factors: These are things within the control or influence of the organization. They include aspects like the organization's structure, its policies, its people, and its culture.

▪ External Factors: These are things outside the organization's direct control. They encompass elements like laws, market conditions, technological changes, and other outside influences that can impact the organization but are not managed by it.

Examples of External Factors:

⮚ The legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;

⮚ Key drivers and trends having an impact on the business objectives of XYZ Company;

⮚ Relationships with, and perceptions and values of, external stakeholders.

Examples of Internal Factors:

⮚ Governance, organizational structure, roles and accountabilities;

⮚ Policies, objectives, and the strategies that are in place to achieve them;

⮚ Capabilities, understood in terms of resources and knowledge and competence (e.g., capital, time, people, processes, systems and technologies);

⮚ Information systems, information flows and decision-making processes (both formal and informal);

⮚ Standards, guidelines and models adopted by XYZ Company;

⮚ The form and extent of contractual relationships.

❖ Examples of issues that can affect information security: equipment failure, leakage of sensitive information/willful damage, inaccurate information updates, unsecure working areas, internal hacking, information theft, failure of communication devices, disclosure of sensitive information, handling of security incidents, etc.



4.2 Understanding the Needs and Expectations of Interested Parties
Due to their effect or potential effect on XYZ Company's ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, XYZ Company has determined:

⮚ The interested parties that are relevant to the information security management system;

⮚ The requirements of these interested parties that are relevant to the information security management system.

Interested Parties:

S.No | Interested Parties | Needs and Expectations

1. Business Owners/Top Management – XYZ Company
● To safeguard confidential, restricted and internal information against unauthorized disclosure and misuse.
● Focus on continuous strengthening of information security strategies.
● Trade secrets should be kept limited to authorized personnel only.
● To ensure correct and secure operation of information processing facilities.
● Business facility protection against natural disasters, malicious attack or accidents.
● Compliance with all legal requirements as per the requirements of the ISO 27001 standard.

2. Employees
● Awareness of information security/ISO 27001 for XYZ Company.
● Resource availability to comply with the XYZ Company Information Security / ISO 27001 policy.
● Awareness of privacy and protection of PII (Personally Identifiable Information).

3. Customers
● Information security aspects of business continuity management.
● Management of information security incidents and improvements.

4. Suppliers/Vendors/Service Providers
● Robust information security systems to support business transactions, backed by a Service Level Agreement.

5. Legal and Regulatory Bodies
● Compliance with applicable legal and statutory guidelines and procedures.

6. Banking, Financial Institutions & Business Forums
● To avoid fraudulent transactions and safeguard organization business data from cyber breach.

4.3 Determining the Scope of the Information Security Management System

The scope is defined under three parameters:

S.No | Parameter | Inclusion

1. People: Top Management (CEO, CISO), I.S. Managers, Vendors & Suppliers, Employees.

2. Processes: Human Resources, Operations, Quality Support, IT Support, Procurement, Vendor Management, Awareness Trainings, etc.

3. Technologies: Software (Zoho tool), Hardware (Removable media, Firewall, Network Switches, Cables, Wi-Fi, laptops, cameras, biometrics, paper shredders), etc.

XYZ Company has determined the boundaries and applicability of the information security
management system to establish its scope.

When determining this, XYZ Company considered:


⮚ The external and internal issues referred to in 4.1;

⮚ The requirements of relevant interested parties referred to in 4.2;

⮚ The products and services of XYZ Company.

The Scope associated with XYZ Company activities and registration is:

“The scope of the ISMS covers the management, operation and maintenance of the systems and the associated processes that enable the business of providing an IaaS platform for Cloud Computing services.

The scope includes staff and assets that support the ISMS activities in accordance with the ISMS Statement of Applicability Version 1.0 dated -------------.”

Location –

1. Noida Office (Data Centre):



4.4 Information Security Management System

XYZ Company has established, implemented, maintains, and continually improves an information security management system, including the processes needed and their interactions, in accordance with the requirements of this International Standard.

XYZ Company has determined the processes needed for the information security management system and their application throughout XYZ Company, and:

⮚ Determines the inputs required and the outputs expected from these processes;

⮚ Determines the sequence and interaction of these processes;

⮚ Determines and applies the criteria and methods (including monitoring, measurements and related performance indicators) needed to ensure the effective operation and control of these processes;

⮚ Determines the resources needed for these processes and ensures their availability;

⮚ Assigns the responsibilities and authorities for these processes;

⮚ Addresses the risks and opportunities as determined in accordance with the requirements of 6.1;

⮚ Evaluates these processes and implements any changes needed to ensure that these processes achieve their intended results;

⮚ Improves the processes and the information security management system.

5.0 LEADERSHIP AND COMMITMENT

XYZ Company top management is fully dedicated to protecting information. They set the example by prioritizing security, allocating resources, and ensuring everyone understands the importance of keeping our data safe. Their commitment trickles down, inspiring everyone in the organization to follow security protocols and fostering a culture where information protection is everyone's responsibility. This dedication helps build trust with stakeholders and shows that safeguarding our data is a top priority. Senior Management, along with their teams, is committed to motivating the organization and empowering employees to contribute to the effectiveness of the ISMS.

5.1 Management Commitment

XYZ Company Management is committed to developing effective ISMS policies and procedures. Roles and responsibilities for information security are developed and communicated to the organization, along with the need to comply with the IS policy and legal/regulatory requirements. Management is committed to providing resources for establishing, documenting, implementing, monitoring, reviewing, maintaining and continually improving IS.
The commitment of senior management towards the development, implementation, operation, monitoring, review, maintenance and improvement of the ISMS at XYZ Company is demonstrated by:

⮚ Establishing the IS Policy and IS Objectives;

⮚ Reviewing the IS Policy and IS Objectives for continuing improvement;

⮚ Ensuring the ISMS achieves its intended outcome(s);

⮚ Directing and supporting personnel to contribute to the effectiveness of the ISMS;

⮚ Appointing a person responsible for the ISMS, with appropriate authority and competencies, to be accountable for the implementation and maintenance of the ISMS;

⮚ Establishing roles, responsibilities and competency for IS;

⮚ Conducting management reviews periodically;

⮚ Defining criteria for accepting risks and acceptable risk levels;

⮚ Ensuring the availability of adequate resources;

⮚ Demonstrating its commitment to continual improvement.

5.2 Information Security Policy

Top Management has established an information security policy that takes into account:

⮚ The purpose of the organization

⮚ Information Security objectives

⮚ Commitment to satisfy applicable requirements related to information security

⮚ Commitment to continual improvement



The information security policy is available as documented information and is communicated within the
organization and is also available to relevant interested parties.

5.3 Information Security Policy Statement

“Policy: XYZ Company recognizes that Information Security is the responsibility of each one of us in the organization. We are committed to creating an information security management system and continually improving the management system that will enable us to protect our intellectual properties and assets including our business processes, fulfil our contractual security obligations and establish a robust risk assessment / treatment framework by implementing the ‘Information Security Management System’.”



We will achieve this by ensuring:

⮚ Confidentiality of information is maintained by making it accessible only to authorized users, through proper authentication and access control.

⮚ Integrity of information is maintained by safeguarding the accuracy and completeness of the information, and by protecting the processing methods from unauthorized modification.

⮚ Availability of information to authorized users as and when needed, and as required by the business processes.

⮚ Regulatory and legislative requirements regarding intellectual property rights, data protection and privacy of personal information are met.

⮚ The confidentiality of corporate, client and customer information will be assured.

⮚ Business continuity plans for mission-critical activities will be produced, maintained and tested.

⮚ Information security awareness training will be made available to all staff.

The Policy will be communicated to all employees, stakeholders and third parties and will be reviewed once a year. Employees will abide by the Security Policy and will at all times act in a responsible, professional and security-aware way. The Policy Statement is approved by the CEO and displayed at strategic places in the organization.

❖ Three pillars of the Information Security Management System (CIA triad)



5.3.1 Organizational Roles, Responsibilities and Authorities
Top management ensures that the responsibilities and authorities for roles relevant to information security are assigned and communicated within the organization, documented and kept up to date.
XYZ Company has formulated an ISMS Organization Structure to establish, implement, operate and maintain the ISMS. The organization structure, along with roles and responsibilities, is detailed in the ISMS ‘Roles and Responsibilities’ document.

In addition, the following overall ISMS responsibilities and authorities are assigned:

Responsibility | Assigned To

Ensuring that the management system conforms to applicable standards | XYZ Company ISMS Steering Committee

Ensuring that the processes are delivering their intended outputs | Applicable process owner

Reporting on the performance of the information security management system and providing opportunities for improvement of the information security management system | CISO

Ensuring the promotion of customer focus throughout the organization | XYZ Company ISMS Steering Committee

Ensuring that the integrity of the management system is maintained when changes are planned and implemented | XYZ Company ISMS Steering Committee

6.0 PLANNING
Planning is like building a solid foundation for a secure stronghold. It involves setting clear security objectives,
understanding potential risks, and creating a roadmap to address them effectively. Just as a strong foundation
supports a sturdy structure, planning lays the groundwork for a robust Information Security Management System
(ISMS). It ensures that resources are allocated wisely, roles are defined, and everyone knows their part in
safeguarding sensitive information. By systematically planning, organizations create a framework that not only
defends against threats but also enables continuous improvement in information security practices.



6.1 Actions to Address Risks and Opportunities
When deciding how to plan and control the management system, including its component processes and activities, XYZ Company considers both the type and level of risk associated with them. XYZ Company takes a planned approach to addressing risks and realizing opportunities, and records any actions taken. Options to address risks and opportunities can include:

⮚ Avoiding risk;

⮚ Taking risk in order to pursue an opportunity;

⮚ Eliminating the risk source;

⮚ Changing the likelihood or consequences;

⮚ Sharing the risk;

⮚ Retaining risk by informed decision.

The issues/risks identified while establishing, implementing or maintaining the ISMS should be tracked. In XYZ Company, a separate Risk Assessment Sheet for the ISMS is maintained to track these risks and other unforeseen issues in order to:

⮚ Ensure the ISMS achieves its intended outcome;

⮚ Prevent or reduce undesired effects;

⮚ Achieve continual improvement.

This helps to address the ISMS risks and issues, to implement the resulting actions in policies/methodology, and to strengthen the effectiveness of the ISMS.

XYZ Company plans:

⮚ Actions to address these risks and opportunities;

⮚ How to:

▪ Integrate and implement the actions into its information security management system processes (see 4.4);

▪ Evaluate the effectiveness of these actions.



6.2 Information Security Risk Assessment
XYZ Company adopts a unique risk management approach for its information assets. This approach is based on a qualitative risk analysis model for assessing and maintaining the risk framework, yet implements certain formulas that would be seen as a quantitative approach. This approach ensures proper identification and measurement of the assets' risks and of the corresponding mitigation controls that have been implemented.

The Risk Management Team comprises individuals from various departments within XYZ Company, encompassing the business and the support groups. Representatives from the business and support groups, called the Security Steering Committee, work together to identify the assets within their team and conduct the risk assessment and risk treatment process, with due contribution from the Information Technology team as well as the Compliance & Information Security Officer/CISO.

6.3 Risk Treatment

Risks will be evaluated against the established risk acceptance criteria, and risk treatment options will be selected accordingly. Further, the controls necessary for the treatment of risks are to be determined, and a risk treatment plan will be developed to prioritize and mitigate the risks identified during risk assessment.

6.4 Information Security Objectives and Plans to Achieve Them

The organization has established information security objectives at relevant functions and levels.
The organization has retained documented information on the information security objectives.
The information security objectives are:

⮚ Consistent with the information security policy;

⮚ Measurable;

⮚ Taking into account applicable requirements;

⮚ Monitored;

⮚ Communicated; and

⮚ Updated as appropriate.

To ensure the continued suitability and effectiveness of the Information Security Management System, a number of measurable objectives have been established. These objectives shall be monitored and reviewed as part of the ongoing measurement and metrics activities and the Management Review process. These objectives include:

Objective: To protect the integrity, availability and confidentiality of business and customer information
Measurement:
• The number of security incidents relating to the loss of data or breaches of confidentiality
• Changing risk profile

Objective: To protect the organization's information assets from theft, abuse, misuse and any form of damage
Measurement:
• The number of security incidents relating to the loss/theft of equipment
• Instances of non-compliance with policies and procedures

Objective: To establish responsibility and accountability for information security in the organization
Measurement:
• Staff awareness activities
• Internal audit ensuring staff awareness and compliance

Objective: To ensure that the organization is able to continue its commercial activities in the event of significant information security incidents
Measurement:
• Number of incidents relating to service availability
• Success of business continuity testing

6.4.1 When planning how to achieve its information security objectives, XYZ Company has determined:

⮚ What will be done;

⮚ What resources will be required;

⮚ Who will be responsible;

⮚ When it will be completed; and

⮚ How the results will be evaluated.

7.0 SUPPORT
7.1 Resource
The management ensures that adequate resources are provided to the processes, projects and departments in terms of hardware, software, manpower, infrastructure and budget for:

● Implementation and effective maintenance of the ISMS and continual improvement of its effectiveness.

● The CISO coordinates with the functions to ensure the definition and implementation of the processes.

● The CISO coordinates with the IS team to define the processes, document them and ensure the implementation of the processes in their respective areas.



7.2 Competency of IS Personnel
The competence needed is determined in accordance with the ISMS processes. Adequate and competent human resources are provided to carry out these processes. Required training is provided to develop the desired skills and competency, and the effectiveness of training is evaluated.
The training and awareness will include the implications of not conforming with ISMS requirements and various other aspects of the ISMS.
XYZ Company will ensure that personnel assigned to IS are sufficiently trained and competent to handle their roles and responsibilities.
All personnel working under XYZ Company's control are competent, and evidence of continuing competence is maintained as documented information in accordance with Clause 7.5, such as a skills matrix, training records, CVs, job descriptions, experience/qualifications, competency matrix, etc.

7.3 ISMS Awareness

XYZ Company ensures that resources working in XYZ Company are aware of the Information Security Policy, their contribution to the effectiveness of the ISMS, the benefit of improved IS performance, and the repercussions of not conforming to IS requirements.
The CISO will be responsible for the following activities pertaining to IS trainings:

⮚ Identification of the level of awareness of IS amongst staff.

⮚ Evaluating the effectiveness.

⮚ Identification of the training needs of personnel in various departments in XYZ Company, including the IS Organization and all third-party staff as may be deemed appropriate.

⮚ Frequency of training to be at least once a year. Classroom training for new joiners to be conducted during induction (frequency as defined by HR).

⮚ Modes of training (e.g. computer based, classroom or intranet based).

⮚ Identification of personnel who may be required to undergo specialized IS training.

⮚ Measuring the effectiveness of the training courses by conducting assessments or seeking feedback from the trainees on levels of satisfaction with the training course.

⮚ Conducting regular reviews, as and when required, of the training programs to ensure their continued effectiveness.

⮚ Maintaining records of education and awareness programs.

Besides ensuring an acceptable level of understanding of the organization's IS commitments, Department Heads will also be responsible for encouraging their staff and ensuring that appropriate representation is provided for IS awareness. Managers, supervisors, and team leaders will be responsible for supporting their staff in the identification of training needs from an IS perspective.

7.4 Communication
Channels for internal communication relevant to the ISMS are established within the organization at different
levels, such as:

⮚ Team briefings & meetings

⮚ Electronic mail

⮚ Intranet-based communication

⮚ Employee Induction & Awareness Training

⮚ All-employee engagement calls

Communication regarding the effectiveness of the information security management system is done
by means of:

⮚ Documentation Reviews

⮚ Internal Audit (IA) Reports

7.5 Documented Information

XYZ Company establishes effective control over the creation, authorization, issue, distribution,
maintenance, integrity and subsequent change (if any) of IS documents in all domain areas. The IS Manager
will oversee the ISMS documentation process, document structure and document control, which includes the
identification, approval, issue and effectiveness of documents.

7.5.1 General

The ISMS documentation is established to ensure compliance with the requirements of this International
Standard and to support effective execution of the organization's business processes, considering the available
competence of the personnel. The documentation includes:

⮚ IS Policy and Objectives

⮚ ISMS Manual, Procedures.

⮚ Supporting Records

7.5.2 Creating and updating

XYZ Company is responsible for creating, maintaining, and updating ISMS documents. This clause highlights the need for accurate,
accessible, and controlled documentation to support information security processes and compliance
with ISO 27001 standards.

⮚ Establishing Documentation: Create and maintain documented information necessary for the effectiveness of the ISMS. This includes policies, procedures, guidelines, records, and other relevant documentation.

⮚ Accuracy and Suitability: Ensure that the documented information is accurate, complete, current, and suitable for the intended purpose within the ISMS.

⮚ Controlled Distribution: Establish procedures for the distribution, access, retrieval, and use of documented information, ensuring that authorized personnel have access while preventing unauthorized access or alterations.

⮚ Version Control: Implement a version control system to manage changes, revisions, and updates to documented information, ensuring that the latest versions are available and obsolete versions are appropriately controlled.

⮚ Documented Information Format: Determine the format and medium (electronic, paper-based, etc.) for creating, maintaining, and storing documented information, considering accessibility and ease of use.

⮚ Review and Revision: Regularly review and, if necessary, revise documented information to ensure its relevance, accuracy, and alignment with changes in the organization or ISMS requirements.

7.5.3 Control of Documented Information

A Document Control Procedure is established to define the controls needed:

⮚ Documented Information Control: Establish procedures to control the creation, review, approval, distribution, access, retrieval, storage, retention, and disposal of documented information related to the ISMS.

⮚ Accessibility and Availability: Ensure that documented information is available to the appropriate personnel when needed, and that unauthorized access is prevented to maintain confidentiality and integrity.

⮚ Identification and Versioning: Clearly identify and label documented information to distinguish between versions, ensuring that the latest authorized versions are readily accessible while obsolete versions are appropriately archived or removed.

⮚ Changes and Revisions: Implement a process for reviewing, approving, and controlling changes or revisions to documented information, ensuring that alterations are properly documented and authorized.

⮚ Retention and Disposal: Define retention periods and disposal procedures for documented information, taking into account legal, regulatory, contractual, and business requirements.

⮚ Protection and Security: Implement security measures to protect documented information from unauthorized access, damage, loss, or tampering, safeguarding the confidentiality, integrity, and availability of information.

8.0 OPERATION
8.1 Operation Planning and Control
XYZ Company is committed to planning, implementing and controlling the processes needed to meet information security
requirements and objectives at project/process level, in line with section 6.1 and section 6.4. To plan and
control ISMS requirements at the operational level, documentation and practices are implemented by
establishing criteria for the processes, implementing controls in accordance with those criteria, and keeping
documented information up to date so that there is confidence that the processes are carried out as planned.

Projects/processes should review their documentation at least once every six months, and update it as and when
changes occur so that the documents remain live.

For outsourced processes, XYZ Company ensures that IS requirements are reviewed and controlled, and any
deviation is logged by the team.

8.2 Information security Risk assessment


XYZ Company performs information security risk assessments at least once a year, or when any significant
changes are proposed or occur.

8.3 Information security risk treatment


XYZ Company has implemented the information security risk treatment plan.

9. PERFORMANCE EVALUATION
9.1 Monitoring, measurement, analysis and evaluation
Planning and execution of the processes of monitoring, measurement, analysis and evaluation is carried out to effectively
demonstrate the performance of the ISMS and its continued effectiveness.

Conformity is established when there is no adverse trend or result; otherwise, action is taken. Relevant
documented information is retained as evidence of the results.

All ISMS procedures include a process of regular monitoring of the resulting records to establish compliance
and assess their effectiveness in meeting the IS requirements.

If program/process/project functions are found during monitoring not to comply with the
requirements, they are identified as non-conformities, and the results are analyzed,
evaluated and tracked to closure.

Records of the action taken are maintained.

XYZ Company evaluates the ISMS performance and its effectiveness w.r.t. implementation by:

⮚ Internal audits

⮚ Performance monitoring and objective tracking

⮚ Test scores for awareness trainings

Data are collected and analyzed at least once a year to assess the suitability and effectiveness of the ISMS and to
evaluate the scope for continual improvement in the effectiveness of the System.

9.2 Internal Audit


The Information Security Management System is continuously monitored through scheduled internal audits
conducted by qualified auditors. The audits cover all areas and all activities of the ISMS and determine whether
the activities and their results:

⮚ Conform to the requirements of this International Standard, and

⮚ The established ISMS is effectively implemented and maintained.

The audit program is planned with suitable audit frequencies, taking into consideration the status and
importance of the activities / area or process to be audited and the results of previous audits conducted. All areas /
activities are audited as per established criteria at least once a year. Records & results of audits are
maintained, including the commitment to execute corrective actions in a timely manner to close the reported non-
conformances by eliminating the root cause.

Internal audit is conducted once a year. XYZ Company has formulated audit procedures in order to:

⮚ Evaluate the compliance of existing organizational practices with ISO 27001

⮚ Evaluate the compliance of existing organizational practices with XYZ Company IS Policy and Objectives

⮚ Base the audit on the results of risk assessment (RA) and previous audit results

⮚ Evaluate the compliance of existing organizational IS practices with XYZ Company legal, contractual and regulatory requirements

⮚ Identify any potential gaps in the existing IS program/arrangements and provide recommendations to address the identified gaps

⮚ Ensure that the management responsible for the respective area takes the necessary corrections and corrective actions without undue delay to eliminate detected NCs and their causes, and that the actions taken by the teams are verified and the results reported.

9.3 Management Review of the ISMS


Management review of the ISMS will be conducted once a year, and will suggest improvements to the ISMS,
including IS policies and procedures, Incident Management Plans and RA documentation, to ensure continuing
suitability, adequacy and effectiveness and to identify any needs for changes to the ISMS.

XYZ Company will conduct risk assessments at least annually to identify and control risks owing to changes in
legal, regulatory and contractual requirements.

Management Review includes the following agenda:

⮚ The status of actions from previous management reviews;

⮚ Changes in external and internal issues that are relevant to the information security management system;

⮚ Feedback on the information security performance, including trends in:

1) Nonconformities and corrective actions
2) Monitoring and measurement results
3) Audit results
4) Fulfilment of information security objectives

⮚ Feedback from interested parties;

⮚ Results of risk assessment and status of risk treatment plan; and

⮚ Opportunities for continual improvement.

The outputs of the management review shall include decisions related to continual improvement
opportunities and any needs for changes to the information security management system. The
organization retains documented information as evidence of the results of management reviews.

Where the results of the management review need to be communicated to interested parties, they are
communicated via the established channel. Appropriate actions are also taken wherever required in due course.

10. IMPROVEMENT
10.1 Nonconformity and Corrective action
In XYZ Company, non-conformities are identified through various sources such as exercises, testing, audits and
reviews. Management will ensure appropriate corrections are taken to correct the nonconformities and deal
with the consequences. The respective function head will be responsible for implementing the required controls
so that the NC does not recur, by reviewing the NC, determining its root causes, and checking whether similar NCs
exist or could occur. The IS Manager is also responsible for evaluating and taking corrective action to ensure that non-
conformities do not recur or occur elsewhere.
The IS Manager is also responsible for reviewing the effectiveness of the action taken and making changes to the ISMS if
required.

10.2 Continual Improvement


The management will continually improve the suitability, adequacy and effectiveness of the ISMS on an ongoing
basis by performing periodic reviews and taking appropriate and timely decisions for effective
implementation and maintenance of the ISMS.
Continual improvement will be ensured through the following methods:

⮚ Feedback/suggestions from interested parties and Process Heads/Program Managers as and when required

⮚ Any improvement suggestion received

⮚ Internal audit

⮚ Best practices found during internal audit

⮚ Use of measurements

Improvements are shared in Management Reviews and are also logged and tracked in the Continual
Improvement tracker.
