E2E - ISMS - MNUL-V-1 Updated
ISO 27001:2013
(Doc. No: ISMS-M-1.0)
Version: 1.0
Date of version:
Document Owner
Document Author(s)
Document Approver
Privacy level:
Internal
Change history
Version Date Created by Description of change
Note: The present document or drawing is property of XYZ Company, and will not, under any
circumstances, be totally or partially, directly or indirectly, transferred, reproduced, copied, disclosed or
used, without its prior written consent, for any purpose and in any way other than that for which it is
specifically furnished or outside the extent of the agreed upon right of use.
0.1 Purpose
This document details the framework established for the Information Security Management System (ISMS) at XYZ Company.
The purpose of this document is to –
● Assign responsibility and provide guidelines to protect the organization’s resources and data against
1.0 SCOPE
⮚ Needs to demonstrate its ability to consistently provide products and services that meet customer and
⮚ Aims to enhance customer satisfaction through the effective application of the system, including
processes for improvement of the system and the assurance of conformity to customer and applicable
statutory and regulatory requirements.
a. Note: All the requirements of ISO/IEC 27001:2013 are generic and are intended to be applicable to any organization, regardless of its type or size, or the products and services it provides;
systems – Requirements
⮚ Organizational structure - Knowing the roles, accountabilities, and hierarchy in the organization.
⮚ Organizational drivers - The organization's values, mission, and vision, expressed in its internal culture,
policies, objectives, and strategies, can help define its information security policies, objectives, and
strategies.
⮚ The way the organization does things - Knowing how processes work (both isolated and interconnected),
how information flows, and how decisions are made will make it easier to integrate information security
processes and controls with business operations and management activities.
⮚ Available resources - Knowing what equipment, technologies, systems, capital, time, personnel, and
knowledge you already have in your organization can help you guide your acquisitions, as well as the
development not only of solutions, but also the competencies required to keep information secure.
⮚ Contractual relationships - Understanding the relationships with suppliers and customers allows an organization to include, in the scope of its ISMS, the controls needed to better manage customer and supplier requirements.
XYZ Company determines the external and internal issues/factors that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its ISMS.
Following are the internal and external issues/factors that could have an impact on information security:
▪ Internal Factors: These are things within the control or influence of the organization. They
include aspects like the organization's structure, its policies, its people, and its culture.
▪ External Factors: These are things outside the organization's direct control. They encompass
elements like laws, market conditions, technological changes, and other outside influences
that can impact the organization but are not managed by it.
⮚ The legal, regulatory, financial, technological, economic, natural and competitive environment,
⮚ Key drivers and trends having impact on the business objectives of XYZ Company;
⮚ Policies, Objectives, and the strategies that are in place to achieve them;
⮚ Capabilities understood in terms of resources and knowledge and competence (e.g., capital, time,
⮚ Information systems, information flows and decision-making processes (both formal and informal);
❖ Examples that can affect information security: equipment failure, leakage of sensitive
⮚ The interested parties that are relevant to the information security management system;
⮚ The requirements of these interested parties that are relevant to the information security management system.
Interested Parties:
1. Business Owners/Top Management – XYZ Company
● To safeguard confidential, restricted and internal information against unauthorized disclosure and misuse.
● Focus on continuous strengthening of information security strategies.
● Trade secrets should be kept limited to authorized personnel only.
● To ensure correct and secure operation of information processing facilities.
● Business facility protection against natural disasters, malicious attack or accidents.
● Compliance with all legal requirements as per the requirements of the ISO 27001 standard.
2. Employees
● Awareness of information security/ISO 27001 for XYZ Company.
● Resource availability to comply with the XYZ Company Information Security / ISO 27001 policy.
● Awareness of privacy and protection of PII (Personally Identifiable Information).
3. Customers
● Information security aspects of business continuity management.
● Management of information security incidents and improvements.
1. People – Top Management (CEO, CISO), IS Managers, Vendors & Suppliers, Employees.
XYZ Company has determined the boundaries and applicability of the information security
management system to establish its scope.
The Scope associated with XYZ Company activities and registration is:
The scope of the ISMS covers the management, operation and maintenance of the systems and the associated processes that enable the business of providing an IaaS platform for cloud computing services.
Location –
XYZ Company has established, implemented, maintains, and continually improves an information security management system, including the processes needed and their interactions, in accordance with the requirements of this International Standard.
XYZ Company has determined the processes needed for the information security management system
and their application throughout XYZ Company, and
⮚ Determined the inputs required and the outputs expected from these processes;
⮚ Determined and applied the criteria and methods (including monitoring, measurements and related
performance indicators) needed to ensure the effective operation and control of these processes;
⮚ Determined the resources needed for these processes and ensured their availability;
⮚ Addresses the risks and opportunities as determined in accordance with the requirements of 6.1;
⮚ Evaluates these processes and implement any changes needed to ensure that these processes
⮚ Appointing person to be responsible for ISMS with appropriate authority and competencies to be
⮚ Availability of information to authorized users as and when needed, and as required by the business
processes.
⮚ Regulatory, Legislative and requirements regarding Intellectual property rights, Data protection and
⮚ Business continuity plans for mission critical activities will be produced, maintained and tested
The Policy will be communicated to all employees, stakeholders and third parties and will be reviewed once a year. Employees will abide by the Security Policy and will at all times act in a responsible, professional and security-aware way. The Policy Statement is approved by the CEO and displayed at strategic places in the organization.
In addition, the following overall ISMS responsibilities and authorities are assigned as follows:
Responsibility – Assigned To
⮚ Ensuring that the management system conforms to applicable standards – XYZ Company ISMS Steering Committee
⮚ Ensuring that the processes are delivering their intended outputs – Applicable process owner
⮚ Ensuring the promotion of customer focus throughout the organization – XYZ Company ISMS Steering Committee
⮚ Ensuring that the integrity of the management system is maintained when changes are planned and implemented – XYZ Company ISMS Steering Committee
6. PLANNING
Planning is like building a solid foundation for a secure stronghold. It involves setting clear security objectives,
understanding potential risks, and creating a roadmap to address them effectively. Just as a strong foundation
supports a sturdy structure, planning lays the groundwork for a robust Information Security Management System
(ISMS). It ensures that resources are allocated wisely, roles are defined, and everyone knows their part in
safeguarding sensitive information. By systematically planning, organizations create a framework that not only
defends against threats but also enables continuous improvement in information security practices.
⮚ Avoiding risk;
The issues/risks identified while establishing, implementing or maintaining the ISMS should be tracked. In XYZ Company a separate Risk Assessment Sheet for the ISMS is available to track these risks and other unforeseen issues to –
This action will help to address the ISMS risks and issues and also to implement the actions in
policies/methodology and strengthen the effectiveness of ISMS.
⮚ How to:
▪ Integrate and implement the actions into its information security management system processes
(See 4.4)
The Risk Management Team comprises individuals from various departments within XYZ Company, encompassing the business and the support groups. Representatives from the business and support groups, who are called the Security Steering Committee, work together to identify the assets within their team and conduct the risk assessment and risk treatment process with due contribution from the Information Technology team as well as the Compliance & Information Security Officer/CISO.
The organization has established information security objectives at relevant functions and levels and has retained documented information on these objectives.
Planning of the information security objectives has ensured that they are:
⮚ Measurable;
⮚ Monitored;
⮚ Communicated; and
⮚ Updated as appropriate.
To ensure the continued suitability and effectiveness of the Information Security Management System, a number of measurable objectives have been established. These objectives shall be monitored and
Objective – Measurement
⮚ To protect the integrity, availability and confidentiality of business and customer information
• The number of security incidents relating to the loss of data or breaches of confidentiality
• Changing risk profile
⮚ To protect the organization’s information assets from theft, abuse, misuse and any form of damage
• The number of security incidents relating to the loss/theft of equipment
• Instances of non-compliance with policies and procedures
⮚ To establish responsibility and accountability for information security in the organization
• Staff awareness activities
• Internal audit ensuring staff awareness and compliance
⮚ To ensure that the organization is able to continue its commercial activities in the event of significant information security incidents
• Number of incidents relating to service availability
• Success of business continuity testing
6.4.1 When planning how to achieve its information security objectives, XYZ Company has determined:
7.0 SUPPORT
7.1 Resource
The management ensures that adequate resources are provided to the processes, projects and
departments in terms of hardware, software, manpower, infrastructure, budget for-
effectiveness.
● The CISO coordinates with the functions to ensure the definition and implementation of the processes.
● CISO to coordinate with the IS team to define the processes, document them and ensure the
XYZ Company ensures that personnel working in XYZ Company are aware of the Information Security Policy, their contribution to the effectiveness of the ISMS, the benefits of improved IS performance, and the repercussions of not conforming to IS requirements.
The CISO will be responsible for the following activities pertaining to IS trainings:
⮚ Identification of the training needs of personnel in various departments in XYZ Company including the
⮚ Frequency for training to be once in a year at least. Classroom training for new joiners to be
⮚ Measuring effectiveness of the training courses by conducting assessments or seeking feedback from
effectiveness.
7.4 Communication
Channels for internal communication relevant to the ISMS are established within the organization at different levels, such as:
⮚ Electronic mail
⮚ Intranet based
The communication regarding the effectiveness of the information security management system is done
by means of:
⮚ Documentation Reviews
XYZ Company establishes effective control over the creation, authorization, issue, distribution, maintenance, integrity and subsequent change (if any) of IS documents in all domain areas. The IS Manager oversees the ISMS document structure and control process, which covers the identification, approval, issue and effectiveness of documents.
The ISMS documentation is established to ensure compliance to the requirements of this International
Standard and effectively carrying out the organization’s business processes considering the available
competence of the personnel. The documentation includes:
⮚ Supporting Records
This section covers how XYZ Company creates, maintains and updates documents. It highlights the need for accurate, accessible and controlled documentation to support information security processes and compliance with ISO 27001.
⮚ Establishing Documentation: Create and maintain documented information necessary for the
effectiveness of the ISMS. This includes policies, procedures, guidelines, records, and other
relevant documentation.
⮚ Accuracy and Suitability: Ensure that the documented information is accurate, complete,
current, and suitable for the intended purpose within the ISMS.
⮚ Controlled Distribution: Establish procedures for the distribution, access, retrieval, and use of
documented information, ensuring that authorized personnel have access while preventing
unauthorized access or alterations.
⮚ Version Control: Implement a version control system to manage changes, revisions, and
updates to documented information, ensuring that the latest versions are available and
obsolete versions are appropriately controlled.
⮚ Documented Information Format: Determine the format and medium (electronic, paper-based,
etc.) for creating, maintaining, and storing documented information, considering accessibility
and ease of use.
ensure its relevance, accuracy, and alignment with changes in the organization or ISMS
requirements.
appropriate personnel when needed, and that unauthorized access is prevented to maintain
confidentiality and integrity.
distinguish between versions, ensuring that the latest authorized versions are readily accessible
while obsolete versions are appropriately archived or removed.
⮚ Changes and Revisions: Implement a process for reviewing, approving, and controlling
⮚ Retention and Disposal: Define retention periods and disposal procedures for documented
information, taking into account legal, regulatory, contractual, and business requirements.
8.0 OPERATION
8.1 Operation Planning and Control
XYZ Company is committed to planning, implementing and controlling the processes needed to meet information security requirements and objectives at project/process level, in line with section 6.1 and section 6.4. To plan and control ISMS requirements at the operational level, documentation and practices need to be implemented in
Projects/processes should review their documentation at least once every six months and, in case of any change, update it as and when required to keep the documents live.
For outsourced processes, XYZ Company makes sure to review and control IS requirements; any deviation is logged by the team.
Conformity is established when there is no adverse trend or result; otherwise action is taken. Relevant documented information is used as evidence of the result.
All ISMS procedures include a process of regular monitoring of the resulting records to establish compliance and assess their effectiveness in meeting IS requirements.
If, during monitoring, program/process/project functions are found not to comply with the requirements, they are identified as non-conforming and the results are analyzed, evaluated and tracked to closure.
XYZ Company evaluates the ISMS performance and its effectiveness w.r.t. implementation by
⮚ Internal audits
Data are collected and analyzed at least once a year to assess the suitability and effectiveness of ISMS and to
evaluate scope of continual improvement in the effectiveness of the System
The audit program is planned with suitable audit frequencies taking into consideration the status and
importance of activities / area or process to be audited and results of previous audits conducted. All areas /
Internal audit is conducted once a year. XYZ Company has formulated audit procedures in order to:
⮚ Evaluate the compliance of existing organizational practices with XYZ Company IS Policy and
Objectives
⮚ Evaluate the compliance of existing organizational IS practices with XYZ Company legal, contractual
⮚ To identify any potential gaps in the existing IS program/ arrangements and to provide
⮚ Management responsible for the respective area should ensure that the necessary corrections and corrective actions are taken without undue delay to eliminate detected NCs and their causes. The actions taken by the teams are also verified, and the results are reported.
XYZ Company will conduct risk assessments at least annually to identify and control risks owing to a change in
legal, regulatory and contractual requirement.
⮚ Changes in external and internal issues that are relevant to the information security management
system;
⮚ The outputs of the management review shall include decisions related to continual improvement
opportunities and any needs for changes to the information security management system. The
organization retains documented information as evidence of the results of management reviews.
Where the results of a management review need to be communicated to interested parties, this is done via the established channel. Appropriate actions are taken in due course wherever required.
10. IMPROVEMENT
10.1 Nonconformity and Corrective action
In XYZ Company, non-conformities are identified from various sources such as exercises, testing, audits and reviews. Management ensures that appropriate corrections are made to address the non-conformities and deal with their consequences. The respective function head is responsible for implementing the required controls so that a non-conformity does not recur, by reviewing the NC, determining its root causes, and checking whether similar NCs exist or could occur. The IS Manager is also responsible for evaluating and taking corrective action to ensure that non-conformities do not recur or occur elsewhere.
The IS Manager is also responsible for reviewing the effectiveness of the action taken and making changes to the ISMS if required.
required
⮚ Internal audit
⮚ Use of measurements
Improvements are shared in Management Reviews and are also logged and tracked in the Continual Improvement tracker.