Castleforce IT Security Team

A.6 Organisation of information security

A.6.1 Internal organisation

Objective: To manage information security within the organisation.

A.6.1.1 Management commitment to information security

Control

Management shall actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgment of information security responsibilities.

A.6.1.2 Information security coordination

Control

Information security activities shall be co-ordinated by representatives from different parts of the organization with relevant roles and job functions.

A.6.1.3 Allocation of information security responsibilities

Control

All information security responsibilities shall be clearly defined.

A.6.1.4 Authorization process for information processing facilities

Control

A management authorization process for new information processing facilities shall be defined and implemented.

A.6.1.5 Confidentiality agreements

Control

Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified and regularly reviewed.

A.6.1.6 Contact with authorities

Control

Appropriate contacts with relevant authorities shall be maintained.

A.6.1.7 Contact with special interest groups

Control

Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.

A.6.1.8 Independent review of information security

Control

The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes, and procedures for information security) shall be reviewed independently at planned intervals, or when significant changes to the security implementation occur.

Contact Castleforce for help with ISO27001