core points of information security management systems

D_wathi asked:
Dear Experts,
I am looking for a few core points for ISMS objectives for ISO 27001. Can you please elaborate on each of the sections it contains? Thanks in advance.
Exec Consultant, Distinguished Expert 2018
The standard has quite a list of objectives, and it is not advisable to "pick and choose" unless you are clear on the intent. ISMS is an overarching management framework through which the organization identifies, analyzes and addresses its information risks. The ISMS ensures that the security arrangements are fine-tuned to keep pace with changes to the security threats, vulnerabilities and business impacts - an important aspect in such a dynamic field.

Importantly, ISO/IEC 27001 does not formally mandate specific information security controls, since the controls that are required vary markedly across the wide range of organizations adopting the standard. The next level, to operationalise the risk assessment systematically, should be guided by the information security controls from ISO/IEC 27002. I listed the objectives below for clarity into what it really means and not to trivialise them.

A.5.1 Information security policy
Objective: To provide management direction and support for information security in
accordance with business requirements and relevant laws and regulations.

A.6.1 Internal organization
Objective: To manage information security within the organization.

A.7.1 Responsibility for assets
Objective: To achieve and maintain appropriate protection of organizational assets.

A.8.1 Prior to employment
Objective: To ensure that employees, contractors and third party users understand their
responsibilities, and are suitable for the roles they are considered for, and to reduce the
risk of theft, fraud or misuse of facilities.

A.8.2 During employment
Objective: To ensure that all employees, contractors and third party users are aware of
information security threats and concerns, their responsibilities and liabilities, and are
equipped to support organizational security policy in the course of their normal work, and
to reduce the risk of human error.

A.8.3 Termination or change of employment
Objective: To ensure that employees, contractors and third party users exit an
organization or change employment in an orderly manner.

A.9.1 Secure areas
Objective: To prevent unauthorized physical access, damage and interference to the
organization’s premises and information.

A.9.2 Equipment security
Objective: To prevent loss, damage, theft or compromise of assets and interruption to the
organization’s activities.

A.10.1 Operational procedures and responsibilities
Objective: To ensure the correct and secure operation of information processing facilities.

A.10.2 Third party service delivery management
Objective: To implement and maintain the appropriate level of information security and
service delivery in line with third party service delivery agreements.

A.10.3 System planning and acceptance
Objective: To minimize the risk of systems failures.

A.10.4 Protection against malicious and mobile code
Objective: To protect the integrity of software and information.

A.10.5 Back-up
Objective: To maintain the integrity and availability of information and information
processing facilities.

A.10.6 Network security management
Objective: To ensure the protection of information in networks and the protection of the
supporting infrastructure.

A.10.7 Media handling
Objective: To prevent unauthorized disclosure, modification, removal or destruction of
assets, and interruption to business activities.

A.10.8 Exchange of information
Objective: To maintain the security of information and software exchanged within an
organization and with any external entity.

A.10.9 Electronic commerce services
Objective: To ensure the security of electronic commerce services, and their secure use.

A.10.10 Monitoring
Objective: To detect unauthorized information processing activities.

A.11.1 Business requirement for access control
Objective: To control access to information.

A.11.2 User access management
Objective: To ensure authorized user access and to prevent unauthorized access to
information systems.

A.11.3 User responsibilities
Objective: To prevent unauthorized user access, and compromise or theft of information
and information processing facilities.

A.11.4 Network access control
Objective: To prevent unauthorized access to networked services.

A.11.5 Operating system access control
Objective: To prevent unauthorized access to operating systems.

A.11.6 Application and information access control
Objective: To prevent unauthorized access to information held in application systems.

A.11.7 Mobile computing and teleworking
Objective: To ensure information security when using mobile computing and teleworking.

A.12.1 Security requirements of information systems
Objective: To ensure that security is an integral part of information systems.

A.12.2 Correct processing in applications
Objective: To prevent errors, loss, unauthorized modification or misuse of information in

A.12.3 Cryptographic controls
Objective: To protect the confidentiality, authenticity or integrity of information by
cryptographic means.

A.12.4 Security of system files
Objective: To ensure the security of system files.

A.12.5 Security in development and support processes
Objective: To maintain the security of application system software and information.

A.12.6 Technical Vulnerability Management
Objective: To reduce risks resulting from exploitation of published technical

A.13.1 Reporting information security events and weaknesses
Objective: To ensure information security events and weaknesses associated with
information systems are communicated in a manner allowing timely corrective action to
be taken.

A.13.2 Management of information security incidents and improvements
Objective: To ensure a consistent and effective approach is applied to the management of
information security incidents.

A.14.1 Information security aspects of business continuity management
Objective: To counteract interruptions to business activities and to protect critical
business processes from the effects of major failures of information systems or disasters
and to ensure their timely resumption.

A.15.1 Compliance with legal requirements
Objective: To avoid breaches of any law, statutory, regulatory or contractual obligations,
and of any security requirements.

A.15.2 Compliance with security policies and standards, and technical compliance
Objective: To ensure compliance of systems with organizational security policies and

A.15.3 Information systems audit considerations
Objective: To maximize the effectiveness of and to minimize interference to/from the
information systems audit process.

D_wathi:
Thank you very much, this is very useful. Finally, I have one more request: can you please help me with a list of common security incidents? I require this to prepare a document for ISO 27001.

btan, Exec Consultant
Distinguished Expert 2018
Here are the common ones, though it very much depends on what system and network connection you have.

For internet-facing systems that have vulnerabilities in web applications, etc.
- Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks.
- SQL injection attack
- Cross-site scripting (XSS) attack.

For endpoint machine attacks
- Malware infection, such as from use of an unknown thumb drive
- Ransomware locking up all files and demanding payment

For network attacks on an insecure channel where data in transit is not protected
- Man-in-the-middle (MitM) attack.
- Eavesdropping attack.

For email attacks on non-vigilant users who just click and open without being cautious
- Phishing and spear phishing attacks.

For web attacks on non-vigilant users whose internet surfing led to a poorly reputable site
- Drive-by attack due to visiting compromised websites, or due to clicking a link on a website or in a phishing email

For insider threats or data breaches
- Password attacks against weak passwords
- Unauthorised access using privileged accounts which do not have 2FA or MFA.
- Administrative rights being abused, leading to leakage of sensitive files or personal data
- Destructive action by an administrator, such as deletion of trails or installing unauthorised software

The above are not exhaustive; they are mostly reported due to poor hygiene, or are areas to constantly review for effectiveness of controls and compliance with the process regime in place.
