Management System Requirements: These are outlined in ISO 27001:2022 and are harmonized with Annex SL. This alignment enhances the integration between ISO 27001:2022 and other standards such as ISO 9001:2015, ISO 14001:2015, and ISO 45001:2018, resulting in improved compatibility and consistency across management systems.
Control Requirements: Specified in ISO 27001:2022 Annex A, these encompass all 93 technical and non-technical controls that must be taken into account during the implementation process. Each control is essential for ensuring comprehensive security measures are established and maintained.
Management System Policy and Procedure Manual: This encompasses overarching management controls.
Employee Control Manual: This covers non-technical controls related to employee behavior and procedures.
Information Security Control Manual: This includes technical controls aimed at securing information and systems.
Context of the organization
Leadership and worker participation
Planning
Support
Operation
Performance evaluation
Improvement
A5: Organizational controls (37 controls)
Examples:
Policies for Information Security: Documents outlining the organization's approach to information security, including acceptable use policies, data protection policies, and incident response procedures.
Roles and Responsibilities: Clear delineation of roles and responsibilities related to information security management, including the responsibilities of employees, managers, and security personnel.
Classification of Information: Guidelines for categorizing information based on its sensitivity or importance, such as public, internal, confidential, or restricted.
Labelling of Information: Procedures for labeling or marking sensitive information to ensure appropriate handling and protection, including labeling requirements for physical and digital documents.
Access Control: Measures for controlling access to information and information systems, including user authentication, authorization mechanisms, and access control lists.
Access Rights: Policies and procedures for granting, revoking, and managing access rights to information and systems based on the principle of least privilege.
Threat Intelligence: Processes for gathering, analyzing, and leveraging threat intelligence to identify and mitigate potential security threats and vulnerabilities.
A6: People controls (8 controls)
People controls encompass various measures aimed at managing human factors in information security. Here are examples of people controls:
Screening: Procedures for screening job applicants, contractors, and third-party personnel before granting them access to sensitive information or systems. This may involve background checks, reference verification, and vetting processes.
Terms of Employment: Guidelines and agreements outlining employees' responsibilities regarding information security, including confidentiality agreements, non-disclosure agreements, and acceptable use policies.
Information Security Awareness: Programs and initiatives designed to educate employees about information security best practices, policies, and procedures. This may include training sessions, awareness campaigns, and regular communication on security-related topics.
Remote Working: Policies and procedures governing remote work arrangements, including guidelines for secure access to company networks and systems, use of personal devices, and protection of sensitive information outside the office environment.
Access Control: Measures for controlling employees' access to information and systems based on their roles and responsibilities. This includes user authentication, access permissions, and monitoring access activities to prevent unauthorized access.
Employee Monitoring: Policies and procedures for monitoring employees' activities related to information security, such as monitoring network traffic, email communications, and system usage to detect and mitigate security threats.
Reporting and Incident Response: Protocols for reporting security incidents, breaches, or suspicious activities to the appropriate authorities or response teams. This includes procedures for incident detection, analysis, containment, and recovery.
Termination Procedures: Processes for securely offboarding employees, contractors, or third-party personnel when they leave the organization. This includes revoking access rights, collecting company assets, and ensuring the return or deletion of sensitive information.
A7: Physical controls (14 controls)
Physical Security Perimeters: Implementing physical barriers such as fences, gates, walls, and security guards to protect the perimeter of the facility.
Physical Entry Controls: Installing access control systems such as key cards, biometric scanners, or keypad entry systems to regulate entry into secure areas.
Working in Secure Areas: Establishing designated secure areas within the facility where access is restricted to authorized personnel only.
Clear Desk and Clear Screen Policy: Enforcing policies that require employees to clear their desks and screens of sensitive information when not in use to prevent unauthorized access or visual eavesdropping.
Equipment Maintenance: Implementing regular maintenance schedules for physical security equipment such as locks, surveillance cameras, alarms, and access control systems to ensure their effectiveness.
Security Lighting: Installing adequate lighting around the perimeter of the facility and in parking areas to deter unauthorized access and enhance surveillance capabilities.
Intrusion Detection Systems: Deploying sensors, alarms, and motion detectors to detect and alert security personnel to unauthorized access attempts or suspicious activities.
Surveillance Cameras: Installing surveillance cameras strategically throughout the facility to monitor and record activities in key areas.
Secure Storage: Providing secure storage facilities such as safes, cabinets, and lockers for storing sensitive information, valuable assets, and personal belongings.
Visitor Management: Implementing procedures for verifying the identity of visitors, issuing visitor badges, and escorting visitors while they are on the premises.
Emergency Response Plans: Developing and implementing plans for responding to physical security incidents, such as intrusions, thefts, or natural disasters.
Environmental Controls: Implementing measures to control environmental factors such as temperature, humidity, and moisture levels to protect sensitive equipment and materials from damage.
Access Control Logs: Maintaining logs of access control activities, including entries, exits, and attempted access, to track and audit physical access to secure areas.
Security Signage: Displaying signs and warnings to inform employees and visitors of security policies, procedures, and restricted areas within the facility.
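The access control logs item above only has value if someone actually reviews the records for the patterns an auditor cares about. The Python below is an added example, not code from the page or from any ISO publication: it parses a handful of constructed badge-reader log lines in an assumed format (timestamp, badge id, door, direction, result) and reports three kinds of findings a physical access review typically looks for: repeated denied attempts on one door by one badge, an entry into a secure area outside business hours, and an exit with no matching entry (a possible tailgating indicator). The door names, the 07:00 to 19:00 working hours and the denial threshold are assumptions chosen for the illustration.

```python
"""Audit checks over physical access-control log lines (added example)."""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log lines in an assumed format:
# <ISO timestamp> <badge id> <door> <direction> <result>
SAMPLE_LOG = """\
2024-03-04T08:55:12 B1001 SERVER-ROOM ENTRY GRANTED
2024-03-04T09:10:45 B1001 SERVER-ROOM EXIT GRANTED
2024-03-04T12:02:03 B2042 SERVER-ROOM ENTRY DENIED
2024-03-04T12:02:19 B2042 SERVER-ROOM ENTRY DENIED
2024-03-04T12:02:40 B2042 SERVER-ROOM ENTRY DENIED
2024-03-04T17:30:00 B3077 SERVER-ROOM EXIT GRANTED
2024-03-04T23:41:08 B1001 SERVER-ROOM ENTRY GRANTED
2024-03-05T08:01:22 B1001 SERVER-ROOM EXIT GRANTED
"""

SECURE_AREAS = {"SERVER-ROOM"}                # doors treated as secure areas (assumption)
BUSINESS_HOURS = (time(7, 0), time(19, 0))    # assumed working hours
DENIED_THRESHOLD = 3                          # denials per badge per door that raise a finding


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, badge, door, direction, result = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        events.append({"when": when, "badge": badge, "door": door,
                       "direction": direction, "result": result})
    return events


def audit(events):
    """Return a list of (finding, badge, door, timestamp) tuples in time order."""
    findings = []
    denied = defaultdict(int)
    inside = set()                            # (badge, door) pairs currently inside
    for ev in sorted(events, key=lambda e: e["when"]):
        key = (ev["badge"], ev["door"])
        if ev["result"] == "DENIED":
            denied[key] += 1
            if denied[key] == DENIED_THRESHOLD:
                findings.append(("repeated_denied", ev["badge"], ev["door"], ev["when"]))
            continue
        # Only GRANTED events reach this point.
        if ev["door"] in SECURE_AREAS and ev["direction"] == "ENTRY":
            t = ev["when"].time()
            if not (BUSINESS_HOURS[0] <= t <= BUSINESS_HOURS[1]):
                findings.append(("after_hours_entry", ev["badge"], ev["door"], ev["when"]))
        if ev["direction"] == "ENTRY":
            inside.add(key)
        elif ev["direction"] == "EXIT":
            if key not in inside:
                findings.append(("exit_without_entry", ev["badge"], ev["door"], ev["when"]))
            inside.discard(key)
    return findings


def finding_kinds(text=SAMPLE_LOG):
    """The distinct finding types produced for a log text, sorted."""
    return sorted({f[0] for f in audit(parse_log(text))})


if __name__ == "__main__":
    for finding in audit(parse_log(SAMPLE_LOG)):
        print(*finding)
```

The review keeps state per (badge, door) pair rather than per badge so that an exit from one secure area is not matched against an entry into another; a real deployment would also carry the reader's own event codes (door held open, forced door) through the same loop.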
A8: Technology controls (34 controls)
Examples of technology controls
User Endpoint Devices: Implementing security measures on user endpoint devices such as laptops, desktops, smartphones, and tablets to protect against unauthorized access and data breaches. This may include encryption, antivirus software, firewalls, and device management solutions.
Privileged Access Rights: Restricting privileged access rights to sensitive systems and data to authorized personnel only. This involves implementing role-based access controls (RBAC), least privilege principles, and regular reviews of access permissions.
Protection Against Malware: Deploying antivirus software, anti-malware solutions, and intrusion detection systems (IDS) to protect against malware infections and other malicious activities. This includes regular updates and patches to software and operating systems to address known vulnerabilities.
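The access rights item under A5 and the privileged access rights item above rest on the same mechanism: roles that carry only the permissions a job needs, a default-deny check at the point of use, and a periodic review that revokes what has expired and re-examines privileged grants that have not been looked at recently. The Python below is an added example, not code from the page or from any ISO document; the role model, the set of permissions treated as privileged, the 90-day review interval and the user assignments are all constructed for the illustration, and the offboarding helper ties in the termination procedures item under A6.

```python
"""Role-based access with least-privilege checks and an access review (added example)."""
from datetime import date, timedelta

# Assumed role model: each role carries only the permissions its job needs.
ROLE_PERMISSIONS = {
    "analyst": {"ticket:read", "ticket:write"},
    "dba":     {"db:read", "db:write", "db:admin"},
    "auditor": {"ticket:read", "db:read", "log:read"},
}
PRIVILEGED = {"db:admin", "log:read"}     # permissions that need periodic review (assumption)
REVIEW_INTERVAL = timedelta(days=90)      # assumed review cadence for privileged grants

# Constructed assignments: (user, role, granted, expires, last_reviewed)
ASSIGNMENTS = [
    ("alice", "analyst", date(2024, 1, 10), None, date(2024, 1, 10)),
    ("bob",   "dba",     date(2023, 6, 1),  None, date(2023, 6, 1)),
    ("carol", "auditor", date(2024, 2, 1),  date(2024, 3, 1), date(2024, 2, 1)),
    ("dave",  "dba",     date(2024, 3, 1),  None, date(2024, 3, 1)),
]


def active_roles(user, assignments, today):
    """Roles the user holds today; expired or not-yet-granted assignments grant nothing."""
    return {role for u, role, granted, expires, _ in assignments
            if u == user and granted <= today and (expires is None or today < expires)}


def permissions(user, assignments, today):
    """Union of the permissions of the user's active roles."""
    perms = set()
    for role in active_roles(user, assignments, today):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user, permission, assignments=ASSIGNMENTS, today=None):
    """Default deny: True only if some active role grants the permission."""
    today = today or date.today()
    return permission in permissions(user, assignments, today)


def access_review(assignments=ASSIGNMENTS, today=None):
    """Assignments needing action: expired ones, or privileged ones overdue for review."""
    today = today or date.today()
    actions = []
    for user, role, granted, expires, reviewed in assignments:
        if expires is not None and today >= expires:
            actions.append(("revoke_expired", user, role))
            continue
        if ROLE_PERMISSIONS.get(role, set()) & PRIVILEGED and today - reviewed > REVIEW_INTERVAL:
            actions.append(("review_overdue", user, role))
    return actions


def offboard(user, assignments):
    """Termination: drop every role assignment for the user so nothing is left behind."""
    return [a for a in assignments if a[0] != user]


if __name__ == "__main__":
    as_of = date(2024, 3, 15)
    for action in access_review(today=as_of):
        print(*action)
```

The check is deliberately closed-world: a permission that no active role grants is denied, and an assignment past its expiry date stops granting access even before the review job runs, so the review list is a second line of defence rather than the only one.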
Arrow Assessment Services
2255 B Queen St East, Suite 1112
Toronto, Ontario
M4E-1G3
askus@arrowassessment.com