As a modern, forward-looking business, norbloc recognizes the need to ensure that its business operates smoothly and without interruption for the benefit of its customers, shareholders and other stakeholders.
In order to provide such a level of continuous operation, norbloc has implemented an Information Security Management System (ISMS) in line with the International Standard for Information Security, ISO/IEC 27001. This standard defines the requirements for an ISMS based on internationally recognised best practice.
The operation of the ISMS has many benefits for the business, including:
norbloc has decided to maintain full certification to ISO/IEC 27001 so that the effective adoption of information security best practice may be validated by an independent third party, a Registered Certification Body (RCB). In addition, the guidance contained in the codes of practice ISO/IEC 27017 and ISO/IEC 27018 has been adopted as these have particular relevance for Cloud Service Providers (CSPs).
This policy applies to all systems, people and processes that constitute the organisation’s information systems, including board members, directors, employees, suppliers and other third parties who have access to Norbloc systems.
A clear definition of the requirements for information security within Norbloc will be agreed and maintained with the internal business and cloud service customers so that all ISMS activity is focused on the fulfilment of those requirements. Statutory, regulatory and contractual requirements will also be documented and input to the planning process. Specific requirements about the security of new or changed systems or services will be captured as part of the design stage of each project.
It is a fundamental principle of the norbloc Information Security Management System that the controls implemented are driven by business needs and this will be regularly communicated to all staff through team meetings and briefing documents.
2. Framework for Setting Objectives
A regular cycle will be used for the setting of objectives for information security, to coincide with the budget planning cycle. This will ensure that adequate funding is obtained for the improvement activities identified. These objectives will be based upon a clear understanding of the business requirements, informed by the management review process during which the views of relevant interested parties may be obtained.
Information security objectives will be documented for an agreed time period, together with details of how they will be achieved. These will be evaluated and monitored as part of management reviews to ensure that they remain valid. If amendments are required, these will be managed through the change management process.
In accordance with ISO/IEC 27001 the reference controls detailed in Annex A of the standard will be adopted where appropriate by norbloc. These will be reviewed regularly in light of the outcome of risk assessments and in line with information security risk treatment plans. For details of which Annex A controls have been implemented and which have been excluded please see the Statement of Applicability.
The adoption of these codes of practice will provide additional assurance to our customers and help further with our compliance with international data protection legislation.
3. Continual Improvement of the ISMS
Norbloc policy regarding continual improvement is to:
Ideas for improvements may be obtained from any source including employees, customers, suppliers, IT staff, risk assessments and service reports. Once identified they will be recorded and evaluated as part of management reviews.
4. Information Security Policy Areas
Norbloc defines policy in a wide variety of information security-related areas which are described in detail in a comprehensive set of policy documentation that accompanies this overarching information security policy.
Each of these policies is defined and agreed by one or more people with competence in the relevant area and, once formally approved, is communicated to an appropriate audience, both within and external to the organization.
The table below shows the individual policies within the documentation set and summarises each policy’s content and the target audience of interested parties.
| Policy | Content | Target audience |
|---|---|---|
| Internet Acceptable Use Policy | Business use of the Internet, personal use of the Internet, Internet account management, security and monitoring, and prohibited uses of the Internet service. | Users of the Internet service |
| Cloud Computing Policy | Due diligence, signup, setup, management and removal of cloud computing services. | Employees involved in the procurement and management of cloud services |
| Mobile Device Policy | Care and security of mobile devices such as laptops, tablets and smartphones, whether provided by the organisation or the individual for business use. | Users of company-provided and BYOD (Bring Your Own Device) mobile devices |
| | Information security considerations in establishing and running a teleworking site and arrangement, e.g. physical security, insurance and equipment. | Management and employees involved in setting up and maintaining a teleworking site |
| Access Control Policy | User registration and deregistration, provision of access rights, external access, access reviews, password policy, user responsibilities, and system and application access control. | Employees involved in setting up and managing access control |
| | Risk assessment, technique selection, deployment, testing and review of cryptography, and key management. | Employees involved in setting up and managing the use of cryptographic technology and techniques |
| | Firewalls, anti-virus, spam filtering, software installation and scanning, vulnerability management, user awareness training, threat monitoring and alerts, technical reviews and malware incident management. | Employees responsible for protecting the organisation’s infrastructure from malware |
| | Backup cycles, cloud backups, off-site storage, documentation, recovery testing and protection of storage media. | Employees responsible for designing and implementing backup regimes |
| Logging and Monitoring Policy | Settings for event collection, protection and review. | Employees responsible for protecting the organisation’s infrastructure from attacks |
| | Purchasing software, software registration, installation and removal, in-house software development and use of software in the cloud. | |
| Technical Vulnerability Management Policy | Vulnerability definition, sources of information, patches and updates, vulnerability assessment, hardening and awareness training. | Employees responsible for protecting the organisation’s infrastructure from malware |
| Network Security Policy | Network security design, including network segregation, perimeter security, wireless networks and remote access; network security management, including roles and responsibilities, logging and monitoring, and changes. | Employees responsible for designing, implementing and managing networks |
| Electronic Messaging Policy | Sending and receiving electronic messages, monitoring of electronic messaging facilities and use of email. | Users of electronic messaging facilities |
| Secure Development Policy | Business requirements specification, system design, development and testing, and outsourced software development. | Employees responsible for designing, managing and writing code for bespoke software developments |
| Information Security Policy for Supplier Relationships | Due diligence, supplier agreements, monitoring and review of services, changes, disputes and end of contract. | Employees involved in setting up and managing supplier relationships |
| Availability Management Policy | Availability requirements and design, monitoring and reporting, non-availability, testing availability plans and managing changes. | Employees responsible for designing systems and managing service delivery |
| IP and Copyright Compliance Policy | Protection of intellectual property, the law, penalties and software licence compliance. | |
| Records Retention and Protection Policy | Retention period for specific record types, use of cryptography, media selection, record retrieval, destruction and review. | Employees responsible for creation and management of records |
| Privacy and Personal Data Protection Policy | Applicable data protection legislation, definitions and requirements. | Employees responsible for designing and managing systems using personal data |
| HR Security Policy | Recruitment, employment contracts, policy compliance, disciplinary process and termination. | |
| Acceptable Use Policy | Employee commitment to organisational information security policies. | |
| Asset Management Policy | This document sets out the rules for how assets must be managed from an information security perspective. | |
Table 1: Set of policy documents
5. Application of Information Security Policy
The policy statements made in this document and the set of supporting policies listed in Table 1 have been reviewed and approved by the top management of norbloc and must be complied with.
For any assistance or questions regarding the Information Security Policy, please contact firstname.lastname@example.org by email.