2.1 Constituents
The Organisation’s ISMS documentation consists of:
2.1.1 The scope statement (Section 1 above), information security policy (Section 5 below), and Statement of Applicability, all of which are included in this manual. This manual, together with any separately published policies, is the Organisation’s Tier 1 ISMS documentation. The control objectives described in this manual are achieved by controls that include policies (which provide board-approved guidelines on specific control areas) and procedures. These policies are either included in, or referenced from, this manual; [ISO27001 4.3.1a, b, g and i]
2.1.2 The separate, version controlled risk assessment report and risk treatment plan, whose preparation follows the methodology described in Section 4 of this manual; [ISO27001 4.3.1c, d and f]
2.1.3 Records of how the Organisation applied (and continues to apply) the PLAN-DO-CHECK-ACT process, which is described in Section 3 of this manual, in the planning, implementation and maintenance of its ISMS; [ISO27001 4.3.3]
2.1.4 Those procedures, which describe how the policies are implemented, and which are identified in this manual but are separate from it, are Tier 2 documents; [ISO27001 4.3.1e]
2.1.5 Work Instructions and Operations Work Instructions, which set out the requirements for performing or executing specific tasks (including the measurement of the effectiveness of the controls) in the Organisation generally and in the [IT operations department] specifically, and which are identified in procedures, together with similar documents such as User Agreements and job descriptions, are Tier 3 documentation;
2.1.6 Records of the Organisation’s control of its information security processes, including details of audits, information security incidents and management reviews gathered during the CHECK phase, described in 3.3 below, are the fourth tier of the Organisation’s ISMS documentation. [ISO27001 4.3.1h]
2.2 Authorisation Levels
2.2.1 The Organisation has clearly defined authorisation levels that cannot be delegated.
2.2.2 The board of directors has ultimate authority over the information security policy and the ISMS, and approves and authorises all changes to the information security policy, the Statement of Applicability, the information security manual and any separate policy statements (Tier 1 documents).
2.2.3 The Director General of IT (see sub-section 6.1.3.2) has lead executive authority for information security and works with the Information Security Manager to approve, authorise and issue all Tier 2 documents.
2.2.4 The Information Security Manager and the Director General of IT approve and authorise Tier 3 documents owned by individuals or entities in their areas of responsibility. Any information security documents personally owned by any member of the Trust Centre Team must be approved and authorised by the Director General of IT.
2.2.5 Owners of information assets (see sub-section 7.1.2 of the Manual) are responsible for the security classification of their asset(s), the day-to-day protection of their asset(s) and the day-to-day operation of related security processes. Responsibility for carrying out these processes or associated task(s) may be delegated to anyone within the Owner’s area of responsibility, provided that:
a) The individual has the necessary skill, competence and resources to carry out the processes or task(s) and
b) The Owner retains accountability for ensuring that the process or task is carried out correctly.
2.2.6 Access rights are specified in sub-section 11.1 below. Access rights are personal, are set out in individual User Agreements (see sub-sections 11.2 and 11.3) and cannot be delegated.
2.2.7 The authorisation procedure for new information processing facilities is set out in DOC 6.4.
2.3 The Organisation’s ISMS documentation is protected and controlled. There is a documented procedure (DOC ISMS 1) which takes 2.2 above into account and defines the management actions for document control. [ISO27001 4.3.2]
2.4 The Organisation has a documented procedure which defines the controls for the identification, storage, protection, retrieval, retention time and disposal of records. [ISO27001 4.3.3] In line with these retention requirements, documents are available to those who need them and are authorised to access them.
Adlin Hisyamuddin Shaikh Salman Mohammed Al-Khalifa
Information Security Manager Director General of IT
Signed: ____________________________ _______________________________
On: 08 November, 2007 08 November, 2007
Change history
Issue 1 08 November, 2007 Initial issue