ISO27001 - SPF Control Mapping
Warning
This document is in draft form and is released as a "Public Beta" to solicit feedback from security
practitioners and managers.
There may be errors and omissions within this document that are awaiting correction.
Any use of this document must be done with the acknowledgement that these errors may exist and
that the data it contains will not be viewed as final or definitive.
Security Controls                                                                       info@halkynconsulting.co.uk




                    ISO 27001 Controls Mapped to SPF
                        Mandatory Requirements

Outline
This document provides an outline mapping between the controls listed in Annex A of ISO
27001 and the Mandatory Requirements of the UK Government Security Policy Framework.
It is suggested that this be used to review existing, documented security controls to assess
cross-standard compliance.
Where there are no existing controls, this document can be used to determine the level of detail
required to cover both the ISO27001 controls and the UK Government regulations.


NOTICE
This document does not, and cannot, replace the advice given by a security professional with
detailed knowledge of your circumstances, and is only provided to assist with determining
compliance requirements.
The relationship between SPF Mandatory Requirements and ISO27001 controls is presented here
as a guideline only and may be modified by either the scope of applicability given under ISO27001
or the completeness of the controls developed to comply with the SPF.

Document Control

Version     0.8
Status      Draft
Author      T Wake
Modified    25-Jan-12
Reference Documents
            ISO/IEC 27001:2005 Information technology — Security techniques — Information security management systems — Requirements
            HMG Security Policy Framework Version 7 (October 2011)




Halkyn Consulting is an independent security consultancy with experience in delivering a wide
range of security solutions to clients across the globe. We are experienced in assisting in the
development of cost-effective, timely security controls with organisations of all sizes from
large multinationals and government agencies to small businesses and not-for-profit
organisations.
As a fully independent consultancy, we are free to offer our clients the best possible advice
from a range of vendors and will always strive to deliver the highest value possible.
If you want to find out more about how we can help you achieve your security goals, then visit
us at http://www.halkynconsulting.co.uk/ or email info@halkynconsulting.co.uk.




Page 2 of 22                                                                             www.halkynconsulting.co.uk
 Halkyn Consulting
                                                               SPF - ISO 27001 Control Mapping                                                            info@halkynconsulting.co.uk




Control Count                           133


Columns: ISO27001 Ref, Section/Title, ISO27001 Control, SPF v7 Reference, Remarks.
Each entry below gives the control reference and title, then the ISO27001 control text, the SPF v7 reference(s) and any remarks.

5.1 Information security policy
5.1.1  Information security policy document
    Control: An information security policy document shall be approved by management and published and communicated to all employees and relevant external parties.
    SPF v7: Mandatory Requirement 4; Mandatory Requirement 6
5.1.2  Review of the information security policy
    Control: The information security policy shall be reviewed at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness.
    SPF v7: Mandatory Requirement 4; Mandatory Requirement 6

6.1 Internal organization
6.1.1  Management commitment to information security
    Control: Management shall actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgment of information security responsibilities.
    SPF v7: Mandatory Requirement 1; Mandatory Requirement 2; Mandatory Requirement 3
6.1.2  Information security co-ordination
    Control: Information security activities shall be co-ordinated by representatives from different parts of the organization with relevant roles and job functions.
    SPF v7: Mandatory Requirement 1
6.1.3  Allocation of information security responsibilities
    Control: All information security responsibilities shall be clearly defined.
    SPF v7: Mandatory Requirement 1; Mandatory Requirement 6
6.1.4  Authorization process for information processing facilities
    Control: A management authorization process for new information processing facilities shall be defined and implemented.
    SPF v7: Mandatory Requirement 8
6.1.5  Confidentiality agreements
    Control: Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified and regularly reviewed.
    SPF v7: Mandatory Requirement 9; Mandatory Requirement 10; Mandatory Requirement 11
6.1.6  Contact with authorities
    Control: Appropriate contacts with relevant authorities shall be maintained.
    SPF v7: Mandatory Requirement 12; Mandatory Requirement 13




6.1.7  Contact with special interest groups
    Control: Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.
    SPF v7: (none listed)
6.1.8  Independent review of information security
    Control: The organization's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes, and procedures for information security) shall be reviewed independently at planned intervals, or when significant changes to the security implementation occur.
    SPF v7: Mandatory Requirement 8

6.2 External parties
6.2.1  Identification of risks related to external parties
    Control: The risks to the organization's information and information processing facilities from business processes involving external parties shall be identified and appropriate controls implemented before granting access.
    SPF v7: Mandatory Requirement 11
6.2.2  Addressing security when dealing with customers
    Control: All identified security requirements shall be addressed before giving customers access to the organization's information or assets.
    SPF v7: Mandatory Requirement 6; Mandatory Requirement 10
6.2.3  Addressing security in third party agreements
    Control: Agreements with third parties involving accessing, processing, communicating or managing the organization's information or information processing facilities, or adding products or services to information processing facilities shall cover all relevant security requirements.
    SPF v7: Mandatory Requirement 11

7.1 Responsibility for assets
7.1.1  Inventory of assets
    Control: All assets shall be clearly identified and an inventory of all important assets drawn up and maintained.
    SPF v7: Mandatory Requirement 7
7.1.2  Ownership of assets
    Control: All information and assets associated with information processing facilities shall be 'owned' by a designated part of the organization.
    SPF v7: Mandatory Requirement 2
7.1.3  Acceptable use of assets
    Control: Rules for the acceptable use of information and assets associated with information processing facilities shall be identified, documented, and implemented.
    SPF v7: Mandatory Requirement 3

7.2 Information classification
7.2.1  Classification guidelines
    Control: Information shall be classified in terms of its value, legal requirements, sensitivity and criticality to the organization.
    SPF v7: Mandatory Requirement 7




7.2.2  Information labeling and handling
    Control: An appropriate set of procedures for information labeling and handling shall be developed and implemented in accordance with the classification scheme adopted by the organization.
    SPF v7: Mandatory Requirement 7

8.1 Prior to employment
8.1.1  Roles and responsibilities
    Control: Security roles and responsibilities of employees, contractors and third party users shall be defined and documented in accordance with the organization's information security policy.
    SPF v7: Mandatory Requirement 1
8.1.2  Screening
    Control: Background verification checks on all candidates for employment, contractors, and third party users shall be carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.
    SPF v7: Mandatory Requirement 13; Mandatory Requirement 14
8.1.3  Terms and conditions of employment
    Control: As part of their contractual obligation, employees, contractors and third party users shall agree and sign the terms and conditions of their employment contract, which shall state their and the organization's responsibilities for information security.
    SPF v7: Mandatory Requirement 11

8.2 During employment
8.2.1  Management responsibilities
    Control: Management shall require employees, contractors and third party users to apply security in accordance with established policies and procedures of the organization.
    SPF v7: Mandatory Requirement 2
8.2.2  Information security awareness, education and training
    Control: All employees of the organization and, where relevant, contractors and third party users shall receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.
    SPF v7: Mandatory Requirement 3
8.2.3  Disciplinary process
    Control: There shall be a formal disciplinary process for employees who have committed a security breach.
    SPF v7: Mandatory Requirement 12

8.3 Termination or change of employment
8.3.1  Termination responsibilities
    Control: Responsibilities for performing employment termination or change of employment shall be clearly defined and assigned.
    SPF v7: (none listed)
8.3.2  Return of assets
    Control: All employees, contractors and third party users shall return all of the organization's assets in their possession upon termination of their employment, contract or agreement.
    SPF v7: (none listed)




8.3.3  Removal of access rights
    Control: The access rights of all employees, contractors and third party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.
    SPF v7: (none listed)

9.1 Secure areas
9.1.1  Physical security perimeter
    Control: Security perimeters (barriers such as walls, card controlled entry gates or manned reception desks) shall be used to protect areas that contain information and information processing facilities.
    SPF v7: Mandatory Requirement 18
9.1.2  Physical entry controls
    Control: Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.
    SPF v7: Mandatory Requirement 18
9.1.3  Securing offices, rooms and facilities
    Control: Physical security for offices, rooms, and facilities shall be designed and applied.
    SPF v7: Mandatory Requirement 17
9.1.4  Protecting against external and environmental threats
    Control: Physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster shall be designed and applied.
    SPF v7: Mandatory Requirement 18
9.1.5  Working in secure areas
    Control: Physical protection and guidelines for working in secure areas shall be designed and applied.
    SPF v7: Mandatory Requirement 18
9.1.6  Public access, delivery and loading areas
    Control: Access points such as delivery and loading areas and other points where unauthorized persons may enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.
    SPF v7: Mandatory Requirement 18

9.2 Equipment security
9.2.1  Equipment siting and protection
    Control: Equipment shall be sited or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.
    SPF v7: Mandatory Requirement 17
9.2.2  Supporting utilities
    Control: Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.
    SPF v7: (none listed)
    Remarks: May be included in RMADS
9.2.3  Cabling security
    Control: Power and telecommunications cabling carrying data or supporting information services shall be protected from interception or damage.
    SPF v7: (none listed)
    Remarks: May be included in RMADS
9.2.4  Equipment maintenance
    Control: Equipment shall be correctly maintained to ensure its continued availability and integrity.
    SPF v7: (none listed)
    Remarks: May be included in RMADS
9.2.5  Security of equipment off-premises
    Control: Security shall be applied to off-site equipment taking into account the different risks of working outside the organization's premises.
    SPF v7: Mandatory Requirement 9




9.2.6  Secure disposal or re-use of equipment
    Control: All items of equipment containing storage media shall be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal.
    SPF v7: Mandatory Requirement 9
9.2.7  Removal of property
    Control: Equipment, information or software shall not be taken off-site without prior authorization.
    SPF v7: Mandatory Requirement 9

10.1 Operational procedures and responsibilities
10.1.1  Documented operating procedures
    Control: Operating procedures shall be documented, maintained, and made available to all users who need them.
    SPF v7: Mandatory Requirement 10
10.1.2  Change management
    Control: Changes to information processing facilities and systems shall be controlled.
    SPF v7: Mandatory Requirement 8
    Remarks: Part of RMADS
10.1.3  Segregation of duties
    Control: Duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.
    SPF v7: Mandatory Requirement 8
    Remarks: Part of RMADS
10.1.4  Separation of development, test and operational facilities
    Control: Development, test and operational facilities shall be separated to reduce the risks of unauthorised access or changes to the operational system.
    SPF v7: Mandatory Requirement 8
    Remarks: Part of RMADS

10.2 Third party service delivery management
10.2.1  Service delivery
    Control: It shall be ensured that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated, and maintained by the third party.
    SPF v7: Mandatory Requirement 11
10.2.2  Monitoring and review of third party services
    Control: The services, reports and records provided by the third party shall be regularly monitored and reviewed, and audits shall be carried out regularly.
    SPF v7: Mandatory Requirement 11
10.2.3  Managing changes to third party services
    Control: Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business systems and processes involved and re-assessment of risks.
    SPF v7: Mandatory Requirement 11

10.3 System planning and acceptance
10.3.1  Capacity management
    Control: The use of resources shall be monitored, tuned, and projections made of future capacity requirements to ensure the required system performance.
    SPF v7: Mandatory Requirement 8
    Remarks: Part of RMADS




10.3.2  System acceptance
    Control: Acceptance criteria for new information systems, upgrades, and new versions shall be established and suitable tests of the system(s) carried out during development and prior to acceptance.
    SPF v7: Mandatory Requirement 8
    Remarks: Part of RMADS

10.4 Protection against malicious and mobile code
10.4.1  Controls against malicious code
    Control: Detection, prevention, and recovery controls to protect against malicious code and appropriate user awareness procedures shall be implemented.
    SPF v7: (none listed)
    Remarks: Possibly covered by MR 9 if in scope. GPG 7 refers.
10.4.2  Controls against mobile code
    Control: Where the use of mobile code is authorized, the configuration shall ensure that the authorized mobile code operates according to a clearly defined security policy, and unauthorized mobile code shall be prevented from executing.
    SPF v7: (none listed)
    Remarks: Possibly covered by MR 9 if in scope. GPG 7 refers.

10.5 Back-up
10.5.1  Information back-up
    Control: Back-up copies of information and software shall be taken and tested regularly in accordance with the agreed backup policy.
    SPF v7: Mandatory Requirement 4

10.6 Network security management
10.6.1  Network controls
    Control: Networks shall be adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit.
    SPF v7: Mandatory Requirement 8
    Remarks: Part of RMADS.
10.6.2  Security of network services
    Control: Security features, service levels, and management requirements of all network services shall be identified and included in any network services agreement, whether these services are provided in-house or outsourced.
    SPF v7: Mandatory Requirement 9

10.7 Media handling
10.7.1  Management of removable computer media
    Control: There shall be procedures in place for the management of removable media.
    SPF v7: Mandatory Requirement 8
10.7.2  Disposal of media
    Control: Media shall be disposed of securely and safely when no longer required, using formal procedures.
    SPF v7: Mandatory Requirement 9
10.7.3  Information handling procedures
    Control: Procedures for the handling and storage of information shall be established to protect this information from unauthorized disclosure or misuse.
    SPF v7: Mandatory Requirement 8
10.7.4  Security of system documentation
    Control: System documentation shall be protected against unauthorized access.
    SPF v7: Mandatory Requirement 7

10.8 Exchanges of information
10.8.1  Information exchange policies and procedures
    Control: Formal exchange policies, procedures, and controls shall be in place to protect the exchange of information through the use of all types of communication facilities.
    SPF v7: Mandatory Requirement 9




10.8.2  Exchange agreements
    Control: Agreements shall be established for the exchange of information and software between the organization and external parties.
    SPF v7: Mandatory Requirement 9
10.8.3  Physical media in transit
    Control: Media containing information should be protected against unauthorized access, misuse or corruption during transportation beyond an organization's physical boundaries.
    SPF v7: Mandatory Requirement 7
10.8.4  Electronic messaging
    Control: Information involved in electronic messaging shall be appropriately protected.
    SPF v7: Mandatory Requirement 7
10.8.5  Business information systems
    Control: Policies and procedures shall be developed and implemented to protect information associated with the interconnection of business information systems.
    SPF v7: Mandatory Requirement 9

10.9 Electronic commerce services
10.9.1  Electronic commerce
    Control: Information involved in electronic commerce passing over public networks shall be protected from fraudulent activity, contract dispute, and unauthorized disclosure and modification.
    SPF v7: (none listed)
10.9.2  On-line transactions
    Control: Information involved in on-line transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
    SPF v7: (none listed)
10.9.3  Publicly available systems
    Control: The integrity of information being made available on a publicly available system shall be protected to prevent unauthorized modification.
    SPF v7: (none listed)

10.10 Monitoring
10.10.1  Audit logging
    Control: Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring.
    SPF v7: Mandatory Requirement 9
    Remarks: Also GPG 13
10.10.2  Monitoring system use
    Control: Procedures for monitoring use of information processing facilities shall be established and the results of the monitoring activities reviewed regularly.
    SPF v7: Mandatory Requirement 9
    Remarks: Also GPG 13
10.10.3  Protection of log information
    Control: Logging facilities and log information shall be protected against tampering and unauthorized access.
    SPF v7: Mandatory Requirement 9
    Remarks: Also GPG 13
10.10.4  Administrator and operator logs
    Control: System administrator and system operator activities shall be logged.
    SPF v7: Mandatory Requirement 9
    Remarks: Also GPG 13
10.10.5  Fault logging
    Control: Faults shall be logged, analyzed, and appropriate action taken.
    SPF v7: Mandatory Requirement 9
    Remarks: Also GPG 13
10.10.6  Clock synchronization
    Control: The clocks of all relevant information processing systems within an organization or security domain shall be synchronized with an agreed accurate time source.
    SPF v7: Mandatory Requirement 9
    Remarks: Also GPG 13

11.1 Business requirement for access control
11.1.1  Access control policy
    Control: An access control policy shall be established, documented, and reviewed based on business and security requirements for access.
    SPF v7: Mandatory Requirement 10




                    11.2 User access management
    11.2.1          User registration       There shall be a formal user registration and de-registration procedure in place   Mandatory Requirement 9
                                            for granting and revoking access to all information systems and services.
                                                                                                                               Mandatory Requirement 10

    11.2.2          Privilege               The allocation and use of privileges shall be restricted and controlled.           Mandatory Requirement 9
                    management
                                                                                                                               Mandatory Requirement 10
    11.2.3          User password           The allocation of passwords shall be controlled through a formal management        Mandatory Requirement 9
                    management              process.
                                                                                                                               Mandatory Requirement 10
    11.2.4          Review of user          Management shall review users' access rights at regular intervals using a formal   Mandatory Requirement 9
                    access rights           process.
                                                                                                                               Mandatory Requirement 10

                    11.3 User responsibilities
    11.3.1          Password use          Users shall be required to follow good security practices in the selection and use   Mandatory Requirement 10
                                          of passwords.
    11.3.2          Unattended user       Users shall ensure that unattended equipment has appropriate protection.             Mandatory Requirement 10
                    equipment
    11.3.3          Clear desk and clear A clear desk policy for papers and removable storage media and a clear screen         Mandatory Requirement 7
                    screen policy         policy for information processing facilities shall be adopted.
                                                                                                                               Mandatory Requirement 10

                    11.4 Network access control

    11.4.1          Policy on use of        Users shall only be provided with access to the services that they have been       Mandatory Requirement 7
                    network services        specifically authorized to use.
                                                                                                                               Mandatory Requirement 9

    11.4.2          User authentication     Appropriate authentication methods shall be used to control access by remote       Mandatory Requirement 9
                    for external            users.
                    connections
    11.4.3          Equipment               Automatic equipment identification shall be considered as a means to               Mandatory Requirement 9
                    identification in the   authenticate connections from specific locations and equipment.
                    network

   11.4.4           Remote diagnostic     Physical and logical access to diagnostic and configuration ports shall be              Mandatory Requirement 9
                    and configuration     controlled.
                    port protection
    11.4.5          Segregation in       Groups of information services, users, and information systems shall be                  Mandatory Requirement 9
                    networks             segregated on networks.
    11.4.6          Network connection   For shared networks, especially those extending across the organisation's                Mandatory Requirement 9
                    control              boundaries, the capability of users to connect to the network shall be restricted,
                                         in line with the access control policy and requirements of the business
                                         applications (see 11.1).
    11.4.7          Network routing      Routing controls shall be implemented for networks to ensure that computer               Mandatory Requirement 9
                    control              connections and information flows do not breach the access control policy of the
                                         business applications.
                    11.5 Operating system access control
    11.5.1          Secure log-on        Access to operating systems shall be controlled by a secure log-on procedure.            Mandatory Requirement 9
                    procedure


    11.5.2          User identification   All users shall have a unique identifier (user ID) for their personal use only, and a   Mandatory Requirement 9
                    and authentication    suitable authentication technique shall be chosen to substantiate the claimed
                                          identity of a user.
    11.5.3          Password              Systems for managing passwords shall be interactive and shall ensure quality            Mandatory Requirement 9
                    management system     passwords.
    11.5.4          Use of system         The use of utility programs that might be capable of overriding system and              Mandatory Requirement 9
                    utilities             application controls shall be restricted and tightly controlled.
    11.5.5          Session time-out      Inactive sessions shall shut down after a defined period of inactivity.                Mandatory Requirement 9
    11.5.6          Limitation of         Restrictions on connection times shall be used to provide additional security for       Mandatory Requirement 9
                    connection time       high-risk applications.
                    11.6 Application and information access control
    11.6.1          Information access Access to information and application system functions by users and support                Mandatory Requirement 9
                    restriction           personnel shall be restricted in accordance with the defined access control policy.

    11.6.2          Sensitive system      Sensitive systems shall have a dedicated (isolated) computing environment.              Mandatory Requirement 7
                    isolation
                                                                                                                               Mandatory Requirement 9

                    11.7 Mobile computing and teleworking
    11.7.1          Mobile computing    A formal policy shall be in place, and appropriate security measures shall be         Mandatory Requirement 9
                    and communications adopted to protect against the risks of using mobile computing and
                                        communication facilities.
    11.7.2          Teleworking         A policy, operational plans and procedures shall be developed and implemented         Mandatory Requirement 9
                                        for teleworking activities.

                    12.1 Security requirements of information systems

    12.1.1          Security              Statements of business requirements for new information systems, or                 Mandatory Requirement 16
                    requirements          enhancements to existing information systems shall specify the requirements for
                    analysis and          security controls.
                    specification
                    12.2 Correct processing in applications
    12.2.1          Input data validation Data input to applications shall be validated to ensure that this data is correct
                                          and appropriate.
    12.2.2          Control on internal Validation checks shall be incorporated into applications to detect any corruption
                    processing            of information through processing errors or deliberate acts.
    12.2.3          Message integrity     Requirements for ensuring authenticity and protecting message integrity in
                                          applications shall be identified, and appropriate controls identified and
                                          implemented.
    12.2.4          Output data           Data output from an application shall be validated to ensure that the processing
                    validation            of stored information is correct and appropriate to the circumstances.
                    12.3 Cryptographic controls
    12.3.1          Policy on the use of  Departments must produce and implement a policy on the deployment and               Mandatory Requirement 9      HMG IA Standard 4
                    cryptographic         management of cryptographic controls in accordance with IS4.
                    controls

    12.3.2          Key management        Key management shall be in place to support the organisation's use of                Mandatory Requirement 9      HMG IA Standard 4
                                          cryptographic techniques.

                    12.4 Security of system files
    12.4.1          Control of            There shall be procedures in place to control the installation of software on       Mandatory Requirement 9
                    operational software operational systems.

    12.4.2          Protection of system  Test data shall be selected carefully, and protected and controlled.                  Mandatory Requirement 9
                    test data
   12.4.3           Access control to     Access to program source code shall be restricted.                                 Mandatory Requirement 9
                    program source code
                    12.5 Security in development and support processes
    12.5.1          Change control        The implementation of changes shall be controlled by the use of formal change      Mandatory Requirement 8      Documented in RMADS
                    procedures            control procedures.
    12.5.2          Technical review of   When operating systems are changed, business critical applications shall be        Mandatory Requirement 8
                    applications after    reviewed and tested to ensure there is no adverse impact on organizational
                    operating system      operations or security.
                    changes
    12.5.3          Restrictions on       Modifications to software packages shall be discouraged, limited to necessary      Mandatory Requirement 8
                    changes to software   changes, and all changes shall be strictly controlled.
                    packages
    12.5.4          Information leakage Opportunities for information leakage shall be prevented.                            Mandatory Requirement 7

    12.5.5          Outsourced software Outsourced software development shall be supervised and monitored by the             Mandatory Requirement 9
                    development           organization.
                    12.6 Technical vulnerability management
    12.6.1          Control of technical Timely information about technical vulnerabilities of information systems being     Mandatory Requirement 8
                    vulnerabilities       used shall be obtained, the organization's exposure to such vulnerabilities
                                          evaluated, and appropriate measures taken to address the associated risk.
                    13.1 Reporting information security events and weaknesses
    13.1.1          Reporting             Information security events shall be reported through appropriate management       Mandatory Requirement 12
                    information security channels as quickly as possible.
                    events
    13.1.2          Reporting security    All employees, contractors and third party users of information systems and        Mandatory Requirement 12
                    weaknesses            services shall be required to note and report any observed or suspected security
                                          weaknesses in systems or services.
                    13.2 Management of information security incidents and improvements
    13.2.1          Responsibilities and Management responsibilities and procedures shall be established to ensure a         Mandatory Requirement 12
                    procedures            quick, effective, and orderly response to information security incidents.
    13.2.2          Learning from        There shall be mechanisms in place to enable the types, volumes, and costs of       Mandatory Requirement 12
                    information security information security incidents to be quantified and monitored.
                    incidents

   13.2.3           Collection of         Where a follow-up action against a person or organization after an information          Mandatory Requirement 12
                    evidence              security incident involves legal action (either civil or criminal), evidence shall be
                                          collected, retained, and presented to conform to the rules for evidence laid down
                                          in the relevant jurisdiction(s).
                    14.1 Information security aspects of business continuity management
    14.1.1          Including              A managed process shall be developed and maintained for business continuity            Mandatory Requirement 4
                    information security throughout the organization that addresses the information security
                    in the business        requirements needed for the organisation's business continuity.
                    continuity
                    management
    14.1.2          Business continuity   Events that can cause interruptions to business processes shall be identified,        Mandatory Requirement 4
                    and risk assessment   along with the probability and impact of such interruptions and their
                                          consequences for information security.
    14.1.3          Developing and         Plans shall be developed and implemented to maintain or restore operations and         Mandatory Requirement 4
                    implementing           ensure availability of information at the required level and in the required time
                    continuity plans       scales following interruption to, or failure of, critical business processes.
                    including
                    information security
    14.1.4          Business continuity A single framework of business continuity plans shall be maintained to ensure all         Mandatory Requirement 4
                    planning framework plans are consistent, to consistently address information security requirements,
                                           and to identify priorities for testing and maintenance.
    14.1.5          Testing, maintaining Business continuity plans shall be tested and updated regularly to ensure that           Mandatory Requirement 4
                    and re-assessing       they are up to date and effective.
                    business continuity
                    plans
                    15.1 Compliance with legal requirements
    15.1.1          Identification of      All relevant statutory, regulatory and contractual requirements and the                Mandatory Requirement 6      Also HMG IA Standard 5
                    applicable legislation organisation's approach to meet these requirements shall be explicitly defined,
                                           documented, and kept up to date for each information system and the
                                           organization.
    15.1.2          Intellectual property Appropriate procedures shall be implemented to ensure compliance with                   Mandatory Requirement 6      Also HMG IA Standard 5
                    rights (IPR)           legislative, regulatory, and contractual requirements on the use of material in
                                           respect of which there may be intellectual property rights and on the use of
                                            proprietary software products.

   15.1.3           Protection of         Important records shall be protected from loss, destruction and falsification, in   Mandatory Requirement 6     Also HMG IA Standard 5
                    organizational        accordance with statutory, regulatory, contractual, and business requirements.
                    records

    15.1.4          Data protection and Data protection and privacy shall be ensured as required in relevant legislation,     Mandatory Requirement 6     Also HMG IA Standard 5
                    privacy of personal regulations, and, if applicable, contractual clauses.
                    information
    15.1.5          Prevention of misuse Users shall be deterred from using information processing facilities for             Mandatory Requirement 6     Also HMG IA Standard 5
                    of information        unauthorized purposes.
                    processing facilities
    15.1.6          Regulation of         Cryptographic controls shall be used in compliance with all relevant agreements,    Mandatory Requirement 6     Also HMG IA Standard 5
                    cryptographic         laws, and regulations.
                    controls
                    15.2 Compliance with security policies and standards and technical compliance
    15.2.1          Compliance with       Managers shall ensure that all security procedures within their area of             Mandatory Requirement 5
                    security policy and responsibility are carried out correctly to achieve compliance with security
                    standards             policies and standards.

    15.2.2          Technical            Information systems shall be regularly checked for compliance with security          Mandatory Requirement 5
                    compliance checking implementation standards.
                    15.3 Information systems audit considerations
    15.3.1          Information systems Audit requirements and activities involving checks on operational systems shall       Mandatory Requirement 5
                    audit controls       be carefully planned and agreed to minimize the risk of disruptions to business
                                         processes.
    15.3.2          Protection of        Access to information systems audit tools shall be protected to prevent any          Mandatory Requirement 5
                    information systems possible misuse or compromise.
                    audit tools

                                                                                                                                        ISO 27001 Control
 SPF Reference                                              Mandatory Requirements                                                              Area            Remarks
     MR 1      Departments and Agencies must establish an appropriate security organisation (suitably staffed and trained) with A.6.1.1
               clear lines of responsibility and accountability at all levels of the organisation. This must include a Board-level lead A.6.1.2
               with authority to influence investment decisions and agree the organisation's overall approach to security.              A.6.1.3
                                                                                                                                        A.8.1.1
      MR 2        Departments and Agencies must:                                                                                        A.6.1.1
                  * Adopt a holistic risk management approach covering all areas of protective security across their organisation.
                                                                                                                                        A.7.1.2
                  * Develop their own security policies, tailoring the standards and guidelines set out in this framework to the
                  particular business needs, threat profile and risk appetite of their organisation and its delivery partners.          A.8.2.1

      MR 3        Departments and Agencies must ensure that all staff are aware of Departmental security policies and understand        A.6.1.1
                  their personal responsibilities for safeguarding assets and the potential consequences of breaching security rules.   A.7.1.3
                                                                                                                                        A.8.2.2
      MR 4        Departments and Agencies must have robust and well tested policies, procedures and management arrangements A.5.1.1
                  in place to respond to, investigate and recover from security incidents or other disruptions to core business.     A.5.1.2
                                                                                                                                     A.10.5.1
                                                                                                                                     A.14.1.1
                                                                                                                                     A.14.1.2
                                                                                                                                     A.14.1.3
                                                                                                                                     A.14.1.4
                                                                                                                                     A.14.1.5
      MR 5        Departments and Agencies must have an effective system of assurance in place to satisfy their Accounting Officer / A.15.2.1
                  Head of Department and Management Board that the organisation's security arrangements are fit for purpose,         A.15.2.2
                  that information risks are appropriately managed, and that any significant control weaknesses are explicitly       A.15.3.1
                  acknowledged and regularly reviewed.                                                                               A.15.3.2
      MR 6        Departments and Agencies must have an information security policy setting out how they and any delivery               A.5.1.1
                  partners and suppliers will protect any information assets they hold, store or process (including electronic and      A.5.1.2
                  paper formats and online services) to prevent unauthorised access, disclosure or loss. The policies and procedures    A.6.1.3
                  must be regularly reviewed to ensure currency.                                                                        A.6.2.2
                                                                                                                                        A.15.1.1
                                                                                                                                        A.15.1.2
                                                                                                                                        A.15.1.3
                                                                                                                                        A.15.1.4
                                                                                                                                        A.15.1.5
                                                                                                                                        A.15.1.6
      MR 7        Departments and Agencies must ensure that information assets are valued, handled, shared and protected in line        A.7.1.1
                  with the standards and procedures set out in the Government Protective Marking System (including any special
                handling arrangements) and the associated technical guidance supporting this framework.

                                                                                                                                         A.7.2.1
                                                                                                                                         A.7.2.2
                                                                                                                                         A.10.7.4
                                                                                                                                         A.10.8.3
                                                                                                                                         A.10.8.4
                                                                                                                                         A.11.3.3
                                                                                                                                         A.11.4.1
                                                                                                                                         A.11.6.2
                                                                                                                                         A.12.5.4
MR 8
Mandatory Requirement: All ICT systems that handle, store and process protectively marked information or business critical data, or that are interconnected to cross-government networks or services (e.g. the Government Secure Intranet, GSI), must undergo a formal risk assessment to identify and understand relevant technical risks; and must undergo a proportionate accreditation process to ensure that the risks to the confidentiality, integrity and availability of the data, system and/or service are properly managed.
ISO 27001 Control Area: A.6.1.4, A.6.1.8, A.10.1.2, A.10.1.3, A.10.1.4, A.10.3.1, A.10.3.2, A.10.6.1, A.10.7.1, A.10.7.3, A.12.5.1, A.12.5.2, A.12.5.3, A.12.6.1

MR 9
Mandatory Requirement: Departments and Agencies must put in place an appropriate range of technical controls for all ICT systems, proportionate to the value, importance and sensitivity of the information held and the requirements of any interconnected systems.
ISO 27001 Control Area: A.6.1.5, A.9.2.5, A.9.2.6, A.9.2.7, A.10.6.2, A.10.7.2, A.10.8.1, A.10.8.2, A.10.8.5, A.10.10.1, A.10.10.2, A.10.10.3, A.10.10.4, A.10.10.5, A.10.10.6, A.11.2.1, A.11.2.2, A.11.2.3, A.11.2.4, A.11.4.2, A.11.4.3, A.11.4.4, A.11.4.5, A.11.4.6, A.11.4.7, A.11.5.1, A.11.5.2, A.11.5.3, A.11.5.4, A.11.5.5, A.11.5.6, A.11.6.1, A.11.7.1, A.11.7.2, A.12.3.1, A.12.3.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.5.5
MR 10
Mandatory Requirement: Departments and Agencies must implement appropriate procedural controls for all ICT (or paper-based) systems or services to prevent unauthorised access and modification, or misuse by authorised users.
ISO 27001 Control Area: A.6.1.5, A.6.2.2, A.10.1.1, A.11.1.1, A.11.2.1, A.11.2.2, A.11.2.3, A.11.2.4, A.11.3.1, A.11.3.2, A.11.3.2
MR 11
Mandatory Requirement: Departments and Agencies must ensure that the security arrangements among their wider family of delivery partners and third party suppliers are appropriate to the information concerned and the level of risk to the parent organisation. This must include appropriate governance and management arrangements to manage risk, monitor compliance and respond effectively to any incidents. Any site where third party suppliers manage assets at CONFIDENTIAL or above must be accredited to List X standards.
ISO 27001 Control Area: A.6.1.5, A.6.2.1, A.6.2.3, A.8.1.3, A.10.2.1, A.10.2.2, A.10.2.3

MR 12
Mandatory Requirement: Departments and Agencies must have clear policies and processes for reporting, managing and resolving Information Security Breaches and ICT security incidents.
ISO 27001 Control Area: A.6.1.6, A.8.2.3, A.13.1.1, A.13.1.2, A.13.2.1, A.13.2.2, A.13.2.3

MR 13
Mandatory Requirement: Departments must ensure that personnel security risks are effectively managed by applying rigorous recruitment controls, and a proportionate and robust personnel security regime that determines what other checks (e.g. national security vetting) and ongoing personnel security controls should be applied.
ISO 27001 Control Area: A.6.1.6, A.8.1.2

MR 14
Mandatory Requirement: Departments and Agencies must have in place an appropriate level of ongoing personnel security management, including formal reviews of national security vetting clearances, and arrangements for vetted staff to report changes in circumstances that might be relevant to their suitability to hold a security clearance.
ISO 27001 Control Area: A.8.1.2

MR 15
Mandatory Requirement: Departments must make provision for an internal appeals process for existing employees wishing to challenge National Security Vetting decisions and inform Cabinet Office Government Security Secretariat should an individual initiate a legal challenge against a National Security Vetting decision.
ISO 27001 Control Area: (none listed)

MR 16
Mandatory Requirement: Departments and Agencies must undertake regular security risk assessments for all sites in their estate and put in place appropriate physical security controls to prevent, detect and respond to security incidents.
ISO 27001 Control Area: A.12.1.1

MR 17
Mandatory Requirement: Departments and Agencies must implement appropriate internal security controls to ensure that critical, sensitive or protectively marked assets are protected against both surreptitious and forced attack, and are only available to those with a genuine "need to know". Physical security measures must be proportionate to level of threat, integrated with other protective security controls, and applied on the basis of the "defence in depth" principle.
ISO 27001 Control Area: A.9.1.3, A.9.2.1

MR 18
Mandatory Requirement: Departments and Agencies must put in place appropriate physical security controls to prevent unauthorised access to their estate, reduce the vulnerability of establishments to terrorism or other physical attacks, and facilitate a quick and effective response to security incidents. Selected controls must be proportionate to the level of threat, appropriate to the needs of the business and based on the "defence in depth" principle.
ISO 27001 Control Area: A.9.1.1, A.9.1.2, A.9.1.4, A.9.1.5, A.9.1.6

MR 19
Mandatory Requirement: Departments and Agencies must ensure that all establishments in their estate put in place effective and well tested arrangements to respond to physical security incidents, including appropriate contingency plans and the ability to immediately implement additional security controls following a rise in the Government Response Level.
ISO 27001 Control Area: (none listed)

MR 20
Mandatory Requirement: Departments and Agencies must be resilient in the face of physical security incidents, including terrorist attacks, applying identified security measures, and implementing incident management contingency arrangements and plans with immediate effect following a change to the Government Response Level.
ISO 27001 Control Area: (none listed)

                     HMG SPF v7 (October 2011) Mandatory Requirements

                                    Policy 1 - Governance and Security Approaches
                1      Departments and Agencies must establish an appropriate security organisation (suitably
                       staffed and trained) with clear lines of responsibility and accountability at all levels of the
                       organisation. This must include a Board-level lead with authority to influence investment
                       decisions and agree the organisation's overall approach to security.


                2      Departments and Agencies must:
                       * Adopt a holistic risk management approach covering all areas of protective security across
                       their organisation.
                       * Develop their own security policies, tailoring the standards and guidelines set out in this
                       framework to the particular business needs, threat profile and risk appetite of their
                       organisation and its delivery partners.
                3      Departments and Agencies must ensure that all staff are aware of Departmental security
                       policies and understand their personal responsibilities for safeguarding assets and the
                       potential consequences of breaching security rules.
                4      Departments and Agencies must have robust and well tested policies, procedures and
                       management arrangements in place to respond to, investigate and recover from security
                       incidents or other disruptions to core business.
                5      Departments and Agencies must have an effective system of assurance in place to satisfy their
                       Accounting Officer / Head of Department and Management Board that the organisation's
                       security arrangements are fit for purpose, that information risks are appropriately managed,
                       and that any significant control weaknesses are explicitly acknowledged and regularly
                       reviewed.




                                                 Policy 2 - Security of Information
                6      Departments and Agencies must have an information security policy setting out how they and
                       any delivery partners and suppliers will protect any information assets they hold, store or
                       process (including electronic and paper formats and online services) to prevent unauthorised
                       access, disclosure or loss. The policies and procedures must be regularly reviewed to ensure
                       currency.
                7      Departments and Agencies must ensure that information assets are valued, handled, shared
                       and protected in line with the standards and procedures set out in the Government Protective
                       Marking System (including any special handling arrangements) and the associated technical
                       guidance supporting this framework.
                8      All ICT systems that handle, store and process protectively marked information or business
                       critical data, or that are interconnected to cross-government networks or services (e.g. the
                       Government Secure Intranet, GSI), must undergo a formal risk assessment to identify and
                       understand relevant technical risks; and must undergo a proportionate accreditation process
                       to ensure that the risks to the confidentiality, integrity and availability of the data, system
                       and/or service are properly managed.
                9      Departments and Agencies must put in place an appropriate range of technical controls for all
                       ICT systems, proportionate to the value, importance and sensitivity of the information held
                       and the requirements of any interconnected systems.
                10     Departments and Agencies must implement appropriate procedural controls for all ICT (or
                       paper-based) systems or services to prevent unauthorised access and modification, or misuse
                       by authorised users.
                11     Departments and Agencies must ensure that the security arrangements among their wider
                       family of delivery partners and third party suppliers are appropriate to the information
                       concerned and the level of risk to the parent organisation. This must include appropriate
                       governance and management arrangements to manage risk, monitor compliance and respond
                       effectively to any incidents. Any site where third party suppliers manage assets at
                       CONFIDENTIAL or above must be accredited to List X standards.


                12     Departments and Agencies must have clear policies and processes for reporting, managing and
                       resolving Information Security Breaches and ICT security incidents.
                                               Policy 3 - Personnel Security
                13   Departments must ensure that personnel security risks are effectively managed by applying
                     rigorous recruitment controls, and a proportionate and robust personnel security regime that
                     determines what other checks (e.g. national security vetting) and ongoing personnel security
                     controls should be applied.
                14   Departments and Agencies must have in place an appropriate level of ongoing personnel
                     security management, including formal reviews of national security vetting clearances, and
                     arrangements for vetted staff to report changes in circumstances that might be relevant to
                     their suitability to hold a security clearance.
                15   Departments must make provision for an internal appeals process for existing employees
                     wishing to challenge National Security Vetting decisions and inform Cabinet Office
                     Government Security Secretariat should an individual initiate a legal challenge against a
                     National Security Vetting decision.


                               Policy 4 - Physical Security and Counter Terrorism
                16   Departments and Agencies must undertake regular security risk assessments for all sites in
                     their estate and put in place appropriate physical security controls to prevent, detect and
                     respond to security incidents.
                17   Departments and Agencies must implement appropriate internal security controls to ensure
                     that critical, sensitive or protectively marked assets are protected against both surreptitious
                     and forced attack, and are only available to those with a genuine "need to know". Physical
                     security measures must be proportionate to level of threat, integrated with other protective
                     security controls, and applied on the basis of the "defence in depth" principle.


                18   Departments and Agencies must put in place appropriate physical security controls to prevent
                     unauthorised access to their estate, reduce the vulnerability of establishments to terrorism or
                     other physical attacks, and facilitate a quick and effective response to security incidents.
                     Selected controls must be proportionate to the level of threat, appropriate to the needs of the
                     business and based on the "defence in depth" principle.


                19   Departments and Agencies must ensure that all establishments in their estate put in place
                     effective and well tested arrangements to respond to physical security incidents, including
                     appropriate contingency plans and the ability to immediately implement additional security
                     controls following a rise in the Government Response Level.
                20   Departments and Agencies must be resilient in the face of physical security incidents,
                     including terrorist attacks, applying identified security measures, and implementing incident
                     management contingency arrangements and plans with immediate effect following a change
                     to the Government Response Level.