ISO/IEC 27001:2005 BASED INFORMATION SECURITY MANAGEMENT SYSTEM INFORMATION SECURITY MANAGEMENT SYSTEM MANUAL


Date of Release of current version: Oct 25, 2010

Mynd Solutions Pvt. Ltd.
280, Udyog Vihar, Phase IV, Gurgaon Haryana

This document contains proprietary information for Mynd Solutions Pvt. Ltd. It must not be copied, transferred, shared in any form by any agency or personnel except for authorised internal distribution by Mynd Solutions, unless expressly authorized by Mynd Solutions in writing.

Pages 1 of 22 Approved By ISF

Document Control

The authorized version of this document is an electronic master stored in the document repository ( aware if you are reading an unstamped hardcopy of this document, it is to be considered uncontrolled. It is advised that the version of the document in the repository be matched with the unstamped hardcopy before using it.

Amendments to the document, if any, shall be submitted to the CISO for review; changes shall be made accordingly only by the ISM. They shall then be incorporated in every related document repository and entered in the document control log.

Document Release History

Sr. No | Version No. | Release Date | Prepared By | Reviewed By | Approved By | Reasons for New Release
 |  | July 21, 2010 | ISM | CISO | ISF | 1st version
 |  | October 6, 2010 | ISM | CISO | ISF | Refer document change log of version 1.1
 |  | October 25, 2010 | ISM | CISO | ISF | Refer document change log below
 |  | August 22, 2012 | ISM | CISO | ISF | Refer document change log below

Document Change Log

Sr. No | Change Description | Reference to Document Change Request Form | Authorized Signatory
1 | Line addition in Scope statement "In accordance with the Statement of Applicability (MS/ISMS/SOA) Version 1.1, Effective date: October 06," | NA | CISO/ISF
2 | Roles and responsibilities defined in Clause no. 5.1 Management Commitment | NA | CISO/ISF
3 | Legal, Regulatory and contractual requirements are added in clause no | NA | CISO/ISF
4 | Strategic risk management context added in the clause no | NA | CISO/ISF
5 | Risk evaluation criteria added in the clause no | NA | CISO/ISF
6 | Clause no.9 added (Annexure) | NA | CISO/ISF

Table of Contents

Front Page
Document Control
Table of Contents
Introduction
References, Acronyms & Profile of the Organization
Scope
Information Security Management System
Management Responsibility
Internal ISMS Audits
Management Review of ISMS
ISMS Improvement
Annexure

1. Introduction

This Information Security Management System Manual reflects the Information Security Management System being practiced at:

Mynd Solutions Pvt. Ltd.
280, Udyog Vihar, Phase IV, Gurgaon Haryana

This document is for the internal users who need to practice it and for authorized external users who want to know about the Information Security Management System (ISMS) being practiced at Mynd Solutions.

This Information Security Management System Manual reflects the intentions and commitment of Mynd Solutions Pvt. Ltd. in establishing and implementing an Information Security Management System as per the requirements of ISO/IEC 27001:2005.

This manual is an auditable and demonstrable document of Mynd Solutions. It is a confidential document: only authorized persons of Mynd Solutions are allowed to access it, and any change to the integrity of this document has to be recorded.

1.1 Terms and Definitions

Asset: anything that has value to an organization.

Confidentiality: the property that information is not made available or disclosed to unauthorized individuals, entities, or processes.

Integrity: the property of safeguarding the accuracy and completeness of assets.

Availability: the property of being accessible and usable upon demand by an authorized entity.

Control: means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of administrative, technical, management, or legal nature.

Information security management system (ISMS): that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security. NOTE: The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.

Information security: preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.

Risk assessment: overall process of risk analysis and risk evaluation.

Risk evaluation: process of comparing the estimated risk against given risk criteria to determine the significance of the risk.

Risk analysis: systematic use of information to identify sources and to estimate the risk.

Risk management: coordinated activities to direct and control an organization with regard to risk.

Risk treatment: process of selection and implementation of measures to modify risk.

Statement of applicability: documented statement describing the control objectives and controls that are relevant and applicable to the organization's ISMS.

2. References, Acronyms & Profile of the organization

2.1 References

ISO/IEC 27001:2005, Information Technology - Security techniques - Information Security Management Systems - Requirements

2.2 Acronyms

Acronym | Description
CISO | Chief Information Security Officer
ISM | Information Security Manager
ISF | Information Security Forum
HRD | Human Resources Department
ISO | International Organization for Standardization
ISMS | Information Security Management System
MRM | Management Review Meeting
SOA | Statement of Applicability
NDA | Non Disclosure Agreement

2.3 Profile of the Mynd Solutions Pvt. Ltd.

Mynd Solutions provides a better way to manage important business processes including Finance & Accounts, Payroll & Retirals benefits management, Manpower Outsourcing, Data processing, CRM, Commercial & Record keeping. Having started in 1997 with a small 5 people team, today we are a family of 1000 people and have a pan India presence with offices in Delhi, Mumbai, Bangalore, Haryana, Punjab and Himachal Pradesh and also a centrally located backend processing facility at Gurgaon measuring approx sq. ft.

Our goal is to be a trusted partner in each and every client's business by bringing value on our clients' terms, serving as an extension of our client's business, delivering service excellence coupled with innovative solutions, and shaping our services to reflect the changing dynamics of today's workplace.

Mynd Solutions has been awarded as the top emerging company under the category EMERGE GROWTH for the year by NASSCOM

3 Scope

The Information Security Management System at Mynd Solutions Pvt. Ltd. covers
- Core Processes: HRO (HRIS, Payroll & compliance), Vendor Help Desk, Accounts Payable & Accounts Receivable and Fixed Asset Management.
- Support Functions: Information Technology, Administration & Facility Management, Human Resources.
- Location: 280, Phase IV, Udyog Vihar, Gurgaon , Haryana.

In accordance with the Statement of Applicability (MS/ISMS/SOA) Version 1.1, Effective date: October 06,

The scope of ISMS is further elaborated in Table 2.

Table 2:

Location
The Mynd Solutions corporate office located in India at the following location is covered under the scope for this ISMS: 280, Phase IV, Udyog Vihar, Gurgaon , Haryana

Personnel
All Mynd Solutions employees at the above mentioned location. In addition, third party vendors are also covered under the scope of the ISMS. These users include:
- Canteen staff
- Physical security staff

- Housekeeping staff
- External consultants in the facilities department
- Contract personnel
- Third party IT vendor

Physical Assets
All physical assets which are in use by Mynd Solutions for business operations at the above mentioned location. Physical assets of Mynd Solutions are inclusive but not limited to the following:
- Servers
- Workstations
- Backup devices
- Security, Network and communication equipment
- Printers, scanners and Fax machines
- CDs, DVDs, Floppies and backup tapes
- Internet, Leased lines and communication links

Software
All software assets of Mynd Solutions. The software assets of Mynd Solutions are inclusive but not limited to the following:
- Tools/Business applications developed by Mynd Solutions or bought from market for internal use

Information Assets
All information assets, both in electronic media and hard copies that are in use in Mynd Solutions are considered in the scope of the ISMS.
The electronic information assets of Mynd Solutions are inclusive but not limited to the following:
- Databases and data files for all business activities
- Accounting information
- MIS reports
- Product and process related artifacts
- Budget Information
- Systems configuration files
- Intellectual property of Mynd Solutions
- Operational policies and procedures in electronic format
The paper assets / hard copies of Mynd Solutions are like the following:
- Contractual documents
- Statutory records
- Access log register

- Policy / Procedure documents in hard copies

Services
Services supporting the computing infrastructure and work environment of Mynd Solutions such as internet, power supplies, air conditioning, UPS, EPABX etc. are considered in the scope of ISMS.

Scope Limitation
The scope does not include any other offices / facilities of Mynd Solutions and / or any other group entities of Mynd Solutions. (Reference table no 2.1)
Further the scope does not include:
- Service delivery (core process): IFRS, Data management, Manpower outsourcing and consultancy. Justification for exclusion: These processes are under development.
- Support process: Finance & Business Development

Table 2.1
Locations: Gurgaon - U.V | Delhi - Okhla | Delhi - East of Kailash | Delhi - NFC | Mumbai | Bangalore
Services: HRO (HRIS, Payroll Management & Compliance) | FAM | AP & AR | VHD | IFRS | Data Management | Manpower Outsourcing | Consultancy

4 Information Security Management System

4.1 General Requirements

The top management of the organization has identified, documented and established the Processes along with their associated Records. All the processes are managed in accordance with the requirements of ISO/IEC 27001:2005.

All outsourced processes that affect security are ensured to have appropriate controls. Such controls of outsourced processes are identified in the risk assessment / management register.

4.2 Establishing and Managing the ISMS

Establish the ISMS

To establish the ISMS, Mynd Solutions has implemented the following activities:

a) The scope of the ISMS has been defined in terms of the characteristics of the business, the organization, its location, assets and technology (Refer clause 3 of this manual).

b) Information Security Policy
Information Security Policy is covered in Mynd's Information Security Policy. Reference for the Mynd's Information Security Policy is MS/ISMS/ISP Information Security Policy.

Legal, Regulatory and Contractual requirements: All the applicable legal, regulatory and contractual requirements have been identified and are listed below:
1. Shops and Establishments Act
2. Central Sales Tax Act
3. State Sales Tax Act
4. Companies Act
5. Income Tax Act
6. FEMA
7. PF
8. ESI
9. PTAX
10. NOC-Fire
11. IT Act 2000
A legal register is maintained by ISM detailing the compliance frequency and compliance responsibility.

Strategic Risk Management: Strategic risk management is continuously considered in business goal setting and results in discernible business value through investments in IT. Risk and value added considerations are continuously updated in the IT strategic planning process. The overall IT strategy includes a consistent definition of risks that the organization is willing to take. Realistic long-range IT plans are developed and constantly being updated to reflect changing technology and business-related developments. Short-range IT plans contain project task milestones and deliverables, which are continuously monitored and updated as changes occur.

Risk Evaluation Criteria: These criteria are measures against which the types of impact are evaluated. The impact is rated on a scale of low, medium and high. While calculating the risk, the probability of exploitation of a particular vulnerability is considered along with the impact. Risk is further categorized into three levels: Low, Medium and High. A risk level matrix is used to determine the risk level.

ISMS Objectives
- Ensure the availability of data and processing resources.
- Ensure integrity of data processing operations and protect them from unauthorized use.
- Ensure the confidentiality of the customer's and Mynd Solutions' processed data, and prevent unauthorized disclosure or use.
- Ensure integrity of the customer's and Mynd Solutions' processed data (organization's information assets), and prevent the unauthorized and undetected modification, substitution, insertion, and deletion of that data.
- Provide a comprehensive Business Continuity Plan encompassing the entire organization.
- Identify the value of information assets and understand their threats & vulnerabilities through appropriate risk assessment.
- Manage the risks to an acceptable level through design, implementation and maintenance of a formal Information Security Management System.
- Comply with applicable legal, regulatory and contractual requirements.
- Commitment to compliance with ISO/IEC 27001:2005 requirements.

c) Risk Assessment Approach
Mynd Solutions has identified the method of risk assessment which is suited to its ISMS, and the identified business information security, legal and regulatory requirements. The criteria for accepting the risk along with the acceptable levels of risk are also mentioned.
Reference: Risk Assessment Methodology

d) Risks Identification
1. The information assets and their owners have been identified within the scope of the ISMS.
2. The threats to these assets have been identified and shall be regularly updated.
3. The vulnerabilities that might be exploited by the threats have been identified.
4. The impacts analysis affecting confidentiality, integrity and availability with regard to the assets have been suitably identified.
Reference: Records of Asset register & Asset risk Assessment.

e) Risks Analysis and Evaluation
1) Harm to the business that might result from a security failure, taking into account the potential consequences of a loss of confidentiality, integrity or availability of the assets, has been assessed and shall be assessed regularly.
2) The realistic likelihood of such a security failure occurring in the light of prevailing threats and vulnerabilities and impacts associated with these assets, and the controls implemented, shall be assessed regularly.
3) The levels of risks have been analyzed and categorized.
4) Whether the risk is acceptable or requires treatment has been determined using the criteria established.

f) Identification and evaluation of the risk treatment options
1) Appropriate controls have been applied;
2) Risk acceptance wherever they clearly satisfy the organization's policy and the criteria for accepting the risk;
3) Avoiding the risks;
4) Transferring the associated business risks to other parties, e.g. insurers, suppliers.

g) Select control objectives and controls for the treatment of risks
Appropriate control objectives and controls have been selected from Annexure A of ISO/IEC 27001:2005; the selection is justified on the basis of the conclusions of the risk assessment and risk treatment process.

h) Management approval has been obtained for the proposed residual risks.

i) Management authorization has been obtained to implement and operate the ISMS.

j) Statement of Applicability
The control objectives and controls selected, with the reasons for their selection, are documented in the Statement of Applicability (SOA). The exclusion of any control objectives and controls listed in Annexure A are also recorded. For further details, refer MS/ISMS/SOA Statement of Applicability.

Implement and Operate the ISMS

To implement and operate the ISMS, Mynd Solutions has done the following activities:

a) A risk treatment plan that identifies the appropriate management action, responsibilities and priorities for managing information security risks has been formulated. Reference: Risk Treatment Plan MS/ISMS/RTP Version 1.0.

b) The risk treatment plan, which includes consideration of funding and allocation of roles and responsibilities, has been implemented in order to achieve the identified control objectives.
c) The controls as per 4.2.1g have been implemented to achieve the control objectives.
d) The methods of measuring the effectiveness of controls are defined. Reference: Measurement of Effectiveness of controls sheet.
e) The training and awareness program has been conducted for all the employees of Mynd Solutions Pvt. Ltd.
f) The entire operation of Mynd Solutions ISMS is managed by CISO.
g) The resources required for implementing and operating the ISMS have been identified and provided by the management.
h) The procedures and other controls capable of enabling prompt detection of and response to security incidents have been implemented.

Monitor and Review the ISMS

The monitoring and review of Mynd Solutions ISMS shall be done as follows:

a) Execute, monitor procedures and other controls to:
   - promptly detect errors in the results of processing;
   - promptly identify failed and successful security breaches and incidents;
   - enable management to determine whether the security activities delegated to people or implemented by information technology are performing as expected;
   - help detect security events and thereby prevent security incidents by the use of indicators; and
   - determine the actions taken to resolve a breach of security reflecting business priorities.
b) Regular reviews of the effectiveness of the ISMS, which include but are not limited to meeting security policy and objectives, review of security controls, results of security audits, incidents, suggestions and feedback from all interested parties etc., shall be taken into consideration.
c) Measure the effectiveness of controls to verify that security requirements have been met. Reference: Measurement of Effectiveness of controls sheet.
d) Review the level of residual risk and acceptable risk, taking into account changes to:
   - the organization
   - technology
   - business objectives and processes
   - identified threats
   - effectiveness of implemented controls; and
   - external events, such as changes to the legal or regulatory environment and changes in social climate
e) Internal ISMS audits every 6 months.
f) Management review of the ISMS is done every 6 months, to ensure that the scope remains adequate and improvements in the ISMS process are identified.
g) Security plans to be updated to take into account the findings of monitoring and reviewing activities.
h) The actions and events that could have an impact on the effectiveness or performance of the ISMS shall be recorded.

Maintain and Improve the ISMS

Mynd Solutions maintains and improves the ISMS taking into consideration the following:
a) The identified improvements in the ISMS are implemented.
b) Shall take appropriate corrective actions and preventive actions and also apply the lessons learnt from the security experiences of other organizations and also those of the organization itself.
c) Communicate the results, actions for improvement and agree with all interested parties.
d) To ensure that the improvements achieve their intended objectives.

4.3 Documentation Requirements

General

Mynd Solutions Information Security Management System is documented, implemented and evaluated for its effectiveness at regular intervals. It is compatible with its size and complexity of processes and competence of its people. Information Security Management System (ISMS) manual documentation includes:
a) Documented Statements of the ISMS Policy and Objectives (Refer Section 4.2.1b).
b) Scope of ISMS (Refer Section 4.2.1a) and

c) Procedures and Controls in support of the ISMS (Refer Master list of documents and records)
d) Risk Assessment Methodology (Reference: Risk Assessment Methodology - MS/ISMS/RAM)
e) Risk Assessment Report & an Information Asset Register (Reference: Risk Assessment Report and Asset Register)
f) Risk Treatment Plan (Reference MS/ISMS/RTP)
g) Documented procedures needed to ensure the effective planning, operations and control of information security processes
h) Records as required by ISO/IEC 27001:2005 (Reference Master list of Documents and Records - MS/ISMS/MLDR)
i) Statement of Applicability (Reference MS/ISMS/SOA)

Master list of documents and Records (MS/ISMS/MLDR) provides the complete list of documents and records.

Where the term documented procedure appears within this ISMS manual, this means that the procedure is established, documented, implemented and maintained.

Control of Documents

A common documented procedure to control all the ISMS documents including the external documents has been established (Reference MS/ISMS/COD).
1. Each ISMS document is identified by its name and approved for adequacy prior to issue. The ISMS documents are maintained in electronic form.
2. ISM maintains the electronic copies for the following:
   a) Master Copy of Documents;
   b) Master Copy of Records;
   c) Obsolete copy of Documents;
   d) Obsolete copy of Records
3. All the latest documents are kept in the appropriate electronic folder (master copy). The details of documents held are recorded and maintained in the Master List of Documents.
4. All the latest ISMS formats/records are kept in the appropriate electronic folder (master copy). The details of ISMS formats/records held are recorded and maintained in the Master List of Records.

5. The proper back up of these folders is taken once in a month.
6. ISM maintains current revision status of the documents, and a process has been established to reflect the revision status on the documents.
7. Changes to documents are initiated through document change requests (DCR).
8. CISO is authorized and responsible for review and approval of all changes.
9. Control on external documents is limited to identification and issue.
10. The extent of control on customer supplied documents and data shall be as contractually agreed.

Control of Records

A documented process is established for identification, collection, indexing, access, filing, storage, maintenance and disposition of ISMS records (Reference MS/ISMS/COR).
1. The ISMS records are maintained either in soft copies or in hard copies.
2. Each ISMS record is identified by its name.
4. ISM maintains the Master List of Records, which identifies the current revision status.
5. All ISMS records are legible, readily identifiable and retrievable.
6. Retention period of ISMS records is reflected in the list maintained by the ISM; the minimum retention period is six months.
7. Records of all occurrences of security incidents related to ISMS are maintained.
Examples of records are a visitors book, audit reports and completed access authorization forms.

5 Management Responsibility

5.1 Management Commitment

The top management of Mynd Solutions has provided the evidence of commitment to the establishment, implementation, operation, monitoring, review, maintenance and improvement of the ISMS by:

a) Establishing the Information Security Policy.
b) Ensuring the information security objectives & plans are established.
c) Establishing the roles and responsibility for information security.
d) Communicating to the organization the importance of meeting information security objectives and conforming to the information security policy, its responsibilities under the law and the need for continual improvement.
e) Providing required resources to establish, implement, operate, monitor, maintain, review and improve the ISMS.
f) Deciding an acceptable level of risk & the criteria for accepting the risk.
g) Ensuring internal security audits are conducted.
h) Conducting the Management Review at specified intervals.

The roles and responsibilities within ISMS are as mentioned below:

Information Security Forum (ISF): ISF comprises Top Management and shall be accountable for all Information Security initiatives and monitoring of the same across the organization.

Chief Information Security Officer (CISO): CISO guides the entire organization and ensures that ISMS is implemented across Mynd Solutions Pvt. Ltd., ensuring security of Information and Information processing assets. CISO chairs the Management review and ensures the provision of resources for ISMS improvement.

Information Security Manager (ISM): Information Security Manager shall be responsible to establish, implement, monitor and continually improve the Information Security Management System (ISMS). The role of ISM is also to ensure the timely completion of activities which have been planned and coordinate with all the other departments to arrange for the necessary interviews, training etc.

Information Security Officers (ISOs): ISOs shall comprise personnel from various functions and they shall be responsible for supporting, monitoring, managing and implementation of ISMS processes across their functions.

Information Technology Team: They shall be responsible for implementation of technology controls.

All process owners will check for compliance with the policy within their area of responsibility. They will take part in carrying out risk assessment and risk treatment plans.

All users will abide by ISMS policy and all other related policies and procedures. They will also report security incidents and weaknesses to their respective process owners and Incident Management Group.

5.2 Resource Management

Provision of Resources

Mynd Solutions has determined and provided the resources needed to:
a) Establish, implement, operate and maintain, review, monitor and improve the ISMS.
b) Ensure that information security procedures support the business requirements;
c) Identify and address legal and regulatory requirements and contractual security obligations;
d) Maintain adequate security by correct application of all implemented controls;
e) Carry out reviews when necessary, and react appropriately to the results of these reviews; and
f) Where required, improve the effectiveness of the ISMS.

ISMS is implemented in all divisions of Mynd Solutions and is the responsibility of every individual.

Responsibility: Top Management/CISO & ISM

Training, Awareness and Competence

A process to ensure the following at Mynd Solutions has been established and is being practiced:
a) The minimum qualification, ideal experience and skills set required for each post / designation at Mynd Solutions are defined.
b) The competence level of all personnel performing work affecting the ISMS shall be evaluated once in a year.
c) The personnel falling below the required competency level shall be identified.
d) The required training or actions shall be taken so as to improve the competency level of the personnel identified.
e) The effectiveness of the actions taken shall be evaluated.
f) All records relating to the education, training, skills and experience shall be maintained.

Responsibility: Head HR

6 Internal ISMS Audits

Internal audits are conducted once in six months to determine whether the control objectives, controls, processes and procedures of the ISMS conform to the requirements of the standard and relevant legislation or regulations and to the identified information security requirements, and are effectively implemented, maintained and performing as expected.

An internal audit is planned taking into consideration the status and importance of the processes and the areas to be audited, as well as the results of previous audits. The audit criteria, scope, frequency and methods are defined. Selection of auditors and conducting audits ensure objectivity and impartiality of the audit process. Auditors shall not audit their own work.

The ISM is responsible for planning audits, organizing audits, reporting results and maintaining records.

The personnel responsible for the process being audited shall ensure that actions are taken without undue delay to eliminate detected nonconformities and their causes. Improvement activities include verification of the actions considered and the reporting of verification results.

a) A documented procedure has been established for conducting Internal Audits to verify the compliance of the ISMS and also to determine the effectiveness of the ISMS (Reference: MS/ISMS/COD).
b) Internal Audits are conducted at least once in six months. The plan for audits is maintained by the ISM.
c) Scheduling of audits is based on the status and importance of the activity.
d) It is ensured that the personnel conducting the audit are independent of the activity being audited.
e) Audits are conducted by qualified Auditors. CISO shall arrange the training for Internal Security Auditors.
f) The Process for Internal Audit shall take care of the recording of the audit results. The findings are reflected in the audit reports. The findings of audits are brought to the notice of personnel responsible for taking the corrective / preventive actions as applicable.
g) ISM shall monitor the conduct of follow-up audits. The completion and effectiveness of corrective / preventive actions taken shall be verified in the follow-up audits.
h) Results of Internal Audits shall be discussed in MRM.

7 Management review of the ISMS

7.1 General

1. Management Review of the ISMS is done at least once in six months.
2. Management Review Meeting is coordinated by the ISM, and the Management Review Committee comprises the following personnel:
   a) Board of Directors
   b) CISO
   c) ISM
   d) Functional/departmental Heads
   e) Any other person at the discretion of CISO

During the MRM, the ISMS is reviewed for the following:
- To ensure continuing suitability, adequacy and effectiveness of the ISMS, Security Policy and Security Objectives;
- To continually improve the ISMS.

Reference: Procedure for Management Review MS/ISMS/MRM

7.2 Review Input

The following inputs are received, coordinated and presented in the Management Review Meeting by ISM:
a) Follow-up actions from previous MRM's decisions;
b) Security incidents reported and recorded;
c) Status of corrective and preventive actions taken;
d) Results of security audit reports;
e) Training needs;
f) Status of resources like Human Resources, infrastructure and working environment;
g) Resource requirements;
h) Customer feedback;
i) Repeated non-conformances, if any;
j) Recommendations for improvement;
k) Any other relevant points.

7.3 Review Output

In the MRM, the various inputs received are reviewed with the following objectives and decisions / actions are decided as required:
a) To verify and improve the effectiveness and efficiency of the ISMS;
b) Update of the risk assessment and risk treatment Plan.
c) To take the appropriate actions so as to continually improve the ISMS related to organization and customer requirements;
d) To provide the necessary resources.
e) Any modifications to procedures that effect information security to respond to internal or external events that may impact on the ISMS, including business requirements, security requirements, business process effecting the existing business requirements, regulatory or legal, levels of risk and/or levels of risk acceptance and resources needed.

8 ISMS Improvement

8.1 Continual Improvement

The top management continually improves the effectiveness of the ISMS through the use of the information security policy, security objectives, audit results, analysis of monitored events, corrective and preventive actions and management review.

8.2 Corrective Action

The top management takes action to eliminate the cause of nonconformities associated with the implementation and operation of the ISMS in order to prevent recurrences. The documented procedure (MS/ISMS/CAPA) defines requirements for:
a) Identifying nonconformities of the implementation and/or operation of ISMS
b) Determining the causes of nonconformities
c) Evaluating the need for actions to ensure that nonconformities do not recur
d) Determining and implementing the corrective action needed
e) Recording results of action taken
f) Reviewing of corrective action taken

8.3 Preventive Action

The top management determines action to guard against future nonconformities in order to prevent their occurrence. Preventive actions taken shall be appropriate to the impact of the potential problems. The documented procedure (MS/ISMS/CAPA) shall define requirements for:
a) Identifying potential nonconformities and their causes
b) Determining and implementing the preventive actions needed
c) Recording the results of action taken
d) Reviewing the preventive action taken
e) Identifying changed risks and ensuring that attention is focused on significantly changed risks

The priorities of preventive actions are determined based on the results of the risk assessment.

9 Annexure

(I) LIST OF MANAGEMENT DOCUMENTS

S. No.   Document Description                    Document Reference
1.       Statement Of Applicability              MS/ISMS/SOA
2.       Master list of Documents and Records    MS/ISMS/MLDR
3.       ISMS Manual

(II) LIST OF ISMS MANDATORY PROCEDURES

S. No.   Document Reference   Document Name                              Clause No.
1        MS/ISMS/COD          Control of Documents
2        MS/ISMS/COR          Control of Records
3        MS/ISMS/CAPA         Corrective Action and Preventive Action
4        MS/ISMS/IIA          Procedure for Internal ISMS Audit          &

5        MS/ISMS/RAM          Risk Assessment Methodology (Risk Assessment Procedure)
6        MS/ISMS/MRM          Procedure for Management Review Meeting
8        MS/ISMS/EOC (Effectiveness of Control)   Procedure for Effectiveness of Control and Adequacy
Clause No.: c- h 5.6 & 8.4, f

(III) LIST OF ISMS POLICIES

S. No.   Document Description                      Document Reference
1        Acceptable Usage Policy                   MS/ISMS/AUP
2        Antivirus Policy                          MS/ISMS/AP
3        Change Management Policy                  MS/ISMS/CMP
4        Classifying Information and Data Policy   MS/ISMS/CIDP
5        Clear Desk and Clear Screen Policy        MS/ISMS/CDCS
6        Policy                                    MS/ISMS/EMP
7        Incident Management Policy                MS/ISMS/IMP
8        Information Security Policy               MS/ISMS/ISP
9        IT Mobile and Computing Policy            MS/ISMS/IMCP
10       Password Policy                           MS/ISMS/PP
11       Personnel Security Policy                 MS/ISMS/PSP
12       Physical Security Policy                  MS/ISMS/PHSP
13       Third Party Provider Policy               MS/ISMS/TPP


More information

Quality Manual ISSUED JANUARY Approved By: January 12, 2004 (President & Chief Executive Officer)

Quality Manual ISSUED JANUARY Approved By: January 12, 2004 (President & Chief Executive Officer) Quality Manual ISSUED JANUARY 2004 Approved By: January 12, 2004 (President & Chief Executive Officer) (Date) Quality Policy To be the industrial control industry's most preferred supplier of sensor integration

More information

QUALITY MANAGEMENT SYSTEM QUALITY MANUAL

QUALITY MANAGEMENT SYSTEM QUALITY MANUAL AERO SUPPLY USA 21941 US HWY 19 NORTH Clearwater, FL. 33765 USA P.(727) 754-4915 F.(727) 754-4920 Website: www.aerosupplyusa.com Email: sales@aerosupplyusa.com QUALITY MANAGEMENT SYSTEM QUALITY MANUAL

More information

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Information security management systems Requirements

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Information security management systems Requirements INTERNATIONAL STANDARD ISO/IEC 27001 First edition 2005-10-15 Information technology Security techniques Information security management systems Requirements Technologies de l'information Techniques de

More information

Odyssey Electronics, Inc Fairlane Livonia, MI 48150

Odyssey Electronics, Inc Fairlane Livonia, MI 48150 12886 Fairlane Livonia, MI 48150 Table of Contents Section Topic 1 Revision history 2 Review and approval 3 Organizational chart 4 Quality management system 4.1 General requirements 4.2 Documentation requirements

More information

Association of American Railroads Quality Assurance System Evaluation (QASE) Checklist Rev. 1/12/2017

Association of American Railroads Quality Assurance System Evaluation (QASE) Checklist Rev. 1/12/2017 Company: Prepared By: Date: Changes from previous version highlighted in yellow. Paragraph Element Objective Evidence 2.1 Objective of Quality Assurance Program 2.2 Applicability and Scope 2.3 QA Program

More information

PROOF/ÉPREUVE A ISO INTERNATIONAL STANDARD. Environmental management systems Specification with guidance for use

PROOF/ÉPREUVE A ISO INTERNATIONAL STANDARD. Environmental management systems Specification with guidance for use INTERNATIONAL STANDARD ISO 14001 First edition 1996-09-01 Environmental management systems Specification with guidance for use Systèmes de management environnemental Spécification et lignes directrices

More information

SYSTEMKARAN ADVISER & INFORMATION CENTER QUALITY MANAGEMENT SYSTEM ISO9001:

SYSTEMKARAN ADVISER & INFORMATION CENTER QUALITY MANAGEMENT SYSTEM ISO9001: SYSTEM KARAN ADVISER & INFORMATION CENTER QUALITY MANAGEMENT SYSTEM ISO9001:2015 WWW.SYSTEMKARAN.ORG 1 WWW.SYSTEMKARAN.ORG Foreword... 5 Introduction... 6 0.1 General... 6 0.2 Quality management principles...

More information

PRECISE INDUSTRIES INC. Quality Manual

PRECISE INDUSTRIES INC. Quality Manual PRECISE INDUSTRIES INC Revision N Issued July 5, 2017 Conforms to AS9100 Rev. D and ISO 9001:2015 Copyright Year2017 [PRECISE INDUSTRIES INC]; all rights reserved. This document may contain proprietary

More information

ANCHOR ISO9001:2008 RPR-006 MARINE SERVICES REQUIRED PROCEDURE PREVENTATIVE ACTION

ANCHOR ISO9001:2008 RPR-006 MARINE SERVICES REQUIRED PROCEDURE PREVENTATIVE ACTION CONTROL OF CORRECTIVE ACTION (8.5.3) Document Control Revision History PAGE REASON FOR CHANGE REV. REVIEWER / AUTHORISED BY: RELEASE DATE: ALL NEW DOCUMENT A J.BENTINK 21/03/2013 ALL REVIEW No Change 14-15

More information

25 D.L. Martin Drive Mercersburg, PA (717)

25 D.L. Martin Drive Mercersburg, PA (717) EMS MANUAL D. L. MARTIN CO. 25 D.L. Martin Drive Mercersburg, PA 17236 (717) 328-2141 Revision 13 January 2017 Kip Heefner Environmental Management Representative Daniel J. Fisher President & CEO D.L.

More information

QUALITY MANAGEMENT SYSTEM MANUAL ISO 9001:2008

QUALITY MANAGEMENT SYSTEM MANUAL ISO 9001:2008 QUALITY MANAGEMENT SYSTEM MANUAL ISO 9001:2008 Revision: 9 Issue Date: 28 April 2014 CONTROLLED COPY Number: Issued to: UNCONTROLLED COPY A.M.S. Electronics, Inc. 113 Pillow Street, Butler, PA 16001 (724)

More information

QUALITY MANAGEMENT SYSTEM POLICIES AND PROCEDURES

QUALITY MANAGEMENT SYSTEM POLICIES AND PROCEDURES QUALITY MANAGEMENT SYSTEM POLICIES AND PROCEDURES Origination Date: XXXX Document Identifier: Date: Document Revision: QMS-00 QMS Policies and Procedures Latest Revision Date Abstract: This handbook documents

More information