ISO IEC 17799 2000

TRANSLATED INTO PLAIN ENGLISH

Section 4: Organizational Structure

DETAILED STANDARD

ISO IEC 17799 2000 is now OBSOLETE.

Please see the NEW ISO IEC 27002 2013 Standard.

Praxiom

4.1 ESTABLISH A SECURITY INFRASTRUCTURE

Establish a management framework to control how your organization implements information security.

Establish a management forum that you can use to review and approve your information security policy.

Establish a management forum to co‑ordinate and control the implementation of your organization's information security program.

Establish a management forum that you can use to assign information security roles and responsibilities.

Make sure that you have access to information security experts and advisors within your own organization.

Make sure that your internal experts are able to provide specialized information security advice.

Make sure that you have access to external information security experts and advisors.

Make sure that your external advisors help you to monitor changes in information security standards and methods.

Make sure that your external information security experts and advisors help you to deal with security incidents.

Make sure that your organization encourages the use of a multi‑disciplinary approach to information security.

4.1.1 SET UP A MANAGEMENT INFORMATION SECURITY FORUM

Assign the responsibility for information security to a single manager within your organization.

Establish a management forum that you can use to support information security initiatives.

Make sure that your security management forum promotes the importance of information security.

Make sure that your security management forum ensures that adequate resources are provided to support security.

Make sure that your security management forum reviews and approves your information security policy.

Make sure that your security management forum reviews and approves information security responsibilities.

Make sure that your security management forum monitors major security threat changes and trends.

Make sure that your security management forum monitors how exposed your information assets are.

Make sure that your security management forum monitors and reviews information security incidents.

Make sure that your security management forum reviews and approves improvements in information security.

4.1.2 CO-ORDINATE INFORMATION SECURITY IMPLEMENTATION

Establish a management forum that you can use to co‑ordinate the implementation of security controls.

Make sure that management forum members represent all relevant areas of your organization.

Make sure that your security management forum distributes information security roles and responsibilities throughout your organization.

Make sure that your security management forum reviews and approves information security methods and techniques.

Make sure that your security management forum approves and supports information security initiatives.

Make sure that your security management forum ensures that security is considered during the information planning process.

Make sure that your security management forum evaluates the adequacy of security controls that will be used to protect new information systems or services.

Make sure that your security management forum co‑ordinates the implementation of security controls that will be used to protect new information systems and services.

Make sure that your security management forum reviews and evaluates information security incidents.

Make sure that your security management forum promotes the importance of information security throughout your organization.

4.1.3 ALLOCATE INFORMATION SECURITY RESPONSIBILITIES

Define the responsibilities that control how individual information assets should be protected.

Define the responsibilities that control how your information security processes should be carried out.

Make sure that your information security policy describes how security roles and responsibilities are distributed throughout your organization.

Define how specific information security roles and responsibilities are distributed amongst various sites.

Define how specific information security roles and responsibilities are distributed amongst systems.

Define how specific information security roles and responsibilities are distributed amongst services.

Define how the responsibility for each individual physical asset is allocated at the local level.

Define how the responsibility for each individual information asset is allocated at the local level.

Define how the responsibility for each individual security process is allocated at the local level.

Appoint an information security manager.

Make sure that your information security manager has been given the responsibility for developing your security program.

Make sure that your information security manager has been given the responsibility for implementing your security program.

Make sure that your information security manager has been given the responsibility for identifying security controls.

Appoint an owner for each information asset.

Make sure that asset owners have been given the responsibility for the security of their information assets.

Allow your asset owners to delegate specific security responsibilities to other managers or service providers, but keep the owners responsible for the security of their assets.

Make sure that asset owners ensure that delegated security responsibilities are clearly and completely stated.

Make sure that delegated responsibilities for information assets and security processes have been clearly and completely defined.

Make sure that you document all delegated responsibilities for information assets and security processes.

Make sure that you define and document all delegated authorization levels for information assets and security processes.

Make sure that your asset owners ensure that delegated security responsibilities are properly carried out.

4.1.4 ESTABLISH AUTHORIZATION PROCESS FOR NEW FACILITIES

Establish a management authorization process to control new information processing facilities.

Make sure that user managers approve of the purpose and authorize the use of all new information processing facilities.

Make sure that the manager responsible for maintaining your information security environment authorizes new information processing facilities.

Make sure that the manager responsible for maintaining your information security environment ensures that your new information processing facilities meet all security requirements and policies.

Check new hardware to ensure that it will be compatible with existing system components.

Check new software to ensure that it will be compatible with existing system components.

Control the business use of personally owned information processing facilities, such as laptops, home computers, and hand‑held devices.

Evaluate personally owned information processing facilities before they are used to process business information.

Authorize the use of personally owned information processing facilities before they are used to process business information.

4.1.5 IDENTIFY SPECIALIZED INFORMATION SECURITY ADVISORS

Identify an in‑house information security advisor.

Make sure that your in‑house security advisor accumulates and co‑ordinates your information security knowledge and experience.

Make sure that your in‑house information security advisor helps your organization to make information security decisions.

Make sure that your in‑house information security advisor has access to external security experts and advisors.

Make sure that your information security advisors are asked to provide advice on all aspects of information security.

Make sure that information security advisors are asked to assess security problems that threaten your organization.

Make sure that your information security advisors have been asked to assess your organization's information security controls.

Make sure that your information security advisors have direct access to your organization's management personnel.

Consult your information security advisors whenever you have a security incident or breach.

Ask information security advisors to investigate security incidents or breaches.

4.1.6 MAINTAIN RELATIONSHIPS WITH OTHER ORGANIZATIONS

Maintain relationships with organizations that could help you to cope with security incidents and breaches.

Make sure that you have a co‑operative relationship with law enforcement authorities.

Make sure that you have a co‑operative relationship with relevant regulatory bodies.

Make sure that you have a co‑operative relationship with information service providers.

Make sure that you have a co‑operative relationship with telecommunications operators.

Make sure that you belong to security groups and associations.

Make sure that you participate in security oriented industry forums.

Make sure that confidential information is not accidentally passed on to unauthorized outsiders when you exchange security information with these organizations, groups, and forums.

4.1.7 PERFORM INDEPENDENT SECURITY POLICY REVIEWS

Perform independent reviews of your information security policy.

Make sure that your independent policy reviews examine whether or not your practices are consistent with your information security policy.

Make sure that your independent policy reviews examine whether or not your information security policy is feasible.

Make sure that your independent policy reviews examine whether or not your information security policy is effective.

Make sure that security policy reviews are performed by independent managers, auditors, or organizations.

Make sure that your information security policy reviewers have the necessary skills and experience.

4.2 CONTROL THIRD PARTY ACCESS TO FACILITIES

Control third party access to your information processing facilities and information assets.

Maintain security while third parties access your information processing facilities and information assets.

Carry out a risk assessment whenever third party access to processing facilities and assets is required.

Make sure that your assessments examine the security risks that you take whenever you allow third party access to your information processing facilities and assets.

Make sure that your assessments identify the controls that should be used to regulate third party access to your information processing facilities and assets.

Make sure that your access control restrictions and requirements are written into your contracts with third parties.

Make sure that your third party access control contracts define the conditions that must be met before other unspecified participants are allowed access to your information processing facilities and information assets.

4.2.1 IDENTIFY THIRD PARTY ACCESS RISKS

4.2.1.1 CONSIDER TYPES OF THIRD PARTY ACCESS

Examine the risks that you take whenever you allow third parties physical access to your premises.

Examine the risks that you take whenever you allow third party access to your offices.

Examine the risks that you take whenever you allow third party access to your computer rooms.

Examine the risks that you take whenever you allow third party access to your filing cabinets.

Examine the risks that you take whenever you allow third parties logical access to your systems.

Examine the risks that you take whenever you allow third party access to your databases.

Examine the risks that you take whenever you allow third party access to your information systems.

4.2.1.2 ESTABLISH SPECIAL INFORMATION ACCESS CONTROLS

Carry out a risk assessment whenever third parties have a special or unique business need to have physical or logical access to your organization's information.

Establish special access controls whenever third parties have a unique business need to have special access to your organization's information.

Make sure that your special access controls limit and regulate the type of access that third parties can have to your information.

Make sure that your special access controls consider the controls used by third parties who have access to your information.

Make sure that your special access controls reflect the value of your organization's information.

Make sure that you have special controls that regulate the access that hardware specialists can have to your information.

Make sure that you have special controls that regulate the access that software specialists can have to your information.

Make sure that you have special controls that regulate the access that your trading partners or joint ventures can have to your organization's information.

Make sure that you have special controls that regulate the access that your trading partners or joint ventures can have to your organization's information systems and databases.

4.2.1.3 CONTROL ON‑SITE CONTRACTOR INFORMATION ACCESS

Use contracts to define all security requirements and to restrict on‑site contractor access to your organization's information and information processing facilities.

Ensure that information access contracts are signed before you allow on‑site contractors to have access to your information and information processing facilities.

Make sure that you implement access controls before you allow on‑site contractors to access your information or information processing facilities.

Make sure that you control consultant access to your information and information processing facilities.

Make sure that you control hardware and software maintenance contractor access to your organization's information and information processing facilities.

Make sure that you control cleaning, catering, and security guard access to your organization's information and information processing facilities.

Make sure that you control student and other short term contractor access to your information and information processing facilities.

4.2.2 USE CONTRACTS TO CONTROL THIRD PARTY ACCESS

Use contracts to help control third party access to your organization's information processing facilities.

Make sure that your third party contracts specify or refer to all your information security requirements.

Make sure that your third party contracts specify or refer to your organization's security policies and standards.

Make sure that your third party contracts include procedures that should be used to protect your organization's assets.

Make sure that your third party contracts include procedures that would be used to find out whether your organization's assets have been damaged or compromised.

Make sure that your third party contracts specify when your organization's assets should be returned or destroyed.

Make sure that your third party contracts specify limits on the use and duplication of your organization's information.

Make sure that your third party contracts specify the services that third parties are expected to provide to your organization.

Make sure that third party contracts specify the standard of service that third parties are expected to provide.

Make sure that your third party contracts identify statutory or regulatory roles and responsibilities that control how obligations should be met.

Make sure that your third party contracts clarify intellectual property rights, obligations, assignments, and protections.

Make sure that third party contracts define access methods.

Make sure that your third party contracts define how user IDs and passwords will be controlled.

Make sure that your third party contracts define the access authorization process that must be followed.

Make sure that your third party contracts expect contractors to keep track of who has what access rights and privileges.

Make sure that your third party contracts define performance criteria.

Make sure that your third party contracts define how contractor performance will be monitored and reported.

Make sure that your third party contracts reserve the right to monitor user activity and revoke user access.

Make sure that your third party contracts reserve the right to audit contractor activities and results.

Make sure that third party contracts define an escalation process that must be followed to resolve problems.

Make sure that third party contracts define contingency plans that would be followed if contractors fail to perform.

Make sure that your third party contracts define responsibilities for hardware installation and maintenance.

Make sure that your third party contracts define responsibilities for software installation and maintenance.

Make sure that third party contracts define reporting structures.

Make sure that third party contracts define reporting formats.

Make sure that your third party contracts define the change management process that should be followed.

Make sure that your third party contracts identify physical protection controls that must be followed.

Make sure that your third party contracts define the methods, procedures, or security training that your contractors should have.

Make sure that your third party contracts identify controls that must be used to guard against malicious software.

Make sure that your third party contracts describe how security incidents and breaches should be reported.

Make sure that your third party contracts describe how security incidents and breaches will be investigated.

Make sure that your third party contracts specify how contractors must work with subcontractors.

4.3 CONTROL OUTSOURCED INFORMATION PROCESSING

Maintain the security of your information when the job of processing that information has been outsourced to a different organization.

Make sure that contracts are used to define the security requirements that outsourced information processing organizations must meet.

Make sure that outsourcing contracts address security risks.

Make sure that your outsourcing contracts identify the security controls that must be used by outsourced information processing organizations.

Make sure that outsourcing contracts identify the security procedures that must be used by outsourced information processing organizations.

4.3.1 USE CONTRACTS TO CONTROL OUTSOURCED SERVICES

Make sure that your outsourcing contracts specify how legal and regulatory requirements should be met.

Make sure that your outsourcing contracts specify how all participants will be made aware of their information security obligations.

Make sure that your outsourcing contracts specify how subcontractors will be made aware of their information security obligations.

Make sure that your outsourcing contracts specify how the integrity of your business assets will be maintained.

Make sure that your outsourcing contracts specify how the integrity of your business assets will be tested.

Make sure that your outsourcing contracts specify how the confidentiality of your business assets will be protected and maintained.

Make sure that your outsourcing contracts specify how the confidentiality of your business assets will be tested.

Make sure that your outsourcing contracts identify the physical controls that must be used to restrict information access to authorized users only.

Make sure that your outsourcing contracts identify the logical controls that must be used to restrict information access to authorized users only.

Make sure that your outsourcing contracts specify how outsourced services will be continued during a disaster.

Make sure that your outsourcing contracts specify what level of security outsourced equipment must have.

Make sure that your outsourcing contracts establish the right to audit outsourced service performance.

Make sure that your outsourcing contracts establish the need to develop a detailed security management plan.

Make sure that your outsourcing contracts specify or refer to your organization's security policies and standards.

Make sure that your outsourcing contracts include procedures that should be used to protect your organization's assets.

Make sure that your outsourcing contracts include procedures that would be used to find out whether your organization's assets have been damaged or compromised.

Make sure that outsourcing contracts specify when your organization's assets should be returned or destroyed.

Make sure that your outsourcing contracts specify limits on the use and duplication of your organization's information.

Make sure that your outsourcing contracts specify the services that suppliers are expected to provide.

Make sure that your outsourcing contracts specify the standard of service that suppliers are expected to provide.

Make sure that your outsourcing contracts identify statutory or regulatory responsibilities that control how service obligations should be met.

Make sure that your outsourcing contracts clarify intellectual property rights, obligations, assignments, and protections.

Make sure that outsourcing contracts define access methods.

Make sure that your outsourcing contracts require service providers to control user IDs and passwords.

Make sure that your outsourcing contracts define the access authorization process that must be followed.

Make sure that your outsourcing contracts expect suppliers to keep track of who has what access rights and privileges.

Make sure that your outsourcing contracts define performance criteria.

Make sure that your outsourcing contracts define how supplier performance will be monitored and reported.

Make sure that your outsourcing contracts expect suppliers to monitor user activities and results.

Make sure that your outsourcing contracts expect suppliers to revoke user access when this is necessary.

Make sure that your outsourcing contracts reserve the right to audit service provider activities and results.

Make sure that outsourcing contracts define an escalation process that must be followed to resolve problems.

Make sure that your outsourcing contracts define contingency plans that would be followed if service providers fail to perform.

Make sure that outsourcing contracts define responsibilities for hardware installation and maintenance.

Make sure that outsourcing contracts define responsibilities for software installation and maintenance.

Make sure that your outsourcing contracts define reporting structures.

Make sure that your outsourcing contracts define reporting formats.

Make sure that your outsourcing contracts define the change management process that should be followed.

Make sure that your outsourcing contracts identify physical protection controls that must be followed.

Make sure that your outsourcing contracts define the methods, procedures, or security training that service providers should have.

Make sure that your outsourcing contracts identify controls that must be used to guard against malicious software.

Make sure that your outsourcing contracts describe how security incidents and breaches should be reported.

Make sure that your outsourcing contracts describe how security incidents and breaches will be investigated.

Make sure that your outsourcing contracts specify how service providers must work with their subcontractors.


Praxiom Research Group Limited       help@praxiom.com      780-461-4514

Updated on March 27, 2014. First published on October 28, 2004.

Legal Restrictions on the Use of this Page
Thank you for visiting this webpage. You are welcome to view our material as often as
you wish, free of charge. And as long as you keep intact all copyright notices, you are also
welcome to print or make one copy of this page for your own personal, noncommercial,
home use. But, you are not legally authorized to print or produce additional copies or to
copy and paste any of our material onto another web site or to republish it in any way.

Copyright © 2004 - 2014 by Praxiom Research Group Limited. All Rights Reserved.