A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.

The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.

All information security responsibilities shall be defined and allocated.

Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets.

Appropriate contacts with relevant authorities shall be maintained.

Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.

Information security shall be addressed in project management, regardless of the type of the project.

A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.

A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites.

The contractual agreements with employees and contractors shall state their and the organization’s responsibilities for information security.

Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization.

All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.

There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.

Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced.

Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.

Assets maintained in the inventory shall be owned.

Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented.

All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement.

Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.

An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization.