Hello, I would like your advice on what package of documents is useful for me to work on some rules and policies of ISO 27,000.
I have to comply with these points:
1. Secure management of electronic and paper information (secure means of printing, storage, transfer).
2. Timely management of critical and security updates of the operating systems of any equipment and corporate applications that receive, process and/or protect CLIENT information.
3. Correct administration of the antivirus systems that protect the equipment that receives, processes and/or protects the CLIENT's information.
4. Appropriate controls to protect against unauthorized access to IMR's corporate networks (protection of wired and wireless networks, intrusion detection, etc.).
5. Adequate controls over the privileges/profiles of all users, as well as administrative permissions exclusively to prevent the installation of unauthorized software, blocking of portable applications, games, unauthorized programs and any other code or executable files that could put at risk the information that is processed in the equipment with access to CLIENT information.
6. Appropriate controls for good use of internet connectivity, taking care that CLIENT information cannot be exposed in services such as public email, instant messaging, social networks, discussion forums, file sharing sites, among others. .
7. Appropriate procedures for the correct administration of Security Incidents (information theft, misuse of information, damage to equipment with CLIENT information, among others).
8. Appropriate controls for access to equipment containing CUSTOMER information, procedures for managing users due to employee termination or role changes, etc.
9. Correct controls to guarantee the integrity of the equipment when it is unattended (automatic locks with screen protection, physical locks to secure equipment, etc.).
10. Correct and complete documentation to ensure that the personnel who access the CLIENT's information have complied with a formal hiring process, signature of confidentiality agreements, among others.
11. Appropriate procedures to control confidentiality agreements with third parties, indicating the prohibition of contracting/sharing/accessing CLIENT information with unauthorized third parties, without having previously documented the CLIENT's authorization.