【正文】 ion shall establish and maintain procedures for controlling all documentation required under to ensure that the documentation is: a) readily available。 e) identified and retained when obsolete and required for legal or knowledge preservation purposes, or both. Documentation shall be legible, dated (together with dates of revision) and readily identifiable, maintained in an orderly manner and retained for a specified period. Procedures and responsibilities shall be established and maintained for the creation and modification of the various types of document. NOTE: Documents may be in any medium, such as hard copy or electronic media. Records Records, being evidence generated as a consequence of the operation of the ISMS, shall be maintained to demonstrate pliance with the requirements of this part of BS 7799 as appropriate to the system and to the anization, . a visitors’ book, audit records and authorization of access. The anization shall establish and maintain procedures for identifying, maintaining, retaining and disposing of the records demonstrating pliance. Records shall be legible, identifiable and traceable to the activity involved. Records shall be stored and maintained in such a way that they are readily retrievable and protected against damage, deterioration or loss. NOTE: Records may be in any medium, such as hard copy or electronic media. 4 Detailed controls Security policy Information security policy Objective: To provide management direction and support for information security Information security policy document A policy document shall be approved by management, published and municated, as appropriate, to all employees. Review and evaluation The policy shall be reviewed regularly, and in case of influencing changes, to ensure it remains appropriate. Security anization Information security infrastructure Objective: To manage information security within the anization. Management information security forum A management forum to ensure that there is clear direction and visible management support for security initiatives shall be in place. Information security coordination Where appropriate to the size of the anization, a crossfunctional forum of management representatives from relevant parts of the anization shall be used to coordinate the implementation of information security controls. Allocation of information security responsibilities Responsibilities for the protection of individual assets and for carrying out specific security processes shall be clearly defined. Authorization process for information processing facilities A management authorization process for new information processing facilities shall be established. Specialist information security advice Advice on information security provided by inhouse or specialist advisors shall be sought and municated throughout the anization. Cooperation between anizations Appropriate contacts with law enforcement authorities, regulatory bodies, information service providers and telemunications operators shall be maintained. Independent review of information security The implementation of the information security policy shall be reviewed independently. Security of third party access Objective: To maintain the security of anizational information processing facilities and information assets accessed by third parties. Identification of risks from third party access The risks associated with access to anizational information processing facilities by third parties shall be assessed and appropriate security controls implemented. Security requirements in third party contracts Arrangements involving third party access to anizational information processing facilities shall be based on a formal contract containing all necessary security requirements. Outsourcing Objective: To maintain the security of information when the responsibility for information processing has been outsourced to another anization. Security requirements in outsourcing contracts The security requirements of an anization outsourcing the management and control of all or some of its information systems, works and/or desk top environments shall be addressed in a contract agreed between the parties. Asset classification and control Accountability for assets Objective: To maintain appropriate protection of anizational assets. Inventory of assets An inventory of all important assets shall be drawn up and maintained. Information classification Objective: To ensure that information assets receive an appropriate level of protection. Classification guidelines Classifications and associated protective controls for information shall be suited to business needs for sharing or restricting information and the business impacts associated with such needs. Information labelling and handling A set of procedures shall be defined for information labelling and handling in accordance with the classification scheme adopted by the anization. Personnel security Security in job definition and resourcing Objective: To reduce the risks of human error, theft, fraud or misuse of facilities. Including security in job responsibilities Security roles and responsibilities as laid down in the anization’s information security policy shall be documented in job definitions where appropriate. Personnel screening and policy Verification checks on permanent staff shall be carried out at the time of job applications. Confidentiality agreements Employees shall sign a confidentiality agreement as part of their initial terms and conditions of employment. Terms and conditions of employment The terms and conditions of employment shall state the employee’s responsibility for information security. User training