
SG-08 Information Security Program

>Control Description

Organization has an established security leadership team including key stakeholders in the Organization Information Security Program; goals and milestones for deployment of the information security program are established and communicated to the company through the periodic security all-hands meeting.

Theme: Process

Type: Preventive

Policy/Standard: Information Security Management Standard

>Implementation Guidance

1. Ensure there is a dedicated information security management standard that defines requirements for the security leadership team and for the establishment and communication of security goals and milestones.
2. Ensure the organization's information security management standard is uploaded to the corporate intranet and made available to all employees.
3. Ensure the ISMS steering committee conducts monthly meetings, and that the meeting minutes are documented and communicated to relevant stakeholders.

>Testing Procedure

1. Inspect the Information Security Management Standard to determine whether requirements for a security leadership team and for the establishment and communication of security goals and milestones are defined.
2. Observe the organization's corporate intranet to determine whether the Information Security Management Standard is communicated to the company.
3. Inspect the most recent ISMS Steering Committee minutes to determine the participation of the security leadership team and the establishment and communication of security goals and milestones.

>Audit Artifacts

E-SG-01
E-SG-08
E-SG-09

>Framework Mappings

Cross-framework mappings provided by Adobe CCF Open Source under Creative Commons License.
