Information Security Management System Manual
Works: 501, 5th Floor, Tower-A, Spaze I-Tech Park, Sohna Road, Sector-49, Gurgaon-122018 (Haryana), India
Contact Details
Phone No.: 0124-4201824
Email: anjul.pratyush@thinktalentindia.com
Mobile No.: 8800636890
Website: www.thinktalent.co
(Director) (MR) Doc. No. TTS/ISMS/Clause 0.0, Rev. 02, 31-01-2019: Update with Stage-1 audit's NC, and correct the formatting
1. Issue Control
1.1 Issue
This Information Security Management System Manual has been prepared in accordance
with the ISO 27001:2013 standard. It outlines the Information Security Management System
requirements which the company has adopted to meet the requirements of the
standard and the company's business objectives.
The Management shall issue the Manual. It shall be controlled as per Clause 7.5.3 of
this Manual. All authorized holders as per the distribution list shall be responsible for
implementation of the Information Security Management System in their respective areas.
Individuals in possession of the controlled copies shall receive revisions or amendments as
and when issued.
The Information Security Management System Manual may be issued outside the
organization (if required). It shall however not be controlled, shall not carry a copy number and
shall be stamped 'Uncontrolled'. No distribution record shall be maintained for such copies.
During the internal audit the concerned clauses shall be reviewed to ensure compliance
with the current business practices and the effectiveness of the defined processes.
1.2 Distribution
This Manual shall be distributed as per the following distribution list:
Copy No. / Holder
Copy 1: Managing Director
Copy 2: Chief Operating Officer (COO), Director
Copy 3: Principal Architect (MR)
Copy 4: Consultant Operations
Copy 5: Certification Body
Note: The Management Representative's copy shall be treated as the Master Copy.
2. Change History
3. Introduction
3.1 Purpose
The purpose of this INFORMATION SECURITY MANAGEMENT SYSTEM MANUAL is to
describe the information security management system adopted by the organization. It has been
prepared to outline how the organization conducts its own affairs with respect to the
achievement of its business objectives. It is also intended to serve as a document for the
organization's own staff and workforce for understanding the organization's policy
and procedures.
3.2 Scope
The INFORMATION SECURITY MANAGEMENT SYSTEM MANUAL describes the way in
which the system operated by the organization satisfies the requirements of ISO
27001:2013. The system is applicable to M/S THINK TALENT SERVICES PVT. LTD. for the
scope of Digital Platforms and Services for Talent Management. The INFORMATION
SECURITY MANAGEMENT SYSTEM MANUAL shall contain the Mandatory Procedures. All
applicable formats shall be referred to at the appropriate locations of this manual. The Work
Instructions and the formats shall be available in separate files.
The objectives shall be made available in the form of a Measurement Analysis Chart.
6. Planning
6.1 Actions to address risk and opportunities
a. General
When planning the Information Security Management System, the organization shall
consider the issues and requirements and determine the risks and opportunities that
need to be addressed to:
Reference
Procedure for risk assessment : DOC. 17.1.1
List of internal and external issues : DOC. 4.1
Responsibilities and authorities (KRA) : DOC. 7.2.1
Record of risks and opportunities : DOC. 17.1.1 F01
ISMS objectives : DOC. 5.3
Organization structure : DOC. 6.1
7. Support
7.1 Resources
7.2 Competence
The organization has defined criteria for the competence level required for the various
positions. These are available in the employee handbook of the organization.
While appointing a new person to a particular post, the candidate is compared against these criteria in terms of
education, training or experience.
If enhancement of competence is required and is provided through training etc.,
the effectiveness of the training imparted is assessed and a record is maintained.
7.3 Awareness
It is ensured that the people working in any area are aware of the following:
• The information security policy
• Their responsibility to fulfil the requirements, including the benefits of improvement in the
information security management system.
• The implications of not conforming with the information security management system.
7.4 Communication
The organization shall determine the need for internal and external communication
relevant to the information security management system, including:
• What to communicate
• When to communicate
• With whom to communicate
• Who shall communicate
• The processes by which the communication will be made effective
For details, refer to the communication matrix, ref. no. DOC. 6.1.1, version 1.0.
7.5 Documented Information
a. General
The organization has developed and documented its information security management
system to ensure that products conform to the specified requirements. The information
security management system covers the organizational structure, responsibilities,
procedures, processes and resources for implementing an effective Information Security
Management System.
The information security management system documented in this MANUAL describes the
policies and procedures in the various areas of the organization, covering the different
functions that ensure compliance with the requirements of the ISO 27001:2013 standard.
Reference
List of machines for preventive maintenance : DOC. 11.2.4 F01
Preventive maintenance record : DOC. 11.2.4 F02
Master list of documents : DOC. 18.1.2 F01
8. Operation
8.1 Operation Planning and Control
The planning of the processes to meet the requirements of the customer is achieved
through the various procedures and the Statement of Applicability.
These documents describe:
• The sequence of operations and sub-operations required to realize the services.
• The controls on the processes and the activities, as applicable.
• The description of the non-applicability of control points.
• The business activity starts with the generation of leads through:
▪ (a) Sales team (b) Management
▪ If the requirements are received through the sales team, the customer
interaction is done with the solution team to gather the information from
the client through the requirement gathering form.
▪ If the information is received through the management, the above activity (b) is
done by the management itself, and the complete information is gathered
and handed over to the solution team.
▪ The solution team decides which solutions and services are best suited to
the customer, and the same is sent to the customer for approval.
▪ The approval note is sent to the client, including payment and payment terms.
▪ Negotiation takes place between the client and the sales team, and
approval is obtained.
▪ The solution is created with the help of the tech team.
▪ Once creation is completed, testing is done internally and the solution is handed over
to the client for user acceptance testing (UAT).
▪ The project is then deployed with the help of the operations team as per the terms
and conditions stated in the agreement.
▪ Service support is provided as per the needs of the customer.
9. PERFORMANCE EVALUATION
9.1 Monitoring, Measurement, Analysis and Evaluation
The measurement and monitoring activities needed to assure conformity of the
operations performed in the organization have been defined.
Process improvement is an ongoing activity and may sometimes need additional
measurement and monitoring activities. These measurements are also planned and
implemented while executing the improvements.
In order to identify the scope for improvement, and hence achieve continual improvement,
problem-solving tools shall be used.
9.2 Internal Audit
• Internal audits shall be carried out to monitor the continued effectiveness of the quality
assurance system.
• Internal audits shall be coordinated by the M.R.
• The minimum frequency for audits shall be once per year. It will be ensured that all
departments are covered during each audit.
• Trained and qualified internal auditors shall carry out the audits. During the
planning of the audit, it will be ensured that an auditor does not have direct
responsibility for the department being audited.
• Prior to carrying out audits, the audit plan and audit schedule shall be drawn up by the M.R.
• The auditor shall record the findings in the internal audit checklist available in
the Procedure for Internal Audits. The concerned auditor, along with the
Management Representative, shall prepare the System Nonconformance Report. The
audit report shall be countersigned by the auditee.
• The respective Department in-charge shall spell out the corrective action and the time frame for
correcting the non-conformance.
• Audit closure shall be carried out by the concerned auditor/M.R. to verify effective
implementation of the corrective action. The M.R. shall not verify an area for which he is
directly responsible.
• The M.R. shall maintain and analyse audit records.
• External resources (consultants) shall act as auditor for the training, internal audits
and M.R. function until internal auditors are fully trained.
9.3 Management Review
a. General
The Management Review Meeting shall be conducted at least once in 12 months. The M.R.
shall record the minutes of the Management Review. The purpose of conducting the MRM is to
review the status of the implemented Information Security Management System,
identify resource requirements, and meet the requirements of ISO 27001:2013.
b. Review Input
The input to the management review shall include information on:
• Follow-up actions from previous management reviews.
• Changes in internal and external issues that are relevant to the Information Security
Management System.
• Information on the performance and effectiveness of the Information Security
Management System, including trends in:
• Results of audits.
• Customer satisfaction and feedback from relevant interested parties.
• Fulfilment of information security objectives.
• The effectiveness of actions taken to address risks and opportunities.
• Opportunities for continual improvement.
• Any other points raised by members.
c. Review Output
The output from the management review shall include any decisions and actions related
to:
• Opportunities for improvement.
• Any need for changes to the Information Security Management System.
▪ The agenda shall be prepared and circulated in advance by the M.R.
10. IMPROVEMENT
10.1 Non-Conformity and Corrective Action
When a non-conformity occurs, including any arising from complaints, the organization
shall:
• Take action to control and correct it.
• Deal with the consequences.
• Evaluate the need for action to eliminate the causes of the non-conformity, in order that
it does not recur or occur elsewhere, by:
• Reviewing and analysing the non-conformity.
• Determining the causes of the non-conformity.
• Determining if similar non-conformities exist or could potentially occur.
The organization shall then implement any action needed, review the effectiveness of any corrective action
taken, update the risks and opportunities determined during planning, and make the necessary
changes to the Information Security Management System. Records to this effect shall
be maintained in the form of CAPA.