Information Security Management System (ISMS)
Quark ISO27001
ISO27001 is an information security management system (ISMS) standard that specifies the requirements for establishing, implementing, operating, monitoring, reviewing and maintaining a coherent and documented ISMS within an organization.
An ISMS includes policies, processes, procedures, systems and people to manage information security risks in a structured and systematic way. It is designed to ensure the selection of adequate and proportionate security controls to protect information assets.
Quark is ISO27001 certified (Cert. No. 244360), and the Information Security Management System (ISMS) scoped to the SaaS services will be subject to an annual independent audit.
ISMS Critical Elements
The intent of the ISMS is to provide effective management, operation, and technical controls that are balanced with the needs of the organization and the broad array of risks that it now faces.
The ISMS must be compliant with identified legal and regulatory requirements as well as with contractual obligations relevant to the organization and its cloud service customers in the field of information security and protection of Personally Identifiable Information (PII).
The following critical elements assist Quark in ensuring that the ISMS is successful:
- Management commitment to information security and continuous improvement initiatives
- Management awareness and involvement in information security issues that affect Quark
- Information security risk assessment being integrated into all key processes, including planning and change management prior to the implementation/upgrade of information systems or projects
- Information security and the various Quark departments being closely integrated, with identified communications channels and regular communications
- Departments being accountable for implementing, monitoring, and reporting on information security initiatives
- Employees being accountable and aware of the requirements on them, in regard to information security in their day-to-day activities
To ensure that the Quark ISMS is viable, Quark has implemented the following information security initiatives, which allow the organization to quickly adapt to new threats and vulnerabilities:
- Policies and Procedures: Quark has established policies and procedures that meet the compliance and risk management needs of the organization. These are shared with employees via an internal content management system.
- Risk Management: Quark has established a risk management framework, which defines Quark policy for developing, implementing, and maintaining a risk management program that ensures appropriate security measures are taken to protect Quark information systems and data.
- Vulnerability Management: Quark maintains a vulnerability management policy that provides a mechanism for the responsible employees to identify known vulnerabilities and weaknesses within the information systems and software.
- Awareness and Training: Quark conducts security awareness training for all employees and consultants with access to Quark information systems, to ensure that they are aware of their roles and responsibilities in protecting Quark information and information systems.
- Incident Management: Quark responds to and resolves information security incidents to minimize the business impact and the risk of further incidents, including Root-Cause Analysis and lessons learned.
- Audit & Compliance: Quark responds to and supports, where contractually agreed, compliance and security audits within Quark Software.
- Internal Audit: Quark performs audits of internal systems and processes, to provide management and auditors with assurance that controls are operating effectively to meet risk management requirements.
- Corrective Actions: Non-conformities and identified improvements to the ISMS are logged, root cause analysis is performed, and corrective actions are planned, resourced and implemented as needed. This supports the continuous improvement principle.
- Business Continuity / DR: Quark has a process in place to ensure that mission-critical functions continue to operate during an emergency, or are recovered to working function, in a safe manner.
- Asset & Patch Management: Quark has a process in place to ensure timely remediation of vulnerabilities in IT systems by patching, preventing them from being exploited by internal or external threats.
- Monitoring: Quark alerts on and reviews system events and information security events to identify any anomalies and ensure the smooth running of systems.
- Asset Classification: Quark maintains an asset inventory to ensure that the organization has identified information and system owners (accountability / responsibility) and data classification, and has implemented appropriate controls to protect the data.
In addition, Quark has implemented physical and environmental security controls that are in place to protect the data and information systems from theft, damage, or loss.
List of Policy Areas Covered
The ISMS supports the following areas of ISO27001 Planning:
- Context and Scope
- Risk Assessment and Treatment
- Statement of Applicability
- Control of Documents
- Internal Audits
- Management Review
- Management of Non-Conformity
The ISMS supports the following areas of the ISO27001 Annex A controls:
- A.5 – Information security policies
- A.6 – Organization of information security
- A.7 – Human resource security
- A.8 – Asset management
- A.9 – Access control
- A.10 – Cryptography
- A.11 – Physical and environmental security
- A.12 – Operations security
- A.13 – Communications security
- A.14 – System acquisition, development and maintenance
- A.15 – Supplier relationships
- A.16 – Information security incident management
- A.17 – Business continuity management
- A.18 – Compliance