Information security policy
We have developed IS policies and procedures recently, and as per our company rules, procedures shall be approved by the CEO and policies by the BOD. The management said that the information security policies shouldn't be a policy; you should name it a procedure,
and now I need evidence from ISO 27001 saying that we must have a policy.
ISO 27001 mentions the following policies:
- Information Security Policy
- Mobile device policy
- Access control policy
- Policy on the use of cryptographic controls
- Clear desk and clear screen policy
- Secure development policy
- Information security policy for supplier relationships
According to ISO 27001, only the Information Security Policy must be approved by the top management (clause 5.2) - all the other mentioned policies are operational policies that are almost never approved by the top management.
You might try to change the names of operational policies to "procedures", however then you risk having problems at the certification audit. The name of the Information Security Policy should not be changed to procedure because the auditor would certainly raise a nonconformity for that.
Apr 03, 2021