About the IT security Policy and some documents mentioned as "implementation method" in the SOA

3.12.2. Clear screen policy
Our current communication to employees is to lock the screen whenever they leave their desk and to shut down when they leave the office (with or without the PC), and at least every evening. Our PC are also configured to lock automatically the screen with a password after 5mn without actions.

But we don’t have any automatic log out nor automatic shutdown. After a discussion with our IT administrator he does’nt know any solution to do so. Looking around with our consultants, none have seen such solution implemented by our customer, even the most concerned with security.

Then we decided to continue with the current situation. However, describing the current policy is not possible and that automatic shutdown option cannot be removed from the IT security policy in Conformio…  Could you help us?

Please note that the documented Clear screen policy in Conformio does not require automatic log out nor automatic shutdown (i.e., these can be performed manually). The term “clear screen policy” refers to the administrative document, not to an operating system policy. Considering that, the current text in the Clear screen policy document covers your current implementation and it does not need to be changed.

3.14. E-mail and other message exchange methods
Trying to fill that chapter, we found some ambiguity in the usage of the term “Users”

“Users may only send messages… Users must not send spam...” : the user is an inspearit employee sending mail
“Should a user receive a spam…” : we understood that the user is probably one of our prospect who do not want to receive such mail
“The user must save each message containing…” : the user is an inspearit employee receiving significant mails
Did we understood well? If so, the thing is that we cannot clarify the sentences 2 and 3.  It would be more explicit if “Users” were replaced by inspearit employees or prospect when applicable.

In another hand, our Marketing and communication director doesn’t think that inspearit send any “spam”, but some informative or commercial communications…

Once again, could you help us?

In the context of this document, the user is an employee of your organization (this definition is made in section 1 of the document).  

Considering that, customers are not to be considered as users in the context of this document.

About the evaluation of your Marketing and communication director about what should be considered “spam”, please note that any unwanted communication can be considered spam, so this situation should be evaluated from the prospector point of view (if the prospector does not indicate he wants to receive such email, it can be considered spam by him).

The second answer drives me to a complementary question :

Ok, we made a misinterpretation, I know understand that the sentence “Should a user receive a spam e-mail, he/she must inform <job name>” means that when a employee receive a spam, he don’t have to claim to the sender to be unregistered, it’s the role to someone in the organization to agregate spaming evidence and require senders to stop spaming anyone in the organisation. Obviously we currently don’t have such process nor role in our organization. What is the usage usually? Which role usually include such responsibility? Is it usually a “Marketing and comunication” role? An IT administration role? A legal department role?

ISO 27001 does not specify roles to handle spam, so organizations can define what better fits them, from creating a new role to designating an already existent role for the task. A common approach is blocking the origin of email identified as spam from reaching the organization, and in this case, some role from the IT staff that can authorize such procedure can be defined as the person responsible (e.g., IT head, system admin, etc.).