Access control policy and password policy
I guess the Password Policy will be: A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.3
And the Access Control Policy?
Answer: First, it is important to note that ISO 27001 allows flexibility for each company to decide how many documents they want to have, and what to include in those documents. Of course, you still need to have all mandatory documents, but you are free as to how to create them. For further information, see: 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
Additionally, controls must be kept in the documentation only if they are stated as applicable in the Statement of Applicability. The ones that are not applicable in the SoA must be deleted.
Considering that, if the Access Control Policy and Password Policy are separate documents for your organization, section 2 (Reference documents) of each policy, regarding ISO 27001 requirements, will be like this:
Section 2 of the Access Control Policy:
- ISO/IEC 27001 standard, clauses A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.5, A.9.2.6, A.9.4.1. (you need to delete controls A.9.2.4, A.9.3.1, and A.9.4.3)
- All other references must be kept.
Section 2 of the Password Policy:
- ISO/IEC 27001 standard, clauses A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.3
- All other references must be kept.
As you noted, controls A.9.2.1 and A.9.2.2 must be kept in both documents.
Jul 26, 2019