Approving the security policies

Guest user | Created: Oct 05, 2016 | Last commented: Oct 05, 2016

I have a question on policy documents. Under the new ISO 27001 standard, there seems to be more and more policies needed - e.g. Cryptography, Suppliers policy, etc. Is it really necessary to consider these particular documents as policies per se, or can I consider these as guidelines only?

Expert: Dejan Kosutic, Oct 05, 2016

Answer: ISO 27001 specifically calls these documents "policies", so if you select those controls as applicable then you should call them this way; of course, you can also write additional guidelines, which would be much more detailed, whereas you can leave the policies rather general.

The reason I ask is because our Board has to endorse all policies and for just ISMS, these are becoming quite heavy. As you can imagine, yearly endorsements of all policies within the company is a tremendous job anyway. Any advice would be helpful & appreciated.

Answer: I'm not sure why your board would need to approve all the policies - you can define a rule by which they need to approve only the top-level documents, like the Information Security Policy, implementation strategy, or the budget; you can specify in that rule that detailed policies can be approved by someone else in your organization.

These articles might also help you:
- How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
- Seven steps for implementing policies and procedures https://advisera.com/27001academy/knowledgebase/seven-steps-for-implementing-policies-and-procedures//
