Have a few questions about documentation. So for the ISMS project, there is an IT security policy doc which includes e.q.:
3.12. Clear desk and clear screen policy
3.11. Password responsibilities
3.9. Authorizations for information system use
3.7. Backup procedure
Should it all be in one document (IT Security Policy) or we can divide them and use them by each?
ISO 27001 does not prescribe how documents should be grouped, so organizations can develop documents as best fit their needs.
Besides the IT security policy, Conformio provides the following templates that you can use to split these items: - Password Policy - Clear Desk and Clear Screen Policy - Backup Policy
In case you use the additional items, the same elements in the IT Security Policy will be automatically excluded.
For “Authorizations for information system use”, they are regulated through the Access Control Policy, whereas the authorizations themselves can be done simply through email, no specific type of record is needed.