We just have a question regarding the documents and then we are happy to upgrade.
I generated the Information Security Policy using the document wizard, but it was missing the following information:
- Exception Handling: How exceptions to the policy will be managed is not stated. Usually, there's a process for requesting an exception and how it's reviewed.
- Consequences of Non-Compliance: Outline what the consequences are for employees who do not adhere to the policies.
- Links to Other Policies and Procedures: Usually, the top-level policy should link to or reference other detailed policies and procedures (e.g., Access Control Policy, Incident Response Plan).
- External Parties: You mention that the policy applies to 'relevant external parties'. It might be useful to specify who these external parties are (vendors, contractors, etc.).
- Review Frequency: You've stated the document must be reviewed every 12 months. It's good to also mention under what other conditions a review would be triggered (e.g., after a security incident).
- Audit and Monitoring: There's no mention of how compliance with this policy will be audited or monitored.
- Document Storage and Versioning: Information on where this document will be stored, how it will be versioned, and who will have access should be added.
- Terminology: While you've defined basic security terminologies, the inclusion of more specific terms used in the document might be beneficial.
Is there something we missed during the document wizard, or any way to generate the complete document?
Since we need to provide these policies to our customers and want to pass ISO 27001, it would be great to know how to generate the complete document.