Conformio questions
We just have a question regarding the documents and then we are happy to upgrade.
I generated Information Security Policy using the document wizard, but it was missing the following information:
- Exception Handling: How exceptions to the policy will be managed is not stated. Usually, there's a process for requesting an exception and how it's reviewed.
- Consequences of Non-Compliance: Outline what the consequences are for employees who do not adhere to the policies.
- Links to Other Policies and Procedures: Usually, the top-level policy should link to or reference other detailed policies and procedures (e.g., Access Control Policy, Incident Response Plan).
- External Parties: You mention that the policy applies to 'relevant external parties'. It might be useful to specify who these external parties are (vendors, contractors, etc.).
- Review Frequency: You've stated the document must be reviewed every 12 months. It's good to also mention under what other conditions a review would be triggered (e.g., after a security incident).
- Audit and Monitoring: There's no mention of how compliance with this policy will be audited or monitored.
- Document Storage and Versioning: Information on where this document will be stored, how it will be versioned, and who will have access should be added.
- Terminology: While you've defined basic security terms, the inclusion of more specific terms used in the document might be beneficial.
Is there something we missed during the document wizard, or any way to generate the complete document?
Since we need to provide these policies to our customers and want to pass ISO 27001, it would be great to know how to generate the complete document.
Answer: Please note that the Information Security Policy document generated by Conformio is fully compliant with ISO 27001 as it is, so most of the elements you mentioned do not need to be included in the Information Security Policy (some are already included in other low-level policies, or are not needed at all – they would only increase administrative effort unnecessarily).
About each specific point:
- Exception Handling: exceptions are not mentioned in ISO 27001, and a good practice is either not to define them at all, or to define them for certain processes. For example, you could define an exception for granting access in the Access Control Policy.
- Consequences of Non-Compliance: references to consequences of non-compliance and violations of security rules are included in the Statement of Acceptance of ISMS Documents.
- Links to Other Policies and Procedures: the policies, procedures and other documents which support the ISMS are identified in the Statement of Applicability module.
- External Parties: the external parties are identified in the Register of Requirements module.
- Review Frequency: of course, the review could be done more often in various cases. However, we found that a large majority of our clients like documents that are not too lengthy and are simple to read, and this is why we try not to explain such scenarios.
- Audit and Monitoring: audit and monitoring rules are defined in the Internal Audit Procedure.
- Document Storage and Versioning: storage and versioning rules are defined in the Procedure for Document and Record Control. Who is allowed access to the policy is defined in section 1 of the document – Purpose, scope and users.
- Terminology: a large majority of our clients find the listed terms enough for their purpose; as mentioned before, our clients prefer to have shorter documents, and this is why we limited the terms to those that are listed.
In case you want to develop an Information Security Policy with the elements you want, you can use the blank template provided by Conformio, which can be found by clicking on the Documents link in the left panel on the main screen, and after that, the folder Templates for manual editing.
Oct 04, 2023