Guest user Created: Oct 03, 2018 Last commented: Oct 03, 2018

Disciplinary process

I hope you can provide me with some general comments. Do we need to include a breach of policy section in each of the ISMS policy documents? What if the breach of policy conditions is too strict? How do we tune them down (for example, if a staff failed to report a breach he/she may be subject to dismissal, too strict?)

0 0

Assign topic to the user

Select user

Expert

Rhand Leal Oct 03, 2018

Answer:

ISO 27001 does not prescribe how an organization should write its documents, so this decision is up to the organization, based on the results of risk assessment, legal requirements (e.g., contracts, regulations or laws the organization must comply with), or if Top Management decides this practice will be beneficial to the organization.

The same applies to the level of sanctions related to policy non compliance. Depending of the risks related to each policy, the sanction level may vary (e.g. non compliance to access control policy may be more severe than non compliance to clean desk policy).
These articles will provide you further explanation about writing documents:
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
- Seven steps for implementing policies and procedures https://advisera.com/27001academy/knowledgebase/seven-steps-for-implementing-policies-and-procedures//

Quote

0 0

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

Oct 03, 2018

Expert Advice Community