Disciplinary process
Assign topic to the user
Answer:
ISO 27001 does not prescribe how an organization should write its documents, so this decision is up to the organization, based on the results of risk assessment, legal requirements (e.g., contracts, regulations or laws the organization must comply with), or if Top Management decides this practice will be beneficial to the organization.
The same applies to the level of sanctions related to policy non compliance. Depending of the risks related to each policy, the sanction level may vary (e.g. non compliance to access control policy may be more severe than non compliance to clean desk policy).
These articles will provide you further explanation about writing documents:
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
- Seven steps for implementing policies and procedures https://advisera.com/27001academy/knowledgebase/seven-steps-for-implementing-policies-and-procedures//
Comment as guest or Sign in
Oct 03, 2018