
Expert Advice Community

Elaborating a security policy

Guest user Created: Apr 13, 2019 Last commented: Apr 13, 2019

I know that information security objectives are not the same exact thing as information security policies. However, I find that the essential elements that I wish to capture in a simple policy statement can be crafted from the objectives in Annex A.

Expert
Rhand Leal Apr 13, 2019

My question for you is, can I modify the security control objectives from Annex A (ISO/IEC 27001) and rewrite them so that they represent my company's security policy?

For example, take information security objective A.7.1.2, which states: "To ensure that employees and contractors are aware of and fulfill their information security responsibilities." Can I reword this to say (something like): "It is our company's policy to ensure that employees and contractors are aware of and fulfill their information security responsibilities."?

Answer:

First, it is important to note that a policy sets general directions, while an objective is specific about what must be achieved. Considering that, you can use elements from the security control objectives in Annex A to fulfill your needs regarding writing policy statements, but you must consider the different purposes they have when building the text.

Your example is too specific to be used as a policy statement (e.g., what about customers or suppliers which access your information? How do you handle them?). A proper example would be: "It is our company's policy that personnel who handle information must be prepared to protect it properly." In this example you do not limit to whom this statement applies (it is valid also for customers, suppliers, and other entities), nor how you are going to accomplish that (e.g., by means not only of awareness, but also of education, training, etc.).

This article will provide you further explanation about controls objectives:
- ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

This article will provide you further explanation about elaborating the information security policy:
- What should you write in your Information Security Policy according to ISO 27001? https://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/