Elaborating a security policy
My question for you is, can I modify the security control objectives from Annex A (ISO/IEC 27001) and rewrite them so that they represent my company's security policy?
For example, take information security objective A.7.1.2, which states: "To ensure that employees and contractors are aware of and fulfill their information security responsibilities." Can I reword this to say (something like): "It is our company's policy to ensure that employees and contractors are aware of and fulfill their information security responsibilities."?
Answer:
First, it is important to note that a policy sets general directions, while an objective is specific about what must be achieved. Considering that, you can use elements from the security control objectives in Annex A to fulfill your needs regarding writing policy statements, but you must consider the different purposes they have when building the text.
Your example is too specific to be used as a policy statement (e.g., what about customers or suppliers who access your information? How do you handle them?). A proper example would be: "It is our company's policy that personnel who handle information must be prepared to protect it properly." In this example you do not limit to whom this statement applies (it is valid also for customers, suppliers, and other entities), nor how you are going to accomplish that (e.g., by means not only of awareness, but also of education, training, etc.).
This article will provide you further explanation about control objectives:
- ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
This article will provide you further explanation about elaborating the information security policy:
- What should you write in your Information Security Policy according to ISO 27001? https://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/
Apr 13, 2019