General Information Security Policy

Previously, with ISO 27001: 2005, I used the general information security policy and right there I defined the scope and assembled it in a policy manual, separating the security policy, today I see that it is necessary to do an ISMS scope, which I have no doubt if it should be three documents, General Information Security Policy, Policy Manual (A whole set) and the scope of the ISMS separately.

ISO 27001 (even the previous 2005 version) does not prescribe how to document the Information Security Policy, the ISMS scope, and other developed policies, so organizations are free to document them in a single or separate document as best fit their needs.

Regarding policies, our recommendation is that these are documented as separate documents, because the information security policy is a high-level policy, while other policies are more specific, and developing them as a single document would only create a document too big and too complex to read and manage.

These articles will provide you a further explanation about developing policies:

• Is the ISO 27001 Manual really necessary? https://advisera.com/27001academy/blog/2014/02/03/is-the-iso-27001-manual-really-necessary/
• One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/
• Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/

These materials will also help you regarding developing policies:

• Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
• ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/