Expert Advice Community

Information security policies
Guest user Created:   Jun 23, 2022 Last commented:   Jun 23, 2022

Can you help me with the following questions:

1 - ISMS Security Objectives can be the same Control Objectives of ISO 27001:2013 or are they two different types of objectives?
2 - What is the difference between an information security policy and a recommended control or can they be the same?
3 - For the establishment of the ISMS Security Policies, can the textual requirements of ISO 27001:2013 be taken?
4 - For the establishment of the ISMS Security Policies, can the same statements of the Control Objectives of ISO 27001:2013 be taken?
5 - For the establishment of the ISMS Security Policies, can the same 114 statements of the ISO 27001:2013 Controls be taken?
Expert
Rhand Leal Jun 23, 2022

1- ISMS Security Objectives can be the same Control Objectives of ISO 27001:2013 or are they two different types of objectives?

Answer: ISMS Security Objectives and Control Objectives are different. The ISMS Security Objectives are top-level objectives related to the business strategy, while the Control Objectives are operational objectives related to what is expected from the controls.

Examples you can consider for the ISMS Security objectives are:
- decrease the impact and/or number of information security incidents
- increase revenue
- win a new customer
- increase market share

When using our Documentation Toolkit, you can document the general ISMS objectives in the Information Security Policy, and specific objectives for controls (or groups of controls) in the Statement of Applicability.

These articles will provide you with further explanation about objectives in ISO 27001:
- ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
- Key performance indicators for an ISO 27001 ISMS https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/

2 - What is the difference between an information security policy and a recommended control or can they be the same?

Answer: Information Security Policy is a top-level document that does not specify any security controls. You can write a specific policy for a particular control, e.g. "Backup policy" for the control A.12.3.1 "Information backup", and in such case, the Backup policy is the implementation method for the control A.12.3.1.

For further information, see:
- What is ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-iso-27001/

3 - For the establishment of the ISMS Security Policies, can the textual requirements of ISO 27001:2013 be taken?

Answer: You can use the requirements of the standard as guidance to write your own rules. You must not copy the requirement literally, because this would be a violation of ISO’s intellectual property. The templates in your toolkit are already written to be fully compliant with the standard.

4 - For the establishment of the ISMS Security Policies, can the same statements of the Control Objectives of ISO 27001:2013 be taken?

Answer: As in the previous answer, you must not copy the Control Objectives' statements literally, because this would be a violation of ISO's intellectual property. With just small changes you can adapt the standard's text to your needs.

5 - For the establishment of the ISMS Security Policies, can the same 114 statements of the ISO 27001:2013 Controls be taken?

Answer: You need to adjust the text to avoid violating intellectual property rights. Something like:

“Employment agreements, including those established with contractors, must define information security responsibilities for both the employee and the organization.”

However, the Statement of Applicability that you will find in your toolkit already specifies the activities you need to perform to comply with each control from ISO 27001. There is no additional text needed.

For further information, see:
- What to consider in security terms and conditions for employees according to ISO 27001 https://advisera.com/27001academy/blog/2018/05/23/what-to-consider-in-security-terms-and-conditions-for-employees-according-to-iso-27001/
