Information security policies
1 - ISMS Security Objectives can be the same Control Objectives of ISO 27001:2013 or are they two different types of objectives?
Answer: ISMS Security Objectives and Control Objectives are different. The ISMS Security Objectives are top-level objectives related to the business strategy, while the Control Objectives are operational objectives related to what is expected from the controls.
Examples you can consider for the ISMS Security objectives are:
- decrease the impact and/or number of information security incidents
- increase revenue
- win a new customer
- increase market share
When using our Documentation Toolkit, you can document the general ISMS objectives in the Information Security Policy, and specific objectives for controls (or groups of controls) in the Statement of Applicability.
These articles will provide you with further explanation about Objectives in ISO 27001:
- ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
- Key performance indicators for an ISO 27001 ISMS https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/
2 - What is the difference between an information security policy and a recommended control or can they be the same?
Answer: Information Security Policy is a top-level document that does not specify any security controls. You can write a specific policy for a particular control, e.g. "Backup policy" for the control A.12.3.1 "Information backup", and in such case, the Backup policy is the implementation method for the control A.12.3.1.
For further information, see:
- What is ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-iso-27001/
3 - For the establishment of the ISMS Security Policies, can the textual requirements of ISO 27001:2013 be taken?
Answer: You can use the requirements of the standard as guidance to write your own rules. You must not copy the requirement literally, because this would be a violation of ISO’s intellectual property. The templates in your toolkit are already written to be fully compliant with the standard.
4 - For the establishment of the ISMS Security Policies, can the same statements of the Control Objectives of ISO 27001:2013 be taken?
Answer: As in the previous answer, you must not copy the Control Objectives’ statements literally, because this would be a violation of ISO’s intellectual property. With just small changes you can adapt the standard’s text to your needs.
5 - For the establishment of the ISMS Security Policies, can the same 114 statements of the ISO 27001:2013 Controls be taken?
Answer: You need to adjust the text to avoid violating intellectual property rights. Something like:
“Employment agreements, including those established with contractors, must define information security responsibilities for both the employee and the organization.”
However, the Statement of Applicability that you will find in your toolkit already specifies the activities you need to perform to comply with each control from ISO 27001. There is no additional text needed.
For further information, see:
- What to consider in security terms and conditions for employees according to ISO 27001 https://advisera.com/27001academy/blog/2018/05/23/what-to-consider-in-security-terms-and-conditions-for-employees-according-to-iso-27001/
Jun 23, 2022