Expert Advice Community

Guest
Guest user | Created: Apr 03, 2021 | Last commented: Apr 03, 2021

Information security policy

We have developed IS policies and procedures recently and, as per our company rules, procedures shall be approved by the CEO and policies by the BOD. The management said that the information security policies shouldn't be a policy, you should name it a procedure, and now I need evidence from ISO 27001 saying that we must have a policy.


Expert
Rhand Leal Apr 03, 2021

ISO 27001 mentions the following policies:

- Information Security Policy
- Mobile device policy
- Access control policy
- Policy on the use of cryptographic controls
- Clear desk and clear screen policy
- Secure development policy
- Information security policy for supplier relationships

According to ISO 27001, only the Information Security Policy must be approved by the top management (clause 5.2) - all the other mentioned policies are operational policies that are almost never approved by the top management.

You might try to change the names of operational policies to "procedures", however then you risk having problems at the certification audit. The name of the Information Security Policy should not be changed to procedure because the auditor would certainly raise a nonconformity for that.
