Information security policy content
Answer: According to ISO 27001, the Information Security Policy must include:
- the information security objectives, or how the objectives are proposed, how they are approved, and how they are reviewed
- a statement of top management about its commitment to fulfill the requirements of all interested parties, and to continually improve the ISMS
There is no need to include specific controls in the Information Security Policy. If you need to describe details about the application of one or more controls you should consider writing them in a specific policy (e.g., Access control policy, backup policy, etc.).
These articles will provide you further explanation about Information Security Policy:
- What should you write in your Information Security Policy according to ISO 27001? https://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/
- Information security policy – how detailed should it be? https://advisera.com/27001academy/blog/2010/05/26/information-security-policy-how-detailed-should-it-be/
These materials will also help you regarding Information Security Policy:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Apr 11, 2018