Expert Advice Community

Information security policy content

Guest user Created:   Sep 26, 2017 Last commented:   Sep 28, 2017

I'm in the process of writing my Information Security Policy, as soon this is done, I will communicate with all my organization end users. My question is:
Expert
Rhand Leal Sep 26, 2017

Should I share the Statement of Applicability to all organisation? Or should I just insert the controls in the Information Security Policy?

Answer: No. The Statement of Applicability should be shared only with the organization's personnel who need it to perform their activities, and most of the organization's users will not be directly working with the controls (e.g., monitoring them, operating them, etc.).

Regarding including the controls in the Information Security Policy, according to ISO 27001, the Information Security Policy must include:
- the information security objectives, or how the objectives are proposed, how they are approved, and how they are reviewed
- a statement of top management about its commitment to fulfil the requirements of all interested parties, and to continually improve the ISMS

So, there is no need to include the controls in the Information Security Policy. If you need to describe details about the application of one or more controls, you should consider writing them in a specific policy (e.g., Access control policy, Backup policy, etc.).

These articles will provide you further explanation about Information Security Policy:
- What should you write in your Information Security Policy according to ISO 27001? https://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/
- Information security policy – how detailed should it be? https://advisera.com/27001academy/blog/2010/05/26/information-security-policy-how-detailed-should-it-be/

These materials will also help you regarding Information Security Policy:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Expert
Rhand Leal Sep 28, 2017

We received this question:

>I have another question. In the Information Security Policy we mention that the controls implemented are listed in the Statement of Applicability. Thus, users will ask questions about it, e.g. what the SoA is, how they can access it, etc.
>
>What should I tell my end users? Basically I'm just concerned about the things which will not make a lot of sense to them.

Answer: In my understanding you are making your Information Security Policy unnecessarily complex. Since the ISO 27001 standard does not require an organization to mention the SoA in the information security policy, and you think mentioning it will not make a lot of sense to your users, you should consider not referring to it in the policy.

This way you will be avoiding overloading users with information that will not be directly useful to their activities. Remember, users need to see and understand the security policies and procedures that are relevant to their activities.
