Information security policy in contracts
Do the information security policies have to be explicitly in the contract, or is it enough if they are in the employee handbook?
ISO 27001 does not prescribe how to document your information security policies, so organizations are free to document them as they see fit.
The general practice is to have information security policies as internal operational documents, and to include only references to them in contracts, as contractual clauses.
These articles will provide you with further explanation about documenting policies and developing employment contracts:
- One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/
- What to consider in security terms and conditions for employees according to ISO 27001 https://advisera.com/27001academy/blog/2018/05/23/what-to-consider-in-security-terms-and-conditions-for-employees-according-to-iso-27001/
Jul 09, 2020