ISO 27001 & 22301 / Information security policy in contracts
Do the information security policies have to be explicitly in the contract, or is it enough if they're in the employee handbook?
ISO 27001 does not prescribe how to document your information security policies, so organizations are free to document them as they see fit.
The general practice is to have information security policies as internal operational documents, and to include only references to them in contracts, as contractual clauses.
This article will provide you with a further explanation about documenting policies and developing employment contracts: