Expert Advice Community

Information security policy - including references to clauses of the ISO 27001 standard

Guest user Created: Jan 12, 2016 Last commented: Jan 12, 2016

Shouldn't I include subsections/references regarding the clauses of the 27001 standard (i.e. clauses 4-10 and Annex A) in the Information Security Policy that is included in the package? Otherwise, how do I ensure that the IS policy, as an umbrella policy, covers all IS aspects?

DejanK Jan 12, 2016

Answer: Actually, there is no requirement in ISO 27001 that the Information Security Policy should cover all information security aspects.

What you suggest is quite common - many companies insert references to detailed policies in the top-level Information Security Policy, but I see two potential problems with this approach:
1) You will need to update the Information Security Policy quite often - each time you create a new policy related to information security.
2) You should show this Information Security Policy to many interested parties (requirement in ISO 27001 clause 5.2 g) - if it includes a list of all detailed policies, this could cause a potential threat (too many people will know which kind of internal rules you have).

To conclude, the Statement of Applicability is the document where you must make such references - I think this is enough; you don't have to do it again in the Information Security Policy.
