Information security policy - including references to clauses of ISO 27001 stand
Answer: Actually, there is no requirement in ISO 27001 that the Information Security Policy should cover all the information security aspects.
What you suggest is quite common - many companies insert references to detailed policies in the top-level Information Security Policy, but I see two potential problems with this approach:
1) You will need to update the Information Security Policy quite often - each time you create a new policy related to information security.
2) You should show this Information Security Policy to many interested parties (requirement in ISO 27001 clause 5.2 g) - if it includes a list of all detailed policies, this could cause a potential threat (too many people will know which kind of internal rules you have).
To conclude, the Statement of Applicability is the document where you must make such references - I think this is enough, you don't have to do it again in the Information Security Policy.
Jan 12, 2016