Information security policy vs. Acceptable use policy
ISO 27001 is not very clear when it comes to this question. However, best practice is the following: the Information security policy should be a short top-level document that describes the general approach of a company towards information security; the Acceptable use policy should be a longer document describing all the security rules that are applicable to all employees.
These articles will also help you:
Information security policy how detailed should it be? https://advisera.com/27001academy/blog/2010/05/26/information-security-policy-how-detailed-should-it-be/
How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
Jan 12, 2016