Information Security Policy vs IT Security Policy
My company has purchased your workshop and documentation toolkit for the ISO 27001 implementation. We are working on the documents, and the Statement of Applicability is posing a real challenge.
One thing, though, I want to be clear on: in your documentation, folder 02 (General policies), I see the Information Security Policy document, which is a relatively short document and not very detailed. However, in the Statement of Applicability, I see that reference is made many times to the IT Security Policy, which means it should be quite an extensive document.
Please, is the Information Security Policy the same as the IT Security Policy?
Please note that these are different documents:
- the Information Security Policy is located in folder 02 (General policies), as you mentioned
- the IT Security Policy is located in folder 08 (Annex A Security Controls), subfolder A.8 (Asset Management)
The purpose of the Information Security Policy is to define, at a high level, how information security is managed, while the purpose of the IT Security Policy is to provide details on how to use the information system and other information assets.
In the List of Documents file included in your toolkit, you can identify where each document is located and which clauses and controls are covered by each of them.
This article will provide you with a further explanation of the Information Security Policy:
- What should you write in your Information Security Policy according to ISO 27001? https://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/
Jun 05, 2020