Expert Advice Community

ISO 27001:2013 (Information Security Policy / IT Security Policy)

Guest user Created:   Oct 26, 2022 Last commented:   Oct 26, 2022

Under the ISO 27001:2013 mandatory documents, both the Information Security Policy and the IT Security Policy are listed.

We are trying to discern whether both policies are required, or whether we can eliminate the IT Security Policy and just use the Information Security Policy.

Is it feasible for us to insert the controls from the IT Security Policy into the Information Security Policy?

Please advise on the best approach under the mandatory document requirements.

Expert
Rhand Leal Oct 26, 2022

Although it is possible to insert controls from the IT Security Policy into the Information Security Policy, we do not recommend this approach. This is because the two policies have different purposes.

The Information Security Policy is a high-level policy that defines rules for the whole organization regarding information security, while the IT Security Policy is an operational policy aimed at the security of information in relation to Information Technology.

For further information, see:
