Expert Advice Community

Guest

ISO 27001:2013 (Information Security Policy / IT Security Policy)

  Quote
Guest
Guest user Created:   Oct 26, 2022 Last commented:   Oct 26, 2022

ISO 27001:2013 (Information Security Policy / IT Security Policy)

Under ISO 27001:2013 Mandatory documents, both the Information Security Policy and IT Security Policy is listed. 

We are trying to discern if both policies are required or if we can eliminate the IT Security policy and just use the Information Security Policy. 

Is it feasible where we can insert controls from the IT Security Policy into the Information Security? 

Please advise on best approach under the Mandatory document requirements.

0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Oct 26, 2022

Although it is possible to insert controls from the IT Security Policy into the Information Security, we do not recommend this approach. This is so because both policies have different purposes.   

The Information security policy is a high-level policy that defines rules for the whole organization considering information security, while the IT Security Policy is an operational policy aimed at the security of the information regarding Information Technology. 

For further information, see:

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Oct 26, 2022

Oct 26, 2022