IT Security Policy too narrow
We are using the wizard to create the IT Security Policy, and we found that the content of the IT Security Policy is too short, and it seems that it cannot meet the requirements of ISO 27001. For example, the content of the IT Security Policy does not make any reference to SoA controls. How would you advise us to complete the IT Security Policy according to the ISO 27001 standard?
I’m assuming that you did not complete the Risk Register / Statement of Applicability in Conformio.
Considering that, to complete the IT Security policy according to the ISO 27001 standard, you need to perform the Risk Assessment and Risk Treatment, using the Risk Register Module. After you complete the assessment, Conformio will automatically generate the SoA indicating which controls need to be applied to your IT Security policy.
Then you need to start the Wizard and answer the required questions (these are based on the results of risk assessment, i.e., the controls that need to be considered for the IT Security policy).
This way all the relevant controls will be covered in the IT Security Policy, and section 2 of the policy will refer to all controls that are included.
Sep 28, 2022