IT Security Policy
I have been tasked to produce an IT Security Policy as our current one is outdated. I am currently considering approaching such policy in two folds : Information Security and Information Technology Security.
Since they’re both intertwined because of the CIA of information and related security controls (information, assets, physical security, networks, collaboration tools, online sharing, cyber space, etc.), is it worth to separate them or one encompassing both is sufficient and valuable from an audit standpoint?
The policy is driven by *** which includes 8 pillar requirements as far as security controls go.
So, I just need few tips and guidance to build an up-to-date policy reflective of new policy requirements based on new operational trends driven by new technologies and services (PaaS, SaaS, CaaS, to name a few). Also, such policy must be simple enough to optimize comprehension and adherence from Senior Management. Our organization is not looking to implement a framework on its own.
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 does not prescribe how to write a document, so both approaches (to have two documents or a single one) are acceptable by the standard.
In this case, your decision should be based on how big and complex a single document would be because this can make it more difficult for people to read, understand, and use it properly.
To see how an Information Security Policy and Information Technology Security Policy compliant with ISO 27001 look like, please access the free demo of these templates:
- https://advisera.com/27001academy/documentation/information-security-policy/
- https://advisera.com/27001academy/documentation/security-procedures-for-it-department/
- https://advisera.com/27001academy/documentation/it-security-policy/
These articles will provide you a further explanation about how to develop documents:
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
- One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/
- What should you write in your Information Security Policy according to ISO 27001? https://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/
These materials will also help you regarding ISO 27001:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Comment as guest or Sign in
Feb 19, 2021