Objectives documentation requirements
In an ISMS project, should there be a separate document for high-level information security objectives and another for low-level objectives? High level in the Information Security Context, Requirements and Scope document, and low level in the ISMS Policy document?
ISO 27001 does not prescribe how to document information security objectives, so both ways you proposed are acceptable.
What normally happens in ISO 27001 implementation projects is that High-Level Info Sec Objectives are documented in the Information Security Policy and other security objectives are documented in the Statement of Applicability document.
To see what these documents look like, please access these links:
- https://advisera.com/27001academy/documentation/information-security-policy/
- https://advisera.com/27001academy/documentation/statement-of-applicability/
These articles will provide you with further explanation about the Information Security Policy and the Statement of Applicability:
- What should you write in your Information Security Policy according to ISO 27001? https://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
Apr 08, 2020