Expert Advice Community

Policies approval process

Guest user Created: Dec 19, 2017 Last commented: Dec 19, 2017

Hi, we are currently completing the access control / management policy; however, policies usually need approval from the Governance board. My understanding is that the only policy that would exist and need approval from the board would be the organization's IT Security Policy. All others are somewhat standards? Would I be correct in saying that, or are they strictly required to be called policies etc.? This is different, of course, from the actual procedures.


Expert
Rhand Leal Dec 19, 2017

Answer: First of all, to be sure about which policies the Governance board should approve, you need to verify the current set of roles and responsibilities defined for it (e.g., the documented top management decision that established the Governance board). In general, policies can be divided into two types:
- High-level policies, which define the organization's approach to broad issues, like the quality policy, information security policy and IT security policy.
- Support policies, which define the organization's approach to specific issues, normally related to a high-level policy, like the development policy, information classification policy and access control policy.
Normally, a Governance board is responsible for approving high-level policies, delegating the approval of support policies to specific roles in the organization, such as the HR department head or the IT senior manager.

Regarding how to name the policies, the word "standard" has a general meaning that is different from the purpose of a policy, so you should avoid using it to designate a policy in order not to cause confusion. A better approach would be to use the word "policy" to refer to high-level policies approved by the Governance board and terms like "support policy", "detailed policy" or "complementary policy" to indicate policies that are related to a high-level policy.

These articles will provide you with further explanation about policy development:
- One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/

This material will also help you regarding policy development:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
