Policies details
I'm having trouble with how to rewrite our internal policies so that we can get ISO27001 certified. The main issue I'm having is deciding how detailed our policy needs to be. Basically, what are the minimum requirements to achieve compliance? For example, ISO27002, 11.2.8 unattended user equipment. We already automatically lock workstations after 5 minutes through group policy. Is that enough to comply with part a)? I'm worried that if I make the policies too detailed, we won't be able to have evidence for everything and we'll get stuck with a non-conformity when we fail to present evidence. Going off the same example I gave you, is it simply showing the auditor that we've configured our group policy to do that enough evidence? Or will they ask for evidence in the form of logs? Something else that interests me is how to deal with remote employees when rewriting our policies. How do we enforce a clear desk policy if they're working from home?
1 - I'm having trouble with how to rewrite our internal policies so that we can get ISO27001 certified. The main issue I'm having is deciding how detailed our policy needs to be. Basically, what are the minimum requirements to achieve compliance?
For example, ISO27002, 11.2.8 unattended user equipment. We already automatically lock workstations after 5 minutes through group policy. Is that enough to comply with part a)? I'm worried that if I make the policies too detailed, we won't be able to have evidence for everything and we'll get stuck with a non-conformity when we fail to present evidence.
Please note that ISO 27001 does not specify how detailed the documents need to be.
Considering that, the level of detail a policy or procedure needs to have, as well as the minimum requirements to be fulfilled will depend mainly on the results of risk assessment and applicable legal requirements (e.g., laws, regulations, and contracts) related to that document.
For example, if you have a contract with a customer defining that workstations need to be locked after three minutes of inactivity, then these will be the requirements you need the document to fulfill. If there are no risks and no requirements, then you are free to define what will be written in the policy.
For further information, see:
- How detailed should the ISO 27001 documents be? https://advisera.com/27001academy/blog/2014/09/22/detailed-iso-27001-documents/
2 - Going off the same example I gave you, is it simply showing the auditor that we've configured our group policy to do that enough evidence? Or will they ask for evidence in the form of logs?
Besides the information about what is configured, the auditor will look for evidence that the configuration is indeed implemented. In this case, the easiest way is to observe how long a workstation takes to activate the screen lock. Another test generally applied is to call an employee away from the workstation and observe whether the person locked it before leaving.
For further information, see:
- Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/
3 - Something else that interests me is how to deal with remote employees when rewriting our policies. How do we enforce a clear desk policy if they're working from home?
Handling remote employees will depend on which assets they are using.
If they are using the company's assets, you can configure them to work the same way they work on premises, applying policies that prevent users from changing configurations.
If they are using their own assets, one approach would be to adopt a BYOD policy, so you can enforce the expected use of personal devices when accessing corporate data and systems.
An important element of enforcing policies is the training and awareness of the workforce (whether remote or on-site).
For further information, see:
- What is a remote access policy and how do you develop it with ISO 27001? https://advisera.com/27001academy/blog/2019/04/23/iso-27001-remote-access-policy-how-to-develop-it/
- What is a BYOD policy, and how can you easily write one using ISO 27001 controls? https://advisera.com/27001academy/blog/2015/09/07/how-to-write-an-easy-to-use-byod-policy-compliant-with-iso-27001/
This material may also help you:
- Free Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.
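The answer above says the auditor wants proof that the screen-lock setting is applied, not just that it is written in the policy. One way to produce a dated, repeatable piece of that evidence is to read the effective Group Policy values on a sample workstation and compare them with the limit the policy states. The script below is an added example, not part of the original question or answer and not an Advisera tool; it assumes a policy maximum of 300 seconds (the questioner's 5 minutes) and reads the registry locations that the two relevant Group Policy settings write to (the user-side "Screen saver timeout / Password protect the screen saver" settings and the machine-side "Interactive logon: Machine inactivity limit" security option). It only reads values; it changes nothing.

```powershell
# Added example: collect evidence that the screen-lock policy is actually
# applied on this workstation and compare it against the stated maximum idle
# time (assumed here to be 300 s = 5 minutes). Run as the logged-on user so the
# HKCU policy hive is the one that Group Policy populated for that user.

function Get-ScreenLockEvidence {
    param([int]$MaxIdleSeconds = 300)  # assumed policy threshold, adjust to your policy

    # User Configuration > Administrative Templates > Control Panel > Personalization
    $userPol = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    # Computer Configuration > Security Settings > Local Policies > Security Options
    # ("Interactive logon: Machine inactivity limit")
    $machPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    $u = Get-ItemProperty -Path $userPol -ErrorAction SilentlyContinue
    $m = Get-ItemProperty -Path $machPol -ErrorAction SilentlyContinue

    # Screen-saver values are REG_SZ strings ("1", "300"); the inactivity limit is a DWORD.
    $saverOn      = ($u.ScreenSaveActive -eq '1')
    $saverSecure  = ($u.ScreenSaverIsSecure -eq '1')
    $saverTimeout = if ($u.ScreenSaveTimeOut) { [int]$u.ScreenSaveTimeOut } else { $null }
    $machTimeout  = if ($m.InactivityTimeoutSecs) { [int]$m.InactivityTimeoutSecs } else { $null }

    # Either mechanism satisfies the control, but only if the lock is password-protected:
    # the machine inactivity limit always locks, the screen saver only locks when "secure".
    $saverOk = $saverOn -and $saverSecure -and $saverTimeout -and ($saverTimeout -le $MaxIdleSeconds)
    $machOk  = $machTimeout -and ($machTimeout -gt 0) -and ($machTimeout -le $MaxIdleSeconds)

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        User                = $env:USERNAME
        CollectedAt         = (Get-Date).ToString('o')
        ScreenSaverActive   = $saverOn
        ScreenSaverSecure   = $saverSecure
        ScreenSaverTimeoutS = $saverTimeout
        MachineInactivityS  = $machTimeout
        MaxAllowedS         = $MaxIdleSeconds
        Compliant           = [bool]($saverOk -or $machOk)
    }
}

# Keep the result as dated evidence and attach the Group Policy report so the
# auditor can see which GPO delivered the setting.
$evidence = Get-ScreenLockEvidence -MaxIdleSeconds 300
$evidence | Format-List
$evidence | Export-Csv -Path ".\screenlock-$($env:COMPUTERNAME)-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
gpresult /h ".\gpresult-$($env:COMPUTERNAME).html" /f
```

This shows configuration, which is what the questioner already has; it does not replace the observation test the answer describes, where the auditor watches a workstation lock or watches an employee walk away from one. Keeping both (a handful of these CSV/gpresult captures from sampled machines plus a note of the observed lock) is the kind of evidence that is easy to present and hard to dispute.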
Aug 03, 2022