Expert Advice Community

Policies details

Guest user Created:   Aug 03, 2022 Last commented:   Aug 03, 2022

I'm having on how to rewrite our internal policies so that we can get ISO27001 certified. The main issue I'm having is deciding how detailed our policy needs to be. Basically, what are the minimum requirements to achieve compliance? For example, ISO27002, 11.2.8 unattended user equipment. We already automatically lock workstations after 5 minutes through group policy. Is that enough to comply with part a)? I'm worried that if I make the policies too detailed, we won't be able to have evidence for everything and we'll get struck with a non-conformity when we fail to present evidence. Going off the same example I gave you, is it simply showing the auditor that we've configured our group policy to do that enough evidence? Or will they ask for evidence in the form of logs? Something else that interests me is how to deal with remote employees when rewriting our policies? How do we enforce a clear desk policy if they're working from home?

Expert
Rhand Leal Aug 03, 2022

1 - I'm having on how to rewrite our internal policies so that we can get ISO27001 certified. The main issue I'm having is deciding how detailed our policy needs to be. Basically, what are the minimum requirements to achieve compliance?

For example, ISO27002, 11.2.8 unattended user equipment. We already automatically lock workstations after 5 minutes through group policy. Is that enough to comply with part a)? I'm worried that if I make the policies too detailed, we won't be able to have evidence for everything and we'll get struck with a non-conformity when we fail to present evidence.

Please note that ISO 27001 does not specify how detailed the documents need to be.

Considering that, the level of detail a policy or procedure needs to have, as well as the minimum requirements to be fulfilled, will depend mainly on the results of the risk assessment and applicable legal requirements (e.g., laws, regulations, and contracts) related to that document.

For example, if you have a contract with a customer defining that workstations need to be locked after three minutes of inactivity, then these will be the requirements you need the document to fulfill. If there are no risks and no requirements, then you are free to define what will be written in the policy.

2 - Going off the same example I gave you, is it simply showing the auditor that we've configured our group policy to do that enough evidence? Or will they ask for evidence in the form of logs?

Besides the information about what is configured, the auditor will look for evidence that the configuration is indeed implemented. In this case, the easiest way is to observe how long a workstation takes to activate the screen lock. Another test generally applied is to call for an employee, so the person goes away from the workstation, and observe whether the person locked the station.

3 - Something else that interests me is how to deal with remote employees when rewriting our policies? How do we enforce a clear desk policy if they're working from home?

Handling remote employees will depend on which assets they are using.

If they are using the company’s assets, you can configure them to work the same way they work on premises, applying policies preventing users from changing configurations.

If they are using their own assets, one approach would be to adopt a BYOD policy, so you can enforce the expected use of personal devices when accessing corporate data and systems.

An important element of enforcing policies is the training and awareness of the workforce (whether remote or on-site).
