Policy documentation
Answer: ISO 27001 does not prescribe a way to organize information on documents, only requirements regarding how to create, update and control them, so organizations are free to define how to control documents in the way that best fits them.
Considering that, it is not required that you have a stand-alone policy, and it is not necessary to document everything mentioned in ISO 27002, provided you are able to demonstrate that the requirements for the policy are fulfilled according to the results of your risk assessment.
Regarding external auditor evaluation, since there is no prescribed documentation format, if your documents, records and operation fulfil the requirements of control A.9.1.1 this will be enough.
These articles will provide you further explanation about documentation control:
- How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
- One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
I think it's the wording in 27002 that is confusing me. When I read it, I'm taking it as gospel. In point 9.1.1 the wording reads 'An access control policy should be established, documented and reviewed based on business and information security requirements'. I interpret the 'should' part as meaning obligatory. Is 27002 just for guidance but not written in blood? I can't find anything anywhere in the document that implies that. The mandatory documents list has it listed on there too. I'm getting conflicting information basically.
In the ISO world, mandatory requirements/documents are related to the words "must" or "shall", while non-mandatory requirements/documents are related to the words "may" or "should". In ISO 27002, since it provides recommendations for the implementation of controls that may be required as a result of a risk assessment, you will find the guidance ruled by "should", i.e., you only have to consider the recommendations that will help handle the risks you identified as unacceptable.
You can find more information in this article: Explanation of the basic terminology in ISO standards https://advisera.com/27001academy/blog/2015/01/12/explanation-of-the-basic-terminology-in-iso-standards/
May 10, 2018