Policy documents
Guest user. Created: Mar 24, 2016. Last commented: Mar 24, 2016

Under the new ISO 27001 standard, there seem to be more and more policies needed, e.g. a cryptography policy, a suppliers policy, etc. Is it really necessary to consider these particular documents as policies per se, or can I consider them as guidelines only?
Antonio Jose Segovia Mar 24, 2016

The reason I ask is because our Board has to endorse all policies and for just ISMS, these are becoming quite heavy. As you can imagine, yearly endorsements of all policies within the company is a tremendous job anyway. Any advice would be helpful & appreciated.

Answers:
You can consider these particular documents as policies per se; I mean, they are only documents with rules which need to be followed by employees involved in the scope of the ISMS. But additionally you can add guidelines, as a best practice, indicating specifically and in detail how to implement the related security controls. For example, in the Policy on the use of cryptographic controls, you can include information about the system to be ciphered, the cryptographic tool to be used, etc. But additionally you can have a guideline that explains specifically how to use the cryptographic tool. You can see an example of a policy with our template "Policy on the Use of Cryptographic Controls": https://advisera.com/27001academy/documentation/policy-on-the-use-of-encryption/

So, from my point of view, generally the policy has general principles, and the guideline has detailed information about how to comply with them.

Anyway, remember that there is a list of mandatory documents, which you can find here: "List of mandatory documents required by ISO 27001 (2013 revision)": https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

By the way, do you know our online course? We give information about the documents that you need for the implementation of ISO 27001:2013 in the "ISO 27001:2013 Foundations Course": https://advisera.com/training/iso-27001-foundations-course/
