Expert Advice Community

Policy elaboration

Guest user Created:   Dec 10, 2016 Last commented:   Dec 10, 2016

I need information on policy formation for an organization.
Expert
Rhand Leal Dec 10, 2016

Answer: Roughly speaking, to formulate a good security policy you should consider the following steps: 1) identify and understand the requirements that justify the need for a policy (e.g., clauses of a standard or contract, business decisions, etc.); 2) consider the results of risk assessment, so measures to control relevant risks are supported by the policy; 3) make your policy manageable and integrated into your process (it's hard to follow huge policies that are very different from the daily operations); 5) get high-level approval (so the policy has more enforcement power); and 7) train and make people aware of the policy (if no one knows the policy, how can you expect they will follow it?).

These articles will provide you with further explanation about elaborating a policy:
- Seven steps for implementing policies and procedures https://advisera.com/27001academy/knowledgebase/seven-steps-for-implementing-policies-and-procedures//
- What should you write in your Information Security Policy according to ISO 27001? https://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/

These materials will also help you regarding policy elaboration:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
