We have our audit fast approaching, and we would like to have the broadcast ready for our Quality Policy and ISMS Policy. Within 9001 and 27001, we have noticed these two documents have a very different format. 9001 is presented as a 1-page Certificate Format and 27001 is presented as a very detailed 4-page policy that cannot be used for a Certificate Format. Can you please assist here, so our 9001 and 27001 Policy Statements appear uniform and aligned, presented in a framed format for our clients?
First, it is important to understand that these policies are different because they have very different audiences. The ISO 27001 policy is to be used by top management, while the ISO 9001 policy is for public display. We do not recommend trying to shorten the ISMS policy to a one-page document, because there is a risk that the document does not fulfill the standard's requirements.
You can develop a public display version of the ISMS policy to fulfill your needs, but this version has to include a disclaimer stating that it is not the full version of the ISMS policy, where the full version can be found, and that this version does not deviate from the content of the full version.
Considering all this, to create a version of the ISMS policy statement in the same format as the Quality policy, as general guidance you should change the references from ISO 9001 to ISO 27001, because most of the requirements are the same. For example:
- in the first paragraph you should have something like this: "The basic orientation of [organization's name] [include here the objectives defined on section 4.1 of the ISMS policy]"
- in the bullet related to commitment you should have something like this: "Commitment to protect information from [processes/services described in the ISMS scope document]"