Question about policy

1. Is there any document showing how to link policies? That is which policies are dependent on which policies?

First is important to note that ISO 27001 does not require such a document, and since the standard does not prescribe which policies should be developed, it is unfeasible to develop such a list in a general way.

Now, considering the documents of our toolkits, we develop them with a "Reference documents" section, to point which documents are related to each template, so you can use the information in this reference to build such a list.

For further information, see:

• 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/

2. How to show risks of inadequate leadership in a nice way

If the risks are related to missing documents required by the standard, like the information security policy, you can simply mention that the document is missing and the action of leadership is to ensure they are developed.

In case the risks are related to leadership behavior required by the standard, like promoting continual improvement, a good way to present such risks is to state that related requirements of the standard are not being "properly" followed. This way you can imply that leadership is doing something, that is better than state that they are doing nothing, but that what is being done is not enough to comply with the standard.

For further information, see:

• Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
• Why is management review important for ISO 27001 and ISO 22301? https://advisera.com/27001academy/blog/2014/03/03/why-is-management-review-important-for-iso-27001-and-iso-22301/