Questions around templates - policies vs procedures
- From your templates it seems like policies and procedures could be the same thing, since we don't need a change management policy if we include this as a procedure in the document Security Procedures for IT department?
- Is it okay to only have procedures or policies for certain controls?
Please note that ISO 27001 does not prescribe how policies and procedures need to be documented, so organizations are free to document them as best fits their needs (i.e., separate or merged documents).
For large organizations, policies define the general rules for activities to be performed (what needs to be done), while procedures define the specific steps to perform them (how to do it).
For example, a Backup Policy can define that users need to periodically update local data to corporate storage, and you can have specific procedures on how to do that considering different devices, operational software, or work sites.
For small organizations, you can have all this information in a single document, to reduce administrative effort.
These articles will provide you with further explanation about developing documents:
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
- How detailed should the ISO 27001 documents be? https://advisera.com/27001academy/blog/2014/09/22/detailed-iso-27001-documents/
Mar 25, 2022