Expert Advice Community

Questions ISO 27001

Guest user. Created: Dec 17, 2022. Last commented: Dec 17, 2022
Good morning, is it possible to help me with the following Questions

1. Every information security policy must have at least one procedure associated with it.

2. Can security policies and procedures be written in the same document or should they be separate documents?

3. Should the strategic information security policies be in a separate document from the technical information security policies, or can they be in the same document?

4. What is the difference between Policies, standards and Procedures?

5. Should the person in charge of information security be independent from the area of information technology? Or can it be a person/position that is part of the information technology area?

6. Can the technology leader also be responsible for information security?

7. Do you have any template of how to write a strategic information security plan?

8. Can you send me examples of Major nonconformities and minor nonconformities?

9. Can the vulnerability tests of information assets be carried out by the same organization or must an external provider be contracted to carry them out?

10. Is an information security incident the materialization of a security risk?

11. What is the difference between an information security event, an information security incident and an information security risk?


Expert answer by Rhand Leal, Dec 17, 2022

1. Every information security policy must have at least one procedure associated with it.

ISO 27001 does not specify that you need to have procedures related to policies, nor does it specify what kind of policies and procedures to write. Our recommendation for smaller companies is to use a minimum number of policies and procedures to avoid overhead.

For further information, see:

2. Can security policies and procedures be written in the same document or should they be separate documents?

ISO 27001 does not prescribe how policies and procedures must be documented, so organizations can develop them as best fit their needs.

Considering that, policies and procedures can be part of the same document but you have to take care to not create a document too big or complex to use or maintain. In such cases, it is best to keep policies and procedures as separate documents.

For further information, see:

3. Should the strategic information security policies be in a separate document from the technical information security policies, or can they be in the same document?

Strategic and technical information generally have different audiences (e.g., strategic information for top management, and technical information for operational staff), so while you can have both kinds of information in the same document, in general, they are developed as separate documents.

4. What is the difference between Policies, standards and Procedures?

A policy defines a certain intention and gives direction (e.g., Information Security Policy), whereas a standard specifies a standardized way of doing something (e.g., ISO 27001 specifies how to manage information security).

As for a procedure, it defines the steps required for performing an action (e.g., a backup procedure defines the steps to back up information).

5. Should the person in charge of information security be independent from the area of information technology? Or can it be a person/position that is part of the information technology area?

ISO 27001 does not prescribe who should be responsible for information security, so organizations can designate this person as best fit their needs.

So, this person may or may not be part of the area of information technology; both are acceptable possibilities.

For further information, see:

6. Can the technology leader also be responsible for information security?

This role can also be an alternative for the person responsible for information security.

7. Do you have any template of how to write a strategic information security plan?

Please note that ISO 27001 does not require a strategic information security plan to be developed. A similar high-level document compliant with ISO 27001 is the Information Security Policy, located in the folder General policies in your toolkit.

For further information, see:

8. Can you send me examples of Major nonconformities and minor nonconformities?

First, it is important to note that major nonconformities and minor nonconformities are commonly used only in certification audits. Internal audits do not require the application of such classifications.

Examples of minor non-conformities: some of the training records are missing, not all employees are trained as they should be, some of the employment records are missing, etc.

Examples of major non-conformities: management review not performed, and a minor non-conformity not being resolved within the defined deadline.

For further information, see:

9. Can the vulnerability tests of information assets be carried out by the same organization or must an external provider be contracted to carry them out?

Please note that ISO 27001 does not prescribe who must perform vulnerability tests, so both alternatives are accepted by the standard.

10. Is an information security incident the materialization of a security risk?

Your assumption is correct.

Risk refers to the probability of something negatively affecting information.

An information security incident means that something in fact negatively affected the business or information which should be protected.

11. What is the difference between an information security event, an information security incident and an information security risk?

An event refers to something that happened that is relevant to be recorded, but you are not sure it negatively impacted information security.

An incident refers to something that happened and that in fact has negatively affected information security.

Risk refers to the probability of something happening and negatively impacting information security.

For further information, see:

For additional support, we suggest these materials:
