Good morning, is it possible to help me with the following questions?
1. Every information security policy must have at least one procedure associated with it.
2. Can security policies and procedures be written in the same document or should they be separate documents?
3. Should the strategic information security policies be in a separate document from the technical information security policies? Or can they be in the same document?
4. What is the difference between Policies, standards and Procedures?
5. Should the person in charge of information security be independent from the area of information technology? Or can it be a person/position that is part of the information technology area?
6. Can the technology leader also be responsible for information security?
7. Do you have any template of how to write a strategic information security plan?
8. Can you send me examples of major nonconformities and minor nonconformities?
9. Can the vulnerability tests of information assets be carried out by the same organization or must an external provider be contracted to carry them out?
10. Is an information security incident the materialization of a security risk?
11. What is the difference between an information security event, an information security incident and an information security risk?