Expert Advice Community

Template content

Guest user Created: Mar 13, 2020 Last commented: Mar 13, 2020

We need some guidance in understanding and applying one section of your template for the Acceptable Use Policy, §3.14 — E-mail and other message exchange methods.

The final paragraph of that section requires that “Each e-mail message must contain a disclaimer, except messages sent through communication systems determined by IT Manager. Should a user post a message on a message exchange system (social networks, forums, etc.), he/she must unambiguously state that it does not represent the organization's viewpoint.”

The intended purpose or scope of this requirement is not clear to us. Does it apply to both business and personal messages? We state elsewhere that only business communications may take place over the organization’s information exchange systems. Is it referring to postings on social media talking about the company, which should state that they do not represent the organization's viewpoint? Can you give us examples of the kind of disclaimer that is intended here? I find no direct reference to this within ISO 27001.

Are these really two separate requirements? One for all e-mail communications, stating the privacy requirements that we often see at the bottom of incoming e-mails, and another requirement stating that someone's personal opinion does not necessarily represent the organization’s viewpoint? Can you please help us understand this requirement so we can establish the appropriate controls?

Expert
Rhand Leal Mar 13, 2020

These are two separate requirements.

The phrase about the e-mail message refers to business messages, sent through approved business channels. The phrase about the message on a message exchange system refers to personal messages posted on non-business channels.

Please note that sometimes, when people know where you work, comments posted on social media can be interpreted by others as your organization's point of view. That's why many organizations have internal rules orienting their employees not to make comments related to work (in most cases, if you want to include your organization in your timeline, organizations suggest that you share the organization's posts). These suggestions are not requirements of ISO 27001, but good practices. You can decide for yourself whether to apply this or not.
