1. Wondering a bit about organization of files; We have a list of policies we need to write first – one is "Information Security Awareness, Education & Training" - I find it in referenced as A.7.2.2
Yet when I go in the folder below where I expect to find it in, there is not an A.7.2.2. document …27001_EN\08_Annex_A_Security_Controls\A.7_Human_Resource_Security.
There IS a A.7.2_Statement of Acceptance.
Also, the following are policies we need; however they seem to paint to no specific document. Where would you recommend we add these?
Patch Management Policy – in A.8.2 – IT Security Policy?
Information Security in Project Management – where to discuss this or assign project manager responsibilities?
Separation of Development, testing & Operational Environments – listed as a.12.1.3 – but not sure where to create it as I can’t find any sample wording.