What to include in Information security policy?
Answer:
ISO 27001 does not require you to include product and services, nor partnerships, supply chains and interested parties in your Information security policy. According to ISO 27001, this policy is a top-level document without many details - see this article: Information security policy – how detailed should it be? https://advisera.com/27001academy/blog/2010/05/26/information-security-policy-how-detailed-should-it-be/
Typically, you should include information about your products and services in your ISMS Scope document, see this article: How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
And the information about interested parties and their requirements should go to a separate list, learn about it here: How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
You could include all this information in the Information security policy, but this would be very impractical.
This free online course will also be of great help to you: ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
May 14, 2016