5.1.1 Information Security Policy Document

This control is related to Management and Operations.

Management should provide support and a clear policy direction across the organization in the form of a written business document for information security. Management must communicate the information security policy to all employees and relevant parties, including consultants, contractors, vendors, business partners, etc.

The information security document can be merged with another policy document. A formal process can be developed for communicating the information security policy document. An effective information security policy document contains a clear strategy and a series of well-defined goals. Important questions to be answered while implementing this control:

  • Is there a formal information security document published by management representing the business, legal, contractual and regulatory requirements of the organization?
  • Does the security policy contain the definition of information security, its overall objectives and scope and the importance of security as an enabling mechanism for information sharing?
  • Is the information security document made available to all employees and users, including third parties, of the organization's information systems?
  • How is the policy communicated to all affected parties and what is the frequency of communication?
  • Does the information security policy document address the business objectives of the organization?
  • Does the information security policy document account for all applicable laws, regulations and contractual requirements?
  • Is there a documented structure for risk assessment and risk management within the body of information security policy?
  • Does the information security policy document cover all 11 applicable control areas within the standard?
  • Does the information security policy document contain explanation about information security education, training, and awareness requirements?
  • Does the information security policy document contain explanation about business continuity management?
  • Does the information security policy document contain explanation about consequences of information security policy violations?
  • Does it describe the roles and responsibilities for information security management and reporting information security incidents?
  • Does the information security policy document reference other policies, standards or control procedures as appropriate?

Management interaction and support is mandatory for this control to be fully effective. Apart from funding support, cultural support is very important: it is critical for helping build cultural standards or models within the organization and for gaining the acceptance of individual users and groups.

Please note: the information security policy addresses what must be done. It does not address how to do it. A number of processes, procedures and guidelines should be developed to support the information security policy document.

Categories: ISO 27001