Is policy required for each procedure in ISMS ?

*baynoli* · #1 31st July 2012, 04:18 AM

Hi All,

Good Day,

In documentation part of isms, do i really need a policy/ies for each procedure I made?

Cheers Everyone,

Thanks,

klooden

**Stijloor** · #2 31st July 2012, 04:46 AM

A Quick Bump!

Can someone help?

Thank you very much!!

**Colin** · #3 31st July 2012, 05:23 AM

I am not quite sure I understand the question. 27001 requires an ISMS policy (4.2.1 b) and it requires procedures in various areas e.g. for monitoring and reviewing the ISMS.

I don't see the need for a policy for each procedure though it would be normal to define the purpose and scope of each procedure you prepare.

**Richard Regalado** · #4 11th August 2012, 12:27 AM

Colin is correct. You need an information security policy. But not a policy for all of your procedures.

If you are referring to the Annex-A controls, I usually create "sub-policies" for each applicable control and have them in an ISMS manual. BTW, an ISMS manual is not a requirement but I found it very useful to link to other documented information within the ISMS.

For example for Control A.10.4.1 Controls against malicious code, you could have a policy statement which says "All information processing facilities which connect to the organization's network and processes information owned by the organization shall have the official anti-virus software used by the organization and is updated frequently."

	The Deming PDCA Cycle	ISO 9001 QMS Implementation	FMEA Information	APQP Information
Auditing Information	8-D Problem Solving	Statistics	Error Proofing (Poka Yoke)	Brainstorming
Identifying Waste	Pull Systems	Lead Time Reduction	Planned Maintenance	Quick Setup
Discovering Change	Process Capability - Cp vs. Cpk	Histogram Animation	Process Loop Animation	Taguchi Loss Function
		Fishbone / Cause and Effects Animation