Clarification in organizing required documents for ISO 27001

Sizzles

Hello all,

I am a technical writer who is new to the information security industry. The new company I work for wants to implement ISO 27001 as a means to provide structure to their information security, and of course, pick up a certification. They have some existing documentation that is scant and disorganized. I am in the process of reorganizing this information and writing up missing policies and procedures. We have already defined the internal and external limits, and a scope.

My central question at this time is what needs to be in the Information Security Policy (5.2), and how is that policy different from the litany of other policies (access control, password management, classification scheme, asset management, etc.)? Do all of these ancillary policies need to be included in the ISP of 5.2, or is it OK to have one generalized information security policy that speaks to the requirements of 5.2 and then references those other policies?

Thanks in advance for any clarity on these documents!
infosaas

I've seen two approaches to this. One is the "war and peace" approach, where an organisation seeks to encompass every possible information security related policy (access control, BYOD, acceptable use, business continuity etc.) into one massive document. The downside to this is that it is hard to effectively communicate the contents to employees and contractors, so effective personnel engagement may suffer.

My preferred approach, and one that I have used for many successful certifications, is to have a "top level" information security policy, which acknowledges and points towards individual "second level" policies, one for each of the areas above (normally between 8 and 15 in total). Easier to write, easier to manage, and easier to communicate to those who you.

As other respondents have noted, make sure that you have a copy of ISO/IEC 27001:2013 to hand so that you can ensure that policies match the requirements of the standard, and support the effectiveness of controls which you may introduce to manage risks.

Hope this helps!
 

Colin

You may also want to consider getting the free download of ISO 27000, and when it comes to understanding Annex A in 27001 you may also need 27002.

I certainly agree with infosaas: get the policies in place first. You will most likely find that you already have practices in place for many of them; it is about structuring them. One thing I usually include is an employee handbook; it is a good repository for things like password policies and the like.
Moonlight17

Hey all,
We too take the approach as infosaas.
We have an ISP referencing the others - works for us!
Sizzles

Thanks for the feedback; that helps clarify. I already have a copy of 27001 and 27002. I have finished the first draft of what I am deeming the "general" ISMS policy to satisfy clause 5.2. It includes the scope, who is responsible for the ISMS, a list of policy objectives and principles, and a commitment to continual improvement (a section regarding scheduled meetings, internal audits, etc., to continue goals).

Is that sufficient for the "top level" policy? I'm ready to start working out the second level policies, but first want to make sure the initial framing is enough.
infosaas

Hi Sizzles

No problem. The top level Information Security Policy format we provide to our customers has the following structure:

1. ISMS Policy Objectives (the purpose of the policy)
2. ISMS Scope - where we explain what is in scope and (if applicable) out of scope. We use this section to introduce the difference between information assets (data) and supporting assets (hardware, software, media etc)
3. Policy Statements. This is the section that contains 12-15 separate paragraphs, each explaining in a sentence or two a specific requirement of the ISMS (e.g. acceptable use, access control etc.) and then provides a reference to the appropriate second level policy.
4. ISMS Responsibilities - the key "runners and riders" as required both by the ISO 27001 standard and your own organisation's structure.