Sizzles
Hello all,
I am a technical writer who is new to the information security industry. The new company I work for wants to implement ISO 27001 as a means to provide structure to their information security and, of course, pick up a certification. They have some existing documentation that is scant and disorganized. I am in the process of reorganizing this information and writing up missing policies and procedures. We have already defined the internal and external limits, and a scope.
My central question at this time is what needs to be in the Information Security Policy (5.2), and how is that policy different from the litany of other policies (access control, password management, classification scheme, asset management, etc.)? Do all of these ancillary policies need to be included in the ISP of 5.2, or is it OK to have one generalized information security policy that speaks to the requirements of 5.2 and then references those other policies?
Thanks in advance for any clarity on these documents!