Clarification in organizing required documents for ISO 27001

Sizzles

#1
Hello all,

I am a technical writer who is new to the information security industry. The new company I work for wants to implement ISO 27001 as a means to provide structure to their information security and, of course, pick up a certification. They have some existing documentation that is scant and disorganized. I am in the process of reorganizing this information and writing up missing policies and procedures. We have already defined the internal and external limits, and a scope.

My central question at this time is what needs to be in the Information Security Policy (5.2), and how is that policy different from the litany of other policies (access control, password management, classification scheme, asset management, etc.)? Do all of these ancillary policies need to be included in the ISP of 5.2, or is it OK to have one generalized information security policy that speaks to the requirements of 5.2 and then references those other policies?

Thanks in advance for any clarity on these documents!

infosaas

#3
I've seen two approaches to this. One is the "war and peace" approach, where an organisation seeks to encompass every possible information security related policy (access control, BYOD, acceptable use, business continuity etc.) into one massive document. The downside to this is that it is hard to effectively communicate the contents to employees and contractors, so effective personnel engagement may suffer.

My preferred approach, and one that I have used for many successful certifications, is to have a "top level" information security policy, which acknowledges and points towards individual "second level" policies, one for each of the areas above (normally between 8 and 15 in total). Easier to write, easier to manage, and easier to communicate to those who you.

As other respondents have noted, make sure that you have a copy of ISO/IEC 27001:2013 to hand so that you can ensure that policies match the requirements of the standard, and support the effectiveness of controls which you may introduce to manage risks.

Hope this helps!
 

Colin

#4
You may also want to consider getting the free download of ISO 27000 and when it comes to understanding Annex A in 27001 you may also need 27002.

I certainly agree with infosaas: get the policies in place first. You will most likely find that you already have practices in place for many of them; it is about structuring them. One thing I usually include is an employee handbook, as it is a good repository for things like password policies and the like.

Moonlight17

#5
Hey all,
We too take the approach as infosaas.
We have an ISP referencing the others - works for us!

Sizzles

#6
Thanks for the feedback, and that helps clarify. I already have a copy of 27001 and 27002. I have finished the first draft of what I am deeming the "general" ISMS policy to satisfy clause 5.2. It includes the scope, who is responsible for ISMS, a list of policy objectives and principles, and commitment to continual improvement (a section regarding scheduled meetings, internal audits, etc., to continue goals).

Is that sufficient for the "top level" policy? I'm ready to start working out the second level policies, but first want to make sure the initial framing is enough.

infosaas

#7
Hi Sizzles

No problem. The top level Information Security Policy format we provide to our customers has the following structure:

1. ISMS Policy Objectives (the purpose of the policy)
2. ISMS Scope - where we explain what is in scope and (if applicable) out of scope. We use this section to introduce the difference between information assets (data) and supporting assets (hardware, software, media etc)
3. Policy Statements. This is the section that contains 12-15 separate paragraphs, each explaining in a sentence or two a specific requirement of the ISMS (e.g. acceptable use, access control etc.) and then providing a reference to the appropriate second level policy.
4. ISMS Responsibilities - the key "runners and riders" as required both by the ISO 27001 standard and your own organisation's structure.