For ISO 27001 compliance, we need to design two different policy levels in the management system: the first satisfies requirement 5.2 of the Standard, while the second must provide for individual, more specific policies that satisfy the controls of Annex A.
Do you want to proceed with the development of the information security policy without wasting time?
First, in the context of Leadership (clause 5), define the General Security Policy.
Then, when implementing the Information Security Plan (or Statement of Applicability), establish the following 9 policies:
- Policy for the use of portable devices
- Telework Policy
- Access control policy
- Policy on the use of cryptographic controls
- Clean desk and clear screen policy
- Backup policy
- Information Transfer Policy
- Secure development policy
- Security policy in relations with suppliers
There are two steps to take. The practical examples that follow offer effective suggestions for structuring the Security Policy and the policies required by the controls. First of all, it is important to understand a distinction: the difference between the term rendered in Italian as “politics” in ISO 27001 and the term used by Annex A, in English, “policy”.
The information security policy pursuant to 5.2 of ISO 27001
Don’t be confused by the similarity. The term “politics”, as expressed in Italian, refers to the organization’s assumption of general responsibility for the conduct of information security. This is a policy that affects security as a whole. The ISO 27001 requirement makes clear the general scope of the term, which is intended to incorporate the aims of the organization, all of its objectives, all of its requirements, and so on.
The policies of Annex A of the security controls of ISO 27001
The term “policy”, deliberately left in English in Annex A by the same standardization body, has a meaning that is anything but “general”. On the contrary, the “policies” required by Annex A must be understood in the original English sense of the word, in which policies are rules.
Rules for portable devices, rules for teleworking, rules for access control, and so on.