ISO 27001 Implementation Guideline Clause 5.2 Policy


Required activity

Top management establishes an information security policy.

Explanation

The information security policy describes the strategic importance of the ISMS for the organization and is out there as documented information. The policy directs information security activities within the organization.The policy states what the requirements for information security are within the actual context of the organization.
The information security policy should contain brief, high level statements of intent and direction concerning information security. It is often specific to the scope of an ISMS or can have wider coverage. All other policies, procedures, activities and objectives associated with information security should be aligned to the knowledge security policy.
The information security policy should reflect the organization’s business situation, culture, issues and concerns concerning information security. The extent of the knowledge security policy should be in accordance with the aim and culture of the organization and will seek a balance between simple reading and completeness. it’s important that users of the policy can identify themselves with the strategic direction of the policy.
The information security policy can either include information security objectives for the organization or describe the framework for a way information security objective are set (i.e. who sets them for the ISMS and the way they ought to be deployed within the scope of the ISMS). for instance , in very large organizations, high level objectives should be set by the highest management of the whole organization, then, consistent with a framework established within the information security policy, the objectives should be detailed during a thanks to provides a sense of direction to all or any interested parties.
The information security policy should contain a transparent statement from the highest management on its commitment to satisfy information security related requirements. The information security policy should contain a transparent statement that top management supports continual improvement altogether activities. it’s important to state this principle within the policy, in order that persons within the scope of the ISMS are conscious of it.
The information security policy should be communicated to all or any persons within the scope of the ISMS.Therefore, its format and language should be appropriate in order that it’s easily understandable by all recipients.
Top management should plan to which interested parties the policy should be communicated. the knowledge security policy is often written in such how that it’s possible to speak it to relevant external interested parties outside of the organization. samples of such external interested parties are customers, suppliers, contractors, subcontractors and regulators. If the knowledge security policy is formed available to external interested parties, it shouldn’t include tip.
-----------------------------------------------------------------------------------------------------------------
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com

Comments

  1. I agree with all of you that this information is pretty useful which definitely deserve
    for bookmark.

    ISO 27001 Certification Bodies in India

    ReplyDelete

Post a Comment

Popular posts from this blog

10 Secrets You Will Never Know About Cyber Security And Its Important

ISO 27001 Annex : A.5 Information Security Policies

Impact Of ISO 27001 Lead Auditor