ISO 27001 Implementation Guideline Clause 5.2 Policy


Required activity

Top management establishes an information security policy.

Explanation

The information security policy describes the strategic importance of the ISMS for the organization and is available as documented information. The policy directs information security activities within the organization. The policy states what the requirements for information security are within the actual context of the organization.
The information security policy should contain brief, high level statements of intent and direction concerning information security. It is often specific to the scope of an ISMS, or it can have wider coverage. All other policies, procedures, activities and objectives associated with information security should be aligned with the information security policy.
The information security policy should reflect the organization's business situation, culture, issues and concerns regarding information security. The extent of the information security policy should be in accordance with the purpose and culture of the organization and should seek a balance between ease of reading and completeness. It is important that users of the policy can identify themselves with the strategic direction of the policy.
The information security policy can either include information security objectives for the organization or describe the framework for how information security objectives are set (i.e. who sets them for the ISMS and how they are to be deployed within the scope of the ISMS). For instance, in very large organizations, high level objectives should be set by the top management of the whole organization; then, consistent with a framework established within the information security policy, the objectives should be detailed in a way that gives a sense of direction to all interested parties.
The information security policy should contain a clear statement from top management on its commitment to satisfy information security related requirements. The information security policy should also contain a clear statement that top management supports continual improvement in all activities. It is important to state this principle within the policy, so that persons within the scope of the ISMS are aware of it.
The information security policy should be communicated to all persons within the scope of the ISMS. Therefore, its format and language should be appropriate so that it is easily understandable by all recipients.
Top management should decide to which interested parties the policy should be communicated. The information security policy is often written in such a way that it is possible to communicate it to relevant external interested parties outside of the organization. Examples of such external interested parties are customers, suppliers, contractors, subcontractors and regulators. If the information security policy is made available to external interested parties, it should not include confidential information.
-----------------------------------------------------------------------------------------------------------------
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com

Comments

  1. I agree with all of you that this information is pretty useful and definitely deserves a bookmark.

    ISO 27001 Certification Bodies in India

