%20PNG.png)
Policies for Information Security are your building blocks for success.
But which Information Policies do you need?
We get a lot of questions related to the writing of security policies, not just ‘how many do I need’, but ‘why aren’t they working for us?’, and 'What Information Security Policies I need for ISO27001?'
This is a big area and it is the first control in the Annex A controls of ISO27001, so perhaps that gives you an idea that the creators of the standard believe this is where it all starts.
So what does the standard actually require? The control states;
“Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties and reviewed at planned intervals and if significant changes occur.” (A5.1 Policies for Information Security)
Whatever policies you put in place, it is important to ensure their continuing suitability, adequacy, and effectiveness otherwise, why write them?
How many Policies of Information Security do you need?
There are fewer policies than you might think. In fact, ISO27001 only mandates that there is an Information Security Policy, but there are ‘topic-specific’ policies that may be required (depending on the controls you apply).
Information Security policies are mentioned 7 times throughout the Annex A Controls, so you might deem the following to be mandatory too;
A5.1 - Information Security Policy
A7.7 - Clear Desk Policy
A8.1 - Mobile (and BYOD)
A8.13 – Back-up Policy
A8.24 – Cryptographic Controls
We will discuss these policies in detail in other blogs, but keep in mind that these are the only policies named in ISO27001. There may be other policies you need, based on your security risks and requirements.
Why it’s important
Policies are a clear sign that there is leadership, management, direction and support for information security within your organisation. They give internal and external parties a good understanding of what is required of them, and what you are doing to protect information.
What evidence you need for compliance
For ISO27001 compliance you’ll need to demonstrate a number of key things, and it’s detailed within the control itself. Firstly it states that policies shall be defined. This means they need to be written down in some way. Keep in mind the person reading the policy and that you want them to read AND understand the policy.
Next, you need to ensure the policy is approved by management. This should be evidenced by having a signature on the policies, or showing evidence that they’ve been reviewed at a meeting. Evidence of meeting minutes will be enough to satisfy this requirement.
Once written and approved, you need to communicate them to internal and external ‘interested parties’. These are the people you want to make aware of your policy.
Evidence of communication can come in the form of;
· Contracts – with suppliers and employees
· Websites and intranets (e.g. Privacy Notices)
· Emails to interested parties about the policies
A new requirement for ISO27001:2022 is the need to acknowledge they have read the policies. For smaller organisations this could simply be an email saying “I have read and understood the policy”. You can also use specific HR systems which will require a formal acceptance and acknowledgement of the policy too.
Finally, you’ll need to ensure policies are reviewed at planned intervals or when something significant changes. Our advice would be to plan an annual review of all your policies with the policy owners, or update them if there has been a change in the business. For example if there has been a merger or sale of part of the business, or you have implemented any new security controls.
What the auditor is looking for
The auditor will look at all the areas mentioned above, and will want to see you’re addressing each point.
The evidence required will include;
· Policy packs
· Minutes from meetings
· Intranet sites
· Contracts (which mention policies)
· Schedules and planners that show when policies will be reviewed
Policies for Information Security are the building blocks
Without setting a clear picture of what you expect of people (aka interested parties), then you can’t expect to implement security well.
We know this is a complex area and you may have other questions so check out our ISO27001 FAQ page or get in touch with us to discuss your specific issues. Policies and procedures are fundamentally important so don’t leave them to chance. They should be fun and engaging (like our blog posts!)
No standard (including ISO27001) says they need to be boring. Have fun with them and you’ll build trust and engagement.
If you’re finding it hard to do this, then take a look at our other blog posts on this topic or get in touch for a free consultation to discuss why your policies are failing you.