ISO 27001 Implementation Guideline Clause 5.2 Policy

Required activity

Under ISO 27001 Implementation Guideline Clause 5.2 Policy, an information security policy is to be developed by top management.

An explanation

Documented information on the ISMS strategy and its importance for the organization can be found in the information security policy. Whenever an organization performs information security activities, it is guided by its policy. The policy outlines the minimum information security requirements within the organization’s context.

A brief, high-level statement of intent and direction concerning information security should be included in the information security policy. These elements can be specific to an ISMS, or they can cover a wider range of subjects. All other policies, procedures, activities, and objectives related to information security must be aligned to the information security policy.

An organization’s information security policy should reflect the business environment, culture, and information security concerns it faces. In terms of the extent and content of an information security policy, the policy should be aligned with the goal and culture of the organization and ensure an appropriate balance between readability and completeness. It is essential for policy users to identify with the policy’s strategic direction.

An information security policy either describes the organization’s information security objectives or describes the framework for setting them (e.g. who should determine the objectives and how they should be implemented following the ISMS). For example, in very large organizations, top management should establish high-level objectives, then, using a framework defined within the information security policy, explain how those objectives will be achieved to give direction to all interested parties.

Management should make a transparent statement in the information security policy about its commitment to satisfying information security requirements. A clear statement of top management’s support for continual improvement should be a part of any information security policy. A policy should clearly state this principle so that it is understood by all the persons involved in the ISMS.

Any person within the scope of the ISMS should be informed of the ISMS information security policy. It must, therefore, follow the proper format and language so that all recipients can easily understand it.

Top management should decide which interested parties should be informed about the policy. Most information security policies are written in such a way that relevant external interested parties should be able to understand them. Customers, suppliers, contractors, subcontractors and regulatory bodies are a few examples of external interested parties. Information security policies should not contain confidential information if they are available to external parties.

An organization can include an information security policy as a separate standalone policy or as part of a broader policy that addresses a variety of subjects within the organization (such as quality, environment, and information security).

As documented information, the information security policy should be readily available. ISO/IEC 27001’s requirements do not outline a specific form for this documentation, and the organization must decide what is most appropriate for it. Whenever possible, the information security policy should follow the organization’s standard policy template.
