5. Information Security Policies

A.5 Information Security Policies

5. 1  Management direction for information security

5 Information Security Policies, Its objective is to provide management guidance and information security assistance in accordance with business requirements and relevant laws and regulations.

5.1.1 Policies for Information Security

Control-  A set of information security policies should be established, managed accepted, published and communicated to the employees and related external parties.

Implementation Guidance- At the very least companies need to identify a management-approved “information security strategy,” which outlines the organization’s approach to managing its information security goals.

Information security policies should meet criteria that have been created by:

  1. Business strategy;
  2. Regulations, legislation and contracts;
  3. The present and projected information security threat environment
Related Product : ISO 27001 Lead Auditor Training And Certification ISMS

The information security policy should contain statements concerning:

  1. Information security concept, goals and principles that guide all information security activities;
  2. Assigning general and specific responsibilities of information security management to defined roles;
  3. Deviation and exception handling processes.

At the very least, Information security policy should be accompanying with  topic-specific policies that also enforce the implementation of information security controls which are usually designed to meet the needs of certain target groups within the organization or to cover other topics. Few policy topics are :-  Access Control (Clause 9), cryptographic control (Clause 10), physical and environmental security (Clause ), etc.

At Info-savvy, we guide you with proper knowledge of information security assistance and how can you make them meet the business requirements, we give flood of practical examples, customizing our teaching style; thus making learning easy and amazing experience for the participants so that they can excel in managing ISMS, This learning is covered in our training sessions of IRCA CQI ISO 27001:2013 Lead Auditor (LA) and ISO 27001 Lead Implementer (LI) (training certified by TÜV SÜD)

Other information

The need for internal information security policies varies across organizations. Internal policies are particularly useful in larger and more complex organizations where those defining and approving the expected levels of control are separated from those implementing the controls or in situations where the policy applies to a number of different people or functions within the organization. Information security policies are often issued in the context of a single “information security policy” document or as a group of individual but related documents.

If some of the information security policies are shared publicly, it is important to be careful not to reveal details. In such policy documents, certain companies use certain terminology such as “standards,” “directives” or “regulations.”

5.1.2 Review of the policies for information security

Control– The information safety policies should be reviewed at regular intervals or where there are major corrections to ensure that they are acceptable, relevant, and efficient.

Implementation Guidance– Each policy should include an owner who has agreed to manage and evaluate policies for the event. The evaluations will include identifying opportunities to improve the procedures and practices and addressing the management of information security corresponding  to the changes in  business environment, regulatory requirements or technical environment.

The results of the management reviews should be taken into account for the review of information security policies. Management approval of a new policy should be obtained.

Questions related to this topic

1. What should be in an information security policy?
2. What are the three types of security policies?
3. What are security policies and procedures?
4. Are security policies distinct from guidelines standards procedures and controls?


Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092

Contact us – www.info-savvy.com

https://g.co/kgs/ttqPpZ

Leave a Comment

Your email address will not be published. Required fields are marked *