Organization of the Information Security Policy
The information security policy may include the following attributes:
1. Scope of the ISMS
2. ISMS policy
3. Importance of security for the organization
4. Explanation of how the organization will maintain information security and information security systems
5. Comment on a management framework that needs to be established to initiate, implement, and control information security within the organization
6. Procedures for approval, including information security, assigning of the security roles, and coordination of security across the organization
7. Responsibility of information security
8. Business continuity processes, management, and testing
9. Security awareness and training
10. Explanation of how reporting is done for a security breach and the consequence of a security violation
11. Virus control
12. Organization information classification
13. Safeguarding of organization’s records
14. Data protection
15. Compliance with the ISMS policy
16. Security forum
17. Access control
The following sections provide additional detail for each of the attributes in the list above.

Scope of the ISMS
The scope of the ISMS may be the entire enterprise, regional, or business line (i.e., a holding company may comprise many separate business lines). Describe the locations
and relationships with respect to operations, technical connectivity, interdependences, key assets, and key business functions. The scope provides focus for the remainder of the ISMS, security policy, and security controls.

ISMS Policy Document
ISO provides an integrated set of organizational standards that include ISO 9001:2000, ISO 14001:2004, and now ISO 27001:2005. One effective management system may apply to many standards; ISO intends the ISO ISMS to integrate with other standards to create a single management system applicable to many aspects of the organization. To this effect, the ISMS policy is part of the management framework as well as part of the information security policy.

The ISMS policy is a high-level document where the organization prescribes the driving principles and overall sense of direction for actions regarding information security. An effective length is no more than a few pages. These pages should strongly reflect management’s commitment to securing information and information technology. The ISMS policy document includes the need to preserve confidentiality, integrity, and availability of information, information technology, and associated business functions, personnel, infrastructure, etc. The policy may also state the use of the ISMS to support a compliance management program, that is, to adhere to regulations, legislation, and other compliance requirements. Include a statement of management involvement, accountability to management, and the need for management review of the ISMS. Also, include a statement that conveys management commitment to invest money and labor to uphold information security