On the path to ISO 27001 certification, one of the most important guideposts is the Information Security Policy document. Many of the organizations we work with already have a “policy” document in some form—but often there’s a disconnect between what that document says, what they actually do, and what ISO 27001 specifies that document should do.
What to Avoid
I got the idea for this post when I looked at a new client’s information security policy document the other day and it was 658 pages long…
One reason you don’t want to put too much detail in your policy document is you’ll run yourself ragged going through the ISO-mandated re-approval process every time you need to make a change.
Focus on Strategic Goals
Keep your information security policy document at a high level, and setup a process where you review it once annually by a specific date. Operational details go in your procedures and your guidelines. These documents can be reviewed multiple times per year, because ISO 27001 doesn’t require a formal approval process for these. (The standards document is meant to be strategic.)
The main purpose of your information security policy is to define what senior management says it wants to achieve in terms of information security. It should be written at a level that execs can understand, so they can use it as a tactical tool to guide the evolution of your information security management system (ISMS).
Your ISO 27001 Policy Document Should Cover:
- What your InfoSec objectives are (which can include the scope of your ISMS)
- How these objectives align with/support your overall strategic objectives
- How you will specify, approve and review/validate these objectives
- What your accountability process will be to ensure “we do what we say and say what we do”
- Who is responsible for communicating, reviewing and updating this policy
The way I see it, helping a client create an information security policy is like a microcosm of the ISO 27001 gap assessment or risk review processes: it helps prepare you for certification by highlighting where you’re currently aligned with ISO 27001, and where you’re not. Developing the policy also reveals areas where “we do what we say and say what we do” doesn’t quite line up.
Likewise, as your ISO 27001 journey moves along, everything you identify as a risk/gap and subsequently mitigate feeds back into your policy, procedures, guidelines, standards and related documents. Beyond your initial certification, as new risks arise and you mitigate them, this may also change your policies, procedures, etc. These are living, reference documents—not “set it and forget it” documents.
Creating the documentation that ISO 27001 requires can be far more than a time-consuming exercise. It can be a value-add preparation for certification, a critical support for your ISMS, and a tool your senior management can leverage for both insight and control.
To get the guidance you need to create dynamic, functionally effective ISO 27001 documentation, contact Pivot Point Security.
It's a little more complicated than just checking off a few boxes.