ISO 27001 policies are the formal rules and guidelines an organisation sets to protect its information. They are a core part of an Information Security Management System (ISMS), the set of policies, processes and controls an organisation uses to manage its information security risks. Policies make sure everyone in the organisation understands what is expected of them regarding information security.
Examples
- Access Control Policy: This policy says who can use certain information or systems. For example, it might state that only a few people can see customer credit card details.
- Acceptable Use Policy: This policy explains how employees should use company computers and networks. It might say you shouldn’t visit risky websites or download unapproved software.
- Remote Work Policy: This policy sets the rules for working from home or any other location outside the office. It might require staff to use a managed, encrypted company laptop and to connect to company systems only over the corporate VPN.
Context
An organisation’s top management sets the tone and direction for these policies and approves them, making them official; the standard itself places this responsibility on top management (clause 5.2 requires them to establish the information security policy). Policies are different from procedures. Policies are the “what” (the high-level rules), while procedures are the “how” (the step-by-step instructions). For example, a policy might say, “All laptops must be encrypted,” and a procedure would explain exactly how to enable and verify full-disk encryption on the laptops in use. These policies are a core part of an organisation’s efforts to achieve and maintain ISO 27001 certification, and an auditor will expect to see that they are approved, communicated to staff and reviewed at planned intervals, not just written down.
Relevant ISO 27001 Controls
The following controls from the ISO/IEC 27001:2022 standard (Annex A) relate directly to policies:
ISO 27001:2022 Annex A 5.1 Policies for Information Security: the main control covering ISO 27001 policies. It requires that an information security policy and its topic-specific policies are defined, approved by management, published, communicated to and acknowledged by relevant personnel and interested parties, and reviewed at planned intervals or when significant changes occur.
ISO 27001:2022 Annex A 5.36 Compliance With Policies, Rules And Standards For Information Security: the requirement to regularly check that the organisation’s policies, rules and standards are actually being followed, and to correct any non-compliance found.