The ISO 27001 information security policy is your main high level policy. This policy sets the principles, management commitment, the framework of supporting policies, the information security objectives and roles and responsibilities and legal responsibilities. This is the policy that you can share with everyone and is your window to the world.
You are going to have a suite or pack of policies that are required by ISO 27001 and make good sense for a governance framework. Each policy whilst it can be in one mahoosive document is best placed into its own document. By having separate documents:
- They are easy to assign and owner to keep up to date and implement
- They are easy to review and sign off
- They are easy to share with only the people they are relevant to
The information security management system is built upon an information security policy framework. In conjunction with this policy, the following policies make up the policy framework:
- DP 01 Data protection Policy
- DP 02 Data Retention Policy
- IS 01 Information Security Policy ( this policy )
- IS 02 Access Control Policy
- IS 03 Asset Management Policy
- IS 04 Risk Management Policy
- IS 05 Information Classification and Handling Policy
- IS 06 Information Security Awareness and Training Policy
- IS 07 Acceptable Use Policy
- IS 08 Clear Desk and Clear Screen Policy
- IS 09 Mobile and Teleworking Policy
- IS 10 Business Continuity Policy
- IS 11 Backup Policy
- IS 12 Malware and Antivirus Policy
- IS 13 Change Management Policy
- IS 14 Third Party Supplier Security Policy
- IS 15 Continual Improvement Policy
- IS 16 Logging and Monitoring Policy
- IS 17 Network Security Management Policy
- IS 18 Information Transfer Policy
- IS 19 Secure Development Policy
- IS 20 Physical and Environmental Security Policy
- IS 21 Cryptographic Key Management Policy
- IS 22 Cryptographic Control and Encryption Policy
- IS 23 Document and Record Policy