ISO 27001 Information Security Management Standard - Clause 5.2

Posted by Craig Thornton

Part 15: Clause 5.2 Information Security Policy

At the head of every information security management system (ISMS) sits the information security policy. This is one of the first documents you create when building your ISMS, and it is also one of the most important.

The Policy is the foundation of your whole ISMS. It is what your entire system will be built on. The Policy should clearly communicate the intentions and the strategic impact of information security.

This Policy is a document that is established, implemented and maintained by the senior managers of your organisation. Not involving them in creating the document is a big mistake: without their involvement, implementing and maintaining your ISMS becomes very difficult.


The Policy must align with the overall purpose and context of your organisation and be formally communicated to all staff.

Its role is to create one clear vision so that everyone understands the objectives and strategic direction of your information security. And it had better do this well, because it is from the Policy that everything else contained in the entire system will flow.

Here is an example of what I mean. The Policy sits at the top of the documentation hierarchy. From the Policy flow the objectives. From these objectives, high-level procedures are created. These procedures drive the creation of forms and records, which in turn supply the details for SOPs, and so on. Essentially, the Policy is embedded in each and every document in the system.

What can go wrong with Information Security Policies?

Organisations with an ineffective Policy will eventually find themselves with a poorly performing ISMS as a whole. If your ISMS is performing poorly, it could be because your Policy is:

  • Too complex and lacking in clarity;
  • A process instead of a policy;
  • Not clearly communicated throughout the organisation; and/or
  • Not fully committed to by management.

Our Experience at Mango

Here at Mango, we asked for input into the Policy from all employees of the company. We listened to our staff because we value them highly, and because we wanted to encourage them to get on board with our Policy and to share the same desired vision. This was an effective strategy for us as it encouraged participation and enhanced the engagement of our staff. If you are part of a small organisation then I strongly encourage you to adopt a similar approach.

Communicate the Policy

Once your Policy is finalised it is important that management clearly communicates it to your staff and makes access to it easy. At Mango, we sat down with our staff and went over our finalised Policy to ensure everyone's understanding was correct. We then uploaded it into our Mango document management system so that our staff could access it at any time.

Takeaways

Here are the takeaways from this:

  • The Policy does not need to be overly complicated. Simplicity is best.
  • The Policy needs to be communicated, understood and applied within the organisation.
  • Management needs to show commitment to the Policy and be role models for the staff under them.
  • Commitment needs to be shown at all levels of the organisation.
