08 May ISO27001. A.5.1.1. Information security policies
Among the control points that we have to take into account is the one related to information security policies, part of section A.5, Information security policies, and specifically of subsection A.5.1, Management direction for information security. At this point I want to comment on how I work with my clients when I collaborate as an ISO27001 internal auditor, and what we expect the certification auditor to review.
A set of information security policies must be defined, approved by management, published and communicated to employees and to the relevant external parties involved.
How to implement it in our companies?
The organization's policies in this section should be simple. Rather than cramming everything into a single, overly detailed document, it is more usual to have a short high-level policy that links to the more specific policies the company may have, and to distribute that high-level policy to all employees and stakeholders.
It is recommended to keep a list of the policies the organization has defined. Some examples:
- Access control policy: access is granted according to the principle of need to know / need to use.
- Backup Policy: Laptops are not backed up, but can be restored from the image in case of disaster.
- Code of conduct: mobile device policy
- Cryptography policy: Following the information classification policy, encryption must be used to protect information classified as confidential, at rest or on the move.
- Mobile device policy: remote work
- Password Policy: Passwords must be strong (at least 8 characters, use of lowercase / uppercase / numbers / symbols)
- Privacy Policy: We recognize the importance of information security and privacy protection.
- …
Each policy must then be developed according to the characteristics and expectations of the organization. Depending on their role, each employee will be informed of the policies they must know and comply with. For the policies distributed to third parties or outside the organization, we must make sure they do not include information that is sensitive for our company.
Information security policies should be reviewed and form part of the ISO27001 documentation.
Next I include a condensed example of a policy, in this case the password policy:
Summary
- The password policy defines the requirements for passwords.
- The policy is applicable to all internal and external personnel.
Principles
- Passwords must be strong (at least 8 characters, use of lowercase / uppercase / numbers / symbols).
- Do not use the same password for more than one service or system.
- Do not share your password with anyone.
- Change the password at least once a year.
- Do not reuse old passwords.
- The password cannot contain any of the following information: username, pseudonym, name, surname or date of birth.
- Avoid writing passwords on post-it, notebooks, or any other physical format.
- The use of tool X for password management is mandatory.
Related Policies
- Information security policy
- Information classification policy.
- Access control policy
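The rules in the password policy above are the kind of thing an auditor will ask to see enforced, not just written down. The following is an added example, not part of the original post, of how the technical rules (length, character classes, no personal data, no reuse of old passwords) can be checked at the point where a password is set. The user profile, its field names and the salted PBKDF2 history format are assumptions made for the example; the annual rotation, the "do not share" rule and the mandatory use of tool X are process controls that a checker like this cannot verify.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

# Hypothetical user profile: the fields the policy forbids inside a password,
# plus the salted hashes of previous passwords (never the passwords themselves).
@dataclass
class UserProfile:
    username: str
    first_name: str
    surname: str
    date_of_birth: str                      # ISO format YYYY-MM-DD
    history: list = field(default_factory=list)  # list of (salt, digest)

MIN_LENGTH = 8
CHARACTER_CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

def _digest(password, salt):
    # PBKDF2-HMAC-SHA256; the history stores only these digests.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def forbidden_tokens(profile):
    # Personal data that must not appear in the password, in the spellings a
    # user is likely to type (full date, year, and common day/month orderings).
    year, month, day = profile.date_of_birth.split("-")
    tokens = {
        profile.username, profile.first_name, profile.surname,
        profile.date_of_birth, year,
        year + month + day, day + month + year, day + month + year[2:],
        month + day, day + month,
    }
    return {t.lower() for t in tokens if len(t) >= 2}

def check_password(password, profile):
    """Return the list of policy violations; an empty list means compliant."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in CHARACTER_CLASSES.items():
        if not pattern.search(password):
            violations.append(f"missing {name} character")
    lowered = password.lower()
    for token in sorted(forbidden_tokens(profile)):
        if token in lowered:
            violations.append(f"contains personal data: {token}")
    # Compare against every stored digest in constant time to detect reuse.
    for salt, digest in profile.history:
        if hmac.compare_digest(_digest(password, salt), digest):
            violations.append("reuses a previous password")
            break
    return violations

def record_password(profile, password):
    """Store a fresh salted digest so the password cannot be reused later."""
    salt = os.urandom(16)
    profile.history.append((salt, _digest(password, salt)))

if __name__ == "__main__":
    # Constructed sample user for demonstration.
    user = UserProfile("jdoe", "John", "Doe", "1985-03-22")
    for candidate in ["Sh0rt!", "John1985!", "Tr0ub4dor&3"]:
        print(candidate, "->", check_password(candidate, user) or "OK")
    record_password(user, "Tr0ub4dor&3")
    print("reuse ->", check_password("Tr0ub4dor&3", user))
```

The history check deliberately stores salted digests rather than old passwords, so the reuse rule can be enforced without keeping a list of secrets; the personal-data check lowercases both sides so that "JOHN" and "john" are caught equally.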
What will the ISO27001 certification auditor focus on?
Depending on the scope and other circumstances, I can generalize that the auditor focuses on the following aspects:
- Produced at a high level of the organization, with version control.
- Signed by the senior manager.
- Comprehensive definition of information security for the company, scope and objectives.
- Reasons why information security is key for the organization.
- Defined support from senior management.
- A summary of the chosen framework for risk management including its objectives and controls.
- Summary of security policies, principles, criteria and compliance requirements.
- How non-compliances or limitations to information security are managed.
- Other aspects…
The lead auditor will likely verify that the policies are accessible to employees and to interested third parties according to their role in the organization. This means checking that the policy has been communicated and that those parties know it, or can reach the company's security policy document with relative ease, that is, it is at their disposal. It may even form part of a more extensive document, often called a MANUAL OF SECURITY POLICIES, that details how the security policies are implemented in the organization. The auditor may also look for evidence that employees within the defined scope of the ISO27001 system have assigned information security responsibilities.
Likewise, the auditor may verify that each policy is kept up to date through the information security change management process, and that each policy has an owner responsible for maintaining it.
I also invite you to consult the ISO27002 guide, specifically point 5.1.1.
Luis Vilanova Blanco. CISA Auditor by ISACA and trained in ISO27001 by SGS.
luis@luisvilanova.es
606954593