Information Security Policy and the ISMS Manual
Lesson 3.2, the Information Security Policy and the ISMS Manual.
In this video, we will cover what is required in the information security policy in relation to the ISO 27001 requirements.
We will also look at what the ISMS manual is and how it differs from, or resembles, the information security policy.
We all know an information security policy is one of the key documents in any information security program when implementing an ISMS and working towards becoming ISO 27001 certified or compliant.
This is a mandatory document; clause 5.2 specifically pertains to the information security policy.
Top management must be involved in the review and approval of the policy to ensure that it is appropriate for the organization, and the policy must include their statement of commitment to the ISMS and its continual improvement within the organization.
It is up to you to decide how the information security policy will be documented.
Generally, it is easier to have a light, overarching policy stating objectives, policy statements and anything else required, and then more detailed supporting policies and procedures which fit underneath this policy.
Having a high-level information security policy statement will give you a one-pager that highlights specific information security objectives.
It is important that this is written in a way that everyone in the organization can understand and relate to.
Keep it simple.
An information security policy statement can also be created to give a one-page view of the objectives, the policy statements and the statement of commitment by top management.
So, just to recap, the key things that your information security policy needs to contain for an ISMS specifically are:
your top management support statement;
your information security objectives, meaning what objectives the ISMS seeks to achieve specific to information security. For example, ensuring the business resilience of XY Traders by preventing and minimizing the impact of security incidents;
information security policy statements, which are high-level policy statements of the overarching policy. For example, "this organization will make use of Kaspersky anti-virus technology";
references to supporting documents. This includes legislative considerations as well as any other policies or procedures. It also pertains to any guidelines, standards and baselines that support your organization.
So we've mentioned an ISMS manual. How is the ISMS manual different from the information security policy?
Well, it's up to you how you want to split, or not split, your ISMS manual and information security policy.
The standard requires an information security policy to be documented as part of clause 5.2.
In my experience, I've created both an information security policy as well as an ISMS manual.
The ISMS manual contains information for all clauses from clause 4 to clause 10, specific to my ISMS and meeting the requirements of the standard.
So if there are any decisions that need to be made or key information that needs to be documented somewhere, I group that all together in my ISMS manual.
The information security policy is more along the lines of what we as information security professionals are familiar with: your organizational information security policy containing the clauses and directives for information security within your organization.
The only difference when implementing an ISMS is the inclusion of the components mentioned on the previous slide, the most important being the statement of commitment from top management.
The information security policy gets communicated to the entire organization. We often want it to be a concise and to-the-point document, focusing only on policy statements of what is allowed or not.
The document might become too long and overcomplicated if you combine elements from the ISMS manual inside it as well.
If your ISMS scope does not cover the whole organization but your information security policy does, it might be best to keep them separate in order to avoid confusion.
So what should the ISMS manual contain, and why is this one of the most important documents for your ISMS as well as for the auditors?
The ISMS manual is basically your collection of all the information required for each clause in the standard.
As I mentioned earlier, it's an overview of your ISMS and all of its components.
It is definitely not the only document that is important, nor the only document that will exist in your ISMS.
This is a critical point for the auditor, and this document should also reference any other supporting documents.
So, to summarize what is required in your ISMS manual:
As mentioned, it is a central place to document a summary of information for each clause.
For example, if you have nowhere else to document decisions made or supporting information for specific clauses, having one central document for that makes life easier.
The information that we covered in clause 4, which is the context of the organization, is really important here.
There we covered the internal and external factors that influence the organization, the identification of internal and external interested parties as well as their needs and requirements, and any other legal or regulatory requirements; all of these can be documented in your manual.
Your statement from top management can be duplicated across these documents just to ensure you cover your bases.
However, it is only required in your information security policy document.
Your ISMS manual must be communicated to all personnel that fall within the ISMS scope or support the ISMS in some other way.
The best way to communicate this is to keep it in some sort of shared working folder, either on your company intranet or, if you make use of cloud services such as Google, in a central place where the personnel that need access to this document, whether to edit it or only to read it, have rights to it.
That's one way of showing that this has been communicated. Certain cloud services such as Google, and possibly also your company intranet, keep an audit trail of who has accessed the document and at what date and time, which provides a great audit trail to demonstrate that people have been accessing and interacting with the document.
This lesson covered the difference between the information security policy and the ISMS manual.
We looked at the required components to be documented in each of these documents specific to an ISMS.
The ISO 27001 components can be documented in a stand-alone manual or incorporated into the information security policy.
What we mean here by the ISO 27001 components is all the information pertaining to clauses 4 to 10 that you have nowhere else to document, that is, the information or decisions made for those clauses.