Information Security Policy and the ISMS Manual

00:00

less than 3.2,

00:02

the Information Security Policy and the Isthmus Manual.

00:09

In this video, we will cover

00:12

the understanding of what is required in the information security policy in relationship the ISO 27,001 requirements.

00:21

We will also understand what the ice miss manual is and how this is different or similar to the information security policy.

00:31

So we all know an information security policy is one of the key documents in any information security program

00:38

when implementing an ice mess and working towards becoming I. So, 27,001 certified or compliant.

00:44

This is a mandatory documents

00:47

for 5.2 specifically pertains to the information security policy.

00:54

Top management must be involved in the review and the approval of the policy to ensure that it is appropriate for the organization

01:00

as well as including their statement of commitment to the ice Miss

01:04

and its continual improvement within the organization.

01:08

It is up to you to decide how the information security policy will be documented.

01:15

Generally, it is easier to have a light, overarching policy stating objectives, policy statements and anything else required,

01:23

and then having more detailed supporting policies and procedures which foot underneath this policy,

01:30

having a high level information security policy statement will give you a one pager that highlight specific information security objectives.

01:38

It is important that this is written in a way that everyone in the organization can understand and relate. Thio

01:44

Keep it simple.

01:46

An information security policy statement can also be created to have a one page of view of the objectives policy statements

01:53

in statement of commitment by top management.

01:57

So, just to recap some key things that your information security policy needs to contain

02:04

for a nice mess specifically

02:06

is your top management support statement

02:09

your information security objectives.

02:13

What objectives the Iceman's seeks to achieve

02:15

specific to information security.

02:19

For example, ensuring the business resilience off X Y traders

02:23

by preventing and minimizing the impact of security incidents.

02:29

Information Security policy statements,

02:31

which are high level policy statements off the overarching policy.

02:37

For example,

02:38

this organization will make use off Kaspersky anti virus technology

02:46

references to supporting documents.

02:49

This includes legislative considerations as well as any other policies or procedures.

02:55

It also pertains to any guideline standards baselines

03:00

that support your organization.

03:09

So we've mentioned an isthmus manual. How is the isthmus manual different from the information security policy.

03:17

Well, it's up to you how you want to split or not split your ice Miss Manual and Information Security policy.

03:25

The standard requires an information security policy to be documented as part of was 5.2.

03:35

In my experience, I've created both an information security policy, a swell as an SMS manual.

03:42

The ice mess manual contains information for all clauses from clause for to close 10

03:49

specific to my ice mess

03:52

and meeting requirements off the standard.

03:53

So if there are any decisions that need to be made or key information that needs to be documented somewhere,

04:00

I group that altogether in my ice Miss manual,

04:02

the information security policy

04:05

was more along the lines of what we as information security professionals are familiar with your organizational information security policy containing the clauses and directives for information security within your organization.

04:18

The only difference is when implementing an ice miss is the inclusion off the

04:24

components mentioned on the previous slide,

04:27

specifically the most important being the statement of commitment from top management,

04:36

the information security policy gets communicated to the entire organization. We often wanted to be a concise and to the point document,

04:44

focusing only on policy statements off what is allowed or not.

04:47

The document might become too long and over compliment Complicated. If you combine elements from the ice miss inside as well.

04:57

If you're ice, Miss Scope does not cover the whole organization, but your information security policy does.

05:02

It might be best to keep them separate in order to avoid confusion.

05:09

So what should the ice mess manual contain? And why is this one of the most important documents for your eyes mess

05:15

as well as for the orders?

05:17

The Ice Miss manual is basically your collection of all the information required for each force in the standard.

05:23

As I mentioned earlier,

05:25

it's an overview of your eye Smith S and all of its components.

05:30

It is definitely not the only document that is important, nor the only document that will exist in your eyes mess.

05:38

This is a critical point for the order, and this document should also reference any other supporting documents.

05:46

So to summarize, what is your quiet in your eye Smith Manual

05:51

or Policy?

05:55

As mentioned, it is a central place to document a summary of information for each pause.

06:00

For example, if you have nowhere else to document

06:01

decisions made or supporting information for specific clauses,

06:06

having one central document for that to make life easier.

06:12

The information that we covered in Clause four, which is the context of the organization,

06:16

is really important here.

06:18

So we recovered

06:19

internal and external factors that influence the organization, the identification of internal and external interested parties

06:29

as well as their needs and requirements. And if any other legal or regulatory requirements can be documented in your manual,

06:38

your statement from top management can be duplicated across these manuals

06:42

just to ensure you cover your basis.

06:45

However, it is only required in your information security policy documents.

06:51

Your ice amiss manual must be communicated to all personal that fall within the ice, miss scope

06:57

or four

06:59

and support the ice mess in some other way.

07:05

The best way to communicate this is to keep it on

07:09

some sort of shared working folder,

07:12

either on your company, Internet

07:14

or if you make use of child services such as Google

07:18

having a central place where the personal that need access to this document, whether it is to edit or only have read, write to it.

07:27

That's one way off

07:29

showing that this has been communicated. Um, certain cloud

07:34

services such as Google

07:36

and possibly also your company Internet would keep in order trail of who has accessed

07:43

the document

07:44

with the data in time, which provides a great order trail to show

07:47

demonstratively that people have been accessing and interacting with the document

07:59

to summarize.

08:01

This lesson recovered the difference between the information security policy and the ice M s manual.

08:09

We looked at the required components to be documented in each of these documents

08:15

specific to a nice miss.

08:18

The is a 27,001 components can be documented in a stand alone document manual or incorporated into the information security policy.

08:30

What we mean here by the ISO 27,001 components.