Information Security Policy and the ISMS Manual

Time: 7 hours 56 minutes
Difficulty: Intermediate
CEU/CPE: 8
Video Transcription
00:00
Lesson 3.2:
00:02
the Information Security Policy and the ISMS Manual.
00:09
In this video, we will cover
00:12
the understanding of what is required in the information security policy in relation to the ISO 27001 requirements.
00:21
We will also understand what the ISMS manual is and how this is different from or similar to the information security policy.
00:31
So we all know an information security policy is one of the key documents in any information security program
00:38
when implementing an ISMS and working towards becoming ISO 27001 certified or compliant.
00:44
This is a mandatory document;
00:47
Clause 5.2 specifically pertains to the information security policy.
00:54
Top management must be involved in the review and the approval of the policy to ensure that it is appropriate for the organization
01:00
as well as including their statement of commitment to the ISMS
01:04
and its continual improvement within the organization.
01:08
It is up to you to decide how the information security policy will be documented.
01:15
Generally, it is easier to have a light, overarching policy stating objectives, policy statements and anything else required,
01:23
and then having more detailed supporting policies and procedures which fit underneath this policy.
01:30
Having a high-level information security policy statement will give you a one-pager that highlights specific information security objectives.
01:38
It is important that this is written in a way that everyone in the organization can understand and relate to.
01:44
Keep it simple.
01:46
An information security policy statement can also be created to have a one-page view of the objectives, policy statements
01:53
and statement of commitment by top management.
01:57
So, just to recap some key things that your information security policy needs to contain
02:04
for an ISMS specifically
02:06
is your top management support statement
02:09
your information security objectives.
02:13
what objectives the ISMS seeks to achieve
02:15
specific to information security.
02:19
For example, ensuring the business resilience of XY Traders
02:23
by preventing and minimizing the impact of security incidents.
02:29
Information Security policy statements,
02:31
which are high-level policy statements of the overarching policy.
02:37
For example,
02:38
this organization will make use of Kaspersky antivirus technology.
02:46
references to supporting documents.
02:49
This includes legislative considerations as well as any other policies or procedures.
02:55
It also pertains to any guidelines, standards or baselines
03:00
that support your organization.
03:09
So we've mentioned an ISMS manual. How is the ISMS manual different from the information security policy?
03:17
Well, it's up to you how you want to split or not split your ISMS manual and information security policy.
03:25
The standard requires an information security policy to be documented as part of Clause 5.2.
03:35
In my experience, I've created both an information security policy as well as an ISMS manual.
03:42
The ISMS manual contains information for all clauses from Clause 4 to Clause 10
03:49
specific to my ISMS
03:52
and meeting requirements of the standard.
03:53
So if there are any decisions that need to be made or key information that needs to be documented somewhere,
04:00
I group that all together in my ISMS manual.
04:02
The information security policy
04:05
was more along the lines of what we as information security professionals are familiar with: your organizational information security policy containing the clauses and directives for information security within your organization.
04:18
The only difference when implementing an ISMS is the inclusion of the
04:24
components mentioned on the previous slide,
04:27
specifically the most important being the statement of commitment from top management,
04:36
The information security policy gets communicated to the entire organization. We often want it to be a concise and to-the-point document,
04:44
focusing only on policy statements of what is allowed or not.
04:47
The document might become too long and overcomplicated if you combine elements from the ISMS inside as well.
04:57
If your ISMS scope does not cover the whole organization, but your information security policy does,
05:02
It might be best to keep them separate in order to avoid confusion.
05:09
So what should the ISMS manual contain? And why is this one of the most important documents for your ISMS
05:15
as well as for the auditors?
05:17
The ISMS manual is basically your collection of all the information required for each clause in the standard.
05:23
As I mentioned earlier,
05:25
it's an overview of your ISMS and all of its components.
05:30
It is definitely not the only document that is important, nor the only document that will exist in your ISMS.
05:38
This is a critical point for the auditor, and this document should also reference any other supporting documents.
05:46
So to summarize, what is required in your ISMS manual
05:51
or policy?
05:55
As mentioned, it is a central place to document a summary of information for each clause.
06:00
For example, if you have nowhere else to document
06:01
decisions made or supporting information for specific clauses,
06:06
having one central document for that makes life easier.
06:12
The information that we covered in Clause four, which is the context of the organization,
06:16
is really important here.
06:18
So we covered
06:19
internal and external factors that influence the organization, the identification of internal and external interested parties
06:29
as well as their needs and requirements, and any other legal or regulatory requirements, which can be documented in your manual.
06:38
Your statement from top management can be duplicated across these manuals
06:42
just to ensure you cover your bases.
06:45
However, it is only required in your information security policy documents.
06:51
Your ISMS manual must be communicated to all personnel that fall within the ISMS scope
06:57
or form
06:59
and support the ISMS in some other way.
07:05
The best way to communicate this is to keep it on
07:09
some sort of shared working folder,
07:12
either on your company intranet
07:14
or, if you make use of cloud services such as Google,
07:18
having a central place where the personnel that need access to this document, whether it is to edit or only to read, have rights to it.
07:27
That's one way of
07:29
showing that this has been communicated. Certain cloud
07:34
services such as Google
07:36
and possibly also your company intranet would keep an audit trail of who has accessed
07:43
the document
07:44
with the date and time, which provides a great audit trail to show
07:47
demonstrably that people have been accessing and interacting with the document.
07:59
To summarize,
08:01
this lesson covered the difference between the information security policy and the ISMS manual.
08:09
We looked at the required components to be documented in each of these documents
08:15
specific to an ISMS.
08:18
The ISO 27001 components can be documented in a stand-alone document, the manual, or incorporated into the information security policy.
08:30
What we mean here by the ISO 27001 components
08:33
is all the information pertaining to Clauses 4 to 10 for which you have nowhere else to document the information or decisions made for those clauses.