At the peak of the typical policy pyramid sits a ‘corporate information security policy’. In clause 5.2, ISO/IEC 27001 explicitly requires a high-level policy, specifying related aspects such as demonstrable management commitment. Our corporate information security policy has the following structure:
- The usual boilerplate for any formal policy, e.g. summary, applicability, version and date up front, plus responsibilities and references at the back;
- A short introduction, using the pyramid diagram to outline the entire information security policy structure;
- A set of seven principles (objectives) driving information risk and security, e.g. “Information is a valuable business asset that must be protected against inappropriate activities or harm, yet exploited appropriately for the benefit of the organization. This includes our own information and that made available to us or placed in our care by third parties.”;
- A set of 35 policy axioms (key policy statements) derived from the control objectives in ISO/IEC 27002 with some modifications and extensions to the wording to suit this purpose.
The principles fascinate me. They aren’t (yet!) stated in any of the ISO27k standards, and yet these are fundamental concepts underpinning the entire field, such as ‘least privilege’ and ‘personal accountability’. In researching and preparing our corporate infosec policy, I dug out a bunch of principles from various places and rationalized them down to the present set. I’d like to revisit that sometime, maybe even prepare a paper about the principles and then propose either a new ISO27k standard or an appendix to, say, the information security governance standard ISO/IEC 27014.