Educause Security Discussion mailing list archives

ISO/IEC 37001:2005 question
From: Clifford Collins <collinsc () FRANKLIN EDU>
Date: Wed, 4 Jun 2008 12:08:13 -0400

Colleagues,

Having read through the ISO/IEC 37001:2005 code of practices, I noticed in section 5.1.1 the need for an information security policy document "approved by management, and published and communicated to all employees and relevant external parties."

Does anybody have such a document they feel could serve as a model? If so, would you please share it with me?

If you want more detail about what the code of practices expects to be in this document, here's an excerpt on it:

The information security policy document should state management commitment and set out the organization's approach to managing information security. The policy document should contain statements concerning:

a) a definition of information security, its overall objectives and scope and the importance of security as an enabling mechanism for information sharing (see introduction);
b) a statement of management intent, supporting the goals and principles of information security in line with the business strategy and objectives;
c) a framework for setting control objectives and controls, including the structure of risk assessment and risk management;
d) a brief explanation of the security policies, principles, standards, and compliance requirements of particular importance to the organization, including:
   1) compliance with legislative, regulatory, and contractual requirements;
   2) security education, training, and awareness requirements;
   3) business continuity management;
   4) consequences of information security policy violations;
e) a definition of general and specific responsibilities for information security management, including reporting information security incidents;
f) references to documentation which may support the policy, e.g. more detailed security policies and procedures for specific information systems or security rules users should comply with.

This information security policy should be communicated throughout the organization to users in a form that is relevant, accessible and understandable to the intended reader.

This is a pretty tall order, and that is the reason why I'm looking for some samples. Any help is appreciated.

Clifford A. Collins
Information Security Officer
Franklin University
201 South Grant Avenue
Columbus, Ohio 43215
"Security is a process, not a product"