Educause Security Discussion mailing list archives
ISO/IEC 37001:2005 question
From: Clifford Collins <collinsc () FRANKLIN EDU>
Date: Wed, 4 Jun 2008 12:08:13 -0400
Colleagues,

Having read through the ISO/IEC 37001:2005 code of practices I noticed in section 5.1.1 the need for an information security policy document "approved by management, and published and communicated to all employees and relevant external parties." Does anybody have such a document they feel could serve as a model? If so, would you please share it with me?

If you want more detail about what the code of practices expects to be in this document, here's an excerpt on it:

The information security policy document should state management commitment and set out the organization's approach to managing information security. The policy document should contain statements concerning:

a) a definition of information security, its overall objectives and scope and the importance of security as an enabling mechanism for information sharing (see introduction);
b) a statement of management intent, supporting the goals and principles of information security in line with the business strategy and objectives;
c) a framework for setting control objectives and controls, including the structure of risk assessment and risk management;
d) a brief explanation of the security policies, principles, standards, and compliance requirements of particular importance to the organization, including:
   1) compliance with legislative, regulatory, and contractual requirements;
   2) security education, training, and awareness requirements;
   3) business continuity management;
   4) consequences of information security policy violations;
e) a definition of general and specific responsibilities for information security management, including reporting information security incidents;
f) references to documentation which may support the policy, e.g. more detailed security policies and procedures for specific information systems or security rules users should comply with.

This information security policy should be communicated throughout the organization to users in a form that is relevant, accessible and understandable to the intended reader.

This is a pretty tall order and the reason why I'm looking for some samples. Any help is appreciated.

Clifford A. Collins
Information Security Officer
Franklin University
201 South Grant Avenue
Columbus, Ohio 43215
"Security is a process, not a product"