According to the ISO/IEC 27001:2022 standard, an information security policy is a high-level document that defines the management approach and objectives for information security within the organization. It should include, among other things, the legal and regulatory obligations imposed upon the organization, such as compliance with laws, contracts, agreements, and standards that are relevant to information security. The information security policy should also provide the basis for establishing, implementing, maintaining, and continually improving the information security management system (ISMS).
References:
ISO/IEC 27001:2022, Clause 5.2 Policy
ISO/IEC 27002:2022, Clause 5.1 Policies for information security
PECB ISO/IEC 27001 Lead Implementer Course, Module 3: Information Security Management System (ISMS)