Security Policy: Difference between revisions

m (minor edit): No edit summary
Line 10: Line 10:
The organization shall determine:
The organization shall determine:


# Interested parties that are relevant to the information security management system; and  
:1. Interested parties that are relevant to the information security management system; and  
# The requirements of these interested parties relevant to information security.  
:2. The requirements of these interested parties relevant to information security.  
     <small>NOTE The requirements of interested parties may include legal and regulatory requirements and contractual obligations. </small>
     <small>NOTE The requirements of interested parties may include legal and regulatory requirements and contractual obligations. </small>


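Review bot: the `<small>NOTE ...</small>` line at the end of this hunk (on both sides) begins with leading spaces, which MediaWiki renders as a preformatted box rather than an indented note, and the replacement of `#` by `:1.` / `:2.` swaps an auto-numbered list for a hand-numbered definition-list indent, so any later insertion or removal of an item means renumbering by hand. Suggest dropping the leading spaces, e.g. `:<small>NOTE The requirements of interested parties may include ...</small>` directly under the list, and keeping `#` if automatic numbering is wanted.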
Line 36: Line 36:
Top management shall demonstrate leadership and commitment with respect to the information security management system by:
Top management shall demonstrate leadership and commitment with respect to the information security management system by:


#Ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization;
:1. Ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization;
#Ensuring the integration of the information security management system requirements into the organization’s processes;
:2. Ensuring the integration of the information security management system requirements into the organization’s processes;
#Ensuring that the resources needed for the information security management system are available;
:3. Ensuring that the resources needed for the information security management system are available;
#Communicating the importance of effective information security management and of conforming to the information security management system requirements;
:4. Communicating the importance of effective information security management and of conforming to the information security management system requirements;
#Ensuring that the information security management system achieves its intended outcome(s);
:5. Ensuring that the information security management system achieves its intended outcome(s);
#Directing and supporting persons to contribute to the effectiveness of the information security management system;
:6. Directing and supporting persons to contribute to the effectiveness of the information security management system;
#Promoting continual improvement; and
:7. Promoting continual improvement; and
#Supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.
:8. Supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.


   Link - [https://drive.google.com/file/d/0BzUoGNHs0-kpVEhHejlQOVZfNWM/view?usp=sharing Commitment letter from CEO]  
   Link - [https://drive.google.com/file/d/0BzUoGNHs0-kpVEhHejlQOVZfNWM/view?usp=sharing Commitment letter from CEO]  
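Review bot: the `Link - [https://drive.google.com/...]` line closing this hunk is unchanged but still starts with leading spaces, so it renders as a preformatted box, and the CEO commitment letter it points to, which is the evidence for this leadership clause, is reachable only through a Google Drive sharing URL whose access rights and retention are managed outside this wiki. Suggest keeping the letter under the "Control of documented information" process this policy defines and linking it from there, or at least recording who owns the share and what access level it grants.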
Line 161: Line 161:


The organization shall:
The organization shall:
 
:1. determine the necessary competence of person(s) doing work under its control that affects its information security performance;
#determine the necessary competence of person(s) doing work under its control that affects its information security performance;
:2. ensure that these persons are competent on the basis of appropriate education, training, or experience;
#ensure that these persons are competent on the basis of appropriate education, training, or experience;
:3. where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and
#where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and
:4. retain appropriate documented information as evidence of competence.
#retain appropriate documented information as evidence of competence.


<small>NOTE Applicable actions may include, for example: the provision of training to, the mentoring of, or the reassignment of current employees; or the hiring or contracting of competent persons. </small>
<small>NOTE Applicable actions may include, for example: the provision of training to, the mentoring of, or the reassignment of current employees; or the hiring or contracting of competent persons. </small>
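Review bot: in this hunk the paired list lines appear in the opposite order from the Line 10 and Line 36 hunks (`:1.` lines first, `#` lines second), so unless that is intentional the competence list ends up in different markup from the lists above. Pick one convention (`#` or `:N.`) for every numbered clause list so they all render the same, and note that the `<small>NOTE ...</small>` line here is not indented, unlike the NOTE in the Line 10 hunk.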
Line 173: Line 172:
Persons doing work under the organization’s control shall be aware of:
Persons doing work under the organization’s control shall be aware of:


#the information security policy;
:1. the information security policy;
#their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance; and
:2. their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance; and
#the implications of not conforming with the information security management system requirements.
:3. the implications of not conforming with the information security management system requirements.


===Communication===
===Communication===
Line 181: Line 180:
The organization shall determine the need for internal and external communications relevant to the information security management system including:
The organization shall determine the need for internal and external communications relevant to the information security management system including:


#on what to communicate;
:1. on what to communicate;
#when to communicate;
:2. when to communicate;
#with whom to communicate;
:3. with whom to communicate;
#who shall communicate; and
:4. who shall communicate; and
#the processes by which communication shall be effected.
:5. the processes by which communication shall be effected.


=== Documented information===
=== Documented information===
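Review bot: the context heading `=== Documented information===` closing this hunk has a space after the opening `===` but none before the closing one, while `===Communication===` in the previous hunk has neither; MediaWiki renders both, but the source should use one spacing style. Suggest `===Documented information===`.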
Line 205: Line 204:
When creating and updating documented information the organization shall ensure appropriate:
When creating and updating documented information the organization shall ensure appropriate:


#identification and description (e.g. a title, date, author, or reference number);
:1. identification and description (e.g. a title, date, author, or reference number);
#format (e.g. language, software version, graphics) and media (e.g. paper, electronic); and
:2. format (e.g. language, software version, graphics) and media (e.g. paper, electronic); and
#review and approval for suitability and adequacy.
:3. review and approval for suitability and adequacy.


====Control of documented information====
====Control of documented information====