Difference between revisions of "Security Policy"
(Created page with "== Context of the organization == '''1. Understanding the organization and its context''' The organization shall determine external and internal issues that are relevant to i...") |
|||
| Line 36: | Line 36: | ||
== Leadership == | == Leadership == | ||
| − | 1. Leadership and commitment | + | '''1. Leadership and commitment |
| + | |||
Top management shall demonstrate leadership and commitment with respect to the information security management system by: | Top management shall demonstrate leadership and commitment with respect to the information security management system by: | ||
| + | |||
a) ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization; | a) ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization; | ||
| + | |||
b) ensuring the integration of the information security management system requirements into the organization’s processes; | b) ensuring the integration of the information security management system requirements into the organization’s processes; | ||
| + | |||
c) ensuring that the resources needed for the information security management system are available; | c) ensuring that the resources needed for the information security management system are available; | ||
| + | |||
d) communicating the importance of effective information security management and of conforming to the information security management system requirements; | d) communicating the importance of effective information security management and of conforming to the information security management system requirements; | ||
| + | |||
e) ensuring that the information security management system achieves its intended outcome(s); | e) ensuring that the information security management system achieves its intended outcome(s); | ||
| + | |||
f) directing and supporting persons to contribute to the effectiveness of the information security management system; | f) directing and supporting persons to contribute to the effectiveness of the information security management system; | ||
| + | |||
g) promoting continual improvement; and | g) promoting continual improvement; and | ||
| + | |||
h) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility. | h) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility. | ||
| − | + | ||
| + | '''2 Policy | ||
| + | |||
Top management shall establish an information security policy that: | Top management shall establish an information security policy that: | ||
| + | |||
a) is appropriate to the purpose of the organization; | a) is appropriate to the purpose of the organization; | ||
| + | |||
b) includes information security objectives (see 6.2) or provides the framework for setting information security objectives; | b) includes information security objectives (see 6.2) or provides the framework for setting information security objectives; | ||
| + | |||
c) includes a commitment to satisfy applicable requirements related to information security; and | c) includes a commitment to satisfy applicable requirements related to information security; and | ||
| + | |||
d) includes a commitment to continual improvement of the information security management system. | d) includes a commitment to continual improvement of the information security management system. | ||
The information security policy shall: | The information security policy shall: | ||
| + | |||
e) be available as documented information; | e) be available as documented information; | ||
| + | |||
f) be communicated within the organization; and | f) be communicated within the organization; and | ||
| + | |||
g) be available to interested parties, as appropriate. | g) be available to interested parties, as appropriate. | ||
| − | 3 Organizational roles, responsibilities and authorities | + | '''3. Organizational roles, responsibilities and authorities |
| − | Top management shall ensure that the responsibilities and authorities for roles relevant to information | + | |
| − | security are assigned and communicated. | + | Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated. Top management shall assign the responsibility and authority for: |
| − | Top management shall assign the responsibility and authority for: | + | |
a) ensuring that the information security management system conforms to the requirements of this | a) ensuring that the information security management system conforms to the requirements of this | ||
International Standard; and | International Standard; and | ||
| + | |||
b) reporting on the performance of the information security management system to top management. | b) reporting on the performance of the information security management system to top management. | ||
| − | NOTE Top management may also assign responsibilities and authorities for reporting performance of the | + | NOTE Top management may also assign responsibilities and authorities for reporting performance of the information security management system within the organization. |
| − | information security management system within the organization. | ||
Revision as of 08:13, 16 July 2019
Context of the organization
1. Understanding the organization and its context
The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.
2. Understanding the needs and expectations of interested parties
The organization shall determine:
a) interested parties that are relevant to the information security management system; and
b) the requirements of these interested parties relevant to information security.
NOTE The requirements of interested parties may include legal and regulatory requirements and contractual obligations.
3. Determining the scope of the information security management system
The organization shall determine the boundaries and applicability of the information security management system to establish its scope.
When determining this scope, the organization shall consider:
a) the external and internal issues referred to in 4.1;
b) the requirements referred to in 4.2; and
c) interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations.
The scope shall be available as documented information.
4. Information security management system
The organization shall establish, implement, maintain and continually improve an information security management system, in accordance with the requirements of this International Standard.
Leadership
1. Leadership and commitment
Top management shall demonstrate leadership and commitment with respect to the information security management system by:
a) ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization;
b) ensuring the integration of the information security management system requirements into the organization’s processes;
c) ensuring that the resources needed for the information security management system are available;
d) communicating the importance of effective information security management and of conforming to the information security management system requirements;
e) ensuring that the information security management system achieves its intended outcome(s);
f) directing and supporting persons to contribute to the effectiveness of the information security management system;
g) promoting continual improvement; and
h) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.
2 Policy
Top management shall establish an information security policy that:
a) is appropriate to the purpose of the organization;
b) includes information security objectives (see 6.2) or provides the framework for setting information security objectives;
c) includes a commitment to satisfy applicable requirements related to information security; and
d) includes a commitment to continual improvement of the information security management system.
The information security policy shall:
e) be available as documented information;
f) be communicated within the organization; and
g) be available to interested parties, as appropriate.
3. Organizational roles, responsibilities and authorities
Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated. Top management shall assign the responsibility and authority for:
a) ensuring that the information security management system conforms to the requirements of this International Standard; and
b) reporting on the performance of the information security management system to top management.
NOTE Top management may also assign responsibilities and authorities for reporting performance of the information security management system within the organization.
