Security Policy: Difference between revisions
Line 202: | Line 202: | ||
The organization’s information security management system shall include: | The organization’s information security management system shall include: | ||
:1. Documented information required by this International Standard; and | |||
:2. Documented information determined by the organization as being necessary for the effectiveness of the information security management system. | |||
<small>NOTE The extent of documented information for an information security management system can differ from one organization to another due to: </small> | <small>NOTE The extent of documented information for an information security management system can differ from one organization to another due to: </small> | ||
:3. The size of organization and its type of activities, processes, products and services; | |||
:4. The complexity of processes and their interactions; and | |||
:5. The competence of persons. | |||
====Creating and updating==== | ====Creating and updating==== | ||
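Review bot: the two items introduced by "shall include:" and the three items following the NOTE appear only on the old side of this hunk, so in the new revision both lead-in sentences end in a colon with no list visible after them; if the items were moved or renumbered rather than dropped, the replacement lines should appear in this hunk. Note also that the removed list continued its numbering as 3., 4., 5. across the NOTE, although the NOTE begins a separate enumeration of reasons, so any reinstated version should restart its numbering there.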
Line 219: | Line 219: | ||
#identification and description (e.g. a title, date, author, or reference number); | #identification and description (e.g. a title, date, author, or reference number); | ||
#format (e.g. language, software version, graphics) and media (e.g. paper, electronic); and | #format (e.g. language, software version, graphics) and media (e.g. paper, electronic); and | ||
#review and approval for suitability and adequacy. | #review and approval for suitability and adequacy. | ||
Line 228: | Line 226: | ||
Documented information required by the information security management system and by this International Standard shall be controlled to ensure: | Documented information required by the information security management system and by this International Standard shall be controlled to ensure: | ||
:1. it is available and suitable for use, where and when it is needed; and | |||
:2. it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity). | |||
| | ||
For the control of documented information, the organization shall address the following activities, as applicable: | For the control of documented information, the organization shall address the following activities, as applicable: | ||
:3. distribution, access, retrieval and use; | |||
:4. storage and preservation, including the preservation of legibility; | |||
:5. control of changes (e.g. version control); and | |||
:6. retention and disposition. | |||
Documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, shall be identified as | Documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, shall be identified as appropriate, and controlled. | ||
appropriate, and controlled. | |||
<small>NOTE Access implies a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information, etc </small> | <small>NOTE Access implies a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information, etc </small> |
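Review bot: as in the earlier hunk, the items after "shall be controlled to ensure:" and "shall address the following activities, as applicable:" are present only on the old side, leaving both sentences dangling on a colon in the new revision unless replacement lines exist outside what is shown here. Joining "identified as" and "appropriate, and controlled." into a single line is a harmless reflow; the unchanged NOTE still ends in "etc" without a closing period, which could be fixed in the same edit.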