In the next several posts, we will take a deep dive into the controls in Annex A of ISO 27001. If your organization is working toward ISO 27001 certification, purchasing a copy of the standard (from ISO or your national standards body) is an essential preparation step, since the full control text is only available in the standard itself.
The first control in Annex A concerns information security policies. What kinds of policies should a company establish if it is working toward ISO 27001 certification? Here are some examples.
An acceptable use policy tells employees what they are and are not allowed to use company assets for. For example, if employees should not log into personal social media accounts on company computers, this is the policy that says so.
An incident response policy sets out what your company will do if it experiences a data breach: who is notified, who makes decisions, how evidence is preserved, and who communicates with customers and regulators. Obviously the hope is that this policy never has to be used, but preparation is the key to a faster recovery.
A cryptography policy defines how encryption is used to protect data, both at rest and in transit, which algorithms and key lengths are acceptable, who manages the keys, and how keys are rotated and revoked.
You might think of passwords as protection in and of themselves. However, many incidents occur because an attacker obtains one password (through phishing or a breach elsewhere) and, because the same password was reused, that single credential cascades into access to more and more systems. A password management policy defines how passwords are created, stored, and used. Note that current guidance such as NIST SP 800-63B favors long passphrases, screening against lists of known-breached passwords, use of a password manager, and multi-factor authentication over mandatory periodic resets and arbitrary complexity rules, which tend to push users toward predictable patterns and reuse.
How often does data in your organization get backed up? A data backup policy defines how often backups occur, where backup copies are stored (including at least one copy kept offline or otherwise isolated from the production environment), who is responsible and accountable for them, and how often restores are tested. A backup that has never been restored is an assumption, not a control.
A large share of breaches begin with a human action such as clicking a phishing link, reusing a password, or mishandling sensitive data, so security awareness training is a control in its own right. A security training policy can cover how new hires are trained during onboarding, how often refresher training occurs, and who is responsible for ensuring it happens.
The growth of hybrid and remote work has opened up entirely new cybersecurity challenges. A remote access policy defines how employees reach the work environment when they are offsite: whether they must use a VPN or a zero-trust access gateway, whether multi-factor authentication is required, what device requirements (managed device, disk encryption, patch level) apply, and more.
Can all employees access the tools they need to do their jobs? Are sensitive resources locked down so that only specific, appropriate people can reach them? An access control policy defines who may access what, on the principle of least privilege, and who is accountable for maintaining those roles. It should also say how access is granted, changed, and removed when people join, move roles, or leave, and how often access rights are reviewed.
Whatever types of policies your organization creates, it is essential to:
Do you have questions about ISO 27001 or are you seeking an audit? Contact us today!