Quite a number of organisations have aligned their information security measures with an effective ISO 27001 policy. ISO 27001 is the standard that defines a code of practice for an information security management system.

Where most of these organisations fall short is in the documentation requirements. An effective ISO 27001 information security management system must include control of documentation, descriptions of the information security activities and processes, risk assessment strategies and reports, a risk management plan and an applicability statement which details the control objectives and other controls that are important and useful to information security.

A documented process means that the ISO 27001 policy itself has been established, implemented, maintained and thus, documented.

The Statement of Applicability

The document most often found missing is the one that records why specific security decisions were made, which security measures are in use and why they are in use; this document is called the ISO 27001 Statement of Applicability.

The ISO 27001 statement of applicability shows the information security controls that have already been set up within the environment and describes why and how they are suitable. This document shows the relationship between the outcomes of the selected controls, the risk assessment and the original risks which the controls were meant to mitigate.

This document is vital to the ISO 27001 policy as it brings together both why and how the information security works. A good statement of applicability demonstrates how information security controls combine to give layers of protection and are not just isolated obstructions to day-to-day jobs.

Information security training which references the statement of applicability is effective because workers start to understand how security in their company works and the justification for what might initially seem to be unnecessary and tedious controls. When the diverse ISO 27001 policies and processes are shown in relation to the information security objectives, the reasons for developing an effective ISO 27001 policy become clearer. As a result of the employees' newfound understanding of the need for this policy, they are more likely to give it their utmost attention.

Maintaining an Effective ISO 27001 Policy Documentation

The quantity of information security policy documentation can vary significantly from one company to the next. This quantity is dependent on the nature of the company’s activities and the size of the company, as these have major effects on the complexity and the scope of the information security requirements as well as the systems being controlled. Nonetheless, even small companies end up with a bulky set of documents. This is the reason why it is essential to cross-reference important information security objectives, controls and decisions so that in the future, anyone can easily check for the reason an ISO 27001 policy was implemented and the place of the policy in the overall information security of the organisation.

The documents required by the ISMS also need to be managed and protected by a documented procedure which defines the management actions required for the review, approval and update of documents and also ensures that they are available to anyone who needs them. Reviewing and modifying ISMS documents is also part of the continual, systematic improvement required by the ISO 27001 policy.

Promotions and changes amongst the top management, or even the beginning of a new service, could swiftly change major business drivers. As a result, whenever there are changes in the organisation, it is paramount that the information security policies are reviewed to make sure they place emphasis on delivering the particular type of security the company requires, supporting the technologies which will give maximum business advantage and helping the company achieve its goals.

To prevent the company’s ISO 27001 policy from becoming misaligned, the head of IT security has to meet frequently with the company’s top management to discuss the areas of concern. When every stakeholder is informed about both the security and business imperatives, more informed decisions are made when it comes to buying and implementing security technologies, and the ISO 27001 policies and procedures are also updated to reflect the organisation’s needs as well as its security objectives.
