In practice, the clear distinction between policy and procedure that is customary in English-speaking countries has proven its worth. The target state is defined in a policy, and the way it is implemented is then described in a procedure description.
Policies and procedure descriptions ensure that recurring processes in a company are carried out uniformly by the people who perform them. This lets a company reach the desired target state independently of individual persons, although anyone carrying out a procedure description should always be familiar with the policy it implements.
Policies and procedure descriptions jointly define the target state
Our approach to the creation of IT policies is a clear separation of policies and procedure descriptions.
When creating IT policies, the required target state is worked out together with the customer. In particular, the following points must be taken into account:
- Necessary management support
- Consideration of business requirements
- Compliance requirements, including customer and supplier contracts
- Consideration of the organizational structure and process organization
- Risk considerations
Clear requirements get all employees rowing in the same direction. They must be written and communicated in a form and scope appropriate to their addressees: a policy nobody reads, or nobody can apply, defines no target state in practice.
What policies and procedures does ISO/IEC 27001 require?
ISO/IEC 27001 does not prescribe a list of topic-specific IT policies you must create for certification. The standard itself only requires certain documented information, such as the scope of the ISMS, the information security policy, the risk assessment and risk treatment process, and the Statement of Applicability; which further policies are needed follows from the risk assessment and the Annex A controls you apply. Typically the following documents are developed in the first step:
- Methodology for risk assessment and risk treatment
- Acceptable use of assets (user policy)
- Access control policy
- Supplier security policy
- Information classification policy
- Password policy
- Disposal and destruction policy
SEC4YOU will be happy to support you in the creation of IT policies.
- Policies get all employees rowing in the same direction!
- An important milestone for ISO/IEC 27001 certification
- Targeted creation helps employees adopt the policies
- Target/actual comparison as a basis for subsequent IT audits
Questions about IT policies? Would you like to talk to an expert?