ISO 27001 Policies: Implementing Effective Information Security Management

What Policies Are Required for ISO 27001?

While the ISO doesn’t prescribe a set list of ISO 27001 policies and procedures, you can carefully go over ISO 27001 security standards to develop your own for your company. Below is a detailed list of general policies you should consider to get certified. Note that ISO 27001:2013 has been updated to the 2022 version in October 2022, so make sure you’re referencing the correct version.

Information Security Policy

This policy provides the direction and support for information security in your company. It comprises of the following:

• Objectives
• Leadership commitment
• Staff roles and responsibilities
• Legal and regulatory compliance
• Plans for continual improvement

Access Control Policy

Who should have access to your data? This policy ensures that only authorized persons can handle, modify, create, transmit, and retrieve sensitive information. Thus, this policy should cover:

• User access management
• User responsibilities
• Passwords
• Remote access
• Network access control
• System and application access control

Data Retention Policy

This policy sets the period your company keeps data, such as invoices, employee records, emails, and legal documents before they’re deleted or archived. It ensures your company complies with regulations and helps optimize storage costs. Furthermore, it should also state how your company securely disposes of unnecessary data.

Asset Management Policy

Asset management policy answers the question: What and who manages your company’s assets? It helps identify, classify, and control your company’s assets so you can protect data better. For instance, knowing that certain servers store sensitive customer data allows you to provide enhanced security measures for those servers. This policy covers:

• Asset inventory and classification
• Asset ownership and responsibilities
• Acceptable use of assets

Incident Response Policy

This policy ensures your company can consistently and effectively handle information security incidents. For instance, healthcare employees should know the proper procedures in case of a data breach. The contents of your incident response policy include the following:

• Incident reporting process
• Incident response team and responsibilities
• Incident management procedures
• Post-incident evaluation

Business Continuity and Disaster Recovery Policy

This policy ensures your company can continue to operate, guard sensitive data, and recover quickly during or after a disruption. Outline the strategies and procedures to help you manage risks in case of unforeseen events that disrupt your business operations. Contents include:

• Business Impact Analysis
• Business Continuity Planning
• Disaster Recovery Planning
• Team roles and responsibilities
• Plan testing and Maintenance

Teleworking Policy

Security incidents can happen when employees work remotely and use mobile devices. This policy helps them protect the company’s data they access when telecommuting or working from home. It includes:

• Remote access controls
• Mobile device registration
• Data protection measures
• Authorization guidelines

Backup Policy

Data loss can cost your company millions of dollars. This policy ensures that critical data is backed up properly and can recovered swiftly in case of a data loss or corruption. It should outline the procedures for creating, storing, and maintaining backups. Include the following under this policy:

• Backup frequency and retention
• Backup storage
• Backup testing
• Roles and responsibilities (e.g., backup administrator, IT staff, data owners, audit and compliance)

Third-Party Supplier Policy

If your company employs contractors, subcontractors, and other suppliers, then you need a third-party supplier policy. These guidelines ensure that third-party access to data is secure and managed properly. Contents include:

• Third-party selection
• Third-party agreements and contracts
• Monitoring third-party compliance
• Managing changes in third-party services