Information Security Management System Policy [Insert Classification]
Implementation Guidance (The header page and this section must be removed from final version of the document)
Purpose of this document
The ISMS Policy is a document which acts as the root "Quality Manual" of the Information Security Management System (ISMS).

Areas of the standard addressed
The following areas of the ISO/IEC 27001:2013 standard are addressed by this document:
5 Leadership
5.2 Policy
General Guidance
The information security management system policy must be approved by Top Management (normally defined as the "person or group of people who direct and control the organization at the highest level") as evidence of their commitment. Section 5.2 of the standard sets out some of what the policy must contain, and these areas are covered by the template document. We would therefore recommend that no section headings are removed. Prior to the certification audit you must ensure that the policy has been communicated to relevant staff, that they have understood it, and that these facts are evidenced, e.g. via meeting minutes. The inviting and answering of questions during such a meeting is likely to show evidence of understanding. We would also recommend that the document is made available via the intranet, if you have one, or by any other appropriate means.

Review Frequency
We would recommend that this document is reviewed as part of an annual exercise which also covers key documents such as the risk assessment and training plan. This exercise should include significant business involvement to ensure that changed requirements are captured and customer feedback is obtained.

Toolkit Version Number
ISO/IEC 27001 Toolkit Version 7 ©CertiKit 2016.
Version 1
Page 1 of 12
[Insert date]