Clause 5.2 of ISO/IEC 27001:2013 is about your information security policy, and it is insistent that you have one: in fact it is mandatory. That is a good thing, since everything else in your Information Security Management System (ISMS) flows from this policy, which makes sense if you think about it.
Policies sit at the top of your management systems. It doesn't matter whether it's ISO 9001 for quality, ISO 14001 for environmental, ISO 27001 for information security or ISO 45001 for occupational health and safety: the policy is the top-level document that sets the tone and direction for every other part of the management system. Flowing out from the policy you set will be objectives for you to meet; to meet those you need procedures for how things are done, which in turn drive what else you need, such as forms, SOPs, training and of course records. Throughout all of these lower levels you should be able to trace the impact the policy has on them. The reason is simple: the policy sets direction and needs to give a really clear vision of what you are trying to achieve with your ISMS.
The clause itself lists seven points, (a) to (g), that you need to tick off, and your auditor is going to be looking for each of them when they come to visit you.
The first point is that the policy must be appropriate to the purpose of the organisation. There is no point bringing in the policy you had at your last company, or creating a policy that an international organisation of 5,000 people would be proud of, if you are a 50-person company. The policy has to be yours; it should mean something to your company, and it should be developed by you and a team. Typically you would include the senior managers of your organisation, since they are going to be the people working with it. Remember: you want to implement your ISMS, not inflict it.
The second point is that the policy either includes information security objectives or provides the framework for setting them. I'm a fan of setting a framework rather than objectives; that way your policy needs less updating. That said, you do need to keep reviewing your policy to ensure it is still valid. By creating a framework you also give a good structure for objectives at every level of your organisation.
The third point, a commitment to satisfy applicable requirements related to information security, seems rather obvious, doesn't it? Yet you would be surprised at the number of companies that forget to think about what the applicable requirements actually are (these may be legal, corporate, industry and so forth).
The fourth point is a commitment to continual improvement of the ISMS, a theme that runs through all ISO management systems. Remembering that this policy sets the tone of your entire ISMS, creating an expectation of continual improvement in the top-level policy is important. Setting up ongoing reviews, and changing things as you need to when you find a better way of working, just makes sense.
The fifth point is that the policy is available as documented information. This means you do have to write it down, which again seems like an obvious and smart thing to do, yet many try not to. The standard makes it explicit that the policy must be available as documented information, so it needs to be written down, but it also has to be accessible to those who need to know about it. You can't hide it away in a dusty folder on the top shelf in a dark room in the basement, only to be brought out for the auditor.
The sixth point is that the policy is communicated within the organisation. Much in line with what we just said, you cannot hide it away: what is the point of having a policy and then not telling anyone about it? How do you expect it to be followed and implemented if it is a secret? The standard expects you to roll it out properly, which means you need to train people on what the policy means. If you cast your eye back up a bit, we mentioned that you need to involve your senior management in the development; this is where that comes in handy, as they also get to ensure it is communicated to the organisation, which is a lot easier if they have had input to the policy and have bought into it.
The seventh point is that the policy is available to interested parties, as appropriate. This means you must be able to provide the policy to interested parties, e.g. auditors, customers, suppliers, employees, banks or investors. The qualifier, however, is 'as appropriate', which means there will be some parties you should not make your policy available to; who they are is for you to decide.
There is a range of things that can go wrong when creating your policy. When you have a policy that just doesn't work for the organisation, it is going to have some pretty big impacts further down the system. Typical examples are creating a policy that just isn't right for your company, or creating a policy without gaining any input from the users; the result is an ISMS policy that actually cripples your organisation rather than helps it.
Another is creating a process instead of a policy, i.e. a document that tells you how to do things. That's not the point of the policy; remember, it's a top-level vision, not a detailed step-by-step document.
Then of course you have the obvious things: not communicating it to the employees, making it way too complex by stuffing it with clauses and buzzwords, and the typical one where top management are really not committed to it, or believe it applies to the rest of the organisation but not to them.
Creating your policy is a critical part of your Information Security Management System; it sets the tone for everything else, so if you get it wrong there will be problems. Ensure that you involve management in developing it so that they can get behind it and help roll it out to the rest of the organisation. Once you have it finalised, ensure everyone is aware of it and that it is available to those who need to know about it (hint: all of your employees are in this group!). Keep it clear and avoid buzzwords, remembering that you are trying to communicate a structure and a framework that can be used to develop the ISMS objectives. Finally, remember the all-important continual improvement requirement by regularly looking at your policy and asking how you can make it better.
© Many Caps Consulting Ltd | All Rights Reserved