Policy or Procedure

Discussion in 'ISO 9001:2015 - Quality Management Systems' started by Arjun Nayak, Jul 19, 2021.

  1. Arjun Nayak

    Arjun Nayak New Member

    Joined:
    Jul 8, 2021
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Hello - We are implementing ISO 27001 in a small organization.

    I was wondering if we need to write only policies OR only procedures OR both policies and procedures for the below domains:

    A.16 Information security incident management
    A.17 Information security aspects of business continuity management
    A.18.2 Information security reviews

    Please let me know your thoughts. Thanks!
  2. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,109
    Likes Received:
    2,562
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Hello Arjun - good question. My experience has been that both policy and procedure are fitting for an ISMS. I have found it is typical to "set the scene" for some aspect of the ISMS as a policy - taking A.18.2, for example:

    Policy: "The top management of XXXX Organization will perform a high level security review at least twice a year and after the following events..."

    Procedure: "The Organization's InfoSec manager schedules a top level security review in accordance with this procedure, blah, blah, blah..."