Clause 5.2 of the ISO 27001 standard requires that top management establish an information security policy. This requirement for documenting a policy is pretty straightforward. However, it is what is inside the policy and how it relates to the broader ISMS that will give interested parties the confidence they need to trust what sits behind the policy.
Senior management must also do a range of other things around that policy to bring it to life - not just have the policy ready to share as part of a tender response! In the recent past, when a customer asked a prospective supplier for a copy of their information security policy, that document might say some nice and fluffy things about information security management, risk management and information assurance, enough to satisfy a tick-box exercise run by a procurement person in the buying department. That is (generally) no longer the case. Smart buyers will not only want to see a security policy, they will want it backed up by evidence of the policy working in practice - helped, of course, by independent certification from a certification body accredited by a national accreditation body such as UKAS, with a sensible ISMS behind it.
Some of the other things that top management needs to do around this clause beyond establishing the policy itself include:
- Making sure it is appropriate to the purpose of the organisation (so not just copying one from Google ;)
- Clarifying the information security objectives (covered more in 6.2), or at least setting the framework for them. Tip: these should include relevant and measurable aspects of protecting the confidentiality, integrity and availability of the information assets identified under 4.1 and inventoried in line with A5.9
- Including a commitment to satisfy the applicable information security requirements of the organisation (i.e. those covered across the ISO 27001 core requirements and the Annex A controls, together with the legal, regulatory and contractual obligations identified from interested parties under 4.2)
- Including a commitment to continual improvement of the ISMS - an ISMS is for life, and with surveillance audits each year it will be obvious whether that commitment is real (or not)
- Making it available as documented information, communicating it within the organisation, and sharing it with interested parties as appropriate