5.2 ISO 27001:2022
Information security policy is a formal statement from top management which is...
- appropriate to the business context.
Business context is the situation in which the business operates. Here are a few typical examples.
- An OEM (e.g., Microsoft) of software products owns the product IPR and the source code of the software, but not the customer data. The OEM remains the owner of the products; customers can only buy rights to use them under a license agreement. The OEM has an obligation to maintain support (updates etc.) for all of its users during the product's lifetime.
- Service providers (consultants, resellers of OEM products, system integrators, or developers of software applications against the requirements of customers) have a different business context. Even though they develop and support products for customers, they have no product rights, no rights to the source code and no role in handling data.
- Schools, banks or hospitals have a business context in which they acquire a software application from an OEM (like Microsoft) under a user license, customize it for their requirements and deploy it on local servers or in the cloud to run their business, keeping the data in it under their own responsibility. Banks, for example, onboard customers under KYC/financial laws or a privacy policy and hold client data under their control.
- Telecommunication and internet service providers offer the connectivity infrastructure to those in the business of IT, communication and software applications.
- Cloud providers (AWS, Azure) offer servers (in which customers can deploy their own software applications and keep their data) and manage the security of those servers.
- SaaS providers (Microsoft O365, Facebook, Instagram, LinkedIn, internet banking) offer plug-and-play services (email, storage/drive, social media, online payments etc.) on a subscription basis. Data in SaaS is controlled by customers through the functionality of the application and the terms of use, but customers need to connect to the SaaS provider's servers. Clients depend on the SaaS provider to store data on its servers and on the availability of those servers.
- giving confidence to the external interested parties (public, customers, employees, regulators, investors etc.) that the organization is committed to data protection within the stated scope of the organization.
It forms a basis of
For every set of interested parties, an organization or its relevant business processes will have subsets of the information security policy used in the acquisition, processing, storage, transfer and deletion of data. For example...
- Privacy Policy: commitment of the organization to protect the personal information of individuals (engagement using personally identifiable information of customers, suppliers, employees and the public, who come either physically or via a website/portal). Relevant processes in which this policy applies are acquiring customers in sales, employee recruitment in HR, websites in advertising and marketing, entry control of visitors and staff in office or work areas by physical security, etc.
- Policy to Address Data Security in Business Agreements that involve sharing of sensitive business information between the parties concerned (customer, supplier, regulator etc.). This explains the need to identify the data to protect and its ownership; the need to classify and label such data and IT assets; the need for a non-disclosure/confidentiality agreement covering the classified data between the parties to the agreement; the need for secure communication (single point of contact, plan and means of communication); the need for consent of data subjects to sharing their data with trusted third parties or service providers, and their acceptance of the conditions/controls over such data sharing; provisions for data retention, and deletion or return upon de-boarding, etc.
- Acceptable Use/User Responsibility Policy for the users of IT assets (internal and external, business users and support users, in their various roles). Users of IT resources to whom the acceptable use policy applies can have different roles: they can be internal or external, and business users or technical/support users. A typical example is that customers of internet banking are external business users, a branch manager of a bank who onboards and de-boards customers is an internal business user, and IT admins or staff providing technical support to these business users are technical/support users of the banking application.
- Policy to Protect Intellectual Property (IPR). It explains the position of an organization with regard to rights over product design, source code of software applications, logo/trademark, digital signature etc. As a licensor, processes and procedures exist which ensure that its licensees or partners don't violate IPR agreements or the terms of licenses in use, transfer and decommissioning. Similarly, as a licensee, it does not commit copyright violations such as the use of unlicensed software or other materials.
- Policy to Protect Publicly Available Information and Information on Social Media. It explains the position of an organization that information in public (such as the website, annual report, advertisements, social media etc.) is free from error or misrepresentation. Provisions in the relevant processes ensure that such content is reviewed by a designated authority or the corporate communication department before publication. The organization will react if something comes to its notice as an unauthorized publication and will issue disclaimers.
- Data Breach Notification Policy. It explains the position of an organization that employees, sub-contractors and others under the control of the organization must report any loss or suspected loss of company data, or any violation of the confidentiality or integrity of classified data or of its data network, to the Information Security department using the given procedures.
- a message to internal management, and to all relevant functions, departments or processes within the organization, to
  - proactively think about and determine the objectives in their areas of work,
  - plan for and control/overcome the risks or hurdles in achieving the objectives (by identifying, assessing and treating the risks in their areas), and
  - show that these internal objectives are good enough to secure the policy or commitment made by the top management to external interested parties.
Objectives or expected results are the internal targets for the departments, which are more stringent than the policy, commitments or promises made to external interested parties. A safety margin in the objectives is necessary; it is an internal decision to make sure that the policy of the organization can never fail.
A policy (for example, the information security policy) is an organizational commitment and it is the call of the top management. When the same policy is interpreted by different departments or functions (such as sales and commercial, software development, IT or HR), each of these will have its own specific and relevant objectives; these are called information security objectives.
- not just the commitment but an assurance to the parties concerned that
  - this commitment or policy will be fulfilled by establishing a credible and verifiable management system (PDCA approach) in all relevant business processes inside the organization.
Going further, the top management will
- review the policy when required, or at least once within a stated period, and update it if necessary;
- communicate the policy, and any updates to it, to internal management and make it available to external interested parties;
- come back to the interested parties at regular intervals and make timely disclosures of the results achieved against the commitment;
- foresee the challenges/risks and proactively address them;
- learn from errors or failures in the past and remove any weaknesses in risk treatment, to ensure that past errors do not repeat;
- continue to improve the benchmark of performance from past levels, to pursue the journey in the strategic direction.
Regards
Krishna Gopal Misra
Senior Scientific Officer
10 months
Nicely explained. Thank you Sir