Transcript for:
Understanding ISO 27001 Information Security Policies

ISO 27001 Annex A 5.1, Policies for Information Security. Right, we're going to start doing implementation videos now on the Annex A controls, this one specifically looking at information security policies. You've got a load of resources on the hi. website that are going to help you out: there's a video on how to implement it, a step-by-step guide on how you deploy them, and there's a blog that you can read that gives you a lot more detail. But for now let me give you an introduction and a bit of a dive into information security policies for ISO 27001.

So ISO 27001 is founded on risks and risk management, and also on policies. Now, one of the things that we see out in the real world is a little bit of a misunderstanding around what policies are and what policies you need. So let's make a start with that.

Policies are statements of what you do. They're documents that state what it is that you do for certain topics. They're not statements of how you do it; how you do it is covered in your process documentation and in your own individual process implementations. We separate out the policy of what you do from how you do it because, by having a policy that states what we do, we can communicate that to staff and to stakeholders in a way that clearly shows what it is that we're doing, and we can share those externally under audit or with potential clients without compromising things like confidentiality or information security, by not having specific process steps in there.

So often what we see is policies that are written in such a way that they include process steps. These may be bespoke to you; they may include people's names; they may include email addresses and telephone numbers and internal operations. We don't want to expose that internal operation externally, and we don't necessarily want to confuse things with that internally, so we separate those out and we have policies.

When it comes to ISO 27001, the 2022 update version of the standard calls out having a high-level information security policy and then having topic-specific policies. I think this is a fantastic move away from the old style of having one giant policy with everything in it. It allows us to communicate particular topics, specific topics, to the relevant people without over-confusing people. We don't want to put cryptography policy in something that's going to be shared with staff like cleaning staff or reception staff when it's just not relevant to them; call centre staff don't necessarily need to know that. So we're going to have a high-level information security policy, and then we're going to have topic-specific policies under it.

The quickest way to do this is clearly to download the ISO 27001 toolkit, the ultimate toolkit for ISO 27001 certification, because I've written all of these for you. I've pre-populated them for you with what good looks like; just a little bit of a rebrand and they're good to go. On the website you can actually download individual policies, and there is a sub-toolkit where you can just download the policy pack. That's going to be the quickest way to do it. If you don't want to do that, be sure to head over to my YouTube channel or over to the hi. website, where I go through in detail how you can create these policies in under five minutes each. I show you that and I give you a tutorial on that.

So, to satisfy the requirements of ISO 27001 Annex A 5.1, there's a couple of things that we're going to do. We're going to write our policies. Our policies are going to be based on the controls that we have, and they're going to be based on our business risk. So we will have done our risk identification, we will be seeking controls to mitigate those risks, and we will be writing policies that back up those controls: they say what it is that we do as an organization.

So we're going to write our policies and we're going to choose our policies, policies that are specific to us. If we don't do software development, it is pointless having a software development policy. If we are fully remote, it is pointless having a physical security policy that covers the things that we don't have: CCTV, perimeter fences, things like that. So there are sorts of ways that we can go around that and sorts of ways that we can address that, but first of all what we're going to do is we're going to write our policies and we're going to choose our policies.

The policies are going to be owned by somebody within the organization. We want to assign ownership to these policies, ownership and accountability. This is the person that's going to be ultimately responsible, so we're going to assign that accountability. It doesn't necessarily mean that they do the work in writing it, and if you're an information security manager like me it's going to be you that's writing it, no doubt, but they're going to own it going forward and they're going to be responsible for it.

Once we have those information security policies written and we've got our accountability assigned, we're going to get those policies approved. Now, using whatever internal approval mechanism that you've got, you need to get those policies approved. If you're following my ISO 27001 certainty methodology and/or using the ISO 27001 toolkit, then the way that we're going to get those approved is by sharing those at the information security management meeting, walking through those in the information security management meeting, seeking approval for those policies in the meeting, and minuting that approval. In the implementation guide where I talk you through that, I also say that before they go out for release, when they become the next release, it's good practice from my perspective to write in the version control the change that happened, which was "policy was approved at management review meeting on such and such a date". So it just can show you, and it's an instant visual identification, that the policy is now live.

Once the policy has been approved, you then need to distribute that policy. So the policy is going to go out to the people to whom it is relevant. In a small organization it's usually the case that all policies will go to nearly everybody, but in larger organizations, as we said, because we have topic-specific policies, then we're going to target them to relevant people. From an admin point of view, belts and braces, could you have a table of the teams that you've distributed which policies to, or could you automate it in some way? Yeah, you can. It's not a requirement of the standard; you work out how that distribution works best for you.

Once we've communicated out those policies, we're going to communicate where those policies are, and those policies are going to be located in an area that is accessible to the people that we distribute them to. Right, makes common sense: they need to be readily and easily accessible. Then what we need is an acknowledgement from people that they have read, understood and accept those policies. There are many different ways to do that, from getting an email back from everybody and keeping email copies, getting people to sign copies, distributing from your LMS (learning management system) and using those and the sign-off methodologies in those, or you may have some other way of seeking and proving that approval, but you need to get those policies approved.

So we've created our policies, we've assigned accountability to them, we've approved them, we've distributed them, and we've seen that they have been approved. The next step that we have in that is that when anything changes, and at least annually, we're going to update our policies, even if it is the case that all we do is put "policy review, no update" in our version control and increment the version number, just to show that at least we've done a review of it on an annual basis. And of course, if something's changed, we're going to put the change in there in the document. For documentation and how to manage your documentation and your numbering, check out one of the other videos that's coming up imminently.

So at that stage our policies are pretty much done, right? They're pretty much done. From a top tip perspective, what I would suggest is that you communicate throughout the year on where those policies are. It isn't just a one and done: yes, you include them in your communication plan, which there are other videos on, and you are regularly communicating those and pushing those policies out. We don't want to just communicate them once a year; we don't want to just get them approved once a year. Ideally we want to keep reinforcing that message, and of course it's going to be part of your HR onboarding process, so that people are made aware of policies when they join your organization.

What are some of the other top tips that I can say? Things that auditors like to look for: they like to look at very simple things like document markup. They want evidence that the version control matches in the headers, footers and in the version control table. They want to see that those policies were approved. They do want to see that those policies were distributed and that people have signed up and agreed to them.

When it comes to which policies you need, the ISO 27001 standard does not say you need a policy for every single control, and that rightly makes common sense. When I created the ISO 27001 toolkit, I did it to remove fluff and filler. There are loads of policies; people regularly ask me, "Do you have such and such a policy?" and the answer is usually no, because the standard doesn't require it and it adds no value. So yes, we can generate policy after policy after policy, but if the policy adds no value and has very little content and the standard only requires a process, then we're going to rely solely on that process, and that is absolutely fine.

So my name is Stuart Barker, I am the ISO 27001 Ninja. Thanks for joining me on the first of the ISO 27001 Annex A videos. There's only 90-odd left to go as we go deep dive on each of the Annex A clauses. But until the next video, be sure to check out the blog that goes along with this video for much more detail. Until the next one, peace out.