Security Policy Information

  Quote
Guest
Guest user | Created: Jan 12, 2016 | Last commented: Jan 12, 2016

I would like to get your opinion regarding an issue on Security Policy Information. Control A.5.1 of ISO 27001:2005 provides that the Security Policy Information should be critically analyzed at planned intervals or when significant changes occur. In the case where no significant changes were identified during the review of the Policy, do you agree that we can maintain the same policy and that there is no need to republish it?

DejanK Jan 12, 2016

Yes, you are correct - if you reviewed the policy and no changes were needed, then there is no need to republish such a document. This is basically true for any of your policies and procedures.

However:

1) I find it quite difficult to believe there would be nothing to change in a document after a one-year period.

2) Even if there is absolutely nothing to change, you should have some kind of a record that a particular person has reviewed the policy and that the conclusion was that no changes were needed - this could also be done through email.

By the way, the 2005 revision of ISO 27001 is not valid any more - currently the 2013 revision of ISO 27001 is published, but basically the requirements about reviewing the policies and procedures remained the same. See also: A first look at the new ISO 27001 (2013 draft version) https://advisera.com/27001academy/blog/2013/01/28/a-first-look-at-the-new-iso-27001-2013-draft-version/
