Security Policy Information
Yes, you are correct - if you reviewed the policy and no changes were needed, then there is no need to republish such a document. This is basically true for any of your policies and procedures.
However:
1) I find it quite difficult to believe there would be nothing to change in a document after a one-year period.
2) Even if there is absolutely nothing to change, you should have some kind of a record that a particular person has reviewed the policy and that the conclusion is there were no changes needed - this could also be done through email.
By the way, the 2005 revision of ISO 27001 is not valid any more - currently the 2013 revision of ISO 27001 is published, but basically the requirements about reviewing the policies and procedures remained the same. See also: A first look at the new ISO 27001 (2013 draft version) https://advisera.com/27001academy/blog/2013/01/28/a-first-look-at-the-new-iso-27001-2013-draft-version/
Jan 12, 2016