removed emoji from filenames, Obsidian changed all relevant links

Richard Kranendonk 2026-05-07 15:01:04 +02:00
parent d316285a74
commit 68f1c38681
638 changed files with 710 additions and 3176 deletions


@ -0,0 +1,68 @@
# Triggers for Reviews of Policies
**From [A 5.35](../Standards/ISO27x/OST/27002/EN/a-5.35-Independent-review-of-information-security.md), Independent review of information security:**
The organization should consider conducting independent reviews when:
a\) laws and regulations which affect the organization change;
b\) significant incidents occur;
c\) the organization starts a new business or changes a current business;
d\) the organization starts to use a new product or service, or changes the use of a current product or service;
e\) the organization changes the information security controls and procedures significantly.
ISO/IEC 27007 and ISO/IEC TS 27008 provide guidance for carrying out independent reviews.
## From NotebookLM
The source documents specify several explicit triggers that necessitate the review and updating of an organization's policies, particularly the main information security policy and supporting topic-specific policies.
Key triggers for policy review include:
### 1. Significant Changes
Both the overarching organizational information security policy and specific topic-specific policies must be reviewed when **significant changes occur**.
Specifically, management should review and update information security policies in response to changes in:
- **Regulations, statutes, legislation, and contracts**.
- **The organization's business strategy**.
- **The organization's technical environment**.
- **Information security risks**.
- **The current and projected information security threat environment**.
- **The organization itself**, such as starting a new business or changing a current business.
- **Products or services**, such as starting to use a new product or service, or changing the use of a current one.
- **Information security controls and procedures**, if they change significantly.
The requirement for independent review of the organization's approach to managing information security (which includes policies) is also triggered **when significant changes occur**.
### 2. Planned Intervals
In addition to being reviewed when significant changes occur, policies must be reviewed at **planned intervals**.
- The information security policy and topic-specific policies should be reviewed at **planned intervals**.
- Confidentiality or non-disclosure agreements should be **regularly reviewed**.
- The organization's approach to managing information security (which includes policies) should be reviewed independently at **planned intervals**.
- Compliance with the organizations policies, rules, and standards should be **regularly reviewed**.
### 3. Incidents and Learning
Feedback from incidents and assurance activities also triggers policy review:
- The review should be built on **lessons learnt from information security incidents**.
- Lessons learned from **information security events and incidents** should be taken into account during the review of the information security policy and topic-specific policies.
- The evaluation of information gained from information security incidents should be used to update the organization's information security risk assessment and **determine and implement necessary additional controls**. This necessitates policy review if control changes are determined.
- The organization should consider conducting independent reviews when **significant incidents occur**.
### 4. Management Activities and Audits
Policy reviews are integrated into the management system framework:
- Review and update of policies should take the **results of management reviews and audits** into account.
- The management review inputs include considering **changes in external and internal issues** (relevant to the ISMS scope), and **changes in needs and expectations of interested parties** (relevant to the ISMS), which inherently requires reviewing the policy for continuing suitability.
When a policy is changed, review and updates of **other related policies** should be considered to maintain consistency.
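Review bot: The "From NotebookLM" section attributes every trigger to "the source documents" without naming them, whereas the A 5.35 section above links directly to the control file it quotes; each bullet under "1. Significant Changes", "2. Planned Intervals", "3. Incidents and Learning" and "4. Management Activities and Audits" should carry the same kind of `[A x.y](../Standards/...)` link to the control or clause it paraphrases, otherwise the generated summary cannot be checked against the standard. Two smaller points in the same text: "Compliance with the organizations policies, rules, and standards" needs the possessive ("organization's"), and the "Incidents and Learning" subsection switches between "lessons learnt" and "Lessons learned" in consecutive bullets; pick one spelling.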