Restore files to match origin/27002-metadata
Both a-5.1-Policies-for-information-security.md and a-5.2-Information-security-roles-and-responsibilities.md had extraneous content (duplicate headers, extra frontmatter, text changes) compared to their expected state. Restored from origin/27002-metadata branch.
This commit is contained in:
parent
2d92263a43
commit
890e0d8c4f
2 changed files with 29 additions and 8 deletions
|
|
@ -1,4 +1,27 @@
|
|||
#iso27002/2022/EN
|
||||
---
|
||||
notetype: sourcetext
|
||||
standard: ISO 27002
|
||||
version: 2022
|
||||
language: EN
|
||||
type: control
|
||||
id: "A.5.1"
|
||||
title: "Policies for information security"
|
||||
theme: Organizational
|
||||
control_type: [Preventive]
|
||||
information_security_properties:
|
||||
- Confidentiality
|
||||
- Integrity
|
||||
- Availability
|
||||
cybersecurity_concepts: [Identify]
|
||||
operational_capabilities: [Governance]
|
||||
security_domains:
|
||||
- Governance_and_Ecosystem
|
||||
- Resilience
|
||||
tags:
|
||||
- iso27002/2022/EN
|
||||
status: active
|
||||
---
|
||||
|
||||
## 5.1 Policies for information security
|
||||
|
||||
#### Control
|
||||
|
|
@ -8,7 +31,7 @@ Information security policy and topic-specific policies should be defined, appro
|
|||
To ensure continuing suitability, adequacy, effectiveness of management direction and support for information security in accordance with business, legal, statutory, regulatory and contractual requirements.
|
||||
|
||||
#### Guidance
|
||||
At the highest level, the organization should define an “information security policy” which is approved by top management and which sets out the organization’s approach to managing its information security.
|
||||
At the highest level, the organization should define an "information security policy" which is approved by top management and which sets out the organization's approach to managing its information security.
|
||||
|
||||
The information security policy should take into consideration requirements derived from:
|
||||
|
||||
|
|
@ -45,10 +68,10 @@ j) information classification and handling;
|
|||
k) management of technical vulnerabilities;
|
||||
l) secure development.
|
||||
|
||||
The responsibility for the development, review and approval of the topic-specific policies should be allocated to relevant personnel based on their appropriate level of authority and technical competency. The review should include assessing opportunities for improvement of the organization’s information security policy and topic-specific policies and managing information security in response to changes to:
|
||||
The responsibility for the development, review and approval of the topic-specific policies should be allocated to relevant personnel based on their appropriate level of authority and technical competency. The review should include assessing opportunities for improvement of the organization's information security policy and topic-specific policies and managing information security in response to changes to:
|
||||
|
||||
a) the organization’s business strategy;
|
||||
b) the organization’s technical environment;
|
||||
a) the organization's business strategy;
|
||||
b) the organization's technical environment;
|
||||
c) regulations, statutes, legislation and contracts;
|
||||
d) information security risks;
|
||||
e) the current and projected information security threat environment;
|
||||
|
|
@ -56,7 +79,7 @@ f) lessons learned from information security events and incidents.
|
|||
|
||||
The review of information security policy and topic-specific policies should take the results of management reviews and audits into account. Review and update of other related policies should be considered when one policy is changed to maintain consistency.
|
||||
|
||||
The information security policy and topic-specific policies should be communicated to relevant personnel and interested parties in a form that is relevant, accessible and understandable to the intended reader. Recipients of the policies should be required to acknowledge they understand and agree to comply with the policies where applicable. The organization can determine the formats and names of these policy documents that meet the organization’s needs. In some organizations, the information security policy and topic-specific policies can be in a single document. The organization can name these topic-specific policies as standards, directives, policies or others.
|
||||
The information security policy and topic-specific policies should be communicated to relevant personnel and interested parties in a form that is relevant, accessible and understandable to the intended reader. Recipients of the policies should be required to acknowledge they understand and agree to comply with the policies where applicable. The organization can determine the formats and names of these policy documents that meet the organization's needs. In some organizations, the information security policy and topic-specific policies can be in a single document. The organization can name these topic-specific policies as standards, directives, policies or others.
|
||||
|
||||
If the information security policy or any topic-specific policy is distributed outside the organization, care should be taken not to improperly disclose confidential information.
|
||||
|
||||
|
|
@ -74,4 +97,3 @@ Topic-specific policies can vary across organizations.
|
|||
|
||||
# Related
|
||||
- [[ISO_27002_PE 5.1 Policies for information security]]
|
||||
|
||||
|
|
|
|||
|
|
@ -1,4 +1,3 @@
|
|||
#iso27002/2022/EN
|
||||
## 5.2 Information security roles and responsibilities
|
||||
|
||||
### Control
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue