About ISO27DIY Policy Cards

Policies are part of the collection of Advised Documents for ISO 27001.

These take the shape of 'Policy Cards', produced at the end of each session of the 📼 ISO27DIY Video Series.

Because the policies produced at the end of a session need to be expanded and adapted to the organization, there will be a corresponding action in the ISMS planning.

At first they will only mention Goal, Method and Responsibilities (and version info of course). The cards will reference ISMS clauses in the Strategy/Context/Planning phase.

Later, Metrics (to establish effectiveness) and Evaluation (typically referring to review meetings) will be added.

After the Risk and Assets phase, more specifically after the asset categories have been identified, Policy Cards will also reference Annex A Controls.

Policy Cards are generated from the risks identified and the controls defined. They are not editable themselves, but they can be exported to an editable document.

A Policy Card has a fixed format, see ISO27DIY Policy Card template.

ISO 27002:2013 offers the following guidance for A.5.1.1 Policies for information security: “These policies should be communicated to employees and relevant external parties in a form that is relevant, accessible and understandable to the intended reader, e.g. in the context of an information security awareness, education and training programme”.

Related ISO clauses and controls:

Related ideas: