Example of ISO 27001 mystique

ISO 27001 is a framework, and you cannot successfully implement it by treating the text of the standard as a series of instructions to be followed in the order in which they were printed. If you try that, things will become very confusing very quickly.

For example, the requirement to have an information security policy is first (?) mentioned in Chapter 5.1, "Leadership and commitment", where it says that top management must have it established, together with information security objectives. Then Chapter 5.2, "Policy", states that these objectives form part of the information security policy, referencing forward to Chapter 6.2, "Information security objectives and planning to achieve them", which requires organizations to set objectives consistent with the policy. Of course there is also a corresponding Control called "Policies for information security" (5.1), which explains that there will be an information security policy at the highest level of the organization, including objectives "or the framework for setting objectives", and further "topic-specific policies as needed", which of course need their own objectives.

Programmers may love this kind of recursiveness when it's in coding exercises.