Information Security Management System Policy


The Information Security Management System Policy is one of the key documents for the efficient management of information security and for reaching an adequate level of compliance with ISO 27001.

We have already discussed ISO 27001:2013 in general terms, together with the requirements associated with this standard, which is concerned with ensuring the security of the data handled by the organization.

Currently, with the rapid development of digital technologies applied to the medical device sector, the handling of data, and in particular of personal health information, is of extreme importance. Having an efficient information security management system up and running is nowadays a necessity for MedTech companies in the digital sector, where the correct handling of data and the protection of these data against unauthorized use or access has become a real business need.

The requirements for the Information Security Management System Policy are discussed in section 4.2.1 of ISO 27001 version 2013.

In this post we go through the requirements of ISO 27001 section 4.2.1 and the specific characteristics that the Information Security Management System Policy needs to have.

ISMS Policy and Overall Direction for Information Security Compliance 

In point 1) of section 4.2.1 it is clearly stated that the policy needs to establish an overall framework for setting information security objectives. At the same time, the policy needs to provide an overall sense of direction and principles for action with regard to information security.

This is an important point because the ISMS policy shall provide the skeleton on which the ISMS (Information Security Management System) is built; moreover, clear objectives shall be derived from this policy in order to measure the effectiveness of the management system.

Typically the objectives need to be measurable or, at least, directly linked to measurable Key Performance Indicators (KPIs).

Examples of objectives could be: 

  • No more than 2 data security breaches in one year
  • No major non-conformities related to information security topics during audits
  • Business continuity plans tested yearly
  • No deviations from the access policy

Identification of Applicable Requirements

The ISMS shall provide a framework for the identification of the applicable legal and regulatory requirements. 

Requirements that may relate to information security include, for example, the GDPR (General Data Protection Regulation) or HIPAA (Health Insurance Portability and Accountability Act).

A system to keep these regulatory requirements under control shall be implemented, in order to properly identify new or updated requirements and incorporate them into the ISMS.

Information Security Risk Assessment 

The pillar of ISO 27001 and of any information security management system is the application of risk assessment methodologies to data security. 

A risk management process may already be implemented within the organization. For example, a medical device company is effectively required to have an implemented approach to risk management that is compliant with ISO 14971 version 2019 and based on the guidance of ISO 24971:2020.

In ISO 27001 section 4.2.1, point 3, it is clearly stated that the information security policy needs to address how the organization's existing risk management context is aligned with the establishment of the Information Security Management System. This means that if a risk management process is already implemented, you need to take it into consideration when implementing the risk assessment methodology for information security.

There are different methodologies that can be used to perform risk assessment for data security; ISO 27005 version 2018 (Information technology — Security techniques — Information security risk management) is the leading ISO standard to apply in order to implement an Information Security Risk Management Process.

We will discuss ISO 27005 and the treatment of information security risks in a separate blog post.

Moreover, the standard requires that the information security policy explains the criteria used to evaluate risk. Once again, this may differ from organization to organization, as there might be a risk management process already in place that can be adapted to the evaluation of risks related to data security.

Finally, the last requirement is that the Information Security Policy is approved by management. This may be achieved by having management sign the document in which the Information Security Policy is recorded.

Typically, the management review is the moment where the Information Security Policy / Information Security Management System Policy is established for the first time. Subsequently, at each management review, the policy needs to be reviewed for adequacy by management, and any potential change needs to be discussed and reviewed.

Information Security Management System Policy Template

QualityMedDev has published an Information Security Management System Policy Template to support organizations in reaching compliance with ISO 27001 and related information security ISO standards.

This document is fully editable in Word and is ready to be downloaded from our shop. It is fully aligned with the requirements of section 4.2.1 of ISO 27001 version 2013, where the requirements for this policy are defined.

Conclusions

In conclusion, we have gone through the main requirements associated with the Information Security Policy according to ISO 27001 version 2013. This policy is the basis of the Information Security Management System. As discussed in this post, a key point is the risk management process, which is necessary to identify and handle risks related to information security.

Source: https://www.qualitymeddev.com/2021/09/02/information-security-management-system-policy/