Ref.  Subject  Implementation tips  Potential metrics

5.1  Information security policy

  Implementation tips:
  Think in terms of an information security policy manual or wiki containing a coherent and internally consistent suite of policies, standards, procedures and guidelines. Identify the review frequency of the information security policy and the methods used to disseminate it organization-wide. Review of the suitability and adequacy of the information security policy may be included in management reviews.

  Potential metrics:
  Policy coverage (percentage of sections of ISO/IEC 27001/2 for which policies plus associated standards, procedures and guidelines have been specified, written, approved and issued).
  Extent of policy deployment and adoption across the organization (measured by Audit, management or Control Self Assessment).

6. Organizing information security

6.1  Internal organization

  Implementation tips:
  Mirror the structure and size of other specialist corporate functions such as Legal, Risk and Compliance.

  Potential metrics:
  Percentage of organizational functions/business units for which a comprehensive strategy has been implemented to maintain information security risks within thresholds explicitly accepted by management.
  Percentage of employees who have (a) been assigned, and (b) formally accepted, information security rôles and responsibilities.

6.2  External parties

  Implementation tips:
  Inventory network connections and significant information flows to third parties, then risk-assess them and review the information security controls in place against the requirements. This is bound to be scary, but it's 100% necessary! Consider requiring ISO/IEC 27001 certificates of critical business partners such as IT outsourcers, providers of

  Potential metrics:
  Percentage of 3rd-party connections that have been identified, risk-assessed and deemed secure.
Copyright © 2007, ISO27001security forum
Page 3 of 16