ISO 27001 is an international standard for information security management systems. Some of its policies include:
- Information Security Policy
- Data Protection Policy
- Data Retention Policy
- Asset Management Policy
- Access Control Policy
- Risk Management Policy
- Information Classification and Handling Policy
- Information Security Awareness and Training Policy
- Acceptable Use Policy
- Clear Desk and Clear Screen Policy
- Remote Working Policy
- Business Continuity Policy
- Backup Policy
- Malware and Antivirus Policy
- Change Management Policy
- Third Party Supplier Security Policy
- Continual Improvement Policy
- Logging and Monitoring Policy
- Network Security Management Policy
- Information Transfer Policy
- Secure Development Policy
- Physical and Environmental Security Policy
- Cryptographic Key Management Policy
- Cryptographic Control and Encryption Policy
- Document and Record Policy
Information Security Policy – sets the principles, framework of supporting policies, responsibilities and addresses all programs, data, infrastructure, third parties, users and more. By creating a detailed and effective framework for ISP, companies ensure that their data is protected and security incidents such as data leaks and/or data breaches are prevented.
Data Protection Policy – main goal is to protect and secure all data, as it is a policy dedicated to the use and management of data. Aspects such as legal compliance for data protection, roles and responsibilities in relation to data protection and data protection techniques must be covered by the policy in a company.
Information Classification and Handling Policy – ensures that information is correctly classified and handled based on its classification. It sets the limitations on what an company or individual can do with the information based on its classification, which commonly is separated into three categories: Confidential, Public and Internal.
Network Security Management Policy – covers access to networks, physical network devices, network services, network locations and security of network services. It essentially guards the information in networks and the supporting information facilities.
Information Transfer Policy – ensures that when information is transferred both internally and/or externally that the correct treatment is applied and safeguards the transfer of information by using all types of communication facilities. Covers loss of information, information encryption and data transfer methods.
Physical and Environmental Security Policy – its goals are prevention of unauthorized physical access, interference with the information and information processing facilities of a company. Cabling security, employee and visitor access, network access control and equipment protection are covered.