Authorised exemptions
Inspired by an exchange on the ISO27k Forum yesterday morning, I wrote and published a simple 2-page exemptions policy template for SecAware.
In essence, after explaining what 'exemptions' are, the policy requires that they be authorised, after due consideration, by management, specifically the relevant Information Owners.
Exemption decisions should also be recorded, which implies a process and some sort of exemptions log. I'm wondering now whether to write a procedure as well, including a basic log template as a starting point. I'm also contemplating writing something on accountability and responsibility, and perhaps generic incident management and post-incident review procedures to accompany the incident management policy.