Security Policies & Procedures
You will need to have a number of Policies & Procedures in place to comply with ISO27001.
At the end ISO27001 is a standard for an Information Security Management System – and Audit companies still consider documentation the best evidence.
Compleye Online is a tool that represents that management system, embedding evidence, not only for security; we have already features in place for privacy and quality as well. However we cannot capture security, privacy and quality just by adding documents – you will need to proof that live up to the policies and procedures that you have adopted. That evidence are called records and you can add these records in Compleye Online.
However before you can add records, you will need to adopt Policies & Procedures. Mandatory Policy in ISO27001 is: the Security Policy – describing the intentions and ambition (Objectives) you have defined for your ISMS and there are a number of other mandatory topics. We advise you to add in your Security Policy all the Procedures that you will adopt – and review at least yearly.
In a number of sections we refer to certain templates (procedure/policies/checklists or other documents) and during onboarding of DIY Compleye Online, you will receive the Documentation Toolkit with all the templates.
Create in your own Documentation Storage a Compliance folder with all Templates you will adopt and make them available for all your team members – that is a mandatory requirement for ISO27001. You can select what documents you will share with Team members in a subfolder. Once you have defined an approved documents, you can add them also to some of the Compleye Online subsection in feature Procedure/Info – to make them easy accessible for your ISMS Team members when needed.
Below an overview of all Templates in the Documentation Toolkit.
The section Policies & Procedures is still under development – however you can already upload your adopted and approved documentation with an owner.
We have tried to keep the documents as simple and short as possible – under the ISO27001 requirement restrictions. So most of them are no longer than 1- 2 pages.
A good way to start is to assign owners and read the content, customize where needed to your own needs and situation and let them be reviewed by a second person before finally approving them on C-Level.
Make sure that every document has: an owner, a date of approval and a version (number or date) on it. Store it in your own folder and when this section is ready – add to the list.
Make sure you will have a control in place to review the documentation on a yearly base.
More or new templates, checklist can be added to the Toolkit – due to changes in the ISO27001 standard or during certification process with other clients of Compleye. We will then inform you and make those available for you.
| Name of Template | Compleye Online Section | type | |
| 1 | Mandatory ISO27001 Topics | Strategy & Ambition / Organisation & Context (and other topics addressed in wiki and ISO27001) | ppt |
| 2 | Access Management Policy | Security Policies & Procedures | doc |
| 3 | Backup Procedure | Security Policies & Procedures | doc |
| 4 | Business Continuity Assessment Procedure | Risks & Opportunities / Business Continuity Plan | doc |
| 5 | CAPA Outline Procedure | Security Policies & Procedures | doc |
| 6 | Code of Conduct | Security Policies & Procedures | doc |
| 7 | Cookie Policy | Legal & Compliance / GDPR / User Documentation | doc |
| 8 | Cryptography Policy | Security Policies & Procedures | doc |
| 9 | Data Breach Procedure | Security Policies & Procedures | doc |
| 10 | Data Classification Policy | Security Policies & Procedures | doc |
| 11 | Data Processor Policy | Security Policies & Procedures | doc |
| 12 | Data Protection Impact Assessment | Risks & Opportunities / Data Privacy Impact Assessment | doc |
| 13 | Data Retention Procedure | Security Policies & Procedures | doc |
| 14 | Disaster Recovery Plan | Risks & Opportunities / DRP | doc |
| 15 | GDPR Assessment | Risks & Opportunities / GDPR Assessment | xls |
| 16 | Hardware Security Policy | Security Policies & Procedures | doc |
| 17 | HR Checklist | Security Policies & Procedures | doc |
| 18 | Human Resources Policy | Security Policies & Procedures | doc |
| 19 | Improvement Procedure | Security Policies & Procedures | doc |
| 20 | Information Security Communication Policy | Security Policies & Procedures | doc |
| 21 | Intellectual Property Statement | Legal & Compliance / Intellectual Property | doc |
| 22 | Internal Privacy Policy | Security Policies & Procedures | doc |
| 23 | ISRA Procedure | Security Policies & Procedures | doc |
| 24 | ISRA Template | Risks & Opportunities / ISRA | xls |
| 25 | Log and monitoring Policy | Security Policies & Procedures | doc |
| 26 | Offboarding Procedure | Security Policies & Procedures | doc |
| 27 | Onboarding Procedure | Security Policies & Procedures | doc |
| 28 | Open Source Components Policy | Security Policies & Procedures | doc |
| 29 | Password Management Policy_Team Members | Security Policies & Procedures | doc |
| 30 | PENTesting Procedure | Security Policies & Procedures | doc |
| 31 | Privacy Statement_Notice_ExternalUse | Legal & Compliance / GDPR / User Documentation | doc |
| 32 | SDLC Procedure Guidelines | Security Policies & Procedures | doc |
| 33 | Security Policy | Security Policies & Procedures | doc |
| 34 | Staff Attendance Policy | Security Policies & Procedures | doc |
| 35 | Supplier Management Policy | Security Policies & Procedures | doc |
Add new policy
| Field Name | Description | Example |
| Policy name | Select the policy from the drop down list or select other to type the name of the Policy | Privacy Policy |
| Owner | Select a team member who is responsible for updating and reviewing the Policy | {name} |
| Description | free text field to describe content of the policy | end user documentation |
