In line with the fundamental principle of continual improvement that underlies all of the ISO standards we deal with, we have updated the ISO27001 Toolkit to address more areas of the standard, fix the occasional error and provide more examples of how to complete some of the existing forms.
The first of the new documents we have included is a Social Media Policy which sets out guidelines for employees when using the organization’s social media accounts such as Twitter, Facebook and LinkedIn. It covers areas such as making it clear that the person posting the content represents the organization, fact-checking before re-communicating others’ posts and having due regard for varied cultures and the way that messages could be interpreted.
A Procedure for Managing Lost or Stolen Devices has been added to the Toolkit to further address section A.8 of Annex A which deals with asset management.
An important follow-up to information security breaches is learning the lessons from them and closing any gaps that have been exposed within the organization’s defences. To this end, and to address more fully control A.16.1.6 from Annex A, a new form, Lessons Learned Report, has been added.
As part of this revision we have updated a number of documents to provide more content. The Information Security Competence Development Procedure now has a section describing the skills required of a risk owner and the Awareness Training Presentation now has more information about the legal framework outside the UK, including the USA, EU and a selection of other countries.
Good practice advice about passwords from NIST and the UK National Cyber Security Centre (NCSC) has been added to the Access Control Policy (including non-expiring passwords and prevention of use of common passwords such as Password1 and 123456).
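As an added illustration of the password advice referred to above (not part of the CertiKit toolkit or of the NIST/NCSC publications themselves), the check below encodes the rules in code: a minimum length, no forced composition rules, and rejection of common or context-specific passwords such as the organization's own name. The length thresholds follow NIST SP 800-63B as we understand it (at least 8 characters, at least 64 allowed); the deny-list is a constructed sample standing in for a real list of breached or commonly used passwords. Periodic expiry is deliberately absent: under this guidance a change is forced only on evidence of compromise.

```python
"""Password acceptance check in the spirit of the NIST / NCSC advice.

Added illustration only; not toolkit content. Thresholds follow NIST SP 800-63B
(minimum 8 characters, allow at least 64); the deny-list is a constructed sample.
"""
from __future__ import annotations

import re
from typing import Iterable

# Constructed sample deny-list. A deployment would load a large list of breached
# or commonly used passwords; the two examples named in the policy are included.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty", "letmein", "welcome1",
}

MIN_LENGTH = 8   # minimum for a user-chosen memorized secret
MAX_LENGTH = 64  # verifiers should accept at least this many characters


def normalize(candidate: str) -> str:
    """Lower-case and strip trailing digits/punctuation so 'Password1!' matches 'password'."""
    base = candidate.lower()
    return re.sub(r"[\d\W_]+$", "", base)


def check_password(
    candidate: str,
    context_words: Iterable[str] = (),
    denylist: set[str] = COMMON_PASSWORDS,
) -> list[str]:
    """Return the reasons a candidate password is rejected; an empty list means accepted.

    No composition rules (mixed case, symbols) are enforced: the guidance favours
    length and a deny-list over complexity requirements.
    """
    reasons: list[str] = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")

    lowered = candidate.lower()
    # Match both the exact value and the common "word plus trailing digits" variant.
    if lowered in denylist or normalize(candidate) in denylist:
        reasons.append("matches a commonly used password")

    # Context-specific words: user name, organization name, service name.
    for word in context_words:
        w = word.lower()
        if len(w) >= 3 and w in lowered:
            reasons.append(f"contains context-specific word '{word}'")
    return reasons


if __name__ == "__main__":
    for pw in ("Password1", "123456", "Correct-Horse-Battery", "AcmeCorp-2024!"):
        verdict = check_password(pw, context_words=["AcmeCorp"])
        print(f"{pw!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

The normalisation step is what catches the "Password1" pattern the policy names: users commonly append a digit or symbol to a dictionary word, so the check compares the stripped form as well as the literal value.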
The Network Security Policy has been updated to remove references to the now-compromised SSL in favour of the TLS protocol.
We have also updated the Context, Requirements and Scope document to use the commonly-quoted PESTLE method to cover the external issues relevant to the ISMS.
One of the feedback items from our last customer survey was to include more examples of completed forms, so in this release we have included examples for the Supplier Evaluation Questionnaire, Internal Audit Action Plan and Lessons Learned Report.
Lastly, we’d like to thank our customers who have pointed out a number of small errors and omissions which we have fixed in this release. These include a field error, inaccurate document references, the odd heading numbering correction and changes to make the page numbering adjust correctly when the CertiKit information is removed from the front of each document.
As always, we’re very grateful to our customers who have asked us questions and let us know about changes they would like to see. Every CertiKit toolkit is a result of the feedback we get from those that use them in the field, and we try our best to listen hard at all times and make them as useful as possible for our existing and future customers.
The CertiKit Team