25 October 2013

Overloading on Alan Calder of IT Governance’s ISO 27001 Toolkit

I continue perusing the ISO 27001 Sample Toolkit.

I look at a sample policy. There are 3 or 4 bullet points covering the specifics of the policy itself. Two thirds of the document is made up of the same or very similar standard blurb which appears atop and afoot all the other sample policies. Other information includes who the author is and where the document can be found.

Explanations provided within the sample document templates include ones such as “the Organisation protects it networked services in line with it Access Control Policy from unauthorised Access”. This is exactly the same type of sentence as I took Ray Tricker to task for. Is anyone really any the wiser after a sentence like this? Why do you need to state that the purpose of an Access Control policy is to prevent unauthorised access? Isn’t that just common sense?

Even more scarily, these templates have big gaps in them where one is meant to insert text to suit one’s organisation. It strikes me that filling in the blanks is not going to be straightforward. I was hoping more for a “delete the text that doesn’t apply to your organisation” approach. There is no example text provided that one could lift and adapt to fill these gaps.

Hints about what might rightly fill the gaps are not straightforward. In one of them, the Toolkit advises me to enter “details of appropriate authentication mechanisms…”. I think this could simply be a requirement for a password. The answer, despite all the documented complexity, is probably that straightforward, but the whole thing is so bamboozling I don’t know!

There is a Policies and Procedures Diagram. I am really expecting overload here. As I double click it I am cringing in anticipation of seeing much complexity before me and how mind boggling it is going to be. My cringe turns to a broad smile as my PC tells me that it doesn’t have the software to open the document up! I happily move on.

