Policy Templates Updated: November 2023

Vanta released updates to a number of Policy Templates in November 2023:

  • 01-ISMS Scope of the ISMS
  • 02-ISMS Information Security Management System Policy
  • 03-ISMS Roles, Responsibilities & Authorities
  • 07-ISMS Procedure for Internal Audits
  • 08-ISMS Procedure for Management Review
  • 10-ISMS Information Security Objectives Plan 
  • Access Management Policy
  • Information Security Policy (AUP)
  • Operations Security Policy
  • Risk Management Policy
  • Third-Party Risk Management Policy


Template Updates

01-ISMS Scope of the ISMS

  • We added a column to the Interested Parties table to indicate whether or not the requirements of interested parties are addressed by the ISMS. This change was made to satisfy the new Clause 4.2c in the 2022 version of ISO 27001:

New ISO 27001 Clause

4.2c The organization shall determine which of these requirements will be addressed through the information security management system.

02-ISMS Information Security Management System Policy

03-ISMS Roles, Responsibilities & Authorities

  • We made minor changes to roles and responsibilities and added language assigning responsibility for assessing cloud vendors, which supports a new Annex A control:

A.5.23 Information security for use of cloud services

Purpose: To specify and manage information security for the use of cloud services.

Control: Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organization’s information security requirements.

07-ISMS Procedure for Internal Audits

08-ISMS Procedure for Management Review

10-ISMS Information Security Objectives Plan 

  • We made a small quality improvement to this template related to two changes in Clause 6.2.

These are the new requirements in the 2022 version of ISO 27001 (the information security objectives shall):

6.2.d be monitored;

6.2.g be available as documented information.

  • In addition, we added template language for Vanta customers to show that you are leveraging Vanta for monitoring your objectives, which addresses the new 6.2.d requirement.

Access Management Policy

  • We added more language around the topic of Privileged Access Management. This is a quality improvement not related to a change in the standard.

Information Security Policy (AUP)

  • We added more language around the topic of Remote Work Security. This is a quality improvement not related to a change in the standard.

Operations Security Policy

  • This policy received the most substantive changes.
  • First, we added language to the Configuration and Hardening Appendix in support of the new ISO Annex A control:

A.8.9 Configuration management

Purpose: To ensure hardware, software, services, and networks function correctly with required security settings, and configuration is not altered by unauthorized or incorrect changes.

Control: Configurations, including security configurations, of hardware, software, services, and networks shall be established, documented, implemented, monitored, and reviewed.

  • We added additional language to the Change Management section. This was a quality improvement not related to a change in the standard.
  • We added a section for Data Leak Prevention in support of the new ISO Annex A control:

A.8.12 Data leakage prevention

Purpose: To detect and prevent the unauthorized disclosure and extraction of information by individuals or systems.

Control: Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information.

  • We added a section for Web Filtering in support of the new ISO Annex A control:

A.8.23 Web filtering

Purpose: To protect systems from being compromised by malware and to prevent access to unauthorized web resources.

Control: Access to external websites shall be managed to reduce exposure to malicious content.

  • We added a section for Threat Intelligence in support of the new ISO Annex A control:

A.5.7 Threat intelligence

Purpose: To provide awareness of the organization’s threat environment so that the appropriate mitigation actions can be taken.

Control: Information relating to information security threats shall be collected and analysed to produce threat intelligence.

Risk Management Policy

  • We made a minor change to this policy to include “Use of Cloud Services” as a category of risk consideration, in support of the new Annex A control A.5.23 (referenced above). We also added a section on risk assessment in project management.

Third-Party Risk Management Policy

  • We added a section to the policy to address risks associated with cloud service providers, in support of the new ISO 27001 Annex A control A.5.23 (referenced above).

Revision:

We added policy support for the new ISO Annex A control, Data masking, to the Operations Security Policy:

A.8.11 Data masking

Purpose: To limit the exposure of sensitive data including PII, and to comply with legal, statutory, regulatory, and contractual requirements.

Control: Data masking shall be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.

  • Many companies will not have specific external requirements to implement data masking. If your organization has implemented data masking controls, you must support them with policy language to meet this Annex A control. If your organization has not implemented a data masking program, we recommend that you scope this control out of your ISMS on your Statement of Applicability (recording the justification for the exclusion, as Clause 6.1.3 d) requires) and remove the language from the policy.