What is a policy?

We talk about policies a great deal on subjects like ISO 27001 and GDPR. A policy is a set of principles intended to guide people's decisions towards a desired outcome.

Both GDPR and ISO 27001 require organisations to ensure that the appropriate staff are trained in the information security and data protection policies relevant to their job role. ISO 27001 auditors (and potentially an investigating regulatory authority) will want to see evidence that training and awareness in these policies takes place on a regular basis.