ISO/IEC 27001 Control 5.1: Policies for information security
Control
Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.
Necessity of MidPoint
MidPoint is optional for implementation of this control.
This control can be implemented without midPoint. However, midPoint provides considerable advantages, making the implementation more efficient and reliable.
Implementation Overview
MidPoint can provide data for building security policies.
Implementation Details
MidPoint reporting can be used to extract information from identity data (identity analytics). Simulation capabilities can be used to predict the effect of proposed policies, especially for topic-specific policies. Reports and dashboards can be used to keep track of the application, enforcement and violations of the policies. Policy rules can be used in marking (non-enforcement) mode to evaluate the impact of proposed policies, listing all potential violations.
Rationale
MidPoint can provide essential data for the definition and maintenance of security policies, such as access control data, current practical policies, a list of policy violations and so on.