The original post: /r/cybersecurity by /u/Exact-Salt7504 on 2024-10-11 19:37:26.

Hi there,

I have been tasked with aligning our company’s policies with ISO 27001: 2022.

There are certain control areas where we are not compliant, but we would like to put them into policy to then drive compliance. We would likely accept this as an enterprise risk.

Could anyone provide suggestions for the language we could use in our policy to reflect that we are moving towards the implementation of the control and also address the ISO requirement?

My initial thoughts include:

  • The organisation will strive to implement control XYZ…
  • Where feasible, the organisation will implement XYZ…

I would appreciate any feedback (e.g. your experience with how this goes in an audit, and any suggestions around suitable language).