Policy for information security policies (A.5)

On this page you will find the current policy for information security policies. The policy sets the central framework for information security at Aarhus University.


Objective

The objective of AU's policy for information security policies is:

  • to provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

Management direction for information security (A.5.1)

A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties (A.5.1.1)

The senior management team has approved Aarhus University's information security policy as well as the 14 sub-policies (A.5 – A.18). Together, these policies constitute the minimum requirements for all units at Aarhus University.

Aarhus University's information security policy is publicly available at AU.dk, and any additional information security material will be made available to relevant stakeholders.

Relevant information security material must be available in Danish and English.

The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.

Aarhus University's information security policy must be reviewed annually. The additional information security policies will be reviewed when necessary.

A number of initiatives have been planned and established centrally in order to comply with the above requirements:

  • Re. A.5.1.1 Policies:
    • The senior management team has approved Aarhus University's information security policy, which together with 14 subjacent policies (A.5 – A.18 is being prepared). Together, these policies constitute minimum requirements that cannot be deviated from and that apply to all units at Aarhus University.
  • Re. A.5.1.2 Review of policies:
    • Refer to the central information security management system (ISMS) at Aarhus University.  

QUESTION GUIDE

Consider the question guide as a tool to navigate the requirements of the policy:    

  • How does the management team ensure that policies and rules are communicated to employees and relevant external parties?
  • Do the key minimum requirements need to be supplemented with local initiatives/policies? 
  • How does the management team ensure and document an annual review of information security policies?