With cyber security affecting businesses worldwide, it is important that all organisations have a policy in place to state and record their commitment to protecting the information that they handle.
We have collated some information from Alan Calder’s Nine Steps to Success: An ISO 27001 Implementation Overview and IT Governance: An international guide to data security and ISO 27001/ISO 27002 to help you produce your own information security policy.
First, what is an information security policy?
Your information security policy is the driving force for the requirements of your ISMS (information security management system): it sets out the board’s policy on, and requirements in respect of, information security.
It should be a short document (we think no more than a couple of pages of A4), but it has to capture board requirements and organisational reality, while meeting the requirements of the ISO 27001 standard if you’re looking to achieve certification.
From a practical point of view, it is worth keeping the policy statement as simple, comprehensive and broad as possible, so that managers have adequate freedom to respond to changing business and security circumstances.
Consider your stakeholders
The policy statement will require all employees in the organisation to participate, and may also require participation from customers, suppliers, shareholders and other third parties. In thinking through the security policy, the board will need to consider how it will affect each of these groups, and the benefits and disadvantages that the business will experience as a result. It is a good idea to think these issues through before you commence the detailed process of designing and deploying your ISMS.
Compiling your information security policy
Compiling your information security policy is not always as straightforward as it seems, especially in large or complex organisations, and the final policy may have to reflect the final risk assessment and the Statement of Applicability.
The policy must:
- Set objectives, or include a framework for setting objectives, and establish the overall sense of direction;
- Take into account all relevant business, legal, regulatory and contractual security requirements;
- Set out the strategic context within which the ISMS will be established;
- Set out the criteria against which risk will be evaluated and the structure of the risk assessment.
The initial policy statement must succinctly answer four key questions:
Who? – The board and management have to be completely behind and committed to the ISMS. The policy statement must therefore be issued under their authority, and there should be clear evidence (in the form of written minutes) that the policy was debated and agreed.
Where? – Those parts of the organisation to which the policy is going to apply need to be clearly identified (corporate, divisional, management or geographic location).
What? – The statement that the board and management “are committed to preserving the confidentiality, integrity and availability of information” is at the heart of a security policy and an ISMS.
Why? – To protect information from a wide range of threats, in order to ensure business continuity, minimise business damage and maximise return on investment.
Getting help with your information security policy
If you’re unsure what your policy should look like, or need help with any other parts of documenting your ISMS, then take a look at the ISO 27001 ISMS Documentation toolkit.
Developed by ISO 27001 experts, and used by over 2,000 clients worldwide, this toolkit contains a complete set of pre-written, ISO 27001-compliant templates to meet your mandatory and supporting documentation requirements.
Proven to save you time and money, this toolkit will provide you with a framework for consistent, ISO 27001-compliant ISMS documentation that can be easily customised and tailored to your business’s needs and objectives.