Information security policies

Policy pyramid (figure)

Policies are the mechanism through which management formally defines and places various information security obligations on workers, including themselves and sometimes third parties.

While most organizations have something in place, few have truly effective information security policies. Do any of these seven issues look vaguely familiar to you?

  1. Limited scope
  2. Poor quality
  3. Inconsistencies
  4. Lack of awareness
  5. Lack of accountability
  6. Lack of compliance
  7. Lack of process

Read about these commonplace policy issues in the security policy FAQ.

There has to be a better way! If that litany of policy issues rings true, we recommend an altogether more professional approach, reflecting the policy pyramid shown here.

Corporate information security policy

In just 5 pages, our Corporate Information Security Policy at the peak of the pyramid lays out 7 guiding principles (broadly applicable information security design principles) plus 35 axioms (succinct policy statements derived from the controls in Annex A of ISO/IEC 27001). The policy is the vehicle through which senior management gives the corporation overall, high-level direction on how its information risks are to be managed.

Topic-based information security policy templates

To cover the full breadth of information risk, security and related matters, we offer a coherent suite of model information security policies covering more than 60 topics.

NIST SP 800-12 calls these ‘issue-specific’ policies. Since they were all written and are maintained by the same professional author, they consistently adopt the same formal yet readable style. A happy customer told us, “We really like how easily your policies read - simple and concise.”

Corporate security standards

We don’t sell corporate security standards because the details vary so much between organizations that generic documents would be of limited value. However, if you are struggling, ask us about helping you develop your own corporate security standards on a consultancy basis.

Information security procedures, guidelines and other awareness materials

Formal policies clarify information security obligations, making them enforceable, but employees still have to know what they are expected to do, how to do it, and who to turn to for help if they are struggling. Simply publishing or mandating the policies and expecting people to read, understand and comply with them is a common but naive approach. Alongside the policies, we offer procedures, guidelines, briefings, seminar presentations and a wealth of other materials through the NoticeBored security awareness subscription service. These are designed to inform, engage and motivate employees and thereby achieve compliance, and then some: mere compliance is not the ultimate goal, since security is there to protect, support and enable the business.

Price

A suite of more than 60 topic-based policy templates plus the overarching corporate security policy costs just US$750. If you don’t need them all, they are US$25 each. When you subscribe to the NoticeBored security awareness service, all the policies are provided free of charge as a welcome gift, along with the Information Security 101 orientation module. Please contact us for consultancy rates and further options such as training or a license to use the NoticeBored materials to offer content to your clients.

How to purchase

Contact us for a tax invoice and license agreement. We ask you to enter into a perpetual license governing your use of the materials in order to give you the freedom to adapt and use them for your organization while protecting our intellectual property. Please settle the invoice through PayPal using your credit card, or by international bank transfer.

Note: New Zealand-based customers will be charged GST in addition to the price shown. Export sales are sales-tax-free.
Contact us for a quote if you would prefer to pay in another major currency.


Copyright © 2017 IsecT Ltd.