Corporate Information Security Policy

Model Corporate Information Security Policy

Written and published by IsecT Ltd.

5 pages, supplied as an unlocked and fully-customizable Microsoft Word file

Price: US$50*


Introduction

The Corporate Information Security Policy is a generic model or template focusing on two high-level policy abstractions not often documented as such:

  • The guiding security principles are very broad architectural statements or directives that are intended to ensure that the organization’s information security controls meet its business and compliance needs.
  • The security axioms are traceable to globally-accepted good security practices outlined in Annex A of ISO/IEC 27001 and explained in more detail in ISO/IEC 27002.  Employees, consultants, advisors, IT and certification auditors, and others who know ISO27k should be on familiar territory straight away.

In just 5 pages, the model policy provides:

  • A summary explaining the policy pyramid structure;
  • An introduction briefly setting the scene;
  • 7 generic and very broadly applicable information security principles, sitting right at the peak of the policy pyramid;
  • 39 security axioms, definitive policy statements derived directly from the 39 control objectives in ISO/IEC 27002, which link the lower-level policy statements and controls to the top-level principles;
  • Policy compliance responsibilities;
  • References to the supporting Information Security Policy Manual plus Topic-based Information Security Policies, standards, procedures and guidelines;
  • Contacts for readers to find out more about the policies.

Intended audience

Although the Corporate Information Security Policy applies to all employees and can be read by anyone, it is written in a formal style typical of policy statements by senior management.  It is succinct enough for senior managers to review, discuss and approve without needing to delve into the nitty-gritty of the Information Security Policy Manual.  Whether or not you decide to circulate it to all employees, you should definitely make it readily available to everyone, potentially including business partners, regulators or other stakeholders who have an interest in the organization’s stance on information security.  The policy is generic enough not to disclose any trade secrets!

Purpose and utility

The Corporate Information Security Policy is the place where management formally declares and imposes information security responsibilities on employees and third parties (such as contractors).  This is of course an important governance activity.  In ISO27k terms, it is the ‘overarching information security policy’. 

The fact that the security axioms are traceable to control objectives laid out in ISO/IEC 27001 and ISO/IEC 27002 makes it particularly useful if you are building and implementing an Information Security Management System using the ISO27k international security standards.

Despite its rather formal language, the Corporate Information Security Policy supports and may be used within general information security awareness and training.  The Information Security Policy Manual expands on the controls in more detail for security professionals, while the Topic-based Information Security Policies, information security standards, procedures and guidelines normally refer to applicable policies, axioms and/or principles as appropriate, giving them the weight of management’s mandate.  These less-formal, lower-level documents, along with the monthly stream of briefings, procedures, guidelines, presentations and other awareness materials delivered through our NoticeBored subscription service, are more easily understood by a general audience.

How to purchase the corporate policy

Email us for the license agreement and an invoice for US$50*.  We ask you to sign and return a perpetual license governing your use of the materials in order to protect our intellectual property.  You are welcome to settle the invoice through PayPal using your credit card, or by international bank transfer. 

We will send you the corporate policy shortly after receiving both your payment and the signed license.

Please note: you can save well over US$100* by purchasing the Corporate Information Security Policy plus the Information Security Policy Manual and the Topic-based Information Security Policies together as a complete set.  As an incentive to subscribe to the NoticeBored security awareness service, the complete policy set is provided free of charge to NoticeBored subscribers.  Please contact us for details.

* plus GST (sales tax) for New Zealand customers



Copyright © 2013  IsecT Ltd.