Written and published by IsecT Ltd., supplied as an unlocked and fully-customizable Microsoft Word file.
The Corporate Information Security Policy is a generic model or template focusing on two high-level policy abstractions not often documented as such: information security principles and security axioms.
In just 5 pages, the model policy provides:
A summary explaining the policy pyramid structure;
An introduction briefly setting the scene;
7 generic and very broadly applicable information security principles, sitting right at the peak of the policy pyramid;
39 security axioms: definitive policy statements derived directly from the 39 control objectives in ISO/IEC 27002, linking the lower-level policy statements and controls to the top-level principles;
Policy compliance responsibilities;
Contacts for readers to find out more about the policies.
Although the Corporate Information Security Policy applies to all employees and can be read by anyone, it is written in a formal style typical of policy statements by senior management. It is succinct enough for senior
managers to review, discuss and approve without needing to delve into the nitty-gritty of the Information Security Policy Manual. Whether or not you decide to circulate it to all employees, you should definitely
make it readily available to everyone, potentially including business partners, regulators or other stakeholders who have an interest in the organization’s stance on information security. The policy is generic
enough not to disclose any trade secrets!
Purpose and utility
The Corporate Information Security Policy is the place where management formally declares and imposes information security responsibilities on employees and third parties (such as contractors). This is of course
an important governance activity. In ISO27k terms, it is the ‘overarching information security policy’.
The fact that the security axioms are traceable to control objectives laid out in ISO/IEC 27001 and ISO/IEC 27002 makes it particularly useful if you are building and implementing an Information Security Management
System using the ISO27k international security standards.
Despite its rather formal language, the Corporate Information Security Policy supports, and may be used within, general information security awareness and training. The Information Security Policy Manual expands
on the controls in more detail for security professionals, while the Topic-based Information Security Policies,
information security standards, procedures and guidelines normally refer to applicable policies, axioms and/or
principles as appropriate, giving them the weight of management’s mandate. These less-formal, lower-level documents, along with the monthly stream of briefings, procedures, guidelines, presentations and other
awareness materials delivered through our NoticeBored subscription service, are more easily understood by a general audience.
How to purchase the corporate policy
Email us for the license agreement and an invoice for US$50*. We ask you to sign and return a perpetual
license governing your use of the materials in order to protect our intellectual property. You are welcome to settle the invoice through PayPal using your credit card, or by international bank transfer.
We will send you the corporate policy shortly after receiving both your payment and the signed license.
Please note: you can save well over US$100* by purchasing the Corporate Information Security Policy plus the Information Security Policy Manual and the Topic-based Information Security Policies together as a complete set. As an incentive to subscribe to the NoticeBored security awareness service, the complete
policy set is provided free of charge to NoticeBored subscribers. Please contact us for details.
* plus GST (sales tax) for New Zealand customers