Information security policy manual


Written and published by IsecT Ltd.

~118 pages, supplied as a Microsoft Word file

Price US$295

Adobe Acrobat PDF sample

Background

Policies are a fundamental starting point for any information security management system. They provide a structured agenda for senior management to consider and discuss important aspects of information security, and lay down ‘the rules’ that employees are expected to follow.

Many organizations with an information security management function already have security policies although they are often disjointed and incomplete. Worse, they are usually confined to IT security, covering primarily technical issues such as password criteria and antivirus controls. Worse still, they typically sit on some dusty shelf and are only referred to in specific circumstances, such as when disciplinary action is planned against an employee who shares their password or disables the antivirus software.

As security has evolved, various people in various departments have written and published policies to suit their immediate needs. It is not uncommon to find a variety of security-related policies scattered around the organization, some on the intranet (often in several different places at once) and others embedded in employment contracts, employee handbooks, union rulebooks, printed on the back of staff/visitor passes, and so on. There is no version control to speak of, and no ‘policy lifecycle’ with regular management review and re-approval activities.

The lack of coordination and defined ownership of security policies causes a lack of coherence. Often there are direct contradictions between policies, requirements that cannot legally be enforced and their formats and styles vary widely. They don’t even share a common vocabulary! These problems are magnified further in large organizations, especially multinational groups with distributed governance.

Policy compliance, then, is a hit-and-miss affair. Even within the IT Department, IT security policies are applied inconsistently on different systems with no formal processes in place to manage (consider and authorize or forbid) policy exceptions. Policy compliance activities tend to be very basic, often little more than sporadic audits and occasional reminders to employees shortly before the auditors arrive or following security incidents linked to policy noncompliance.

We recommend an altogether more professional approach ...

IsecT’s information security policy manual

Over the course of several years and consultancy assignments with a broad range of clients, we have gradually built an information security policy manual based around ISO/IEC 27002 (originally known as BS 7799 and then ISO/IEC 17799), the international standard Code of Practice for Information Security Management. We used ISO/IEC 27002 because it provides a coherent structure and is reasonably comprehensive, promoting literally hundreds of specific information security controls.

Our manual contains a full set of 39 “axioms”, that is, high-level information security policy statements derived directly from the 39 control objectives in the ISO/IEC standard, supported by a comprehensive suite of detailed policy statements reflecting common implementations of information security best practices identified in the standard. The structure follows the standard very closely, even down to the numbering of sections and subsections, making cross-referencing and ISO/IEC 27001 certification that much easier.

See a sample

Download the contents page and a sample section from the manual as an Adobe Acrobat PDF file to see for yourself. [The contents page numbering is broken in the PDF since most of the actual pages have been deleted from the sample manual. Sorry.] Please contact us if you need to evaluate the Word/RTF version.

What the policy manual gives you

The policy manual is like a good map for a hill walker: it lays out the terrain, marks the key features and shows you the best routes.

We appreciate that a well-written, comprehensive and consistent information security policy manual is not an end in itself, but it’s certainly a great start for your Information Security Management System (ISMS). The policy manual provides both the broad security principles defining your overall approach to information security and a wide range of specific security controls to put those principles into practice. We don’t underestimate the effort required to implement the policy manual but ISO/IEC 27002 is widely accepted to be an excellent basis for a sound ISMS.

Even though the policy statements will need to be customized to suit your organization’s specific information security and legal requirements, this is much easier, quicker and cheaper than writing a complete information security policy manual from scratch. We have invested literally hundreds of hours of painstaking work in writing and maintaining the generic manual. You need only spend some small change from your budget and a little of your valuable time to have your own professionally written, high-quality, coherent, comprehensive and ISO/IEC 27001-aligned policy manual ready to go.

Policy manual FAQ

Q: I am compiling an information security policy for our organization. The information security policy must reflect the organization’s specific information security risks and requirements, so what use is a generic policy manual to us?

A: The generic policy manual provides a starting point - a reasonably comprehensive suite of controls matching the best practice advice embodied in ISO/IEC 27002. It is up to you to review and where necessary customize and adapt the manual. If your organization decides that, for example, the contingency planning controls are out of scope of your ISMS (perhaps because there is a separate department in charge of business continuity planning), you can chop out the controls or even the whole section. If for whatever reason the organization has chosen to continue using triple-DES instead of moving to AES, you may need to check that the policy statements around encryption allow for this. Unfortunately, we can’t do this for you!

The real point is that it is much quicker and easier to adapt and cut down good quality material than to write the entire thing from scratch. We have spent literally hundreds of man-hours writing and refining the manual over the years. You get the benefit of all that work for just US$295 - just a few man-hours at typical rates.

Q: The information security policy seems rather lengthy at 118 pages, covering the whole of ISO/IEC 27002. Surely you wouldn’t expect us to circulate all 118 pages to everyone in the organization?

A: True, we would not anticipate giving the complete manual to everyone in the company. It is far too formalized and lengthy, and few employees would have enough interest or time to read and understand it. In short, there is no value in doing this and we don't recommend it.

The full policy manual is better suited as an internal reference document primarily for the information security management function, laying out guidance on the full range of controls that they need to design, implement and maintain. The comprehensive coverage of information security (not just IT security, remember) is a key strength of ISO/IEC 27002.

The policy manual should be supported by a suite of information security ‘acceptable use policies’, procedures, standards and guidelines, explaining how the controls are to be implemented throughout the organization in accordance with the policy requirements. The policy manual cites common procedures, standards and guidelines throughout, and references them all towards the front. Those are the things that end users should be given, where appropriate and relevant to their needs (e.g. technical security standards for the folks in IT, guidelines on end user stuff for end users ...). We do not supply them as part of the policy manual for two simple reasons: (1) the policy manual would be even longer than it already is; and (2) the implementation details are far more likely to vary between organizations than the generic principles, axioms and policy statements in the manual. We can however help through the NoticeBored service - more below.

Q: As I understand it, an information security policy that applies and is circulated to all employees should be high-level, understandable by all employees and yet relatively short and concise. How does your policy manual fit the brief?

A: The policy manual has 39 "axioms" matching one-for-one the 39 "control objectives" in ISO/IEC 27002. These are identified consistently throughout the manual in shaded boxes and are brought together into the appendix, along with a handful of "security principles" which are at an even higher level (things like 'defense in depth'). The appendix is just a few pages long. The idea is that this appendix (not the entire manual!) should be reviewed and approved by senior management. It is somewhat abstract and high level, and yet relates exactly to the detailed controls listed in the full manual, and is traceable to ISO/IEC 27002. It would be fascinating to hear any arguments by management around the axioms, whether they disapprove of any or feel there are gaps - either way it would be an interesting discussion for sure!

Once approved, the appendix could also be circulated to all employees although this is not normally necessary nor advisable. It is generally more appropriate to make it available, usually on the corporate intranet, as a definitive source to be referenced by the supporting policies, standards, guidelines etc. In this way, the specific guidance to employees on matters such as password length can be linked directly to the policy mandated by senior management and, by the way, to the advice in ISO/IEC 27002.

Even though the appendix is just a few pages long, it contains too much seemingly irrelevant information for most employees to digest. They are better off with 'acceptable use policies' and guidelines covering the things that affect them directly (passwords, malware, clear desk etc.), being careful not to overwhelm them with so much information that they turn off completely. The NoticeBored induction module is specifically designed to provide basic guidance to new employees without too much detail. The monthly NoticeBored security awareness materials then fill in the gaps, reminding people of the basics and exploring individual topics in a bit more depth.

Q: Is your information security policy manual the same as an ‘information security policy document’ (ISO/IEC 27002 section 5.1.1) or an ‘ISMS policy’ (ISO/IEC 27001 section 4.2.1b)?

A: An ‘information security policy document’ (A) is a requirement of both ISO/IEC 27002 and ISO/IEC 27001. It is necessary for the organization’s ISMS to be certified compliant with ISO/IEC 27001. Furthermore, it is best practice and is common among organizations that take information security seriously. Since it sets the framework for the ISMS as a whole, it is essential in practice to avoid the ISMS being fragmented, disorganized and generally ineffective. Without it, there will most likely be duplication and gaps in the ISMS, leaving serious control weaknesses and hence inadequately managed information security risks.

Unfortunately the ‘ISMS policy’ (B) noted in ISO/IEC 27001 is not explicitly defined in the standard but in our experience this is generally interpreted to mean a governance document laying out the basis and rationale for the management system, plus the management structure.

Our information security policy manual incorporates both (A) and (B), plus more besides:

    A) The appendix to the policy manual draws out the high level principles and axioms which form an ideal ‘information security policy document’ for the organization. The appendix is concise enough to be readable, yet specific enough to relate to the detailed manual and other supporting documents, plus the ISO/IEC standards from which it was derived. 

    B) Section 6 of the manual reflects ISO/IEC 27002 section 6 on ‘organizing information security’, outlining a typical governance structure for information security management, with key roles and responsibilities plus reporting lines and management review processes. Admittedly, this section is likely to need customization to suit your organization’s department/function names and remits but again we provide a starting point for your consideration as an ‘ISMS policy’.

The manual incorporates a lot more specific guidance, interpreting those high level principles and axioms into language that information security and other professionals can understand and clarifying the roles and responsibilities such that they can undertake the actual ISMS implementation.

Q: What about information security policies that are targeted to specific departments or employees, or cover particular types of IT use? Are they part of the manual?

A: No. These are sometimes known as ‘acceptable use policies’ and are typically worded more like guidelines than formal policies in order to be readable by ordinary people. While they are not provided as part of the policy manual, we are continually writing and releasing 'acceptable use policies' every month through the NoticeBored security awareness service. A good number are already written and are available through the back catalog. Plain-speaking security guidelines, briefings, presentations and other creative awareness materials are also useful to support the policies: this is where the NoticeBored service really comes into its own.

Q: Do you maintain the manual?

A: Yes ... and no. We do maintain the template from which we create policy manuals for our customers, updating it from time to time to reflect new standards (such as ISO/IEC 27005). The glossary section gets updated quite often too. However, we do not actually send out updated policy manuals to everyone who has previously purchased it from us, mostly because we anticipate buyers customizing the manual to suit their specific circumstances and of course we have no knowledge of those customizations. However, any customer who wants the updated template is welcome to contact us about purchasing the latest version at a 50% discount off the list price.

We will probably be making more extensive changes in the next year or two as ISO/IEC 27002 is being revised. Watch this space for details.

What is not in the manual

The generic policy manual is not legal advice. While common legal and regulatory compliance issues relating to information security are outlined in section 15, your specific compliance obligations are not explicitly described.

The manual does not include the text of either ISO/IEC 27001 or ISO/IEC 27002. The ISO/IEC standards are available directly from ISO, the national standards bodies (e.g. ANSI sells “INCITS” PDFs for just US$30 each, a genuine bargain!) and from other resellers.

How to purchase the manual

The manual itself is supplied as a fully editable Microsoft Word (Rich Text Format) file ready to customize and adapt to your specific requirements. As such, we ask you first to sign and return a license agreement governing your use of the manual in order to protect our intellectual property (we are information security professionals after all!). Please email us for the license agreement and invoice. You are welcome to settle our invoice by PayPal using your credit card, or by direct bank transfer. Official purchase orders are fine too just so long as they acknowledge the license agreement. At a push, we’ll even accept folding money.

What next?

Please bear in mind that simply having an information security policy manual (even one as good as this!) is not in itself sufficient to make you secure. Implementing the security policies and securing your organization is down to you.

We can help you, of course, to raise awareness of information security and inform your fellow employees about their obligations, and we encourage you to visit ISO27001security.com for implementation guidance on the ISO/IEC 27000-series standards.



Copyright © 2008 IsecT Ltd.