Information security policies

[Figure: the policy pyramid]

Policies are the foundation for information security through which management formally defines and places various information security obligations on employees and certain third parties.  While most organizations have something in place, few have truly effective information security policies.  Do any of these seven issues look familiar?

  1. Limited scope;
  2. Poor quality;
  3. Inconsistencies;
  4. Lack of awareness;
  5. Lack of accountability;
  6. Lack of compliance;
  7. Lack of process.

Read more about these commonplace policy issues in the security policy FAQ.

There has to be a better way

If that litany of issues rings true, we recommend an altogether more professional approach.  Let’s break down the policy pyramid layer-by-layer:

Corporate infosec policy

In just 5 pages, the Corporate Information Security Policy at the peak of the pyramid lays out 7 guiding principles (broadly-applicable information security design principles) plus 39 succinct axioms (short policy statements derived from the controls in Annex A of ISO/IEC 27001).  The policy is the vehicle through which senior management gives the corporation overall, high-level direction on how its information security risks are to be managed.

Infosec policy manual

The Information Security Policy Manual expands the principles and axioms into a much more detailed set of good practice information security controls based on ISO/IEC 27002.  The manual is over 100 pages in length, including an extensive hyperlinked glossary of terms.  It is likely to be of most value to the Information Security Department and others with a professional interest in information security, in other words people who need specific, detailed security guidance.  Although it is clearly detailed and quite technical in nature, it is designed to be generic, vendor-neutral and applicable to any organization.

Topical infosec policy templates

If you are looking for information security policies on specific subjects (such as cloud computing or BYOD), we offer a suite of Topic-based Information Security Policies covering more than 40 aspects of information security in about 3 pages each.  These are written in a formal but readable style for all employees. 

Infosec standards

Our security policies and other materials build upon the ISO/IEC 27000 series (“ISO27k”) standards, following their structure and expanding on the good security practices they recommend.

Obviously enough, aligning and cross-referencing your security policies directly with ISO27k is ideal if you are planning to be certified compliant with ISO/IEC 27001.  Even if you are not going down that route, ISO27k is fast becoming the most widely recognized and credible information security management framework, especially in the global setting.  Business partners, auditors and regulators will all welcome the assurance that comes from adopting such well-respected international standards.

Infosec procedures and guidelines

Formal policies clarify information security obligations making them enforceable, but employees still have to know what they are expected to do, how to do it, and who to turn to for help if they are struggling.  Simply publishing or mandating the policies and expecting people to read, understand and comply with them is a very naive approach.  Aside from the policies, we deliver numerous procedures, guidelines, briefings, seminar presentations and a wealth of other materials through the NoticeBored security awareness subscription service.  These are designed to inform, engage and motivate employees and thereby achieve compliance. 

Security awareness is the oil

[By the way, as an incentive to subscribe to the NoticeBored security awareness service, the complete policy set is provided free of charge to NoticeBored subscribers.  Please contact us for details.]

A complete policy set

Although the policy materials are sold separately as discrete products, they were in fact designed and built from the ground up as a complete set whose components complement, support and cross-reference each other.  We offer a special price to encourage you to take advantage of that integration: buy the policy set (corporate policy, policy manual and topical policy templates) for a discounted package price of just US$650*, saving US$140* compared with buying the items individually.

All our policy materials were written by the same author, a qualified information security professional with extensive experience of writing effective security policies and related awareness materials, and a perfectionist by nature.  This gives them a coherence in both form and content often lacking in policies written separately by different people. 

Using the policies

The policies are supplied as fully-editable Microsoft Word template documents using headings and other styles consistently, making it simple to adopt your house style.

As you will see from the sample policies, they are generic: you will undoubtedly need to customize them to address particular risks, identify unique controls or reference particular laws, regulations and other compliance obligations.  We’ve done all we possibly can to give you a great starting point, saving you an immense amount of work compared to either starting from scratch or reworking the usual hodge-podge of policy stuff that has accumulated over the years.


What next?

While you browse our security policy FAQ and think about how you will use the policies, contact us for a tax invoice and license agreement.

* plus GST (sales tax) for New Zealand customers



Copyright © 2013  IsecT Ltd.