Information security policies

Policies are the mechanism through which management formally defines and places various information security obligations on workers, including themselves and sometimes third parties. They are related to other obligations, requirements and expectations, ranging from laws and regulations to ethics.

While most organizations have something in place, few have truly effective information security policies.


Do these policy issues seem curiously familiar to you?

  1. Limited scope e.g. cybersecurity only
  2. Poor quality (badly written, hard to read)
  3. Internal and external inconsistencies
  4. Little awareness
  5. Limited accountability
  6. Insufficient compliance
  7. Inadequate/missing policy management process

Find out more in the security policy FAQ.


There has to be a better way! If that litany of policy issues rings true, we recommend an altogether more professional approach, based around the policy pyramid structure shown here.

Corporate information security policy

In just 5 pages, our Corporate Information Security Policy at the peak of the pyramid lays out 7 guiding principles (broadly-applicable information security design principles) plus 35 axioms (succinct policy statements derived from the controls in annex A of ISO/IEC 27001). The policy is a vehicle for senior management to give the corporation overall, high-level guidance on how its information risks are to be managed.

Topic-based information security policy templates

Supporting and expanding on the Corporate Information Security Policy, we offer a full suite of generic policy templates covering the full breadth of information risk, security and related matters:

Infosec policy suite


NIST SP800-35 calls most of these ‘issue-specific policies’. Since they were all written and maintained by the same professional author, they consistently adopt the same formal yet readable style. A happy customer told us, “We really like how easily your policies read - simple and concise.”

They are supplied as MS Word documents that you review and, if necessary, adapt to suit your needs. It all depends on your situation, specifically your information risks. You may not need the entire set of policies right now, but if many or most of those topics are relevant to your organization, it is well worth considering the whole suite, especially if your existing policies are, let’s say, a little shabby, a bit rough-and-ready.

We can also help you develop and document the policy management processes you’ll use to review and customize the templates: get in touch for details of our consultancy services. What can we do for you?

How to purchase

Visit our eShop SecAware.com to purchase and download the policies instantly.

Buy them individually at a great price, or as a deeply discounted suite - your choice.


Copyright © 2019 IsecT Ltd.