Information Security Policy Manual

Written and published by IsecT Ltd.

About 160 pages, supplied as a fully-customizable Microsoft Word file.

Price: US$395*

A PDF sampler extracted from the January 2011 version is available for download. Customers automatically receive the latest version at the time of ordering.

 

Introduction

Since first coming across BS 7799 in the mid-1990s, we have adopted and, in a modest way, contributed to the ongoing development of the ISO/IEC 27000-series information security standards (“ISO27k”).  In parallel, we have gradually developed and refined a comprehensive policy manual based on ISO/IEC 27002, the international standard Code of Practice for Information Security Management.  ISO/IEC 27002 provides an excellent framework, recommending literally hundreds of specific information security controls addressing 39 stated objectives.  It makes a great baseline.

Basing your security policies on the ISO27k standards makes them coherent, comprehensive and traceable to globally-accepted good security practices.  It is an elegant structure that, of course, is directly relevant if your Information Security Management System follows ISO/IEC 27001 and incorporates the controls outlined in Annex A.

Intended audience

The policy manual is primarily aimed at information security managers, along with other governance, risk, security, control and assurance professionals.  It lays out a swathe of information security controls supporting high-level principles and axioms, in a plain-speaking, no-nonsense style, and helps those professionals work out what their organization's control requirements should be.  The policy manual interprets in a fairly specific way the information security controls recommended in loose terms by ISO/IEC 27002.  For completeness and traceability, it includes the higher-level information security principles from the accompanying Corporate Information Security Policy, and expands upon the axioms.

What the policy manual gives you

The policy manual is a core document for the Information Security Management System, providing quite detailed guidance for your Information Security Management function.

The manual follows ISO/IEC 27002 very closely in structure, even down to using the same numbering of sections and subsections, making cross-referencing for certification a breeze.  IT auditors, certification auditors, employees, consultants, advisors and others who are familiar with ISO27k (including any business partners, regulators or authorities to whom you might disclose your security policies) would recognize the structure, terminology and context immediately.

The manual is supplied as a Microsoft Word document.  As you will see from the sample, it incorporates hyperlinked contents and cross-references (including an extensive hyperlinked glossary of information security terms), making it easy to navigate and use on a computer, but the layout is also suitable for printing and circulating on paper if you prefer.  It uses Word headings and styles consistently, making it straightforward to adopt your unique house style if you don’t like ours.


What is not in the manual

The policy manual is not legal advice.  While common legal and regulatory compliance issues relating to information security are outlined in general terms in section 15, your compliance obligations are not explicitly described.  We have no knowledge, for example, of your contractual obligations towards security, or the privacy and other laws in your country.

The manual does not include or incorporate the actual ISO27k standards.  They can be purchased from ISO, from your national standards body or from other resellers, but not from us.

The policy manual is not tailored to your organization’s specific security or risk management requirements.  It is a generic template, albeit a reasonably comprehensive and well-written one, that you need to consider carefully and customize.  We haven’t analyzed your unique risks, although hopefully you have.  You will probably need to adapt the wording in places and maybe insert additional policies and controls to suit your requirements.  That said, starting with a good quality generic manual saves you a lot of time and effort compared to designing and documenting all of your policies and controls from scratch.

The manual does not include detailed technical security standards giving explicit security configuration settings for particular IT systems, applications or devices.  The specifics tend to vary between organizations and, of course, between different platforms.  They would normally be described within your technical security standards, citing higher-level policy requirements in the policy manual and/or the Corporate Information Security Policy.

Discrete policies on particular information security topics such as malware, cloud computing or business continuity that are of concern to general employees are also not part of the manual, although we now sell a set of Topic-based Information Security Policies separately (released November 2011).  A few commonplace ones are cited in the manual, along with security standards and guidelines that are almost universal.  Of course you are free to change the references and add plenty more if you have them.  If you need more help to fill in the gaps, the NoticeBored security awareness subscription service delivers a stream of plain-speaking security guidelines, briefings, presentations and other creative awareness materials covering a fresh security topic every month, all written by the same author and hence broadly aligned with and supporting the policy manual.


Download a sample

Review the contents and a few other pages extracted from the manual as an Adobe Acrobat PDF to see what it’s like.  Talk it over with your managers and peers.

How to purchase the policy manual

Email us for the license agreement and an invoice for US$395*.  We ask you to sign and return a perpetual license governing your use of the materials in order to protect our intellectual property.  You are welcome to settle the invoice through PayPal using your credit card, or by international bank transfer. 

We will send you the policy manual shortly after receiving both your payment and the signed license.

Please note: you can save well over US$100* by purchasing the Corporate Information Security Policy, the Information Security Policy Manual and the Topic-based Information Security Policies together as a complete set.  As an incentive to subscribe to the NoticeBored security awareness service, the complete policy set is provided free of charge to NoticeBored subscribers.  Please contact us for details.


* plus GST (sales tax) for New Zealand customers



Copyright © 2012  IsecT Ltd.