Information security policies
Policies are the foundation for information security through which management formally defines and places various information security obligations on employees and certain third parties.  While most modern organizations have something in place, few have truly effective information security policies.  See if you recognize any of these seven commonplace policy issues: limited scope; poor quality; inconsistencies; lack of awareness; lack of accountability; lack of compliance; lack of process.  [Read more about these seven issues in our policy FAQ.]

A better way

If that litany of issues rings true, we recommend an altogether more professional approach.

We offer a generic Corporate Information Security Policy, an Information Security Policy Manual and an accompanying set of Topic-based Information Security Policies based on the ISO/IEC 27000-series standards for information security.  The beauty of building on the ISO/IEC standards is that they provide a coherent and comprehensive structure encompassing internationally-recognized good security practices.

In just 5 pages, our Corporate Information Security Policy explains 7 guiding principles (broadly-applicable information security design principles) plus 39 succinct axioms (high-level policy statements derived from, and traceable to, the 39 control objectives in ISO/IEC 27002).  The corporate policy is aimed primarily at senior management.

Our Information Security Policy Manual repeats the principles and axioms for reference, expanding them into a more comprehensive and detailed set of information security policy statements, along with a hyperlinked glossary of terms.  The manual is aimed at the Information Security Department and others with a professional interest in information security.

By popular request, we have now introduced a set of more than 40 Topic-based Information Security Policies.  These policies each cover one information security topic in about three pages, and are aimed at general employees.  In the policy pyramid they sit between our more formalized ISO27k-based policy manual and the lower-level security standards, procedures and guidelines.

All the materials were written by the same author, a qualified information security professional with extensive experience of writing effective security policies and related awareness materials, and a perfectionist by nature.  This gives them a coherence in both style and content often lacking in policies written separately by different people. 

We hope you will agree that this is an elegant structure.  It directly aligns with and supports an ISO/IEC 27001-certifiable Information Security Management System, should you choose to take that route at some point.  The ability to trace your security policies to international security standards is bound to impress the auditors.  Trust me, I’m an auditor.

A complete policy set

Although we offer the security policy materials separately as discrete products, they were in fact designed and built from the ground up as a complete set whose parts complement, support and cross-reference each other.  We offer a special price to encourage you to take advantage of the integration: buy the complete policy set for a discounted package price of just US$650*, saving US$140* off the price if bought individually.

The policy set makes the information security obligations on employees clear, implementable and enforceable, specifying requirements in a plain-speaking no-nonsense style.  More than that, it helps management figure out what those obligations should be, and guides information security professionals on the implementation of international security standards and good security practices. 

The policy set is provided in the form of fully-editable Microsoft Word documents.  These are generic, general-purpose models or templates, albeit reasonably comprehensive and well-written ones, that you need to customize for your situation.  We haven’t done your risk analysis, so we don’t know your specific requirements for information security controls.  You probably know of certain specific controls that must be covered in your policy to address significant risks or satisfy particular compliance obligations but, for the most part, a generic policy based on international standards provides a pragmatic set of controls that are generally applicable.  Building on a foundation of good information security practices saves you a lot of time and effort designing and documenting all of the controls individually.

What next?

Check out the Corporate Information Security Policy, the Information Security Policy Manual and the Topic-based Information Security Policies.  Browse through the policy FAQ and by all means get in touch: tell us what you really really want and we’ll see what we can do for you.

Contact us for a tax invoice and license agreement.

Please bear in mind that simply having an information security policy set (even one as good as this!) is not in itself sufficient to make you secure.  A well-written, comprehensive, consistent and ISO27k-aligned information security policy set makes a great start but implementing the policies effectively, dealing with those issues we outlined earlier, and ultimately securing your organization’s information assets, is down to you.  There’s only so much we can do to help, I’m afraid.  NoticeBored, our information security awareness service, is geared to motivating people and turning thoughts into actions.

PS  As an incentive to subscribe to the NoticeBored security awareness service, the complete policy set is provided free of charge to NoticeBored subscribers.  Please contact us for details.

* plus GST (sales tax) for New Zealand customers

Copyright © 2012  IsecT Ltd.