
Information Security Policy Manual
Written and published by IsecT Ltd.
118 pages 
supplied as a Microsoft Word file
Price US$295
Adobe Acrobat PDF sample
Background
Policies are a fundamental starting point for any information security management system. They provide a structured agenda for senior management to consider and discuss important aspects of information security
, and lay down ‘the rules’ that employees are expected to follow.
Many organizations with an information security management function already have security policies although they are often disjointed and incomplete. Worse, they are usually confined to IT security, covering
primarily technical issues such as password criteria and antivirus controls. Worse still, they typically sit on
some dusty shelf and are only referred to in specific circumstances, such as when disciplinary action is planned against an employee who shares their password or disables the antivirus software.
As security has evolved, various people in various departments have written and published policies to suit
their immediate needs. It is not uncommon to find a variety of security-related policies scattered around
the organization, some on the intranet (often in several different places at once) and others embedded in employment contracts, employee handbooks, union rulebooks, printed on the back of staff/visitor passes,
and so on. There is no version control to speak of, and no ‘policy lifecycle’ with regular management review and re-approval activities.
The lack of coordination and defined ownership of security policies causes a lack of coherence. Often there
are direct contradictions between policies, requirements that cannot legally be enforced and their formats
and styles vary widely. They don’t even share a common vocabulary! These problems are magnified further in large organizations, especially multinational groups with distributed governance.
Policy compliance, then, is a hit-and-miss affair. Even within the IT Department, IT security policies are applied
inconsistently on different systems with no formal processes in place to manage (consider and authorize or
forbid) policy exceptions. Policy compliance activities tend to be very basic, often little more than sporadic
audits and occasional reminders to employees shortly before the auditors arrive or following security incidents linked to policy noncompliance.
We recommend an altogether more professional approach ...
IsecT’s information security policy manual
Over the course of several years and consultancy assignments with a broad range of clients, we have gradually built an information security policy manual based around ISO/IEC 27002 (originally known as BS 7799 and then ISO/IEC 17799), the international standard Code of Practice for Information Security
Management. We used ISO/IEC 27002 because it provides a coherent structure and is reasonably comprehensive, promoting literally hundreds of specific information security controls.
Our manual contains a full set of 39 “axioms”, that is high level information security policy statements
derived directly from the 39 control objectives in the ISO/IEC standard, supported by a comprehensive suite of detailed policy statements reflecting common implementations of information security best practices
identified in the standard. The structure follows the standard very closely, even down to the numbering of sections and subsections, making ISO/IEC 27001 certification that much easier.
See a sample
Download the contents page and a sample section from the manual as an Adobe Acrobat PDF file to see for yourself.
The contents page numbering is broken in the PDF since most of the actual pages have been deleted from the sample manual. Please contact us if you need to evaluate the Word/RTF version.
What the policy manual gives you
Our policy manual is like a good map for a hill walker: it lays out the terrain, shows all the key features and shows you the best routes.
We appreciate that a well-written, comprehensive and consistent information security policy manual is not
an end in itself, but it’s certainly a great start for your Information Security Management System (ISMS).
The policy manual provides both the broad security principles defining your overall approach to information
security, and a range of specific security controls to put those principles into practice. We don’t underestimate the effort required to implement the policy manual but ISO/IEC 27002 is widely accepted to be an excellent basis for a sound ISMS.
Even though the policy statements will need to be customized to suit your organization’s specific information security and legal requirements, this is much easier, quicker and cheaper than writing a complete information
security policy manual from scratch. We have invested literally hundreds of hours of painstaking work in
writing and maintaining the generic manual. You need only spend some small change from your budget and
a little of your valuable time to have your own professionally written, high-quality, coherent, comprehensive and ISO/IEC 27001-aligned policy manual ready to go.
Policy manual FAQ 
Q: I am compiling an information security policy for our organization. The information security policy must reflect the organization’s specific information security risks and requirements, so what
use is a generic policy manual to us?
A: The generic policy manual provides a starting point - a reasonably comprehensive suite of controls matching the best practice advice embodied in ISO/IEC 27002. It is up to you to review and where
necessary customize and adapt the manual. If your organization decides that, for example, the contingency
planning controls are out of scope of your ISMS (perhaps because there is a separate department in charge
of business continuity planning), you can chop out the controls or even the whole section. If for whatever
reason the organization has chosen to continue using triple-DES instead of moving to AES, you may need to
check that the policy statements around encryption allow for this. Unfortunately, we can’t do this for you!
The real point is that it is much quicker and easier to adapt and cut down good quality material than to write
the entire thing from scratch. We have spent literally hundreds of man-hours writing and refining the manual
over the years. You get the benefit of all that work for just US$295 - just a few man-hours at typical rates.
Q: The information security policy seems rather lengthy at 118 pages, covering the whole of ISO/IEC 27002. Surely you wouldn’t expect us to circulate all 118 pages to everyone in the organization?
A: True, we would not anticipate giving the complete manual to everyone in the company. It is far too
formalized and lengthy, and few employees would have enough interest or time to read and understand it. In short, there is no value in doing this and we don't recommend it.
The full policy manual is better suited as an internal reference document primarily for the information security
management function, laying out guidance on the full range of controls that they need to design, implement and maintain. The comprehensive coverage of information security (not just IT security, remember) is a
key strength of ISO/IEC 27002.
The policy manual should be supported by a suite of information security procedures, standards and guidelines, explaining how the controls are to be implemented throughout the organization in accordance
with the policy requirements. The policy manual cites common procedures, standards and guidelines throughout, and references them all towards the front. Those are the things that end users should be given,
where appropriate and relevant to their needs (e.g. technical security standards for the folks in IT, guidelines
on end user stuff for end users ...). We do not supply them as part of the policy manual for two simple reasons: (1) the policy manual would be even longer than it already is; and (2) the implementation details
are far more likely to vary between organizations than the generic principles, axioms and policy statements in the manual. We can, however, help through the NoticeBored service - more below.
Q: As I understand it, an information security policy that applies and is circulated to all employees should be high-level, understandable by all employees and yet relatively short and concise. How
does your policy manual fit the brief?
A: The policy manual has 39 "axioms" matching one-for-one the 39 "control objectives" in ISO/IEC 27002.
These are identified throughout the manual in boxes, and are brought together into the appendix, along with
a handful of "security principles" which are at an even higher level (things like 'defense in depth'). The
appendix is just a few pages long. The idea is that this appendix (not the entire manual!) should be reviewed
and approved by senior management. It is somewhat abstract and high level, and yet relates exactly to the
detailed controls listed in the full manual, and is traceable to ISO/IEC 27002. It would be fascinating to hear
any arguments by management around the axioms, whether they disapprove of any or feel there are gaps - either way it would be an interesting discussion for sure!
Once approved, the appendix could also be circulated to all employees although this is not normally necessary nor advisable. It is generally more appropriate to make it available, usually on the corporate
intranet, as a definitive source to be referenced by the supporting policies, standards, guidelines etc. In this
way, the specific guidance to employees on matters such as password length can be linked directly to the policy mandated by senior management and, by the way, to the advice in ISO/IEC 27002.
Even though the appendix is just a few pages long, it contains too much seemingly irrelevant information for
most employees to digest. They are better off with 'acceptable use policies' and guidelines covering the things that affect them directly (passwords, malware, clear desk etc.), being careful not to overwhelm them
with so much information that they turn off completely. The NoticeBored induction module is specifically
designed to provide basic guidance to new employees without too much detail. The monthly NoticeBored security awareness materials then fill in the gaps, reminding people of the basics and exploring individual
topics in a bit more depth.
Q: Is your information security policy manual the same as an ‘information security policy document’ (ISO/IEC 27002 section 5.1.1) or an ‘ISMS policy’ (ISO/IEC 27001 section 4.2.1b)?
A: An ‘information security policy document’ (A) is a requirement of both ISO/IEC 27002 and ISO/IEC 27001.
It is necessary for the organization’s ISMS to be certified compliant with ISO/IEC 27001. Furthermore, it is
best practice and is common among organizations that take information security seriously. Since it sets the framework for the ISMS as a whole, it is essential in practice to avoid the ISMS being fragmented,
disorganized and generally ineffective. Without it, there will most likely be duplication and gaps in the ISMS, leaving serious control weaknesses and hence inadequately managed information security risks.
Unfortunately the ‘ISMS policy’ (B) noted in ISO/IEC 27001 is not explicitly defined in the standard but in our
experience this is generally interpreted to mean a governance document laying out the basis and rationale for the management system, plus the management structure.
Our information security policy manual incorporates both (A) and (B), plus more besides:
A) The appendix to the policy manual draws out the high level principles and axioms which form an ideal
‘information security policy document’ for the organization. The appendix is concise enough to be
readable, yet specific enough to relate to the detailed manual and other supporting documents, plus the ISO/IEC standards.
B) Section 6 of the manual reflects ISO/IEC 27002 section 6 on ‘organizing information security’, outlining a typical governance structure for information security management, with key roles and
responsibilities plus reporting lines and management review processes. Admittedly, this section is likely
to need customization to suit your organization’s department/function names and remits but again we provide a starting point for your consideration as an ‘ISMS policy’.
The manual incorporates a lot more specific guidance, interpreting those high level principles and axioms into language that information security and other professionals can understand and clarifying the roles and
responsibilities such that they can undertake the actual ISMS implementation.
Q: What about information security policies that are targeted to specific departments or employees, or cover particular types of IT use? Are they part of the manual?
A: No. These are sometimes known as ‘acceptable use policies’ and are typically worded more like
guidelines than formal policies in order to be readable by ordinary people. While they are not provided as
part of the policy manual, we are continually writing and releasing 'acceptable use policies' every month
through the NoticeBored security awareness service. A good number are already written and are available through the back catalog. Plain-speaking security guidelines, briefings and other awareness materials are
also useful to support the policies: this is where the NoticeBored service really comes into its own.
How to purchase the manual
The manual itself is supplied as a fully editable Microsoft Word (Rich Text Format) file ready to customize and
adapt to your specific requirements. As such, we ask you to sign and return a license agreement governing your use of the manual in order to protect our intellectual property (we are information security
professionals after all!). Please email us for the license agreement and invoice. You are welcome to settle
our invoice by PayPal using your credit card, or by direct bank transfer. Official purchase orders are fine too
just so long as they acknowledge the license agreement. We’ll even take cash (at your own risk in getting it to us!).
What next?
Please bear in mind that simply having an information security policy manual (even one as good as ours!) is not in itself sufficient to make you secure.
We can help you, of course, to raise awareness of information security and inform your fellow employees about their obligations, and we encourage you to visit ISO27001security.com for implementation guidance on the ISO/IEC 27000-series standards.
Note: the manual does not include the text of either ISO/IEC 27001 or ISO/IEC 27002. The ISO/IEC standards are available directly from ISO, the national standards bodies (e.g. ANSI sells PDFs for just US$30 each, a genuine bargain!) and other resellers.