Information security policies

Information Security Policy Manual

Written and published by IsecT Ltd.

~132 pages, supplied as a fully-customizable Microsoft Word file

Price: US$396 for new customers

FREE for NoticeBored subscribers

A PDF sample is available (see "Download a free sample" below).

Background

Policies are a fundamental starting point for any information security management system.  They provide a structured agenda for senior management to consider and discuss important aspects of information security and lay down The Rules that employees are expected to follow.


Many organizations with an information security management function already have security policies although they are often disjointed and incomplete.  Worse, they are usually confined to IT security, covering primarily technical issues such as password criteria and antivirus controls.  Worse still, they typically sit on some dusty shelf and are only referred to in specific circumstances, such as when disciplinary action is planned against an employee who shares their password or disables the antivirus software. 

As security has evolved, various people in various departments have written and published policies to suit their immediate needs.  It is not uncommon to find a variety of security-related policies scattered around the organization, some on the intranet (often in several different places at once, in various states of decay) and others embedded in employment contracts, employee handbooks, union rulebooks, printed on the back of staff/visitor passes and so on.  There is generally no version control to speak of and no structured policy lifecycle with regular management review and re-approval activities.

The lack of coordination and defined ownership of security policies causes a lack of coherence.  It is rare to find policies that clearly state who owns them, who is responsible for updating them, and who has authorized or mandated them.  Often there are direct contradictions between policies, requirements that cannot legally be enforced, and formats and styles that vary widely.  Some are printed and circulated on paper, others on the intranet or email system.  Most don’t even share a common vocabulary!  These problems are magnified further in large organizations, especially multinational groups with distributed governance.

Policy compliance in such a situation is a hit-and-miss affair.  Even within the IT department, IT security policies may be applied inconsistently on different systems with no formal process in place to manage (consider, then authorize or forbid) policy exceptions.  Policy compliance activities tend to be very basic, often little more than sporadic audits and occasional reminders to employees shortly before the auditors arrive or following security incidents linked to policy noncompliance.

We recommend an altogether more professional approach ...

IsecT’s information security policy manual

During more than two decades’ employment and consultancy assignments with a broad range of clients, we have gradually built and refined an information security policy manual based around ISO/IEC 27002, the international standard Code of Practice for Information Security Management.  We used ISO/IEC 27002 (originally known as BS 7799 and then ISO/IEC 17799) because it provides a coherent and reasonably comprehensive structure, promoting literally hundreds of specific information security controls.

The manual covers the top three layers of an expanded policy pyramid: guiding principles at the peak, policy axioms beneath them and detailed policy statements below those, with the standards, procedures and guidelines that implement them forming the lower layers outside the manual.  In addition to a suite of typical policy statements based around the controls suggested/recommended in ISO/IEC 27002, the manual covers two higher level abstractions not often documented as such:

  • “Guiding principles” - seven generic and broadly applicable information security design principles, sitting right at the peak of the expanded pyramid.
  • “Policy axioms” - these comprise 39 high level policy statements derived directly from the 39 control objectives in ISO/IEC 27002 and the control statements in Annex A of ISO/IEC 27001, linking the lower level policy statements and controls through to the top level principles.

The principles and axioms are copied through from the body to a short appendix which is succinct enough for senior management to review, discuss and approve separately from the rest of the manual (although of course they are welcome to see the whole nine yards if they wish).  The appendix can also be used for general security awareness and training purposes.

The beauty of building the manual around ISO/IEC 27002 is that it is coherent, comprehensive and traceable to globally-accepted good security practices.  It is an elegant structure that, of course, fits directly into an ISO/IEC 27001 certifiable ISMS.  The manual follows the standard very closely in structure, even down to using the same numbering of sections and subsections, making cross referencing and certification a breeze.  IT auditors, certification auditors, employees, consultants, advisors and others who are familiar with ISO27k (including perhaps business partners with whom you might share the policy manual) would recognize the structure, terminology and context immediately.
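The problems listed under Background (no owner, no approver, no review cycle, duplicate copies, orphaned documents) and the traceability the pyramid is meant to provide (policy statement to axiom to principle, axiom to ISO/IEC 27002 control objective) are all machine-checkable once each document carries a little metadata.  The script below is an added example, not part of the IsecT manual: the document identifiers, titles, roles and the subset of ISO/IEC 27002:2005 section numbers it checks against are constructed for illustration and do not reproduce the manual's actual principles or axioms.

```python
"""Lint a policy set for lifecycle and traceability defects.

Added example; the documents and titles below are constructed for illustration
and are not taken from the IsecT manual.  Each record carries the metadata a
policy so often lacks (owner, approver, version, review date) and a link to its
parent in the pyramid (policy -> axiom -> principle).  Axioms cite the
ISO/IEC 27002:2005 section numbers they cover, so the script can also report
control objectives that no axiom stands behind.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional, Tuple

# Which layer each layer must hang off; principles sit at the peak.
LAYER_PARENT = {"principle": None, "axiom": "principle", "policy": "axiom"}


@dataclass(frozen=True)
class PolicyDoc:
    doc_id: str
    layer: str                      # "principle", "axiom" or "policy"
    title: str
    owner: str                      # role responsible for maintaining it
    approved_by: str                # who mandated it ("" = never approved)
    version: str
    review_due: Optional[date]      # None = no review cycle defined
    parent: Optional[str] = None    # doc_id one layer up the pyramid
    iso_refs: Tuple[str, ...] = ()  # ISO/IEC 27002:2005 sections (axioms only)


# Hypothetical subset of ISO/IEC 27002:2005 control objectives to check coverage against.
REQUIRED_OBJECTIVES = ("5.1", "6.1", "11.2", "11.3", "15.1")


def lint_policies(docs: Iterable[PolicyDoc], today: date,
                  required: Tuple[str, ...] = REQUIRED_OBJECTIVES) -> List[str]:
    """Return one finding per defect; an empty list means the set is coherent."""
    findings: List[str] = []
    by_id = {}
    for d in docs:
        if d.doc_id in by_id:
            # The "several copies on the intranet at once" problem.
            findings.append(f"{d.doc_id}: duplicate document id (two live copies)")
            continue
        by_id[d.doc_id] = d

    covered = set()
    for d in by_id.values():
        if d.layer not in LAYER_PARENT:
            findings.append(f"{d.doc_id}: unknown layer {d.layer!r}")
            continue
        if not d.owner:
            findings.append(f"{d.doc_id}: no owner")
        if not d.approved_by:
            findings.append(f"{d.doc_id}: not approved")
        if d.review_due is None:
            findings.append(f"{d.doc_id}: no review date")
        elif d.review_due < today:
            findings.append(f"{d.doc_id}: review overdue since {d.review_due.isoformat()}")
        want = LAYER_PARENT[d.layer]
        if want is not None:
            if d.parent is None:
                findings.append(f"{d.doc_id}: {d.layer} not linked to any {want}")
            elif d.parent not in by_id:
                findings.append(f"{d.doc_id}: parent {d.parent} does not exist")
            elif by_id[d.parent].layer != want:
                findings.append(f"{d.doc_id}: parent {d.parent} is a "
                                f"{by_id[d.parent].layer}, expected {want}")
        if d.layer == "axiom":
            covered.update(d.iso_refs)

    for obj in required:
        if obj not in covered:
            findings.append(f"ISO/IEC 27002 objective {obj}: no axiom covers it")
    return findings


TODAY = date(2010, 6, 1)
OK = date(2011, 1, 1)
# Constructed sample: a healthy core plus the usual scattered, stale and orphaned policies.
SAMPLE_DOCS = [
    PolicyDoc("GP-1", "principle", "Information is protected in proportion to its value",
              "CISO", "Board", "2.0", OK),
    PolicyDoc("AX-5.1", "axiom", "Management directs and supports information security",
              "CISO", "Board", "2.0", OK, parent="GP-1", iso_refs=("5.1",)),
    PolicyDoc("AX-11.2", "axiom", "Access is granted and reviewed on a need-to-know basis",
              "CISO", "Board", "2.0", OK, parent="GP-1", iso_refs=("11.2", "11.3")),
    PolicyDoc("POL-11.3.1", "policy", "Password use", "IT Security Manager", "CISO",
              "1.4", date(2009, 12, 31), parent="AX-11.2"),            # review overdue
    PolicyDoc("POL-11.3.1", "policy", "Password use", "IT Security Manager", "CISO",
              "1.1", date(2008, 1, 1), parent="AX-11.2"),              # stale second copy
    PolicyDoc("POL-HR-7", "policy", "Conditions printed on staff passes", "", "",
              "n/a", None, parent="AX-8.1"),                           # orphan from HR
    PolicyDoc("POL-6.1.3", "policy", "Allocation of security responsibilities",
              "CISO", "CISO", "1.0", OK, parent="GP-1"),               # skips the axiom layer
]

if __name__ == "__main__":
    for finding in lint_policies(SAMPLE_DOCS, TODAY):
        print(finding)
```

Run against the constructed sample it reports nine findings: the duplicate password policy, its overdue review, the HR pass policy with no owner, no approver, no review date and a parent that does not exist, the responsibilities policy that skips the axiom layer, and two ISO/IEC 27002 objectives (6.1 and 15.1) that no axiom covers.  The same metadata, kept as front-matter in each document, is what turns a "dusty shelf" of policies into a lifecycle that can be reviewed on schedule.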

What the policy manual gives you

The IsecT policy manual makes the information security obligations on employees clear and enforceable.  It lays out the requirements in a plain-speaking no-nonsense style.  More than that, it helps management figure out what those obligations should be, using the ISO standards and accumulated good practices as a sound basis.

Enforceability is an important aspect in its own right.  Policies that are simply not enforced for some reason are merely worthless, whereas those that are genuinely unenforceable are a liability: management believes the risks are covered while in reality they are not.  Badly-written, disjointed and inconsistent policies are literally worse than useless.

Our policy manual is a template, albeit a reasonably comprehensive and well-written one, that you need to customize.  We don’t know about your requirements for information security controls.  We haven’t done the risk analysis.  Hopefully you have.  You probably know about certain controls that must be covered in your policy to address specific risks, but for the remainder of the risks, a generic policy manual based on the ISO standards provides a pragmatic set of controls that are generally applicable.  This approach saves you a lot of time designing and documenting all of the controls individually.

The manual is supplied as a Microsoft Word document.  As you will see from the sample, it incorporates hyperlinked contents and cross-references, making it easier to navigate and use on a computer, but the layout is also suitable for printing and circulating on paper if you prefer.  It uses headings and styles consistently, so it is relatively straightforward to adopt your unique house style if you don’t like ours.


Policy manual FAQ

Q:  I am compiling an information security policy for our organization. The information security policy must reflect the organization’s specific information security risks and requirements, so what use is a generic policy manual to us?

A: Like the international standards on which it is based, the manual is generic and needs to be tailored to some extent for each organization.  It incorporates generally accepted and commonly implemented security policies and controls, based on the wide range of options in ISO/IEC 27002 plus, in some parts, others that are not (yet!) in the ISO/IEC standard (e.g. it suggests additional controls around fire, water and lightning protection for the typical computer suite, such as remote-reading temperature alarms).  The generic policy manual provides a starting point.  It is up to you to review and where necessary customize and adapt the manual.  If your organization decides that, for example, the contingency planning controls are out of scope of your ISMS (perhaps because there is a separate department in charge of business continuity planning), you can chop out the controls or even the whole section.  If for whatever reason the organization has chosen to continue using triple-DES instead of moving to AES, you may need to check that the policy statements around encryption allow for this to be specified in your encryption standards/guidelines.  Unfortunately, we can’t do that for you!

Customizing the manual is much easier, quicker and cheaper than writing one from scratch.  We have invested literally hundreds of hours of painstaking work in writing and maintaining the manual.  You need only spend some small change from your budget and a little of your valuable time to have your own professionally written, high-quality, coherent, comprehensive and ISO/IEC 27001 and 27002-aligned policy manual ready to go.

 

Q: The information security policy seems rather lengthy at around 132 pages, covering the whole of ISO/IEC 27002.   Surely you wouldn’t expect us to circulate all 132 pages to everyone in the organization?

A: True, we would not anticipate giving the complete manual to everyone in the company.  It is far too formalized and lengthy, and few employees would have enough interest or time to read and understand it.  In short, there is no value in doing this and we certainly don't recommend it. 

The full policy manual is better suited as an internal reference document primarily for the information security management function, laying out guidance on the full range of controls that they need to design, implement and maintain.  The comprehensive coverage of information security (not just IT security, remember) is a key strength of ISO/IEC 27002.

The top two layers of the policy pyramid (the principles and axioms) are suitable for circulation to everyone if you wish, but more likely just to management.

The policy manual should be supported by a suite of information security ‘acceptable use policies’, procedures, standards and guidelines, explaining how the controls are to be implemented throughout the organization in accordance with the policy requirements.  The policy manual cites common procedures, standards and guidelines throughout, and references them all towards the front.  Those are the things that end users should be given, where appropriate and relevant to their needs (e.g. technical security standards for the folks in IT, guidelines on end user matters for end users ...).  We do not supply them as part of the policy manual for two simple reasons: (1) the policy manual would be even longer than it already is; and (2) the implementation details are far more likely to vary between organizations than the generic principles, axioms and policy statements in the manual.  We can however help through the NoticeBored service - more below.

 

Q:  As I understand it, an information security policy that applies and is circulated to all employees should be high-level, understandable by all employees and yet relatively short and concise.  How does your policy manual fit the brief?

A:  Since the appendix containing just the principles and axioms is less than three pages long, it is eminently suitable for circulation, review and approval by managers.  It is somewhat abstract, technology-neutral and high level, and yet relates exactly to the detailed controls listed in the full manual, and is traceable to ISO/IEC 27002.  It would be fascinating to hear any arguments by management around the axioms and principles, whether they disapprove of any or feel there are gaps - either way it would be an interesting discussion for sure!

Once approved, the appendix could actually be circulated to all employees although this is not normally necessary nor advisable.  It is generally more appropriate to make it available, usually on the corporate intranet, as a definitive source to be referenced by the supporting policies, standards, guidelines etc.  In this way, the specific standards or guidance to employees on matters such as password length can be linked directly to the policy mandated by senior management and, by the way, to the advice in ISO/IEC 27002.

Even though the appendix is just a few pages, it is still hard for most employees to digest.  They are generally better off with 'acceptable use policies' and guidelines covering the things that affect them directly (passwords, malware, clear desk etc.), being careful not to overwhelm them with so much information that they turn off completely.  Our Information Security 101 module is specifically designed to provide basic guidance to new employees without too much detail.  The monthly NoticeBored security awareness materials then fill in the gaps, reminding people of the basics and exploring individual topics in a bit more depth on a rolling monthly basis.

 

Q: Is your information security policy manual the same as an ‘information security policy document’ (ISO/IEC 27002 section 5.1.1) or an ‘ISMS policy’ (ISO/IEC 27001 section 4.2.1b)?

A:  An ‘information security policy document’ (A) is a requirement of both ISO/IEC 27002 and ISO/IEC 27001.  It is necessary for the organization’s ISMS to be certified compliant with ISO/IEC 27001.  Furthermore, it is best practice and is common among organizations that take information security seriously.  Since it sets the framework for the ISMS as a whole, it is essential in practice to avoid the ISMS being fragmented, disorganized and generally ineffective.  Without it, there will most likely be duplication and gaps in the ISMS, leaving serious control weaknesses and hence inadequately managed information security risks.

Unfortunately the ‘ISMS policy’ (B) noted in ISO/IEC 27001 is not explicitly defined in the standard but in our experience this is generally interpreted to mean a governance document laying out the basis and rationale for the management system, plus the management structure.

Our information security policy manual incorporates both (A) and (B), plus more besides:

    A) The appendix to the policy manual draws out the high level principles and axioms which form an ideal ‘information security policy document’ for the organization.  The appendix is concise enough to be readable, yet specific enough to relate to the detailed manual and other supporting documents, plus the ISO/IEC standards from which it was derived. 

    B) Section 6 of the manual reflects ISO/IEC 27002 section 6 on ‘organizing information security’,  outlining a typical governance structure for information security management, with key roles and responsibilities plus reporting lines and management review processes.  Admittedly, this section is likely to need customization to suit your organization’s department/function names and remits but again we provide a starting point for your consideration as an ‘ISMS policy’.

The manual incorporates a lot more specific guidance, interpreting those high level principles and axioms into language that information security and other professionals can understand and clarifying the roles and responsibilities such that they can undertake the actual ISMS implementation.

 

Q:  Do you maintain the manual?

A:  Yes ... and no.  The manual has evolved over many years and is now reasonably stable.  We do maintain the template from which we create policy manuals for customers, updating it from time to time to reflect new standards (such as ISO/IEC 27000).  The glossary section also gets updated quite often.  Everyone who buys the policy manual from us receives the very latest version available at the time of purchase. 

We do not send out updated policy manuals to previous customers, however, mostly because we anticipate buyers customizing the manual to suit their specific circumstances and of course we have no knowledge of those customizations.  We could potentially offer an update and customization service but it would cost much more than US$295 I’m afraid.  If that’s a concern for you, talk to us.

We will no doubt be making more extensive changes in the next year or two as both ISO/IEC 27002 and ISO/IEC 27001 are being substantially revised by the responsible ISO/IEC committee.  Watch this space for details.  Since we contribute to that committee, we do at least have the advantage of forewarning.

What is not in the manual

The generic policy manual is not legal advice.  While common legal and regulatory compliance issues relating to information security are outlined in section 15, your specific compliance obligations are not explicitly described.  We have no knowledge, for example, of your contractual obligations towards security.

The manual does not include the ISO/IEC standards themselves.  The ISO/IEC standards are available directly from ISO, the national standards bodies (e.g. ANSI sells “INCITS” PDFs for the bargain price of just US$30 each) and from other resellers.  ISO/IEC 27000 is free, by the way.

Information security policies that are targeted to specific departments or employees, or cover particular types of IT use, are not part of the manual.  These are sometimes known as ‘acceptable use policies’ and are typically worded more like guidelines than formal policies in order to be readable by ordinary people.  While they are not provided as part of the policy manual, we are continually writing and releasing 'acceptable use policies' every month through the NoticeBored security awareness service.  A good number are already written and are available through the back catalog.  Plain-speaking security guidelines, briefings, presentations and other creative awareness materials are also useful to support the policies: this is where NoticeBored really comes into its own.

The manual does not include explicit security configuration details for particular systems, applications or devices.  The specific details tend to vary between organizations and, of course, between different technical platforms.  These settings would normally be described within security standards, one layer further down the policy pyramid, and would reference the generic requirements in the policy manual.  Likewise, security procedures and guidelines are not provided but again these would normally reference the policies.  The manual does call out a small number of standards, policies and guidelines that are almost universal and you are free to change the references and add plenty more if you have them.

Download a free sample

Review the contents page and some sample sections extracted from the manual as an icon PDF Adobe Acrobat PDF file to find out what you will be getting.  Talk it over with your managers and peers.  By all means have a go at writing your own from scratch: ours took several years to write and refine.  If you can do it for less than $295, then hats off to you.


How to purchase the manual

The manual itself is supplied as a fully editable and unlocked Microsoft Word file ready to customize and adapt to your specific requirements.  We ask you first to sign and return a license agreement governing your use of the manual in order to protect our intellectual property (we are information security professionals after all!), and to pay for the manual.  Please email us for the license agreement and invoice.  You are welcome to settle our invoice by PayPal using your credit card, or by direct bank transfer.  Official purchase orders are fine too just so long as they acknowledge the license agreement.  At a push, we’ll even accept folding money.  We will email you the policy manual within a few short hours of receiving both the payment and the signed license agreement, and that’s a promise.

What next?

Please bear in mind that simply having an information security policy manual (even one as good as this!) is not in itself sufficient to make you secure.  Implementing the security policies and securing your organization is down to you.

We appreciate that a well-written, comprehensive and consistent information security policy manual is not an end in itself but it’s certainly a great start for your Information Security Management System (ISMS).  The policy manual provides both the broad security principles defining your overall approach to information security and a wide range of specific security controls to put those principles into practice.  We don’t underestimate the effort required to implement the policy manual but ISO/IEC 27002 is widely accepted to be an excellent basis for a sound ISMS, and NoticeBored, our information security awareness service, is geared to making the policies work for your organization.  Security awareness is the oil that slips the policies quietly into place.

As an incentive to take up a NoticeBored subscription having licensed the policy manual, we will discount your first year’s NoticeBored subscription by US$396, in other words the policy manual is free for current NoticeBored subscribers.


We support customers by email, telephone and through our websites.  We urge you to visit ISO27001security.com for implementation guidance on the ISO/IEC 27000-series (“ISO27k”) standards, including a free ISO27k Toolkit.   If you want to discuss your proposed approach to implementing the ISO/IEC 27000 series standards, or get some tips on policies, awareness and all that, just let us know and we’d be pleased to help.  If your needs are more involved, talk to us about bespoke consultancy options and rates, including our virtual consulting service.



Copyright © 2010  IsecT Ltd.