What should be in my Information Security Policy
What should I include in my Information Security Policy, you ask. The purpose of the information security policy, as required by ISO 27001, is often misunderstood, and it's quite common for inexperienced information security managers to think they need to detail everything about their information security management system in this one document. To clear this up immediately, this is not required by ISO 27001, and a good information security policy is likely to be a concise document. So, let's see what we do, in fact, need to do.
What is the Purpose of the Information Security Policy?
The primary purpose of the information security policy is for your organisation's senior management to define clear, high-level information security objectives for the organisation. It is often the case that executives know that security is important and how it would help the organisation, but are not necessarily familiar with all the details of how it should be implemented. If this is the case, you will need to provide expert assistance when identifying these high-level goals.
To be effective in establishing the primary objectives, a document should be created that both management and staff can easily understand, which can be used as a high-level guide to control all elements of the Information Security Management System (ISMS). It should also detail who is responsible for the ISMS, and what to expect from it.
What should the High Level Policy Contain?
ISO 27001 is not prescriptive about the detail of the policy contents, but the following elements are required:
It should reflect the needs of the organisation. You can't just copy the policy, wholesale, from a large bank if you are a small IT company, as it's unlikely to be a good fit.
It needs to create a framework for setting the company's information security objectives. This means that the policy needs to define how the objectives are proposed, how they are approved, and how they are subsequently reviewed.
It should outline senior management’s commitment to the ISMS, and to its continual improvement. There is often a statement to this effect within the policy.
It should be communicated within the company and also, where appropriate, to other interested parties such as customers and stakeholders. It is a good idea for the policy to identify who is responsible for communication relating to the ISMS.
A document owner should be identified who should ensure that the policy is regularly reviewed and updated, typically annually or following a significant change.
It should be possible to achieve the above in a concise form in a relatively short document. The main body of the ISMS can be detailed in separate policy documents which can focus on specific requirements. In an ISO 27001 compliant ISMS, typical examples of specific policy areas could include: Access Control Policy, Information Classification Policy, Acceptable Use Policy, Password Policy etc.
What Other Elements are Typically Included in the Information Security Policy Document?
The following topics can often also be found in the Information Security Policy Document. This is more often the case for smaller companies than for larger ones. Larger companies more typically document them separately, although this is not always the case.
The ISMS Scope – the physical locations, people and business systems to which the ISMS applies.
Responsibilities within the ISMS – this typically details the division of responsibilities for executive oversight, day-to-day operations and coordination, risk assessment, incident management, internal audits and other responsibilities as required.
Measurement – this details who is responsible for measuring whether the information security objectives have been achieved, and how this is reported.
We hope that this article helps you to move ahead with your Information Security Policy. If you require further assistance with policy creation or any other aspect of ISO 27001 implementation, please feel free to get in touch.