What is an Information Security Policy?
As cyber security affects businesses worldwide, it’s highly important that organisations ensure that they have a policy in place which states and records their commitment to protecting any information that they handle as a result of their practices.
The information security policy that an organisation creates is the driving force of your organisation’s ISMS (Information Security Management System). It sets out the board’s policy and requirements in terms of information security.
It only needs to be a short document but has to be in line with the organisation’s values, and then if you are aiming to achieve ISO 27001 certification, it also needs to meet the requirements of the ISO 27001 standard. This document should be kept as simple as possible, and also as broad as possible to, therefore, allow management the ability to respond to the changing business and security circumstances.
The policy statement should require all staff to participate, whilst also considering the participation of all other stakeholders who have access to the organisation’s information and systems. When considering security policy, the board needs to consider how it will affect the business’s stakeholders, plus the benefits and disadvantages that the business will experience as a result of this.
What is the purpose of a security policy?
- GDPR mandates it
- Savvy customers will undoubtedly request it
- It’s usually required for tender submissions
- It demonstrates to all stakeholders that senior management is committed to information security
- It forms the cornerstone of any good Information Security Management System (ISMS) and is a requirement for ISO 27001, under Sect. 5.2.
Who should write your information security policy?
It must be the senior management who set the high-level policy and they should be seen to lead both in what they say and what they do.
Simply adopting a template approach will not work. It requires their commitment and authority to implement the security controls needed to protect the organisations information and to ensure that periodic reviews take place to monitor the effectiveness against stated objectives.
How to compile your information security policy
The process of compiling your information security policy is not always as straightforward as it seems, especially in larger organisations.
The policy must:
- Set objectives, and establish an overall sense of direction.
- Understand the criteria for the evaluation of risk.
- Take into account all relevant requirements.
- Define the strategic context for which the ISMS will be established.
The key questions that the initial policy statement must answer:
Who? – The board and management have to be completely behind and committed to the ISMS.
Where? – The parts of the organisation to which the policy is going to apply need to be clearly identified.
What? – The statement that the board and management “are committed to preserving the confidentiality, integrity, and availability of information” is at the heart of the ISMS.
Why? – For the protection of information from a wide range of threats, to minimise damage and maximise RoI.
What should an information security policy include?
There are many elements of information security policy.
This is where the organisation sets out its aim of the policy and why it plans to do it.
The organisation defines as to what the policy will cover, for example, the networks, locations, users, suppliers, etc.
The organisation creates well-defined objectives concerning security and strategy on which management have reached an agreement.
Access Control Policy
Here the organisation defines who within the organisation will be restricted to access certain business information.
Approach to data protection
These are the activities that are taken within the organisation such as use of a firewall, encryption and appropriate updates. The duties and responsibilities of the employees needs to be included in this policy.
It is also important for the information security policy to include reference to the relevant legislation or certification that the company is working within or towards, such as the ISO 27001 certification.
Other things that an information security policy might include:
There are some other things that might be included in an information security policy. These include things such as Remote Work procedures, Consequences for non-compliance, Disciplinary Actions, the Physical Security Security of IT, and Terminated Employees procedures. There may be some other things that are included in the information security policy, however, these may vary depending on your organisation, its activities and needs etc.
The benefits of following ISO 27001 to implement an information security plan:
1. ISO 27001 requires you to identify your information risks, evaluate and then mitigate them with the controls laid out within your ISMS. This will improve your information security posture and whilst it doesn’t eliminate the possibility of a breach, it reduces the likelihood of occurrence and gives you processes to follow in the event of one.
2. The assurance that a UKAS accredited certification will give to customers, regulators and other stakeholders.
3.It’s the internationally recognised best practise ISMS standard and gives you a framework to follow for managing all information assets, not just personal data for GDPR.
4. Many of the mandatory requirements of GDPR are addressed by ISO 27001 so you are already a big step towards implementing it when addressing compliance.
5. 1Put the other way round, if you are already aligned to the ISO 27001 standard, you are also a big way forward in achieving GDPR compliance.
How does ISMS.online help with your Information Security Policy and plan?
ISMS.online provides all the evidence behind the information security policies working in practice and includes a template information security policy for organisations to easily adopt or adapt to meet their own requirements.
The ISMS.online platform includes an approach to risk management and provides the tools for identifying, assessing, evaluating and controlling information-related risks through the establishment and maintenance of an ISMS following the ISO 27001 standard.
Optionally, you can also benefit from the ISO 27001 Virtual Coach that offers expert guidance on this and each of the ISO 27001 requirements and controls.