Information Security Policy
What is Information Security Policy?
Cyber security affects businesses worldwide, so every organisation needs a policy that states and records its commitment to protecting the information it handles in the course of its operations.
The information security policy is the driving force of the organisation’s ISMS (Information Security Management System). It sets out the board’s policy and requirements for information security.
It only needs to be a short document, but it has to be in line with the organisation’s values, and if you are aiming for ISO 27001 certification it also has to meet the requirements of that standard.
The document should be kept as simple and as broad as possible, so that management retains the ability to respond to changing business and security circumstances.
The policy statement should require all staff to participate, and should also address the participation of every other stakeholder who has access to the organisation’s information and systems. When setting the policy, the board needs to consider how it will affect the business’s stakeholders, and the benefits and costs the business will incur as a result.
Why have an information security policy?
- GDPR requires appropriate technical and organisational security measures (Article 32), and a written policy is the standard way to evidence them
- Savvy customers will undoubtedly request it
- It’s usually required for tender submissions
- It demonstrates to all stakeholders that senior management is committed to information security
- It forms the cornerstone of any good Information Security Management System (ISMS) and is a requirement of ISO 27001, under clause 5.2
Who should write your information security policy?
Senior management must set the high-level policy, and they should be seen to lead both in what they say and what they do.
Simply adopting a template will not work. The policy needs their commitment and authority to implement the security controls required to protect the organisation’s information, and to ensure that periodic reviews take place to monitor effectiveness against the stated objectives.
How to compile your information security policy
Compiling an information security policy is not always as straightforward as it seems, especially in larger organisations.
The policy must:
- Set objectives and establish an overall sense of direction.
- Set out the criteria by which risk will be evaluated.
- Take into account all relevant legal, regulatory and contractual requirements.
- Define the strategic context in which the ISMS will be established.
The key questions that the initial policy statement must answer:
Who? – The board and management have to be completely behind and committed to the ISMS.
Where? – The parts of the organisation to which the policy is going to apply need to be clearly identified.
What? – The statement that the board and management “are committed to preserving the confidentiality, integrity, and availability of information” is at the heart of the ISMS.
Why? – To protect information from a wide range of threats, minimise damage and maximise return on investment.
What should be included in the information security policy?
An information security policy is made up of several elements:
- Purpose: the aim of the policy and why the organisation is adopting it.
- Scope: what the policy covers, for example the networks, locations, users, suppliers, etc.
- Information security objectives: well-defined security and strategy objectives on which management has agreed.
- Access control policy: which roles within the organisation are granted access to which business information, and which are restricted.
- Protective measures: how the organisation will protect its data, e.g. through firewalls, encryption, timely patching and updates, etc.
- Duties and responsibilities of employees.
- References to relevant legislation and standards. If you are pursuing ISO 27001 certification, the policy must reference the standard as it requires, alongside the laws and regulations that apply to the organisation.
Other things that an information security policy might include
Other items that may be included are remote working procedures, consequences of non-compliance and disciplinary actions, physical security of IT equipment and facilities, and procedures for terminated employees. What else is included will vary depending on your organisation, its activities and its needs.
The benefits of following ISO 27001 to implement an information security plan:
- ISO 27001 requires you to identify your information risks, evaluate them and then mitigate them with the controls laid out within your ISMS. This improves your information security posture: it does not eliminate the possibility of a breach, but it reduces the likelihood of one and gives you processes to follow if one occurs.
- A UKAS-accredited certification provides assurance to customers, regulators and other stakeholders.
- It’s the internationally recognised best-practice ISMS standard and gives you a framework for managing all information assets, not just the personal data covered by GDPR.
- Many of the mandatory requirements of GDPR are addressed by ISO 27001, so an organisation already aligned to the standard is a big step towards GDPR compliance, and vice versa.
How does ISMS.online help with your Information Security Policy and plan?
ISMS.online holds the evidence that your information security policies are working in practice and includes a template information security policy that organisations can adopt as-is or adapt to their own requirements.
The ISMS.online platform includes an approach to risk management and provides the tools for identifying, assessing, evaluating and controlling information-related risks through the establishment and maintenance of an ISMS following the ISO 27001 standard.
Optionally, you can also benefit from the ISO 27001 Virtual Coach that offers expert guidance on this and each of the ISO 27001 requirements and controls.