The Importance of an Information Security Policy
Information Security is a state that all organisations and individuals should aspire to. Here we take a deeper look into what InfoSec is about and what measures are needed to achieve it.
Why have an information security policy?
- GDPR mandates it
- Savvy customers will request it
- It’s usually required for tender submissions
- It demonstrates to all stakeholders that senior management is committed to information security
- It forms the cornerstone of any good Information Security Management System (ISMS) and is a requirement, under Sect. 5.2, for ISO 27001 certification
What should it include?
1. The organisation’s objectives for security
- To align the organisation’s business goals with information security requirements, whilst taking into account the internal and external issues affecting the organisation and the requirements of interested parties.
- To protect the organisation’s information assets, including IP, business information and any staff, customer or suppliers’ Personally Identifiable Information (PII) by safeguarding its confidentiality, integrity and availability.
- To establish responsibility and accountability for Information Security in the organisation.
- To encourage management and staff to maintain an appropriate level of awareness, knowledge and skill to allow them to minimise the occurrence and severity of Information Security incidents.
- To ensure that the organisation is able to continue its commercial activities in the event of significant Information Security incidents.
- To meet the compliance requirements of applicable legislation such as GDPR.
2. The agreed management strategy for securing information
Meeting the objectives laid out in the Information Security Policy requires a plan.
This can be complex to define, which is why following an established framework for information security management, such as ISO 27001, is useful. It gives structure to your ISMS, and you can then set about defining the controls you will put in place to mitigate your information security risks.
Who should write your information security policy?
It must be the senior management who set the high-level policy, the objectives and the direction of travel for the ISMS. They must be seen to lead both in what they say and what they do.
Simply adopting a template approach will not work. It requires senior management’s commitment and authority to implement the controls that will be required, and to ensure that periodic reviews take place to confirm the effectiveness of the ISMS against its stated objectives.
The benefits of following ISO 27001 to implement your information security plan
- ISO 27001 requires you to identify your information risks, evaluate and then mitigate them with the controls laid out within your ISMS. This will improve your information security posture and whilst it doesn’t eliminate the possibility of a breach, it reduces the likelihood of occurrence and gives you processes to follow in the event of one.
- The assurance that a UKAS accredited certification will give to customers, regulators and other stakeholders
- It’s the internationally recognised best practice ISMS standard and gives you a framework to follow for managing all information assets, not just PII for GDPR
- Many of the mandatory requirements of GDPR are addressed by ISO 27001, so by working towards ISO 27001 compliance you are already a big step towards implementing GDPR
- Put the other way round, if you are already aligned to the ISO 27001 standard, you are also a long way forward in achieving GDPR compliance.
Confidentiality, Integrity and Availability
Confidentiality, integrity and availability (CIA) is a model that is designed to help you create information security policies.
Confidentiality means protecting information and ensuring that it is not seen by any unauthorised persons. In relation to information security, we would consider such information to include things like bank details, trade secrets and personal phone numbers.
Integrity relates to ensuring that information cannot be modified by unauthorised persons. An example would be a financial transfer being intercepted and redirected to another bank account.
Availability means ensuring that authorised users can access information when they need it. If a website is struck by a distributed denial of service (DDoS) attack, visitors are prevented from accessing any information on it. If the website is an e-commerce site or an online banking site, this could cost both consumer and owner a great deal of money.