What is an Information Security Policy?
Information security (infosec) refers to policies, processes, and tools designed and deployed to protect sensitive business information and data assets from unauthorised access. There are three core aspects of information security: confidentiality, integrity, and availability. This is known as the CIA triad.
The principles of the CIA triad safeguard three key objectives:
- Confidentiality: Access to data assets must be limited to authorised individuals only
- Integrity: Maintaining the accuracy and reliability of data and IT systems, ensuring they remain fit for purpose
- Availability: Ensuring authorised users can access the information or policies they need, when they need them
Infosec policies establish a set of rules for employees and other stakeholders (e.g. suppliers) to follow where appropriate. The areas they cover include, but are not limited to:
- Access control
- Acceptable use
- Clear desk & clear screen
- Data protection
- Data classification
- Mobile devices
Information security responsibilities and goals
It’s the responsibility of the assigned Chief Information Security Officer (CISO) or Information Security Manager (ISM) within an organisation to ensure that all employees and systems conform to the rules set out in the information security policies.
Before a company implements any infosec policies, it needs to define the goals of both the organisation and the policy. Any inconsistencies in an infosec framework can make the information security policy ineffective. Information security policies must be regularly reviewed and revised by the organisation. These revisions must reflect, among other things, changes in the organisation’s risks, working practices and technologies.
This can be accomplished by the organisation adopting, adapting and adding to its existing policy documentation or information security management system (ISMS). This keeps information security policies up to date, comprehensive, consistent and practical.
Understanding information security policies
By nature, infosec policies are designed to reduce organisational risk. Information security policies can be as specific or broad as needed. However, most organisations aim to implement policies aligned to recognised standards and legislation such as ISO 27001, NIST Cybersecurity Framework and the California Consumer Privacy Act (CCPA).
An organisation’s management or leadership must approve any information security policies before they are implemented. The policy itself should align with strategic business needs and with applicable legislation, regulations and directives such as the EU’s GDPR. Information security is an always-evolving process. As changes occur within an organisation, any information security policies in place will also need to be updated. The same is true when infosec standards are updated with revised guidance, when legislation is amended, or when new cybersecurity threats emerge.
The importance of information security policies
Well-established infosec policies let all stakeholders and employees understand the organisation’s information security framework. The key questions that a policy must answer are:
- Who? – Determine the people responsible for the policies
- Where? – Identify the parts of the organisation that the policies apply to
- What? – Decide on the specific information that is being protected in the policies
- Why? – Establish the purpose of implementing the policies
These policies also show how organisational risk can be mitigated. In particular, they help to:
- Protect against fraud
- Protect against data breaches
- Protect industry secrets that could help competitors
- Protect digital assets and intellectual property
- Protect the brand from reputational damage
- Protect against financial regulatory penalties
- Ensure business continuity
- Demonstrate robustness
Establishing a framework for policies is important for your information security. A framework allows you to take action to enforce conformity. For an information security policy to be successful, it will need to be updated in response to any changes in:
- Your business
- Emerging threats
- Results from prior incidents
- Stakeholders’ requirements
- Changes in the law
- Changes in technology
Off-the-shelf information security policies are widely available. However, one size does not fit all. Different organisations and industries have different standards and regulatory requirements. The CISO must consider their organisation’s legal obligations when creating or adopting information security policies. If an organisation only deals with public data, it will have a completely different set of regulatory requirements to that of a government agency or limited company.
ISO 27001 information security policy
When an organisation commits to gaining ISO 27001 certification, it will need to set out guidelines for its information security policies. This is done by creating a top-level information security policy.
The information security policy an organisation creates is the driving force of that organisation’s ISMS (information security management system). It sets out the Board’s policy and requirements in terms of information security. It only needs to be a short document but must be in line with the organisation’s values. When aiming to achieve ISO 27001 certification, the ISMS also needs to meet the requirements of the standard.
The policy statement should require all staff to participate, while also considering the participation of all other outside stakeholders who have access to the organisation’s information and systems. When considering security policy, the Board needs to consider how it will affect the business’s stakeholders, plus the benefits and disadvantages that the business will experience as a result of this.
The benefits of following ISO 27001 to implement information security policies
ISO 27001 requires you to identify your information risks, evaluate them, and then reduce them to an acceptable level through the controls laid out within your ISMS. This improves your information security posture: while it doesn’t eliminate the possibility of a breach, it reduces the likelihood and/or the impact of one, and gives you processes to follow in the event that one occurs.
A UKAS-accredited ISO 27001 certification will give customers, regulators and other stakeholders assurance that you are managing information security effectively. It is the internationally recognised best-practice ISMS standard and gives you a framework for managing all information assets, not just the personal data covered by GDPR.
Many of the mandatory requirements of GDPR are addressed by ISO 27001, so implementing the standard takes you a big step towards GDPR compliance. Put another way, if you’re already aligned to the ISO 27001 standard, you are also a significant way forward in achieving GDPR compliance.
All information security policies must cover:
- Purpose: The organisation sets out the aim of the policy and how it plans to achieve it.
- Scope: The organisation defines what the policy will cover, such as networks, locations, users and suppliers.
- Security objectives: The organisation creates well-defined objectives concerning security and strategy on which management has reached agreement.
- Legislation: The policy should reference the relevant legislation or certification that the company is working within or towards, such as ISO 27001 certification.
Other elements may also be included in information security policies, depending on your organisation, its activities and its needs.
What should a set of information security policies cover?
There are many elements to an information security policy, and a CISO will need to determine the scope of their organisation’s policies. The areas covered include, but are not limited to:
- Security programmes and appropriate usage
- Network security
- Data security
- Security of physical assets
- Business continuity and disaster recovery
- Access controls and security awareness
- Risk assessment and analysis
- Incident response and management
Why use an ISMS to manage your information security policies?
ISMS.online provides the evidence that information security policies are working in practice, and includes a template top-level information security policy for organisations to adopt, adapt or add to, so they can meet their requirements quickly and easily.
The ISMS.online platform includes an approach to risk management. It provides the tools for identifying, assessing, evaluating and controlling information-related risks through the establishment and maintenance of an ISMS following the ISO 27001 standard. Optionally, you can also benefit from the ISO 27001 Virtual Coach that offers expert guidance for each of the ISO 27001 requirements and controls.