Information Security Policy

When setting up or improving the security within an organization, the highest level of management will have to make a statement to all employees that managing security risks is very important to the organization. An Information Security Policy is a high-level description of how security within an organization is set up, approved by management. It helps the organization in understanding the need for security, who is responsible, and how to comply with the security measures.

As shown in the image below, an Information Security Policy should support the more detailed policy documents, which in turn support the business units. These detailed tactical-level policies are sometimes called Standards or directives, and they support the processes and guidelines at the operational level.

Relationship between policies, procedures and guidelines

In most cases, only the strategic-level documents are approved by management, while the other documents are approved by the security team or by the business units themselves. Even though the Information Security Policy is a strategic-level document, it sets the boundaries for all other documents and procedures, so it is always good that all employees are aware of this document.

How

When you search the internet for Information Security Policy you will find a lot of information. But each website provides somewhat different information, leaving you unsure whether you are on the right path. So, what does a framework like ISO27001 require? Let's see…

In my opinion a good Information Security Policy should include the following topics:

  • Definition of Information Security
    Make sure that every employee knows what information security is and why it is important for them.
  • Scope
    Explain that this policy is relevant for the whole organization, or which part of the organization.
  • Objectives
    What are your targets? For example: prevent unauthorized access to customer data.
  • Principles
    A set of basic rules that are relevant to your scope and support your objectives.
  • Commitment
    Make sure that higher management approves the Information Security Policy and mention this here. This statement shows the organization that you have management support.
  • Roles and responsibilities
    At a high level, which roles are required to support this Information Security Policy.
  • Exceptions
    When the organization is not able to follow the policies, procedures or guidelines, you need a process in place where you can manage any exceptions.
  • Supported documents
    Make a list of the other policies where more detailed information is available per subject.

Risks

When creating an Information Security Policy, be aware that this is a high-level strategic document. The main pitfall is going into too much detail. The problem with too much detail in this policy is that for every change you will need to get management approval. As management at most organizations is very busy and does not have a lot of time available, you might notice that getting approval takes a long time.

Limiting the Information Security Policy to only the required information prevents management from micro-managing. Micro-management here means that management is burdened with operational issues that should be handled by operational management. If this is the case at your organization, you can help prevent it by creating a document at the correct level.

Example Policy Content

An example Information Security Policy can be downloaded below. Note that this is just an example policy and specific adjustments might be needed before you can use it within your own organization.