What makes a good security policy?

We recently launched the InfoSaaS set of information security documentation, to help our customers design, implement and operate an appropriate set of policies, procedures and related content which helps to deliver an effective Information Security Management System. The ISO27001 standard specifies a range of documentation and records needed to demonstrate compliance with specific clauses and requirements within the standard, but it does not provide a comprehensive list of ALL the documentation you may need to address YOUR organization’s specific security needs. As an aside, that’s where our documentation content helps by providing an appropriate range of clear and concise content – all suitable for adapting to the individual needs of your Company and the sector it operates within.

As information security consultants, we are regularly asked to assess an organisation’s documentation for suitability – normally a week or two before the external auditor with the clipboard arrives and starts to ask questions! This brings us to the burning issue of the week – is it better to have one information security policy that covers everything, or a framework of separate, focused content? Let’s pause a moment to look at some of the characteristics of a “good” security policy:

  • Is the information security policy usable by your organisation – are its requirements able to be properly identified and are they achievable?
  • Does it address the specific requirements detailed within the ISO27001 standard, as applicable to your organisation?
  • Is it written in a clear, readable format, that can be understood by all levels of personnel?
  • Is it version controlled, identifiable, and properly approved before being issued?
  • Does it ensure your employees are delivering the right information security activities?
  • Does it provide a suitable framework to protect your company and its data?

We have seen some fantastic all-in-one information security policies, many of which are galloping merrily north of 50+ pages (!) which attempt to cover every aspect of information security in one go. Whilst this format may work for some organisations, we would  observe the following challenges:

  • How many of your employees would actually read a document of this length?
  • For such large amounts of policy statements, are they expected to remember them all?
  • If in-life changes are needed to just one small section, the whole document would then need to be re-issued to the whole of your organisation.
  • Is this really the best format for rapid employee access, when they are looking for specific guidance?

It’s not too hard to spot that the InfoSaaS preferred and recommended approach is a high level information security policy, which includes the following:

  • The policy objectives – why has it been written, what is it designed to achieve?
  • The policy scope – what activities/functions/assets are in and out of scope of the policy?
  • The policy statements – initially a commitment to information security and to follow the requirements specified within the current ISO27001 standard
  • A set of of focused statements, declaring the high level intention on a specific security matter, and then linking to a separate, specific policy document on each subject …
  • Clear ISMS roles and responsibilities – who is responsible for delivering each activity
  • Formal document control, with reviewer and approval sign off, version history etc.

This approach goes a long way to help address the four challenges noted above. Specifically, we will be looking to implement a number of “second tier” security documents for, as an example:

  • access control policy
  • acceptable use policy
  • business continuity policy
  • anti-virus policy
  • asset management policy
  • supply chain management policy
  • social media usage policy
  • information security training policy
  • security incident management policy
  • data erasure/deletion policy
  • etc etc.

Documentation doesn’t need to be daunting. Take a look at our documentation packs, which have been written drawing upon more than 20+ years’ experience, and which allow for organisations of all types to edit and customise content to meet their own specific needs. And all within a much more time efficient window than creating your own security documentation from scratch. As always, feel free to get in touch with InfoSaaS if you have any questions.