As information security consultants, we are regularly asked to assess an organisation’s documentation for suitability – normally a week or two before the external auditor with the clipboard arrives and starts to ask questions! This brings us to the burning issue of the week – is it better to have one information security policy that covers everything, or a framework of separate, focused content? Let’s pause a moment to look at some of the characteristics of a “good” security policy:
- Is the information security policy usable by your organisation – are its requirements able to be properly identified and are they achievable?
- Does it address the specific requirements detailed within the ISO27001 standard, as applicable to your organisation?
- Is it written in a clear, readable format that can be understood by all levels of personnel?
- Is it version controlled, identifiable, and properly approved before being issued?
- Does it ensure your employees are delivering the right information security activities?
- Does it provide a suitable framework to protect your company and its data?
We have seen some fantastic all-in-one information security policies, many of which gallop merrily north of 50 pages (!) in an attempt to cover every aspect of information security in one go. Whilst this format may work for some organisations, we would note the following challenges:
- How many of your employees would actually read a document of this length?
- With such a large number of policy statements, are employees expected to remember them all?
- If an in-life change is needed to just one small section, the whole document has to be re-issued to the whole of your organisation.
- Is this really the best format for rapid employee access, when they are looking for specific guidance?
It’s not too hard to spot that the InfoSaaS preferred and recommended approach is a high-level information security policy, which includes the following:
- The policy objectives – why has it been written, what is it designed to achieve?
- The policy scope – what activities/functions/assets are in and out of scope of the policy?
- The policy statements – initially a commitment to information security and to following the requirements specified within the current ISO27001 standard.
- A set of focused statements, each declaring the high-level intention on a specific security matter and then linking to a separate, specific policy document on that subject …
- Clear ISMS roles and responsibilities – who is responsible for delivering each activity
- Formal document control, with reviewer and approval sign off, version history etc.
This approach goes a long way towards addressing the four challenges noted above. Specifically, we would look to implement a number of “second tier” security documents covering, for example:
- access control policy
- acceptable use policy
- business continuity policy
- anti-virus policy
- asset management policy
- supply chain management policy
- social media usage policy
- information security training policy
- security incident management policy
- data erasure/deletion policy
- and so on.
Documentation doesn’t need to be daunting. Take a look at our documentation packs, which have been written drawing upon more than 20 years’ experience, and which allow organisations of all types to edit and customise the content to meet their own specific needs – all in far less time than creating your own security documentation from scratch. As always, feel free to get in touch with InfoSaaS if you have any questions.