An information security policy is a set of policies issued by an organization to ensure that all information technology users within the organization's domain or its networks comply with rules and guidelines for the security of information stored digitally at any point in the network or within the organization's boundaries of authority. Every organization needs to protect its data and also control how that data is distributed, both inside and outside the organizational boundaries. This may mean that information has to be encrypted, that access to it has to be authorized through a third party or institution, and that restrictions are placed on its distribution according to a classification system laid out in the information security policy.
The policy needs to be adapted to the organization – this means you cannot simply copy the policy from a large manufacturing company and use it in a small IT company.

It needs to define the framework for setting information security objectives – basically, the policy needs to define how the objectives are proposed, how they are approved, and how they are reviewed.

The policy must show the commitment of top management to fulfill the requirements of all interested parties, and to continually improve the ISMS – this is normally done through a statement within the policy.

The policy must be communicated within the company, but also – where appropriate – to interested parties; best practice is to define who is responsible for such communication, and then that person is responsible for doing it continuously.

The policy must be regularly reviewed – an owner of the policy should be defined, and this person is responsible for keeping the policy up to date.
The main purpose of the policy is that top management defines what it wants to achieve with information security. The second purpose is to create a document that the executives will find easy to understand, and with which they will be able to control everything that is happening within the ISMS – they do not need to know the details of, say, risk assessment, but they do need to know who is responsible for the ISMS and what to expect from it. The information security policy should actually serve as the main link between your top management and your information security activities, especially because ISO 27001 requires management to ensure that the ISMS and its objectives are compatible with the strategic direction of the company.

There are a couple of inputs you have to take into account when writing the policy:

Top management's intentions for information security – the best approach is to schedule an interview with your CEO and go through all the elements of the policy; you might send an email a couple of days before the meeting so that there is time to think about it.

Legislation and contractual requirements – your policy should reflect those.

An existing system for setting objectives – if such a system exists, you should refer to it.