Information security (infosec) refers to the policies, processes, and tools designed and deployed to protect sensitive business information and data assets from unauthorised access, modification, or loss of availability. There are three core aspects of information security: confidentiality, integrity, and availability. Together these are known as the CIA triad.
Infosec policies establish a list of rules for employees and other stakeholders (e.g. suppliers) to follow where appropriate. This includes, but is not limited to:
There is almost no difference between a robust set of infosec policies that are not adhered to and having no infosec policies at all. Businesses and organisations need their employees to understand what is required of them, and every employee will need to demonstrate awareness of, and compliance with, the information security policies relevant to their role.
It’s the responsibility of the assigned Chief Information Security Officer (CISO) or Information Security Manager (ISM) within an organisation to ensure that all employees and systems conform with the rules set out in the information security policies.
Before a company implements any infosec policies, it needs to define the goals of both the organisation and the policy. Any inconsistencies in an infosec framework can make the information security policy ineffective. Information security policies must be regularly reviewed and updated by the organisation, and those updates must reflect any changes in the organisation's risks, working practices, and technologies, to name a few.
This can be accomplished by the organisation adopting, adapting and adding to its existing policy documentation or information security management system (ISMS). This keeps information security policies up to date, comprehensive, consistent and practical.
Well-established infosec policies let all stakeholders and employees understand the organisation’s information security framework. The key questions that a policy must answer are:
These policies also show how organisational risk can be mitigated. These include helping to:
Establishing a framework for policies is important for your information security. A framework allows you to take action to enforce conformity. For an information security policy to be successful, it will need to be updated in response to any changes in:
Off-the-shelf information security policies are widely available. However, one size does not fit all. Different organisations and industries have different standards and regulatory requirements, so the CISO must consider the organisation's legal obligations when creating or adopting information security policies. An organisation that only handles public data will have a completely different set of regulatory requirements from a government agency or a limited company handling personal or commercially sensitive data.
When an organisation commits to gaining ISO 27001 certification, it will need to set out guidelines for its information security policies. This is done by creating a top-level information security policy.
The information security policy an organisation creates is the driving force of that organisation’s ISMS (information security management system). It sets out the Board’s policy and requirements in terms of information security. It only needs to be a short document but must be in line with the organisation’s values. When aiming to achieve ISO 27001 certification, the ISMS also needs to meet the requirements of the standard.
The policy statement should require all staff to participate, while also considering the participation of all other outside stakeholders who have access to the organisation’s information and systems. When considering security policy, the Board needs to consider how it will affect the business’s stakeholders, plus the benefits and disadvantages that the business will experience as a result of this.
ISO 27001 requires you to identify your information risks, evaluate and then reduce them to an acceptable level through the use of the controls laid out within your ISMS. This will improve your information security posture, and while it doesn’t eliminate the possibility of a breach, it reduces the likelihood of occurrence and/or the impact of a breach and gives you processes to follow in the event of one.
A UKAS accredited ISO 27001 certification will give customers, regulators and other stakeholders assurance that you are managing information security effectively. It’s the internationally recognised best practice ISMS standard and gives you a framework to follow for managing all information assets, not just personal data for GDPR.
Many of the mandatory requirements of GDPR are addressed by ISO 27001, so addressing ISO 27001 compliance already takes you a big step towards implementing GDPR. Put another way, if you are already aligned with the ISO 27001 standard, you are also a significant way towards achieving GDPR compliance.
Purpose: This is where the organisation sets out its aim of the policy and how it plans to do it.
Scope: The organisation defines what the policy will cover, such as networks, locations, users, and suppliers.
Security objectives: The organisation sets well-defined security and strategy objectives on which management has reached agreement.
Legislation: It is also important for the information security policy to include references to the relevant legislation or certification that the company is working within or towards, such as the ISO 27001 certification.
Other items may be included in information security policies, depending on the organisation, its activities and its needs.
There are many elements to an information security policy. A CISO will need to determine the scope of the organisation's information security policies. These include, but are not limited to:
ISMS.online provides the evidence that the information security policies are working in practice and includes a template top-level information security policy for organisations to adopt, adapt or add to in order to meet their requirements quickly and easily.
The ISMS.online platform includes an approach to risk management. It provides tools for identifying, assessing, evaluating and controlling information-related risks through the establishment and maintenance of an ISMS that follows the ISO 27001 standard. Optionally, you can also use the ISO 27001 Virtual Coach, which offers guidance on each of the ISO 27001 requirements and controls.