Information Security Policy Development

Information security policies are the foundation of an effective information security governance, risk and compliance strategy. As such, they must be based upon a well-defined strategy that clearly reflects the business’s risk appetite, tolerance and capacity for a breach. Security policies are risk-driven and must recognise that while they cannot prevent a breach, they most certainly help to identify, minimise and manage the risk of a breach.

They must be clear, concise and written in plain language so that they are easily understood by all affected parties. Because of their importance, these policies must be properly created, accepted and validated by the board and senior management before being communicated throughout the business.

Good policies are not easily produced. They must specify requirements, defines the roles and responsibilities in the business, and outline expected behaviours in various situations. They also need to satisfy internal and external compliance and audit requirements and so require a clear framework.

A policy framework serves to define different types of documents and their contents. They can be simple or complex depending on the business. Although, a business may have a stand-alone cybersecurity policy, it should be part of a principal information security policy framework.

Good clear policies are essential in the best of times – in uncertain times, they are critical. Risk Crew can also help you create your “work from home” policies to ensure your staff protect your information assets when working remotely.

A typical information security documentation framework is comprised of policies, standards, procedures and guidelines that include:

Policies

Provide required and prohibited activities and behaviours

Standards

Provide interpretation of policies in specific situations

Procedures

Provide details on how to comply with policies and standards

Guidelines

Provide general guidance for what to do in certain circumstances

Establish Detailed Policies

These will include:

Risk Management
Access Control
Personnel Security Systems Acquisition, Development & Maintenance
Work From Home Security Standards
Asset Management
Communications & Operations
Security Incident Response
Business Continuity & Disaster Recovery
Vendor Management
Compliance Management

Align with Controls

Once written, policies need to be aligned to controls implemented to enforce them. Objectives should be established for each control along with the evidence they should produce to verify their effectiveness and how this should be tested. This policy-to-control mapping is critical to ensure the effective implementation of your policies.

Review and Update

Finally, policies must be continually reviewed and updated to ensure that they keep pace with the business’ commercial objectives and risk appetite. Policies must address the dynamic cyber threat and compliance landscapes. They must also consider the everchanging information assets and people, process and technology used by the business to attain these objectives. These are considerable challenges and require considerable expertise.

Why Choose Risk Crew

Risk Crew are industry leaders in designing and delivering effective information security risk management policies.

Our experienced information security governance, risk and compliance consultants implement proven assessment methodologies for measuring and documenting the effectiveness of your business’ ISMS. All our consultants are thoroughly vetted and subject to in-depth professional, criminal and credit records checks.

When you choose Risk Crew, you’re electing to work with qualified experts.

Best Practice

Risk Crew follows best practices including ISO 27001, PCI, Data Protection Act 2018 and the GDPR

Accredited

ISO 27001 and Cyber Essentials Plus certified

Certified

Consultants hold CISA, CRISC, CISM and CXS certifications

Experienced Practitioners

Risk Crew has over 30 years of practical knowledge

Risk Crew can help you with your specific information security risk management policy development, implementation and maintenance requirements.

Our policy services are customised to your specific business needs. Templates won’t do. Whether you are starting from scratch, need a simple refresh to meet a compliance requirement or a deep dive to strengthen and re-energise your strategy, we can take you to the next level.

Find out how Risk Crew can help you meet your organization development information security risk management policies today.

Frequently Asked Questions

Are individual policies necessary for specific compliance requirements?

No. Best practice recommends that policies or controls required for Payment Card Industry, Data Security Standards (PCI DSS) or Data Protection (DPA) 2018 compliance should be included in baseline documentation and integrated into the overall policy framework documentation implementing the business’ information security management system (ISMS).

Who should “own” information security policies?

In a perfect world, a designated Information Security Risk Manager would “own” the responsibility for keeping security policies current and applicable. The Board owns the responsibility for identifying the information assets that require protection and articulating the risk appetite to be reflected in the policies and Senior Management owns the responsibility for defining the strategy and ensuring the resources required (i.e. an Information Security Risk Manager) to implement it.

How often should information security policies be updated?

Information security policies should be updated at least annually and/or after a significant change to business systems processing, storing or transmitting information assets.

Information Security Policies