Creating an Information Security Policy – begin with the three principles in mind.
Where do you begin with creating your Information Security Management System?
A key document to begin with is the Information Security Policy. This provides a focus and commitment to Information Security, in particular Confidentiality, Integrity and Availability (CIA).
Many people think of Information Security from the point of view of keeping information confidential. However, ISO 27001 is based on three principles – Confidentiality, Integrity, Availability (CIA). Many often overlook integrity and availability.
Integrity is quite simply about the accuracy of information. What happens when an email containing sensitive data is accidently sent to the wrong person? What happens when shared data on a server gets overridden accidently? What happens when someone uses the wrong form or document from a shared server? These are all key considerations when considering how data is handled in your organisation.
Availabilty is the principle that is most overlooked, yet one may argue is the most critical. If your systems and data are not available, how could this impact your business? It may be due to IT systems/Servers being down, access rights denied or simply that company/client information is stored in someone’s head/personal phone or on the desktop on their laptop – so in effect it is useless to the business because it’s not accessible.
How to create your Information Security Policy…
An Information Security Policy does not need to be a huge document. Typically, it is a one-page (A4) document – it needs to be succinct, and to the point, after all, a Policy is a statement of intent from the leadership team, so it should not include lots of procedures.
There is guidance within the standard which stipulates that the Policy should be:-
- Aligned with your Information Security objectives
- Compatible with the purpose and strategic direction of the organisation;
- Includes a commitment to satisfy applicable requirements related to information security i.e. legal requirements, ISO 27001 requirements and your stakeholder requirements.
- Includes a commitment to continual improvement of the information security management system.
The Information Security Policy then needs to be communicated to employees – this can be done via email (with a link to the document and location) and possibly having it displayed in a common area i.e. in Reception so that it is visible to employees and other stakeholders. The Policy also needs to be made available to other interested parties i.e. IT Managed Service Provider, clients.
And click HERE for further information on how we can help you with ISO 27001.
To help out the ISO Show: