Security policy

Anyone who has actually written company policies would probably agree that it is far from easy. There's quite an art to developing a form of words that simultaneously describes “the rules” clearly and unambiguously, applies to a variety of situations, and convinces staff to comply with the policy. Furthermore, simply publishing policies is not by itself sufficient to ensure compliance. IsecT can help you prepare a coherent strategy to address these typical questions:

  • Which IT and information security issues do we need to cover?
  • What about policies, standards, guidelines and all that - what do we actually need and what do these names mean anyway?
  • How do standards like ISO/IEC 27002 and legislation such as Privacy/Data Protection, SOX, HIPAA, PIPEDA, FISMA and FoIA relate to our internal policies?
  • To whom should they apply? How do we cover third parties?
  • Should management “approve” them, and if so who and how, exactly?
  • What’s the best way to publish and promote them to employees?
  • What can we do to achieve and manage compliance?
  • What’s the best way to manage changes to the policies?
  • Who should be accountable and responsible for information security, and how should we structure the function?

Drawing on our own experience, coupled with internationally recognised good practice such as ISO/IEC 27002 and Web resources, IsecT can help you design an overall structural framework for your information security policies and then populate it with high quality, plain English documents of various types. The structure is important as it determines the scope. An overarching policy (containing generic guiding principles and axioms) is important to demonstrate senior management support for information security. Lower level policies, standards and guidelines fill in the details and clarify the organization’s control objectives plus mandatory and recommended controls.

Contact IsecT if you need a comprehensive information security policy manual. Our generic policy manual reflects the current version of international standard ISO/IEC 27002 and is available to purchase now for less than US$300. It comprises the most formal parts of a typical policy structure with 7 high level guiding principles, 39 axioms and over 100 pages of detailed security policy statements reflecting state of the art security practices. We can also help you create the supporting information security standards, guidelines and procedures to complete your security documentation set.

In conjunction with senior corporate management, IT management and various functions such as information security, HR and physical security, our related information security awareness service goes beyond simply delivering the documents and intranet web pages to helping you implement them throughout your organization. Call us to find out more.

Copyright © 2008 IsecT Ltd.