An Information Security Policy is at the centre of the information security program at an organization. It is also an important requirement for ISO 20071 certification.
Sometimes, companies spend a lot of time to include all the details about information security right from the high-level strategy to granular information on best practices to be adopted by the users. On the other hand, some companies treat this document just as a mandatory requirement they need to fulfil and use readymade templates to fill in the information and be done with it.
Both these approaches are wrong and will not add any value to the company’s information security program.
The purpose of an information security policy is to serve as an aid for the top management to control the company’s Information Security Management System (ISMS) effectively. It should help them to enforce information security and also share the security measures with clients, auditors, and partners.
Some companies make the policy too exhaustive including a wide range of potential issues and use cases. Such a policy will be too impractical to actually implement. Also, a very detailed policy that runs into 50 or more pages will not be useful to refer to for operational purposes.
Similarly, a policy created just as a formality will not capture the strategic view of information security. It will end up just being another document created for the sake of audit and will not really be of any use.
In order for policy documents to be informational as well as practical, ISO 27001 defines two levels of documents.
This high-level policy should ideally be between 2 to 5 pages.
Please note that the information in the detailed policy will depend on the Risk Assessment Report which will determine which controls need to be implemented. The detailed policy is longer than the high-level policy and should be around 10 pages long. If it is much longer, it might again pose the same problem of being unusable on account of being too lengthy.
Is it really worth it to spend a lot of time creating the Information Security Policy? The answer is yes.
As mentioned above, a policy document created just for the sake of audit will not be useful. But creating a well-written document will make it easy for you to control the company’s ISMS.
Here are the important elements of an Information Security Policy.
Below are the tips to write an effective Information Security Policy.
A well-drafted and updated Information Security Policy will certainly be a valuable document for any company. Even if you are not able to immediately quantify the benefits, you will certainly see a drop in security risks and a well-managed ISMS in due time. You can read more about the ISO 20071 certification in The Complete Guide to ISO 27001. If you are preparing for your first audit, read through the 9 Steps to Prepare for Your First ISO 27001 Audit.
To see how an integrated content library and automation simplifies ISO 27001 implementation, get n touch with our team and take a free tour of the 6clicks platform.