What is the Information Security Policy according to ITIL/ISO 20000?

After years in IT Service Management (ITSM), I now know that the first Information Security Policy that came into my hands was a miss. It was more like a small book. That document (I wouldn't even call it a "policy") contained everything that was relevant to information security management. Did I read it? No, or at least not much of it. After many years of dealing with policies, processes, and ITSM in general, I know that documents need to be fit for purpose. Policies are not lengthy documents.

In the case of an Information Security Policy, such a document needs to give the general approach and direction for information security management. Let's see how ITIL and ISO 20000 tackle this topic, so you can use the requirements (section 6.6, in the case of an ISO 20000 implementation) and/or recommendations (in the case of an ITIL implementation) to build a strong foundation for information security management.

What is the purpose?

The Information Security Policy can be seen as the driver of all information security activities. Based on the requirements set in the policy, the company will implement and maintain information security controls in order to preserve the confidentiality, integrity, and availability of the company's information assets (see the article If anything shouldn't be taken for granted… it's Information Security Management to learn more).

The Information Security Policy is a high-level (meaning, no details) or top-level policy. That means that this policy provides general guidelines and direction for how to approach information security inside the organization, or inside the SMS (if you are implementing ISO 20000).

That fact raises the following question: information security has to cover a broad scope and a large number of topics (e.g., access to systems and premises, communication security, security of people, etc.), yet the Information Security Policy doesn't go deep into details. So how do you regulate all the needed areas of information security? This is exactly why the Information Security Policy is called a "top-level" policy: based on it, the organization creates other, more detailed policies (e.g., an Access control policy, an Information classification policy, a Password policy, etc.).


How about the content?

Neither ISO 20000 nor ITIL is very prescriptive (in terms of details) about the content of the Information Security Policy. But there are some requirements that need to be addressed by the policy:

Responsibility – The Information Security Policy is the responsibility of the management accountable for the SMS or IT Service Management (ITSM) in the company. Although ISO 20000 only requires that "management with appropriate authority approve" the policy, the approver shouldn't be someone in an operational role (e.g., a network administrator), but rather someone from senior (or top) management. That's because the Information Security Policy has company-wide reach, and in order to implement it, you need a strong sponsor.

Requirements and obligations – All relevant statutory and regulatory requirements and contractual obligations must be taken into consideration while creating the policy. Also, don't forget to consider the service requirements that can affect the policy.

Risks – Management of information security risks is at the core of information security management. Therefore, risk management needs to be defined and conducted (e.g., the risk methodology, the criteria for acceptable and non-acceptable risks, etc.). The policy must also define the intervals at which information security risk assessments are performed.

Audit – The policy must ensure that internal audits are performed regularly (e.g., by defining the interval and plan for audits, the responsibility for appointing the auditor, where results are recorded, etc.). Once an internal audit has been conducted, the Information Security Policy must ensure that its results, particularly nonconformities and opportunities for improvement, are identified and acted upon (e.g., by defining where to record them, who is responsible for them, etc.).

The Information Security Policy is important for all employees of the company, but also for all other parties involved in service management: your suppliers, customers, and sub-contractors. So, it's advisable to define in the policy who its intended users are, as well as who communicates the policy, and how. But be careful: if there are customer- or supplier-specific aspects that the policy needs to address, you need to define them in the policy and apply them in the SMS.

Figure 1. Example of the content of the Information Security Policy

For the benefit of the company

As you can see, the Information Security Policy doesn't go into processes, their related activities, or technology. It includes the mechanisms that (top) management needs in order to be sure that information security is managed. Therefore, management needs to be involved in the creation of the policy, and for that, they need to understand it.

Avoid a lengthy document (no one reads them, anyway), make it easy to understand, and align it with corporate goals, and you've taken the first step in the right direction. Continue making small steps (the specific information security policies), and that will get you to the end of the road.


Author: Branimir Valentic
Branimir is an expert in IT service management (consultancy, training, and tools), IT governance (training and consulting), project management, and consultancy in IT and telecommunications. He holds the following certificates: ITIL Expert, ISO 20000, ISMS Lead Auditor, and PRINCE2.