{"id":7912,"date":"2017-12-06T19:44:41","date_gmt":"2017-12-06T19:44:41","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/20000academy\/?p=7912"},"modified":"2024-12-12T13:43:38","modified_gmt":"2024-12-12T13:43:38","slug":"what-is-the-information-security-policy-according-to-itil-iso-20000","status":"publish","type":"post","link":"https:\/\/advisera.com\/20000academy\/blog\/2017\/12\/06\/what-is-the-information-security-policy-according-to-itil-iso-20000\/","title":{"rendered":"What is the Information Security Policy according to ITIL\/ISO 20000?"},"content":{"rendered":"<p>After years in IT Service Management (ITSM), now I know that the first Information Security Policy that came into my hands was \u2013 a miss. It was more like a small book. That document (I wouldn\u2019t even call it a \u201cpolicy\u201d) contained all that was relevant for information security management. Did I read it? No, at least, not much of it. After many years dealing with policies, processes, and ITSM in general, I know that documents need to be fit for purpose. Policies are not lengthy documents.<\/p>\n<p>In the case of an Information Security Policy, such document needs to give a general approach and direction for information security management. 
Let\u2019s see how <a href=\"https:\/\/advisera.com\/20000academy\/what-is-itil\/\" target=\"_blank\" rel=\"noopener noreferrer\">ITIL<\/a> and <a href=\"https:\/\/advisera.com\/20000academy\/what-is-iso-20000\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 20000<\/a> tackle this topic so you can use the requirements (section 6.6, in the case of ISO 20000 implementation) and\/or recommendations (in the case of ITIL implementation) to build a strong foundation for information security management.<\/p>\n<h2>What is the purpose?<\/h2>\n<p>The <a href=\"https:\/\/advisera.com\/20000academy\/iso-20000-documentation-toolkit\/?rel=service-assurance-processes&#038;doc=information-security-management-policy\" target=\"_blank\" rel=\"noopener\">Information Security Policy<\/a> can be seen as the driver of all information security activities. Based on the requirements set in the policy, the company will implement and maintain information security controls in order to preserve the confidentiality, integrity, and availability of information assets of the company (see the article <a href=\"https:\/\/advisera.com\/20000academy\/blog\/2014\/04\/01\/anything-shouldnt-taken-granted-information-security-management\/\" target=\"_blank\" rel=\"noopener noreferrer\">If anything shouldn\u2019t be taken for granted\u2026 it\u2019s Information Security Management<\/a>\u00a0to learn more).<\/p>\n<p>The Information Security Policy is high-level (meaning, no details) or top-level policy. That means that this policy will provide general guidelines and direction for how to approach information security inside the organization, or in the SMS (if you are implementing ISO 20000).<\/p>\n<p>That fact opens the following consideration \u2013 information security has to cover a broad scope and a large number of topics (e.g., access to the system\/premise, communication security, security of people, etc.), and the Information Security Policy doesn\u2019t go deep into details. 
How do you regulate all the needed areas of information security? Well, this is why the Information Security Policy is called a \u201ctop-level\u201d policy \u2013 based on it, the organization will create other, more detailed policies (e.g., <a href=\"https:\/\/advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=information-security-controls&#038;doc=access-control-policy\" target=\"_blank\" rel=\"noopener\">Access control policy<\/a>, <a href=\"https:\/\/advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=information-security-controls&#038;doc=information-classification-policy\" target=\"_blank\" rel=\"noopener\">Information classification policy<\/a>, <a href=\"https:\/\/advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=information-security-controls&#038;doc=password-policy\" target=\"_blank\" rel=\"noopener\">Password policy<\/a>, etc.).<\/p>\n<h2>How about the content?<\/h2>\n<p>Neither ISO 20000 nor ITIL is very prescriptive (in details) about the content of the Information Security Policy. But, there are some requirements that need to be addressed by the policy:<\/p>\n<p><strong>Responsibility<\/strong> \u2013 The Information Security Policy is the responsibility of the management accountable for the\u00a0<a href=\"https:\/\/advisera.com\/20000academy\/documentation\/sms-plan\/\" target=\"_blank\" rel=\"noopener noreferrer\">SMS<\/a> or IT Service Management (ITSM) in the company. Although ISO 20000 requires that \u201c<em>management with appropriate authority approve<\/em>\u201d the policy, that shouldn\u2019t be some operative guy (e.g., network administrator), but rather someone from high (or top) management. 
That\u2019s because the Information Security Policy has company-wide reach and, in order to implement it, you need a strong sponsor.<\/p>\n<p><strong>Requirements and obligations<\/strong> \u2013 All relevant statutory and regulatory requirements and contractual obligations must be taken into consideration while creating the policy. Also, don\u2019t forget to consider service requirements that can affect the policy.<\/p>\n<p><strong>Risks<\/strong> \u2013 Management of information security risks is at the core of information security management. Therefore, management of risks needs to be defined and conducted (e.g., risk methodology, criteria for acceptable\/non-acceptable risks, etc.). The policy must define intervals for information security risk assessment.<\/p>\n<p><strong>Audit<\/strong> \u2013 The policy must ensure that internal audits are performed regularly (e.g., defining interval and plan for audits, responsibility to appoint auditor, where to save results, etc.). Once the <a href=\"https:\/\/advisera.com\/20000academy\/documentation\/annual-internal-audit-program-iso-20000\/\" target=\"_blank\" rel=\"noopener noreferrer\">internal audit<\/a> is conducted, the Information Security Policy must ensure that results, particularly nonconformities and opportunities for improvements, are identified and acted upon (e.g., by defining where to record them, who is responsible, etc.).<\/p>\n<p>The\u00a0<a href=\"https:\/\/advisera.com\/20000academy\/documentation\/information-security-management-policy-iso-20000\/\" target=\"_blank\" rel=\"noopener noreferrer\">Information Security Policy<\/a> is important for all employees of the company, but also for all other parties involved in service management. These are your suppliers, customers, and sub-contractors. So, it\u2019s advisable to define, in the policy, who the users of the policy are (i.e., for whom it is intended), as well as who communicates the policy, and how. But, be careful. 
If there are customer- or supplier-specific aspects that the policy needs to address, then you need to define these in the policy, and apply them in the SMS.<\/p>\n<p style=\"text-align: center\"><img decoding=\"async\" class=\"aligncenter wp-image-7915 size-full\" src=\"\/wp-content\/uploads\/\/sites\/6\/2017\/12\/Information_Security_Policy_TOC.png\" alt=\"Content of the Information Security Policy\" width=\"421\" height=\"244\" srcset=\"\/wp-content\/uploads\/sites\/6\/2017\/12\/Information_Security_Policy_TOC.png 421w, \/wp-content\/uploads\/sites\/6\/2017\/12\/Information_Security_Policy_TOC-300x174.png 300w\" sizes=\"(max-width: 421px) 100vw, 421px\" \/><em>Figure 1. Example of the content of the Information Security Policy<\/em><\/p>\n<h2>For the benefit of the company<\/h2>\n<p>As you can see, the Information Security Policy doesn\u2019t go into processes and related activities or technology. It includes mechanisms that (top) management needs in order to be sure that information security is managed. Therefore, management needs to be involved in the creation of the policy, and for that, they need to understand it.<\/p>\n<p>Avoid a lengthy document (no one reads them, anyway), make it easy to understand, and align it with corporate goals \u2013 and you\u2019ve taken the first step in the right direction. Continue making small steps (specific information security policies), and that will get you to the end of the road.<\/p>\n<p><em>To implement ISO 20000 easily and efficiently, use our<\/em> <a href=\"https:\/\/advisera.com\/20000academy\/iso-20000-documentation-toolkit\/\" target=\"_blank\" rel=\"noopener\">ISO 20000 Documentation Toolkit<\/a> <em>that provides step-by-step guidance for full ISO 20000 compliance.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>After years in IT Service Management (ITSM), now I know that the first Information Security Policy that came into my hands was \u2013 a miss. It was more like a small book. 
That document (I wouldn\u2019t even call it a \u201cpolicy\u201d) contained all that was relevant for information security management. Did I read it? No, &#8230;<\/p>\n","protected":false},"author":32,"featured_media":7913,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[609,608,366,344],"class_list":["post-7912","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-information-security-management","tag-information-security-policy","tag-iso-20000","tag-itil"],"acf":[],"_links":{"self":[{"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/posts\/7912","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/users\/32"}],"replies":[{"embeddable":true,"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/comments?post=7912"}],"version-history":[{"count":1,"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/posts\/7912\/revisions"}],"predecessor-version":[{"id":17933,"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/posts\/7912\/revisions\/17933"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/media\/7913"}],"wp:attachment":[{"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/media?parent=7912"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/categories?post=7912"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/tags?post=7912"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}