Policy is the equivalent of a corporate mission, since without a mission there is no corporate project. So, without a policy, information security management has no objective and, unfortunately, little chance of success.

An information security policy is therefore a set of rules, procedures and practices designed to protect an organization’s sensitive data and IT systems.
We could replace the word “policy” with “objective”, “wish” or “vision”, since it is a statement by senior management that sets the direction in which all of the organization’s efforts will be directed.
The stated aim of an information security policy is to guarantee the confidentiality, integrity and availability of data and systems, to minimize security risks and to ensure compliance with the laws and regulations that apply to the organization.
The creation of an information security policy is a shared responsibility between the organization’s information systems managers and senior executives. They must work together to achieve the objectives of protecting sensitive data and IT systems.
Clause 5.2 of ISO 27001 is aligned with its Annex A, which defines the various security controls to be implemented to achieve the information security objectives.
Security objectives
Once the guiding principles or policy vision statement has been established, the organization must set out the objectives it wishes to achieve.
An information security objective is a specific, high-level goal that an organization sets itself to protect its sensitive data and IT systems. Information security objectives can include:
- Confidentiality: ensuring that sensitive data is protected against unauthorized access and disclosure.
- Integrity: ensuring that data is accurate, reliable and not altered intentionally or accidentally.
- Availability: ensuring that data and IT systems are accessible to authorized people when they need them.
- Regulatory compliance: ensuring that information security policies comply with current laws and regulations, such as Bill 25 (personal information in the private sector) in Quebec, or the GDPR in Europe.
- Disaster recovery: ensuring that data and IT systems can be recovered quickly in the event of a disaster, such as fire, flood or computer attack.
Information security objectives may vary according to the specific needs of the organization and the industry in which it operates.
Clearly defined information security objectives are important for guiding the implementation of effective security measures, and for subsequent evaluation of information security performance.
We’ll take a closer look at the definition of information security objectives in the section on clause 6.2 of ISO 27001.
Types of document: policy, directive, norm and standard
There are many different types of document. Policies, guidelines, norms and standards are all documents that define information security expectations for a company or organization. However, they may have different functions and different levels of formality.
An organization may therefore need several levels of documents in order to operate effectively within its information security framework.
- A policy defines the information security expectations of a company or organization. Policies are generally drawn up by information security or IT managers, and must be **approved** and implemented by the organization’s senior management.
- Guidelines can provide instructions on the specific measures to be taken to protect sensitive data and IT systems, as well as on employees’ security responsibilities.
- A norm is a document drawn up by a standards organization, describing performance criteria for a certain activity or technology. Norms can define information security expectations for a specific industry or sector of activity, e.g. ISO 27001, NIST CSF, PCI DSS or CMMC.
- A standard is a document describing the performance criteria required for a product, process or service. Standards can include minimum or desired information security requirements for IT products or cloud services, for example.
- An operating procedure is a document describing the steps to be taken to perform a specific task in a consistent and reliable manner. In the field of information security, an operational procedure may describe the steps to be taken to ensure the security of data and computer systems.
In a nutshell, **policies** define information security expectations for a company or organization, guidelines give instructions on the steps to be taken to meet these expectations, norms define expectations for a specific industry or sector of activity, and standards define the performance criteria required for products, processes or services.
For a small organization, there are usually only 3 levels: management information security policy, information systems guidelines and operational procedures.
However, for larger organizations, other types of document may be required, such as:
- Framework: a set of practices or procedures for limiting the hazards, threats or risks to the organization’s assets.
- Positioning: represents management’s desired position for a part of the organization on a defined topic, such as whether or not the organization favors a given technology or procedure.
- Opinion: represents a group’s opinion on a subject, with a view to formulating a future position. There may be several opinions on the same subject, from several different groups. Each opinion carries a rationale that supports the decision-making process.
- Guide: Document to assist in the choice of different configurations for a solution or implementation.
- Solution architecture: Document describing a chosen solution, the risks and the protective measures to be added or implemented.
- Technical architecture: Document describing the technical and practical implementation of a solution.
Different documents have different roles in the organization. For example, policy documents are created and approved by members of the executive to provide guidance on how the organization should operate.
Procedure or directive documents are then created in line with these guidelines, but they tend to be more specific and describe the steps to be followed in operations. They are usually approved only by the manager or team leader.
Choosing the right type of document
Each type of document has its own purpose and place in the organization, helping it operate more efficiently and stay in control of its mission.
For example, the choice of document type depends on the following factors:
- Level of distribution, either the whole organization or a small group
- Level of approval required for implementation
- Technical details of the document
- Target audience
- And finally, its objective
In terms of responsibility and authority, bear in mind that policy documents constitute the highest level of guidance in an organization, and serve as the basis for all other operational documents.
Policy documents must undergo regular formal review to ensure that they remain consistent with the organization’s mission and objectives.
Regular review ensures that the security policy remains aligned with the organization’s values and vision.
To ensure that the document is followed and implemented correctly within the organization, procedure documents must specify who is responsible for implementing them, and what authority these people have.
By understanding the different roles, responsibilities and powers of each type of document, organizations can use them effectively to achieve their goals and objectives. This supports an efficient and effective organization by establishing a clear framework for decision-making and operations.
The key is to ensure that each document serves its purpose and is used in accordance with the organization’s mission, vision and values.
Creating and maintaining documents is critical to an organization’s success, as it provides clear guidance on operations, decision-making, roles and responsibilities. By understanding their purpose, roles and authority within the organization, organizations can ensure that they remain efficient and healthy.
It’s important to remember that documents shouldn’t remain static, and managers should review them regularly and update or improve them as necessary. In this way, the organization allows itself to continually improve.
Document structure
When creating documentation of any kind, it’s important to think about who the documentation is intended for and what purpose it will serve.
The most important point at this stage, however, is to choose a format and language suited to the organization: for example, a policy that is too broad for a small organization is not appropriate and will lead the ISMS project to failure.
We’ll look at the details of creating and maintaining documentation in our review of clause 7.5 of ISO 27001.
More specifically, clause 7.5.2 addresses the subject of document creation in greater depth, notably by covering document layouts and nomenclature.
Success criteria
In order to determine whether we have complied with clause 5.2 of ISO 27001, here are a few questions an auditor might ask:
- How and when was the policy communicated throughout the organization?
- Where is it placed so that teams can access it as needed?
- Is there a commitment to continuous improvement?
- What are the objectives to be achieved by the ISMS and are they included in the policy?