
Information Security Policies

We were asked to draft a set of security policies for a client that would help them achieve compliance with industry-standard security practices.

As they were building their security programme from the ground up, we suggested beginning with a security framework document that laid out their approach to information security and linked to the individual policies and procedures that would be developed later.

Although the client had no immediate ambition of achieving formal ISO certification, we were able to show that the ISO/IEC 27000 family of information security standards was as good a place as any to start. ISO/IEC 27001 and 27002 descend from the British Standard BS 7799 and have become the de facto standard for information security management.

Part of the remit was to enable the client to respond to the periodic security audit questionnaires they received from both prospective and existing customers. The questions tended to be highly technical, and without a security specialist on site our client found it difficult to know how best to respond. The majority of such questionnaires we have seen are based on ISO 27001/27002 and, to a lesser extent, COBIT, so we based the framework on ISO and mapped each chapter directly to the ISO 27002 control headings:

  • Security Policy
  • Organisation of Information Security
  • Asset Management
  • Human Resources Security
  • Physical and Environmental Security
  • Communications and Operations Management
  • Access Control
  • Information Systems Acquisition, Development and Maintenance
  • Information Security Incident Management
  • Business Continuity Management
  • Compliance

The headings above are the eleven control clauses of ISO/IEC 27002:2005; later revisions of the standard (2013 and 2022) regrouped the controls, so a framework keyed to these headings needs its mapping refreshed whenever a customer questionnaire cites a newer edition.

Each section was further broken down into sub-sections, with policy wording addressing each control objective within the standard.

References to supporting documentation (policies, procedures and standards) gave the reader the opportunity to drill down into the detail of each control.

In the end, the framework document ran to almost 100 pages. It felt a bit 'heavy', but at the end of the day it is a single document that pulls all of the information security policies together into one master document. The alternative, dozens if not hundreds of individual documents to maintain, each potentially written by different people and stored in different locations, seems a nightmare.

I know what I would prefer!

If you would like any advice or assistance drafting your security policies, give us a call on 08455 280038 and we will be happy to help.


1 Comment
  1. Awesome blog article. Thanks again. Cool.