How to Write the First Policy in an ISMS (Information Security Management System)
Let’s start with the basics.
What is an ISMS?
ISMS stands for “information security management system.” An ISMS is a documented management system that consists of a set of security controls that protect the confidentiality, availability, and integrity of assets from threats and vulnerabilities. If you follow a framework like ISO 27000 you can utilize that framework as the basis for your ISMS. ISO 27000 is not the only framework available, but it is widely accepted in the world.
What is an information security policy?
An information security policy establishes an organization’s aims and objectives on various security concerns.
For example, a password policy might outline rules for creating passwords or how long passwords are to be kept before requiring a change.
Unlike processes and procedures, policies do not include instructions on how to perform the work that they are requiring.
Instead, they acknowledge which risks the organization intends to address and broadly explains the method that will be used.
What an information security policy should contain.
Those looking to create an information security policy should review ISO 27001, the international standard for information security management.
Although the Standard doesn’t list specific issues that must be covered in an information security policy (it understands that every business has its own challenges and policy requirements), it provides a framework that you can build around.
If you follow ISO 27001’s guidance, your information security policy will:
- Provide information security direction for your organization.
- Include information security objectives.
- Include information on how you will meet business, contractual, legal or regulatory requirements.
- Contain a commitment to continually improve your ISMS (information security management system).
Information security policy template.
Documenting your policies takes a lot of time and effort, and you might still overlook key policies or fail to address important issues. Create a template and use it to create all the remaining policies. It should use most if not all the headings below.
- Title
- Purpose
- Scope
- Responsibility
- Applicable
- Policy
- Dictionary (Terms)
- Enforcement
- References (Standards)
- Authors
- Change Management Block
What policies should you create?
Your policies will depend on the needs of your organization, so each organization will have different policies. There are some risks that are so common that they are practically universal. For example, you will almost certainly need policies on:
Remote access
If you give employees the opportunity to work from home or on the road – or if give them the option of checking their work emails in their spare time you will need a remote access policy.
The remote access policy will address the vulnerabilities that occur when employees are not protected by the organization’s internal physical and network security provisions.
an employee working at Starbucks needs to be aware of exposing sensitive information to someone peering over their shoulder. And to not just connect to the open hotspot.
Password management
Practically every organization gives its employees user accounts that give them access to sensitive information.
But unless employees secure these accounts with strong passwords, hackers will be able to crack them in minutes. Organizations must mitigate this risk by creating rules to control acceptable passwords.
Your password policy should acknowledge the risks that come with poor credential habits and establish means of mitigating the risk of password breaches.
Acceptable use
Organizations have generally come to accept that employees will occasionally check their personal email or Facebook feed.
This policy is key to spelling out what is allowed and what is not on the corporate network.
Most corporations that I help have anywhere from 20 – 50 total policies when they are finished, this number is dependent on the size, complexity and maturity of the organization.