Information Security Policy

An Information Security Policy is regarded as an essential document for good Information Security Management. ISO 27002 (ISO17799) identifies the objective of a policy as providing management guidance with clarity. A starting point for an information security policy can be the sections of ISO 27002:

- Security Organization

Depending on the nature of the business and the size of the organisation, it is likely that security policies need to be developed for various purposes. Examples of other policies that can be considered, at least in part, security policies are the e-mail policy, the user IT policy and the backup policy.

A security policy should be written in such a way that it does not need to be updated or changed regularly. It should, however, be reviewed regularly to ensure that it is not outdated for any reason.

Security policies are supported by Standards and Guidelines. These documents can be updated on a more frequent basis. Standards are, just like policies, mandatory for the organisation to follow, while guidelines are voluntary but can be implemented to ensure policy compliance. The level of detail contained in these documents also increases the lower in the hierarchy we get.

Links

The SANS security policy project contains lots of useful information on writing security policies, access the page here.