Create the foundation of an Information Security Management System by detailing the objectives of information security within a policy that outlines the principles, processes and controls that your Company will maintain.
Whether large or small, this high-level policy is key since it is primarily aimed at ensuring senior management agree with and maintain control over information security practices and that they are aligned with the Company’s strategic objectives.
Implementing this high-level policy allows SMEs to add more detailed policies for selected areas of information security (InfoSec) as they become applicable over time. It is unlikely that you will need all 20+ InfoSec policies when you first launch, but as you grow and risks change you can expand the scope of your InfoSec programme.
Delivering shorter, more specific policies to those who need them means they are more likely to be followed and therefore achieve their goal of reducing risk. The traditional all-encompassing 60-page InfoSec policy inevitably becomes a hard-to-manage, tick-box exercise.
The policy includes sections on:
- The aims and objectives of InfoSec for your organisation
- Maintenance of an asset register
- Information Security controls
- Business Continuity
- Information Security Training