Create the foundation of an Information Security Management System by detailing the objectives of information security within a policy that outlines the principles, processes and controls that your Company will maintain.
Whether large or small, this high-level policy is key since it is primarily aimed at ensuring senior management agrees with and maintains control over information security practices and that they are aligned with the Company’s strategic objectives.
Implementing this high-level policy allows SMEs to add more detailed policies for selected areas of information security (InfoSec) as they become applicable over time. It is unlikely that you will need all 20+ InfoSec policies when you first launch, but as you grow and risks change you can expand the scope of your InfoSec program.
Delivering shorter, more specific policies to those who need them means they are more likely to be followed and therefore to achieve their goal of reducing risk. Traditional all-encompassing 60-page InfoSec policies are difficult to digest and keep up to date.
The policy includes sections on:
- The aims and objectives of InfoSec for your organisation
- Maintenance of an asset register
- Information Security controls
- Business Continuity
- Information Security Training