The first part of our series discusses the category Management direction for information security in the Information security policies clause . There are 2 controls in this category and they deal with having written, accessible and reviewed information security policies.
5.1.1. POLICIES FOR INFORMATION SECURITY.
Organizations should have written documents, detailing their security policies, standards, guidelines and procedures, and these should be readily accessible to staff and other relevant parties. There are two “levels” of documents you should keep. The first level is the Information security policy which gives a high-level view of our security objectives. It displays the reasoning for our security policies and how they tie into your organization’s goals. It describes the security we have and shows that senior management supports the organizations security initiatives, which can be very important for gaining employee support and compliance. These policy provides direction for an organization with regards to security, and it may reference regulations, legislation and other lower level organization policies. It should also provide guidance on how deviations to policy requirements are handled by management.
The second “level” includes lower level policies that are simple, easy to understand and highly specific. They may describe Acceptable Use of IT systems and resources, how identity and access is managed and how the organization treats personally identifiable information(PII). There can be many policies but they need to be specific in their focus and simple to understand of all employees. Your organization can have dozens of policies if needed, but there are some specifically recommended by ISO in these controls.
These recommends policies are:
- Access control,
- Information classification,
- Physical and environmental security,
- Acceptable use of resources,
- Clear desk and clear screen,
- Information transfer,
- Mobile devices and teleworking,
- Restrictions on software installation and use,
- Protection from malware,
- Management of technical vulnerabilities,
- Cryptographic controls,
- Communications security,
- Privacy and protection of personally identifiable information,
- Supplier relationships.
5.1.2. REVIEW OF POLICIES FOR INFORMATION SECURITY.
Like all parts of security, policies should not be static, they should follow a life cycle of continuous improvement. The organization and the environment in which the organization operates is fluid and subject to change. To reflect this there should be a process in place for regular reviews of the policies. Again, this is not because there may be errors in your latest draft, but because security as a landscape is constantly shifting. With new laws, such as the General Data Protection Regulation and Network and Information Systems Directive in the European Union, being introduced and past laws like the EU-US Safe harbour agreement being invalidated, our policies should be reviewed on at least an annual basis to make sure they are still fit for purpose. This will not only keep your organization safe from a regulatory perspective but for changes to the security landscape too, such as incorporating the introduction of new technologies such as IoT and wearables devices into our security plans, allowing our policies to evolve over time to best protect the organization and to ensure best practices can be adhered to and updated.