I assume that you mean how to write a security policy. One of the key controls in ISO 27001, a technology-neutral information security standard, is having an organisational security policy endorsed by senior management. In my experience, if you want to get senior management to sign something that the whole organisation can see, it's best to keep it short! It should cover the organisation's commitment to security, including who is responsible for infosec tasks. The security policy should also provide a pointer to more detailed documentation and guidance, and cover the key security requirements that the organisation is going to meet, like the Data Protection Act, for example.
Beyond that, policy documentation is very specific to the organisation. I do not believe that one set of documentation fits all organisations, but the security policies and procedures need to fit the organisation's culture if they are going to have any effect.
However you decide to frame the security policy template, here are key questions that you need to consider:
- What are your security objectives, and how do you measure them?
- What types of information do you handle, and how do the different types of information need to be protected?
- How do you assess risks and select security controls?
- How do you manage and report incidents, and learn from them?
- Who is responsible for security?
- What is acceptable employee use for Internet, email and other communication channels?
This was first published in October 2009