Cyber security policies 101 – information security policy
Published 2017-10-05, last modified 2020-11-27. https://cybersmart.com/blog/cyber-security-policies-101-info-sec-policy/

Cybersecurity and data protection can seem overwhelming. There is a glut of advice on the internet, but it is difficult to know where to start. At CyberSmart, we believe cybersecurity should be accessible and easy for everyone, so we have compiled a series of useful policies and procedures to help you find your way through the cyber-compliance jungle. This time, we look at how to set up an information security policy.


We know policies are not exciting, and few people enjoy reading or writing them. However, they are crucial for building a strong information security management system (ISMS). At CyberSmart we treat them as the guidelines that tell everyone what they can, should and should not do.

A few key points before we look at the information security policy:

1. Policies do not have to be long or wordy.
2. You do not need hundreds of policies; some can be combined and others omitted.
3. Policies should say what you do, and you should then do what you say. In other words, a policy should reflect the actual state of the ISMS, not an aspiration.
4. Policies should be as unique as your business. Do not just download a template and change the name; think about every paragraph and how it applies to your business.
5. Policies should reflect your company culture, and each policy should have a clearly named owner.

Information Security Policy

Purpose: to lay the foundation for the information security management system (ISMS). It should cover people, process and technology at a high level, and it is often best understood as the summary or umbrella document for all the other policies a company has rolled out.

General: the information security policy might look something like this. Its purpose is to define the management, personnel and technology structure of the ISMS.

A crucial part of this policy is answering the question of responsibility: who is the single point of contact responsible for information security? Is it the CEO or the IT manager, or do you need to appoint someone? It is equally important to define the scope of the policy, for example whether it applies to the entire HQ in London or only to a few departments at another office. A policy whose scope is unclear cannot be checked against what the organisation actually does.

A. Purpose & Policy Aims

B. Scope

C. Information Security Responsibilities

D. Legislation

E. Policy Framework