Why is an information security policy so important?

Information security is all about protecting your organisation’s information, whether it is held digitally or in hard copy. ISO 27000 – which defines the key terms of ISO 27001, the international standard for information security management – defines information security as the “preservation of confidentiality, integrity and availability of information”. After all, for information to be useful and secure it has to be available to authorised persons, withheld from unauthorised persons, and accurate and complete.

An information security policy is a crucial document for any organisation and its information security arrangements. The policy should be a short and simple document: a couple of pages that capture the organisation’s context – including stakeholders’ requirements – to bring it in line with ISO 27001. Keeping it simple will also allow for more flexibility to change it as the organisation’s needs and requirements evolve.

The information security policy should:

  • Include a framework for setting its objectives;
  • Establish the sense of direction for your objectives;
  • Consider all relevant business, legal, regulatory and contractual requirements;
  • Be in line with your organisation’s overall strategic goals; and
  • Set out the criteria by which risk is evaluated and how that evaluation is structured.

Your information security policy can also be a good document to share externally. Stakeholders – including customers and partners – will welcome the reassurance that their information is treated with respect and kept secure. It can also be a good document to show regulators, particularly if it features your SoA (Statement of Applicability) – an ISO 27001 requirement that sets out exactly which controls are in place. The introduction of the GDPR (General Data Protection Regulation), which applies to all organisations that process EU residents’ personal data, makes the policy and SoA even more crucial.

How Vigilant Software can help

Stay secure with our risk assessment software tool vsRisk Standalone. Fully aligned with ISO 27001, vsRisk Standalone helps you deliver fast, accurate and hassle-free risk assessments.

It eliminates the need to use spreadsheets, which are prone to user input errors and can be difficult to set up and maintain. With vsRisk Standalone, you can produce consistent, robust and reliable risk assessments year after year.
