Policies

What is a policy?

Policies are a set of rules and guidelines put in place to govern operations and protect assets. It is important to have determined the objective before starting to write a new policy. A new policy might be prompted by a change in regulations or industry standards, or by an identified risk.

What should a good policy include?

Objective

The objective needs to be determined first. Once the purpose of the policy is clear, it is important to gather information and conduct research on the subject matter of the policy. There are a number of ways to find current best practices, laws, and regulations and to identify the items that need to be addressed; ISO 27002:2022 is a good source of information to start with. To get detailed information that specifically fits each organization, it is very common to hire a consultant experienced in information security. It is essential to seek legal counsel to be sure that a policy addressing any legal risk complies with laws and regulations. Organizations with little appetite for fines should consider this.

Policy statement

Based on the organization's research and analysis, a policy statement is written that lays out the organization's intentions or objectives for the policy and what it seeks to accomplish.

Audience

It's important to keep in mind that there should be a specific audience for whom the policy is written. This does not have to be documented in the policy, but it could help the reader understand the context. The policy should be published and always available to the audience and relevant stakeholders.

Roles and responsibilities

It is most common for a policy to address a group of people, but sometimes a specific action mentioned in the policy is the responsibility of a specific group (such as a department) or of an individual or role. If this is the case, it needs to be clearly stated who is responsible for doing what the organization deems necessary. Where a certain act is the responsibility of a certain role, it is usually acceptable to state that it may be outsourced within the organization if needed.

What else?

Based on research and analysis, the organization will gather statements, or a set of rules, that help the organization meet the objective. These rules must be written clearly and in plain English (or whichever language the organization uses). The document needs to be under version control (what was changed, who changed it, and when).

Then what?

After the policy has been presented to the relevant stakeholders, it should go through an official approval process in which someone with clear authority to do so approves it. This might be the CEO, another C-level executive or a senior manager. The document must be scheduled for review on a regular basis and whenever a major change happens that might affect the objective of the policy. This ensures that it remains relevant and effective in the organization's context.

Processes

In my mind, processes are formal documents with sets of actions on how to do things securely and without putting the organization in any danger. They support the employee in meeting the requirements of the organization's policies. These documents follow the same document control process that the organization has for its policies.

Procedures / Guidelines

Procedures are much less formal and might change more often than processes. Usually, the document control process does not apply to procedures. To the untrained eye they might look like a process, but in my mind they are similar to user guides. A procedure is really just a document stating the official way to do a certain act.

Examples of common documents

  • Information Security Policy (High-level policy on how the organization manages information security)
  • Access Control Policy (How the organization manages risk for access to information)
  • Risk assessment process (How to assess and mitigate risk)
  • Backup review procedure (Ensure that the organization is backing up the necessary information)