By vitormaleite

Managing Information Security Policies

Updated: May 5

Definition and Structure

To ensure we're on the same page, let's start from the definition that an Information Security Policy (ISP) is nothing more than "a formal document that outlines guidelines and instructions regarding information security within an organization." By analogy, it is the "rules of the game."

Because these "rules" must be directly aligned with the organization's business objectives and needs, as well as with current laws and regulations, they naturally require the continuous support of top management or the executive body. At the same time, one should not forget to consider the technological, physical, legal, procedural, and human aspects.

Managing Policies

After it has been created and structured, the policy is implemented within the company, but it still needs to be continuously managed, and this is where best practices come into play. So, don't forget to:

  1. Review policies annually or when there are changes in the business: If your policy remains only on paper and does not reflect your business, it will become useless. Therefore, review it at least once a year or when changes occur in your business.

  2. Keep policies in a centralized location: This will allow all relevant stakeholders, whether they are employees, service providers, or third parties, to know where to turn if they have questions about any established policy.

  3. Communicate with stakeholders about the changes made: The methods used to make users aware of established policies are diverse and should use both traditional and non-traditional channels, such as posters, desktop wallpapers, email tips, plays, lectures, brochures, videos, intranet posts, instructor-led sessions, award sessions, and more. The idea is to ensure that users are aware of the existence of information security threats, can recognize them, and react to them correctly and as expected.

  4. Use clear and concise language: For the general rules described in the ISP to be clearly understood by its readers, it should be simple and understandable for all company employees. Poorly written documents are usually misunderstood; if users can read the ISP without misinterpretation or confusion, it was well written.

  5. Maintain a revision history: Having a history in your policies is essential, as it ensures that you won't lose traceability of information, such as who created the document, when it was created and approved, who approved it, and which version is current.

Putting what is written in the policies into practice is the key, and managing the mentioned aspects will undoubtedly ensure effective execution of your information security program.
