ISO 27001:2022 - The Importance of the Information Security Policy for the ISMS
Jessica Doering

October 14, 2024


What is an information security policy?

Yes, anyone involved in information security or cybersecurity can tell you a thing or two about this, and it is absolutely not a new insight:

"Neither the hardware nor the software, but the people are the weakest part of any company's security measures."

Perfect processes are developed for weeks, investments are made in the latest technology... and then there is the employee who accidentally passes data on to third parties or simply doesn't have the "time or desire" for security awareness training.

Employees who are far removed from ISO 27001 often don't really know how important the security measures in their company are. Even worse, they don't take them seriously or simply don't know how to deal with them. The motto is "nothing serious will happen because of me"... a classic situation!

To address this everyday reality, information security policies must be among the most important elements of an organization's protection.

Policies provide the framework for an organization's overall approach to information security, with each policy targeting specific practices and business areas (ISO 27001:2022 Clause 5.2, Policy).

What is the purpose of an information security policy?

First, the facts: 

  • The information security policy gives a comprehensive overview of the organization's requirements. It also sets the parameters of the information security risk assessment, including the organization's risk acceptance criteria (ISO 27001 Clause 6.1.2, Information security risk assessment process).
  • Information security policies are the outcome of risk assessments that identify threats and vulnerabilities, and of the risk treatment (Clause 6.1.3) that selects protective measures.
  • Every policy addresses a risk or group of risks and defines the organization's approach to mitigating them.

Take the threat of phishing, for example. Here, the policy should explain what phishing is and tell employees whom to contact if they have become a victim of a phishing scam, or even just suspect that they have.

Yes, phishing still exists. It is a form of fraud in which an attacker poses as a legitimate organization or person in emails or other forms of communication, usually to steal credentials or money or to deliver malware. Surprisingly, enough people still click on links that scream "scam" by their very appearance. Why, fellows, why?

So the policy states whether phishing is covered in employee training and when those courses take place. Most companies offer an e-learning course to raise employee awareness. In this case, a link to this mandatory training must be included in the policy.

What should be considered in an information security policy?

First and foremost: these policies must contain information that is relevant to the organization and its practices.

Which elements should you include as a starting point?

1. Scope of the information security policy

The scope of an information security policy should cover which information is protected, where it resides (in applications, systems, facilities and other infrastructure), and who has access to it.

2. The information security policy statement

The policy statement is the part of the policy that explains the organization's approach to information security. It describes the environment in which the organization operates, the laws and regulations it is bound by independently of the ISMS, and the categories of information it works with. It must also make clear how seriously the organization takes the security of its information and information systems. So please do not joke around. The office dog does not have to undergo the same security training as the accountant.

3. Objectives of the information security policy

To verify that the ISMS is working properly, objectives must be set (ISO 27001 Clause 6.2)! This ensures that the ISMS functions effectively and in accordance with laws, regulations and also contracts.

These objectives should be as measurable as possible (Clause 6.2 asks for measurable objectives where practicable). "At least 95% of employees complete the annual awareness training" can be measured; "employees are aware of phishing" cannot. Subjective assessments, possibly even biased ones, lead to inaccurate reports. This happens faster than you think, especially in organizations that see information security as a demand for ever higher investment and therefore view it negatively, or in those that claim that existing measures are effective and no further action is needed.

These are probably also the employees who still believe, when they click on the link in the crazy colorful email, that they have won a vacuum cleaner from the world's leading appliance manufacturer based in Montana. WOW. That's not true, by the way. What is true, however, is that there are phishing threats in Montana too.

Therefore, no matter where organizations are headquartered, they should follow the three basic principles of ISO 27001: confidentiality, integrity and availability.

Which objectives you choose depends on your industry and on the risks you have identified.

And: businesses grow and change over time, so the objectives must be kept in mind and reviewed. If a particular objective no longer fits, update it accordingly. And as you grow, you cannot avoid bringing new areas into scope! Remember that!

Specific Information Security Policies

In addition to your general information security policy, you should also document topic-specific policies (ISO 27001:2022 Annex A control 5.1 requires them alongside the overall policy).

Hmm, so which specific topics should you keep documentation on? While the documentation depends on the type of organization and the risks you have identified, a policy on each of the following items is something every organization should have:

1. Access Control

Companies must create an access control policy (Annex A control 5.15 in ISO 27001:2022). It ensures that only authorized users can access certain resources, such as applications, files or even entire systems, whether to view information or to modify it.

Access controls protect the confidentiality and integrity of the organization's information against outsiders as well as insiders: information is protected wherever it is stored, and so are the information systems through which it can be reached. In practice this means authentication (passwords, multi-factor authentication or other technical measures) and authorization, granting each user only the access their role requires.

2. Information classification

Organizations typically classify information by confidentiality, with a typical scheme having four levels (for example public, internal, confidential and strictly confidential). Surprisingly, we have a blog post about defining such a scheme and rolling it out internally.

3. Employees awareness training

As mentioned several times, employees most often expose the organization through mistakes. These can be simple carelessness, or they can be deliberately provoked and exploited by cybercriminals.

Employees' inability to recognize a fake message, for example, must be addressed through employee awareness training.

Last but not least, topic-specific policies on incident detection and response, remote work, data backup, physical security, and employee rights and responsibilities should also be documented.

We can help you with your policies, even if you are a Montana resident :)! Contact us!


Jessica Doering is the marketing mind at Secfix. She loves every dog on this planet!
