Part 15: Clause 5.2 Information Security Policy
At the head of every information security management system (ISMS) sits the information security policy. This is one of the first documents you create when building your ISMS, and is also one of the most important.
The Policy is the foundation of your whole ISMS. It’s what your entire system will be built on. The Policy should clearly communicate the intentions and the strategic impact of information security.
This Policy is a document that is established, implemented and maintained by the senior managers of your organisation. Not involving them in creating the document is a big mistake. If they aren’t involved it will then make implementing and maintaining your ISMS very difficult.
The Policy must align with the overall purpose and context of your organisation and be formally communicated to all staff.
Its role is to create one clear vision so that everyone understands the objectives and strategic direction of your information security. And it had better do this well, because it’s from the Policy that everything else contained in the entire system will flow.
Here’s an example of what I mean. The Policy sits at the top of the documentation hierarchy. From the Policy flow objectives. From these objectives high-level procedures will be created. These procedures will drive the creation of forms and records, which in turn will create the details for SOPs and so on. Essentially the policy is embedded in each and every document in the system.
What can go wrong with Information Security Policies?
Organisations which find themselves with an ineffective Policy will eventually find themselves with a poorly performing ISMS as a whole. If your ISMS is performing poorly, it could be because your Policy is:
- Too complex and lacking in clarity;
- A process instead of a policy;
- Not clearly communicated throughout the organisation, and/or
- Not fully committed to by management.
Our Experience at Mango
Here at Mango, we asked for input into the Policy from all employees of the company. We listened to our staff because we value them highly, and because we wanted to encourage them to get on board with our Policy and to share the same desired vision. This was an effective strategy for us as it encouraged participation and enhanced the engagement of our staff. If you are part of a small organisation then I strongly encourage you to adopt a similar approach.
Communicate the Policy
Once your Policy is finalised it is important that management clearly communicates it to your staff and makes access to it easy. At Mango, we sat down with our staff and went over our finalised Policy to ensure everyone’s understanding was correct. We then uploaded it into our Mango document management system so that our staff could access it at any time.
Here are the takeaways from this:
- The Policy does not need to be overly complicated. Simplicity is best.
- The Policy needs to be communicated, understood and applied within the organisation.
- Management need to show commitment to the Policy and be role models for the staff under them.
- Commitment needs to be shown at all levels of the organisation.
View previous blogs in this series "ISO 27001 Information Security Management Standard":