Policies and Objectives


What is an information security policy?

An information security policy sets out the overriding requirements your organisation must meet with regard to the security of its information systems. The policy should cover the organisation from all sides, including hardware, software, cyber security, human resources and access control.

Your information security policy should also be reviewed and updated regularly, so that it keeps pace with changing requirements, regulations and laws in the industry you operate in.

The policy will state the objectives of your organisation, followed by the steps employees must take in order to meet those objectives. Roles and responsibilities will be clearly defined.

A successful information security policy will also list the organisation's information assets and state how each one is to be managed and who is permitted to access it. For example, if your organisation stores data on behalf of medical institutions, the policy would make clear to every worker that access to that data is restricted to those who are authorised to handle it.


What is an information security objective?

An information security objective sets out what the organisation aims to achieve with its information security, including the purpose of the data or assets concerned and a plan for how the information and assets will be kept secure.

The information security objectives sit inside the information security policy, and can be adjusted depending on the types of security measures your organisation uses to protect its data.

The information security objectives should align with the overall business objectives, and should therefore take account of the budget, scope and stakeholders of your organisation.


What are the primary objectives of the development of an information security program?

The most important objective of an information security program is to protect the information and assets within your organisation.

In order to ensure this protection, the sub-objectives typically follow the three properties of confidentiality, integrity and availability:

  • Keep the information confidential by protecting it from disclosure to unauthorised personnel.
  • Preserve the integrity of the information by ensuring it is reliable and accurate. This is done by safeguarding it from being altered or modified without authorisation.
  • Maintain the availability of the information. This involves ensuring that authorised users can access the information and the systems that hold it whenever they need to, for example by guarding against outages, data loss and denial of service.

