An information security policy is used to outline the overriding requirements your organisation has to meet regarding the security of its information systems. The policy should cover your organisation from all sides, including hardware, software, cyber security, human resources and access control.
Your information security policy should also be revised and updated regularly in order to keep up with changing demands or laws in the industry you operate in.
The policy will outline the objectives of your organisation, followed by the steps employees must take in order to meet these objectives. The roles and responsibilities will be clearly defined.
A successful information security policy will also outline all the assets and state how each one will be managed and who will have control of it. For example, if your organisation is storing data on behalf of medical institutes, the policy would be put in place so that all workers of the organisation know they are restricted from accessing this information.
An information security objective will outline the aims of information security, including the purpose of the data or assets, and a plan for how to keep the information and assets secure.
The information security objectives will sit inside the information security policy, and can be altered depending on the types of security measures your organisation is using to protect data.
The information security objectives should align with the overall business objectives, and therefore consider the budget, scope and stakeholders of your organisation.
The most important objective of an information security program is to protect the information and assets within your organisation.
In order to ensure this protection, some sub-objectives may be: