A critical starting point for establishing an appropriate Information Security Management System (ISMS) is the organisation’s security policy. This must be:
- Firmly articulated and agreed from the top down
- Clearly documented
- Proactively communicated to all relevant parties
- Regularly reviewed and kept up to date
It can be difficult for an enterprise to make objective, well-informed decisions about how to adopt, document and communicate policies that strike an optimum balance between effectiveness, accessibility and cost. Most organisations’ internal IT functions are focused on delivering the operational services their business requires, leaving little if any time for more specialist security matters or for keeping up with the latest developments in information security best practice. Those with dedicated security teams also acknowledge that, under internal business pressures, they cannot be expected always to be completely objective in assessing risk and deciding on appropriate measures to address it; objectivity and independence are critical to adequately addressing security requirements.
It is therefore a sensible best-practice first step for any organisation to solicit support from an independent, expert reviewer and advisor, to assess how current practices and security measures match up to currently accepted industry good practice. The critical requirement to establish and document appropriate corporate security policy is an ideal starting point where Commissum is able to add significant value.
Commissum typically adopts a two-phase approach. Initially, we work with the client to establish a sound understanding of the organisation, its business drivers and its risk profile. Any existing documentation is reviewed and recommendations made on addressing deficiencies. The output is:
1. Advice on any gaps in the existing policies, i.e. ensuring that they:
   - Appropriately adopt current industry good security practice
   - Reflect the security posture of the organisation, including any industry- or organisation-specific issues
2. Recommendations on a structure for the policy set that ensures it is:
   - Simple to access, navigate and understand
   - Readily supportable by the client from the perspective of maintaining currency
3. A more detailed schedule for the implementation of recommendations.
Phase 1 is conducted as an intensive period of discussion with key staff and inspection of facilities, systems and documentation; a picture is built up of the security posture of the organisation, its business drivers and the business context for the policies. This includes analysis of any existing policies and other relevant documentation and preparation of recommendations.
The schedule produced from Phase 1 is discussed with the client and the areas for Phase 2 are agreed. We would usually propose that the final documentation set adopt our preferred hierarchical structure, as follows, but this will be discussed and agreed as part of the assignment:
- Top level security policy document – provides the statement of corporate commitment and high level statement of objectives and scope. It establishes the framework for the supporting policy and procedures
- Subsidiary policy documents – these would cover discrete identified subject areas at policy level, e.g. incident response, third party access, etc.
- Supporting procedures, technical standards and AUPs – these identify a more detailed specification of what should be done and how
We can help identify priorities to make sure your information security policy is practical, proportionate and fit for purpose for your organisation’s requirements.