A security policy establishes what must be done in order to protect an organisation’s information assets. A well-written policy sufficiently defines “what” to do. Part of information security management is determining how security will be maintained in your organisation and how much risk will be tolerated. Management defines information security policies to describe how the organisation wants to protect its information assets. After policies are outlined, standards are defined to set the mandatory rules and safeguards that will be used to implement the policies.
We can provide answers to the following questions:
- My organisation needs some policies. Where do I start, and what does finished look like?
- Do my policies reflect my organisation’s tolerance for risk?
- How can I write policies that my people will understand and follow?
- Will my policies pass an audit?
- Do I have all the policies my organisation needs to maintain an acceptable duty of care?