A.5 Information security policies
A.5.1 Management direction for information security
Objective:
To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
A.5.1.1 Policies for information security
Control
A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties.
At the highest level, organizations should define an "information security policy" which is approved by management and which sets out the organization's approach to managing its information security objectives. Information security policies should address requirements created by:
- Business strategy;
- Regulations, legislation, and contracts;
- The current and projected information security threat environment.
The information security policy should contain statements concerning:
- Definition of information security, objectives, and principles to guide all activities relating to information security;
- Assignment of general and specific responsibilities for information security management to defined roles;
- Processes for handling deviations and exceptions.
At a lower level, the information security policy should be supported by topic-specific policies, which further mandate the implementation of information security controls and are typically structured to address the needs of certain target groups within an organization or to cover certain topics.
Examples of such policy topics include:
- Access control;
- Information classification and handling;
- Physical and environmental security;
- End user-oriented topics such as:
  - Acceptable use of assets;
  - Clear desk and clear screen;
  - Information transfer;
  - Mobile devices and teleworking;
  - Restrictions on software installations and use;
- Backup;
- Information transfer;
- Protection from malware;
- Management of technical vulnerabilities;
- Cryptographic controls;
- Communications security;
- Privacy and protection of personally identifiable information;
- Supplier relationships.
These policies should be communicated to employees and relevant external parties in a form that is relevant, accessible, and understandable to the intended reader, e.g. in the context of an "information security awareness, education and training program".

The need for internal policies for information security varies across organizations. Internal policies are especially useful in larger and more complex organizations, where those defining and approving the expected levels of control are segregated from those implementing the controls, or in situations where a policy applies to many different people or functions in the organization.

Policies for information security can be issued in a single "information security policy" document or as a set of individual but related documents. If any of the information security policies are distributed outside the organization, care should be taken not to disclose confidential information (for example, details of specific controls, system names, or known weaknesses that an external reader does not need). Some organizations use other terms for these policy documents, such as "Standards", "Directives" or "Rules".