CISO Newsletter

CISO Newsletter: Information Security Policy – Mandatory Bureaucracy or Business Enabler?

An information security policy is the constitution of a company’s cybersecurity. According to the ISO 27001 standard (clause 5.2), top management must establish it, it must be available as documented information, it must be communicated within the organization, and it must be made available to interested parties as appropriate. But is this merely a checkbox on the road to certification, or something more important? Let’s take a moment to consider how an information security policy can be harnessed as a driver of business.

It’s easy to see how an information security policy helps with the internal implementation of information security. It defines the authority of those responsible for security and requires everyone to act in accordance with the rules. This is certainly important, but an internal document alone does not build trust among partners and customers. For this reason, when drafting a policy, external stakeholders are often kept in mind as well — either by writing the policy without overly sensitive details, or by creating two separate versions: one for internal use and one for broader purposes.

I would dare to argue, however, that a minimal information security policy that merely repeats the standard’s mandatory requirements is not the best option for external use. Does it truly create a solid sense of security? What if we step into the customer’s shoes and think about what we would want to see in a partner’s information security policy? What are the qualities of a high-caliber policy that genuinely support business and set a company apart from its competitors?

How to Harness the Information Security Policy as a Business Enabler?

Here are a few thoughts on how to turn an information security policy into a driver of business:

  1. Is information security truly a top priority for senior management, and is it a strategic objective? Does the policy describe how top management ensures security across the entire organization? Does the text feel genuine, or merely like a formality?
  2. Are the key information security roles defined clearly enough? Do they come with reasonable competency requirements and adequate resourcing? Is the company genuinely prepared to invest in security?
  3. Has responsibility for information security been embedded throughout the organization? Does the company invest in the security competence of its staff? Has it recognized that the majority of data breaches involve human factors in one way or another?
  4. Does the company recognize the importance of data belonging to other parties — that is, the value of external stakeholders’ own data? It is reassuring to read that a company has understood its role in safeguarding the data of its partners and customers.
  5. Is the company’s approach genuinely risk-based, or is that just a mandatory buzzword? A thorough risk management process ensures that limited resources are directed appropriately and that real risks are addressed effectively.
  6. PDCA — Plan, Do, Check, Act — is a core principle of the standard. It guides organizations toward self-critical thinking and continuous improvement. Highlighting this principle sends a strong message, underscoring that the company’s information security posture is alive and constantly evolving.
  7. Entrusting data to another party for processing requires trust. Transparency builds that trust. Does the company commit to acting openly even when things don’t go according to plan?

This list includes elements not found in off-the-shelf information security policy templates — yet they are all hallmarks of a strong security culture. So why not seize the opportunity and communicate these principles in this important document? The message that top management stands behind these values is useful internally, but equally valuable to other stakeholders. A policy like this would support the business and foster the growth of the organization’s security culture.

Finally, here is a bold thought on drafting an information security policy: what if a communications professional were brought in during the drafting process? This would improve the document’s effectiveness as a tool for strengthening the company’s image — both internally and externally — and would help the message of the policy as a business enabler come through far more powerfully.

Mikael Albrecht,

Senior Security Consultant, 2NS