I have worked with information security for several years (despite my young age) and I have seen numerous policies, rules, procedures and other types of security documentation. What works best is a clear, well-defined breakdown between these, for example:
- Policy: Our ambitions and goals. What do we want to achieve? What is the scope? It should be short - preferably no more than one page.
- Rules: What do we do? What don't we do? What are we (not) allowed to do? The rules must be precise about who is responsible for carrying out each task.
- Procedures: 'How-to' documents that describe step by step how a rule is put into practice.
I will focus the rest of this post on the rules document. The rules document tends to become (too) long in some companies. A good tip is to divide the rules up by target group. That way a user only needs to read the rules that are relevant to his or her job. Some companies even print an end-user-friendly leaflet containing only the most important information security rules - we call it a PIXI (a small booklet).
And then there is the question of structure. Which chapters should the rules document contain? Some users want descriptive headings sorted in a way that seems logical to them. Others prefer a structure that matches the 2005 version of ISO 27002 - these are typically the people working directly with information security. The ISO structure is convenient for the security or IT department, because the standard is an expression of best practice: using the same structure makes it easy to check that nothing has been forgotten, but sometimes at the expense of usability for everyone else. A PIXI booklet can make up for this, though.
As you know, ISO 27002 was updated a little less than half a year ago. The question is: should the structure of your information security handbook now be changed to reflect the structure of the new version? The 2013 version is very similar to the one from 2005, but some chapters have been moved around, some have been deleted and new ones have been added. This means that the numbering of chapters has changed - even at the top level. The standard describes a number of controls (with three-level numbering), and a given number no longer points to the same control: for instance, 8.1.1 in the 2005 edition is "Roles and responsibilities" under Human resources security, whereas 8.1.1 in the 2013 edition is "Inventory of assets" under Asset management. Any cross-reference from your rules to the standard by chapter number alone is therefore no longer reliable.
The answer to whether you should switch to the new standard is a definite "yes". You must keep your information security up to date, and it is neither effective nor good practice to follow obsolete standards for information security.
To help you on your way, Neupart has created an overview of the main chapters of ISO 27002:2013 compared to the 2005 version.
If you are using an ISMS tool, such as SecureAware, the switch can be made more or less automatically. The latest version of SecureAware includes tools that generate an automatic gap analysis comparing your old information security handbook to the new standard. Since SecureAware knows both the old and the new standard, it can generate a draft rules document based on the new ISO 27002: it simply moves your existing rules into the corresponding chapters of the new structure. According to Neupart, it places up to 90% of the rules correctly, and the remaining rules are easily moved to the right chapter manually. Whatever tool you use, review the result against the new standard afterwards, since a rule that was mapped to a chapter automatically may still need rewording to match the control it now sits under.
Please share your opinion and experience with building a
useful and effective information security policy below.