Policy pile-up creates user uncertainty

How many ISO27001 policies are needed?

This blog was written after recently working with different companies on their Information Security Management Systems (ISMSs). The ISO27000 standard – the Overview and vocabulary part of the ISO27nnn series – defines an ISMS as consisting of “policies, procedures, guidelines, and associated resources and activities, collectively managed by an organization, in the pursuit of protecting its information assets”. An ISMS also covers the systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving information security to achieve business objectives based upon a risk assessment. This blog is about the documents that get produced.

Questions every company needs to ask are ‘how many do I really need?’ and ‘how am I going to find them after they have been produced?’ The right answer to both is IT DEPENDS: on how information security is currently controlled, on what clients expect and on how the documents are going to be used.

How many – the aim is to have as few as possible, without making them too long or hard to navigate. There isn’t a fixed number or format to follow, although auditors from some certification bodies seem disappointed if you aren’t using the templates they provide. I was called in to help a company that had been given more than 20 templates by a consultancy, told to insert their company name at the relevant places and then move on to the risk assessment. This is definitely the wrong approach; you end up with policies that don’t address the specific risks the business is trying to manage and are generally very short. On the other hand, you don’t want one HUGE document – as provided by another consultancy – or to start from scratch. Do some research, select templates that are a close fit for managing your specific risks and amend them. There are a few providers out there with different approaches; get in touch if you want guidance on ones that can work for your company – contact details are at the end of this blog. And if you already have some policies in place that cover most of the basics, try to build on those – people are used to referring to them, and starting again may not be the best option.

What format – if your people spend most of their time on mobile devices, use a format that works well on those devices. Downloading large PDFs may not be the best approach here. There will be a trade-off, so look at different options and get some staff to trial them. There is no point in having the ‘perfect’ Acceptable Use Policy if no one finds it acceptable to zoom in and out of a PDF to find the part they are looking for.

How do I find them, aka reference roulette – I was recently asked why I hadn’t given the information security documents codes like PA123 or PROC-AP/01/19. The answer was ‘none of your other documents use obscure codes; they use names and can easily be found by searching the intranet’. There isn’t anything wrong with using codes, but use a naming/reference convention that matches what is already in place. If you can tag documents with keywords to aid searches, that is even better.

Fun fact
The ISO27nnn series includes more than 10 standards.

Get in touch if you need help documenting your ISMS or want an honest opinion on the effectiveness of what is already in place.

e: ian.grey@wadiff-consulting.co.uk
t: +44 (0)7941 188462