Information Security Policies

Policies, standards, procedures & guidelines for protecting your sensitive business information assets


Information Security Policy Development

Information security policies are the foundation of an effective information security governance, risk and compliance strategy. As such, they must be based upon a well-defined strategy that clearly reflects the business’s risk appetite, risk tolerance and risk capacity. Security policies are risk-driven: they cannot prevent a breach, but they help to identify, minimise and manage the risk of one.

They must be clear, concise and written in plain language so that they are easily understood by all affected parties. Because of their importance, these policies must be properly created, accepted and validated by the board and senior management before being communicated throughout the business.

Good policies are not easily produced. They must specify requirements, define the roles and responsibilities in the business, and outline expected behaviours in various situations. They also need to satisfy internal and external compliance and audit requirements, and so require a clear framework.

A policy framework serves to define the different types of documents and their contents. It can be simple or complex depending on the business. Although a business may have a stand-alone cybersecurity policy, that policy should be part of a principal information security policy framework.

Good clear policies are essential in the best of times – in uncertain times, they are critical. Risk Crew can also help you create your “work from home” policies to ensure your staff protect your information assets when working remotely.

A typical information security documentation framework is comprised of policies, standards, procedures and guidelines covering the subject areas set out below.


Features and Components

While there are numerous approaches to policy subject areas, largely dependent on compliance requirements, best practice recommends that businesses establish detailed policies addressing the areas below.

Establish Detailed Policies

These will include:

  • Risk Management
  • Access Control
  • Personnel Security
  • Systems Acquisition, Development & Maintenance
  • Work From Home Security Standards
  • Asset Management
  • Communications & Operations
  • Security Incident Response
  • Business Continuity & Disaster Recovery
  • Vendor Management
  • Compliance Management

Align with Controls

Once written, policies need to be aligned to the controls implemented to enforce them. An objective should be established for each control, along with the evidence the control should produce to verify its effectiveness and how that evidence should be tested. This policy-to-control mapping is critical to ensure the effective implementation of your policies.
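As an added example (it is not part of the original page and not Risk Crew’s own tooling), the following Python holds such a policy-to-control mapping in a machine-readable register, where each control records the policy it enforces, its objective, the evidence it must produce and a test of that evidence, and then runs those tests over a constructed sample of account evidence. The control identifiers, policy wording, evidence format and review thresholds are assumptions made for the illustration.

```python
"""Illustrative policy-to-control register with evidence tests.

Each control records the policy statement it enforces, its objective, the
evidence it must produce, and how that evidence is tested. Identifiers,
policy wording, thresholds and the evidence format are assumptions made
for this example, not a real standard.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable

Evidence = list[dict]                          # e.g. a directory export of accounts
Check = Callable[[Evidence, date], list[str]]  # returns findings; empty list = pass


@dataclass(frozen=True)
class Control:
    control_id: str  # assumed identifier, e.g. "AC-02"
    policy: str      # policy statement the control enforces
    objective: str   # what the control must achieve
    evidence: str    # artefact the control should produce for audit
    check: Check     # how that evidence is tested


def _days_since(iso_date: str, today: date) -> int:
    return (today - date.fromisoformat(iso_date)).days


def check_privileged_mfa(accounts: Evidence, today: date) -> list[str]:
    """Objective: every privileged account has MFA enforced."""
    return [f"{a['user']}: privileged account without MFA"
            for a in accounts if a["privileged"] and not a["mfa"]]


def check_access_review(accounts: Evidence, today: date) -> list[str]:
    """Objective: every account was reviewed within the last 90 days."""
    return [f"{a['user']}: last access review {a['last_review']} older than 90 days"
            for a in accounts if _days_since(a["last_review"], today) > 90]


def check_dormant_accounts(accounts: Evidence, today: date) -> list[str]:
    """Objective: accounts unused for more than 60 days are disabled."""
    return [f"{a['user']}: enabled but unused since {a['last_login']}"
            for a in accounts
            if a["enabled"] and _days_since(a["last_login"], today) > 60]


# The mapping itself: policy statement -> control -> objective -> evidence -> test.
REGISTER = [
    Control("AC-02", "Access Control policy: privileged access requires MFA",
            "No privileged account can authenticate without a second factor",
            "Directory export listing MFA status per account", check_privileged_mfa),
    Control("AC-03", "Access Control policy: access rights are reviewed quarterly",
            "Every account has a documented review within 90 days",
            "Directory export with last-review date per account", check_access_review),
    Control("AC-04", "Access Control policy: unused accounts are disabled",
            "No enabled account has been idle for more than 60 days",
            "Directory export with last-login date per account", check_dormant_accounts),
]

# Constructed sample evidence (not real data).
SAMPLE_ACCOUNTS = [
    {"user": "alice", "privileged": True, "mfa": True, "enabled": True,
     "last_review": "2024-05-01", "last_login": "2024-06-28"},
    {"user": "bob", "privileged": True, "mfa": False, "enabled": True,
     "last_review": "2024-06-01", "last_login": "2024-06-29"},
    {"user": "svc-backup", "privileged": False, "mfa": False, "enabled": True,
     "last_review": "2024-01-15", "last_login": "2024-02-10"},
    {"user": "carol", "privileged": False, "mfa": True, "enabled": False,
     "last_review": "2024-04-15", "last_login": "2024-03-01"},
]
AS_OF = date(2024, 6, 30)  # assumed date of the evidence snapshot


def run_register(register: list[Control], evidence: Evidence, today: date) -> dict[str, list[str]]:
    """Run every control's evidence test; map control_id -> list of findings."""
    return {c.control_id: c.check(evidence, today) for c in register}


def summarise(results: dict[str, list[str]]) -> dict[str, str]:
    """Reduce findings to a PASS/FAIL verdict per control for the audit report."""
    return {cid: ("PASS" if not findings else "FAIL") for cid, findings in results.items()}


if __name__ == "__main__":
    results = run_register(REGISTER, SAMPLE_ACCOUNTS, AS_OF)
    for control in REGISTER:
        print(f"{control.control_id} [{summarise(results)[control.control_id]}] {control.policy}")
        for finding in results[control.control_id]:
            print(f"    - {finding}")
```

Run against the constructed sample, AC-02 fails on bob (privileged, no MFA) and AC-03 and AC-04 both fail on svc-backup (no review in 167 days, still enabled after 141 idle days); carol passes AC-04 because the account is disabled. The point of the structure is that the policy text, the control objective, the evidence artefact and the test live in one record, so an auditor can trace a finding back to the policy clause it breaches.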


Review and Update

Finally, policies must be continually reviewed and updated to ensure that they keep pace with the business’s commercial objectives and risk appetite. Policies must address the dynamic cyber threat and compliance landscapes. They must also consider the ever-changing information assets and the people, processes and technology the business uses to attain those objectives. These are considerable challenges and require considerable expertise.

Why Choose Risk Crew

Risk Crew are industry leaders in designing and delivering effective information security risk management policies.

Our experienced information security governance, risk and compliance consultants apply proven assessment methodologies for measuring and documenting the effectiveness of your business’s ISMS. All our consultants are thoroughly vetted and subject to in-depth professional, criminal and credit record checks.

When you choose Risk Crew, you’re electing to work with qualified experts.

Risk Crew can help you with your specific information security risk management policy development, implementation and maintenance requirements.

Our policy services are customised to your specific business needs. Templates won’t do. Whether you are starting from scratch, need a simple refresh to meet a compliance requirement or a deep dive to strengthen and re-energise your strategy, we can take you to the next level.

Find out how Risk Crew can help your organisation develop its information security risk management policies today.

Frequently Asked Questions

Are individual policies necessary for specific compliance requirements?

No. Best practice recommends that policies or controls required for Payment Card Industry Data Security Standard (PCI DSS) or Data Protection Act (DPA) 2018 compliance be included in baseline documentation and integrated into the overall policy framework documentation implementing the business’s information security management system (ISMS).

Who should “own” information security policies?

In a perfect world, a designated Information Security Risk Manager would “own” the responsibility for keeping security policies current and applicable. The Board owns the responsibility for identifying the information assets that require protection and for articulating the risk appetite to be reflected in the policies, and Senior Management owns the responsibility for defining the strategy and securing the resources required (i.e. an Information Security Risk Manager) to implement it.

How often should information security policies be updated?

Information security policies should be updated at least annually, and after any significant change to the business systems processing, storing or transmitting information assets.