Policies are a fundamental aspect of information security; they provide the management direction for security co-ordination and the basis for all security initiatives.
A common approach, especially amongst SMEs, is to adopt the staff handbook as ‘company policy’, which is ineffective.
Ideally, policy should reflect business requirements, be easily understandable to the desired audience, and be succinct and enforceable. Policy structure can be tiered to support the size of the business and business needs.
Realistically, policy should be aligned with business objectives, and security should be embedded in business as usual (BAU) rather than applied as a reactive ‘sticky plaster’.
Many clients will produce long and detailed policies that are too impractical for successful enforcement. Quite often, the policies are neither read nor understood and have been produced to satisfy auditors as a tick-box exercise.
Following a policy review, this service can also help to fill policy gaps: ISMS Matters can provide or author baseline policies and standards, which the particular client then modifies to suit their business environment.
This approach reduces the client cost as internal resource can be utilised for the modification activity.
Ideally, the best approach (from our experience) is for us to produce policy and standards documentation that accurately reflects current business requirements. However, this will probably require increased consultancy to identify and map to business operations.
This service has in the past also covered the authoring of configuration standards. It is very important that skill set requirements are identified (dependent on the technologies that need to be documented) for adequate resourcing.
If research time is required (and agreed by the client), this needs to be built into the proposed consultancy time. Authorship of configuration standards can also easily fall into the Information Assurance, PCI DSS or Security Assurance practice areas.
Please contact us now for a free quote on your upcoming requirements or project…