I have worked with information security for several years (despite my young age) and I have seen numerous different policies, rules, procedures and other types of security documentation. What really works best is to have a clear, well-defined breakdown between these, for example:
- Policy: Our ambitions and goals. What do we want to achieve? What is the scope? It should be short, preferably no more than one page.
- Rules: What do we do? What don't we do? What are we (not) allowed to do? The rules must be precise as to who should carry out the various tasks.
- Procedures: 'How-to' documents.
I will focus the rest of this post on the rules document. The rules document tends to become (too) long in some companies. A good tip is to divide the rules up by target group. In this way a user only needs to read the rules that are relevant to his or her job. Some companies even print an end-user-friendly leaflet containing only the most important rules on information security; we call it a PIXI.
And then there's the structure issue. What chapters should the rules document contain? Some users want descriptive headings sorted in a way that seems logical to them. Others prefer a structure that matches the 2005 version of ISO 27002; these are typically the ones working directly with information security. The ISO structure is convenient for the security or IT department, because the standard is an expression of best practice. Using a similar structure makes it easy to see if you have remembered everything, but sometimes at the expense of usability. Having a PIXI book can make up for this, though.
As you know, ISO 27002 was updated a little less than half a year ago. The question is: should the structure of your information security handbook now be changed to reflect the structure of the new version? The 2013 version is very similar to the one from 2005, but some chapters have been moved around, some have been deleted and new ones have been added. This means that the numbering of chapters has changed, even at the top level. The standard describes a number of controls (with a three-level numbering), and for instance the control in chapter 8.1.1 of the 2005 edition is not the same as the control in chapter 8.1.1 of the new edition.
The answer to whether you should switch to the new standard is a definite "yes". You must keep your information security up to date, and it is neither effective nor good practice to follow obsolete standards for information security.
If you are using an ISMS tool, such as SecureAware, the switch can be made more or less automatically. The latest version of SecureAware includes a number of tools to generate an automatic gap analysis comparing your old information security handbook to the new standard. Since SecureAware knows both the old and the new standard, it can create a draft rules document based on the new ISO 27002. It simply moves your rules around and places them in the appropriate chapter of the new standard. It can place up to 90% of your rules correctly, and the remaining rules are easily moved manually to the right chapter.
Read more about the new SecureAware features here
Please share your opinion and experience with building a useful and effective information security policy below.