Quite often I see information security policies written in too much detail, trying to cover everything from strategic objectives to how many numerical digits a password should contain. The only problem with such policies is that they run to 50 or more pages, and no one really takes them seriously. They usually end up serving as artificial documents whose sole purpose is to satisfy the auditor.

But why are such policies so difficult to implement? Because they are too ambitious - they try to cover too many issues, and they are intended for too wide a circle of people.

This is why ISO 27001, the leading information security standard, defines different levels of information security policies:

- High-level policies, such as the Information Security Management System Policy - such high-level policies usually define strategic intention, objectives, etc.
- Detailed policies - this kind of policy usually describes a selected area of information security in more detail, with precise responsibilities, etc.

ISO 27001 requires that the Information Security Management System (ISMS) Policy, as the highest-ranking document, contain the following: it sets the framework for setting objectives, takes into account various requirements and obligations, aligns with the organization's strategic risk management context, and establishes risk evaluation criteria. Such a policy should actually be very short (maybe one or two pages), because its main purpose is to enable top management to control their ISMS.

On the other hand, detailed policies should be intended for operational use, and focused on a narrower field of security activities. Examples of such policies are: Classification policy, Policy on acceptable use of information assets, Backup policy, Access control policy, Password policy, Clear desk and clear screen policy, Policy on use of network services, Policy for mobile computing, Policy on the use of cryptographic controls, etc. Note: ISO 27001 does not require all these policies to be implemented and/or documented, because the decision whether such controls are applicable, and to what extent, depends on the results of the risk assessment.

Because such policies should prescribe more details, they are usually longer - up to ten pages. If they were much longer than that, it would be very difficult to implement and maintain them.

In other words, information security is too complex an issue to be defined in a single policy - for different aspects of the ISMS and different "target groups" there should be different policies. Middle-sized organizations usually build up to fifteen policies for their ISMS.

One could argue that this number of policies is nothing but overhead for a company. I would certainly agree if such policies are written only with the certification audit in mind - such policies will bring nothing but more bureaucracy. However, if a policy is written with the intention of decreasing the risks, then it will most probably show its value - if not right away, then probably in two or three years, by decreasing the number of incidents.