Author: Gary Hibberd
Date: 4th August 2020
When people ask me about information security and talk about their struggles with standards like ISO 27001 (the international standard for information security management), they typically talk about the issues they have with security policies.
They ask what policies they need to be compliant with ISO 27001 and to demonstrate compliance with the General Data Protection Regulation (GDPR). It's a good question, but often I see their eyes glaze over and the grimaces on their faces as they describe the pain of writing policies that their people then have to wade through.
Before we get into what policies you need, I think we need to address the elephant in the room. We need to discuss what policies are, and what they’re not.
Policies are a GOOD thing
Firstly, let's state for the record that policies are a good thing. We all have them. You follow policies right now, but have probably never thought about them in that way.
Yes, it’s the law NOT to drink and drive. But you probably have a policy not to drink and drive anyway, right? You know it’s a bad thing.
You probably have a policy of dressing appropriately when you have a formal meeting or presentation. It's not the law, but you have a policy of doing it nonetheless.
And you probably make it a policy to always hold the door open for the person walking behind you. It’s certainly not a law, but you know it’s the right thing to do and you were brought up to behave that way.
So you already have a number of policies that you adhere to, and probably a whole lot more, so why all the fuss about Security Policies? And why do people see them as impenetrable?
Lawyers and IT.
I have good friends who are lawyers, and I've worked in IT pretty much my entire life. I have worked with some of the most incredible law firms in the UK (and internationally), but lawyers do one thing: they do law. And law is complicated! Every word needs to be scrutinised, and every word needs to be clear and unambiguous. Everything needs to be laid out on the page for the world to see.
Similarly, IT people like structure and certainty, but they’re not policymakers. So why do we expect them to set the rules and write policies?
These are not criticisms of lawyers or IT professionals, merely observations. We are asking people who a) are not trained to write policies and b) love detail and absolute clarity to write a set of rules that we can follow, and then we complain when those rules are difficult to follow!
Policies, Procedures, Guidelines
Another reason organisations get into a pickle over policies is that they don't know the difference between policies, procedures and guidelines. If you think that's a big claim, let me ask you: is your security policy more than two pages long? If it is, then you have most likely confused policy with procedures and guidelines too.
Let's be very clear here:
– A Policy is a statement of fact: what the organisation will and will not do.
– A Procedure is how you implement that fact: the steps people follow.
– A Guideline describes the different approaches you might take to implement that fact.
Notice how each of the above statements got longer and longer? That’s what happens when you mix policy with procedures and guidelines.
Always keep in mind that your policy is a statement of fact. It should be a paragraph or two at most. So when I see a policy that is more than two pages long, I know that staff aren’t going to understand it and/or be able to follow it.
Policies should speak to you
A good policy should speak in your language. It shouldn’t sound like a Consultant or a lawyer has written it. If you are a formal company, then write it in a formal tone, but if you are less formal, and you want people to be engaged, then write your policies in that way. No matter what approach you take, make policies fit YOUR culture and tone of voice.
When I work with organisations to help them write policies, I ask for copies of their current policies on other topics, like health and safety. I also ask them about their culture. This isn't to criticise. It's so I can understand how they speak, and how they want to address their audience (which is usually their staff).
What ISO 27001 Policies do I need?
Ok, to the central point of this blog: if you're implementing ISO 27001, there are a number of policies you need to put in place. They are considered mandatory because the standard states that you SHALL have a policy for a key aspect of the standard. One caveat worth knowing: clause 5.2 of ISO 27001 requires the overarching information security policy of every organisation; the topic-specific policies below come from Annex A controls, so an auditor will expect each one where the corresponding control is in scope in your Statement of Applicability.
In our experience, the following policies need to be in place as a minimum to comply with the standard. Yes, there are others you can (and probably should) put in place, but ISO 27001 only requires the following:
Information Security Policy
Your overall policy statement. What you are looking to do, why, who it affects, how you'll lead it and your commitment to continual improvement.
Acceptable use Policy
What do you see as acceptable behaviour when using the internet, your systems and your data? A statement declaring what is and is not acceptable.
Access Control Policy
How will you control access to systems and data? Who has access? What is your approach to revoking it and monitoring it?
Information Backup Policy
What is your approach to backing up important data? How will it be stored? Who has access to it? And when will it be destroyed?
Clear desk and clear screen Policy
What is your approach to ensuring desks are free from confidential or personal data? What are your expectations on locking screens when people are in or out of the office?
Cryptographic Control Policy
What cryptographic controls do you have in place? Who keeps them up to date? What key management arrangements do you have for generating, storing, rotating and retiring keys?
Classification & Labelling Policy
How do you classify data? Secret? Top Secret? Confidential? Public? How should your people use these classifications and when should they use them?
Mobile Device Policy
What do you expect of people when using mobile devices? Can they download any app they like? Are they permitted to use their own devices (bring your own device, or BYOD)? And what rules are you putting in place so that people working remotely know what you expect of them?
And that’s it. There is your list of mandatory security policies that ISO 27001 requires you to have. As stated above, there are others that you may wish to develop, but this is down to you. I would say, if you have more policies than you do staff, then you have gone too far!
Remember that a Policy is a statement of FACT. You can cover all the above in a three- or four-page document, and behind it have a more detailed set of procedures and perhaps guidance. But if you're struggling to get your teams to read your policies, it's probably because you've gone too far, or you've asked IT or lawyers to write them.
Look at them from the perspective of YOU. Write them to reflect YOUR wants, needs and expectations. Don’t try and boil the ocean.
Being secure isn’t difficult. Don’t write complicated Policies that no one understands, no one will read, and no one will follow.
The statement above is my policy on writing policies. See… It’s not difficult, is it?