Have you ever found yourself in a situation where you have been given the task to write a security policy or a procedure, but you don't want your document to end up like so many others - gathering dust in some forgotten drawer?
Here are some thoughts that might help you...
The steps I'm about to present to you are designed based on my experience with various kinds of clients, large and small, government or private, for-profit or non-profit - I find these steps applicable to all of them. Actually, these steps are applicable to any kind of policies and procedures, not only those related to ISO 27001 or BS 25999-2.
1 Study the requirements
First you have to study very carefully the various requirements - is there legislation which requires something to be put in writing? Or maybe a contract with your client? Or some other high-level policy that already exists in your organization (perhaps a corporate standard)? And of course the requirements of ISO 27001 or BS 25999-2 if you want to comply with those standards.
2 Take into account the results of your risk assessment
Your risk assessment will determine which issues you have to address in your document, but also to which degree - for instance, you may need to decide whether you will classify your information according to its confidentiality, and if so, whether you need two, three or four levels of confidentiality.
This step may not be relevant in this form if your policy or procedure is not related to information security or business continuity. However, risk management principles are applicable to other areas as well - quality management (ISO 9001), environmental management (ISO 14001), etc. For instance, in ISO 9001 you have to determine to what extent a process is crucial for your quality management and decide accordingly whether you will document it or not.
3 Optimize and align your document(s)
An important thing to consider is the total number of documents - are you going to write ten 1-page documents or one 10-page document? It is much easier to manage one document, especially if the target group of readers is the same. (Just don't create a single 100-page document.)
Moreover, you have to be careful to align your document with other documents - the issues you are defining may already be partially defined in another document. In such a case, it may not be necessary to write a new document; you may only need to expand the existing one.
If you are writing a new document about an issue that is already mentioned in another document, be sure to avoid redundancy - describing the same issue in both documents. Later it would become a nightmare to maintain those documents; it's much better that one document makes a reference to the other, without repeating the same content.
4 Structure your document
You also need to take care that you observe your corporate rules for formatting the document - you may already have a template with pre-defined fonts, headers, footers etc.
If you have already implemented ISO 27001 or BS 25999-2 (or any other management standard), you'll need to observe a procedure for document control - such a procedure defines not only the format of the document, but also the rules for its approval, distribution etc.
5 Write your document
The rule of thumb is - the smaller the organization and the smaller the risks, the less complex your document will be. There is nothing more useless than deciding to write a lengthy document no one is going to read - you have to understand that reading the document takes time, and the level of one's attention is inversely proportional to the number of lines in your document.
One good technique to overcome the resistance of other employees to this document (no one likes change, especially if it means something like an obligation to change passwords on a regular basis) is to involve them in writing or commenting on this document - this way they will understand why it is necessary.
6 Get your document approved
This step is rather self-evident, but its underlying importance is this - if you are not a high ranking manager in your company, you won't have the power to enforce this document.
This is why someone with such a position has to understand it, approve it, and actively require its implementation. Sounds easy, but believe me - it is not. This step and the next one are the ones where implementation most often fails.
7 Training and awareness of your employees
This step is probably the most important, but sadly it is one that is very often forgotten. As mentioned before, employees are tired of constant changes, and they surely won't welcome another one, especially if it means more work for them.
Therefore, it is very important to explain to your employees why such a policy or procedure is necessary - why it is good not only for the company, but also for themselves.
Sometimes training will be necessary - it would be wrong to assume that everyone possesses the skills to implement new activities. For you, who wrote this document, it may seem easy and self-evident, but for them it may seem like brain surgery.
End of story?
If you thought you've reached the end of your document-implementation story, you're wrong - the journey has just begun. It is not enough to have a perfect policy or procedure that everyone just loves, you also need to maintain it.
Someone has to take care that this document is kept up to date and improved, or else no one is going to observe it anymore - and that someone is usually the same person who has written it. Not only that, someone has to measure whether such a document has fulfilled its purpose - again, it may be you.
As you may have noticed reading this article, it is not enough to have a nice template for a successful policy or procedure - what is needed is a systematic approach to its implementation. And in doing so, do not forget the most important fact: the document is not an end in itself - it is only a tool to enable your activities and processes to run smoothly. Don't let the opposite happen - that such a document makes these activities and processes run with more difficulty.
Cross posted from ISO 27001 & BS 25999 blog