At the heart of every ISMS process lie policies: meticulously crafted documents that set out the procedural guidelines and standards a company must adhere to in order to ensure the highest level of quality and security in its operations.
What are policies?
Policies are formal documents that outline an organization's approach to managing information security in accordance with a particular security framework. These policies serve as the foundation for an Information Security Management System (ISMS) and provide clear guidelines on how an organization protects its data, manages risks, and complies with regulatory requirements.
Policies are essential for ensuring that everyone in the organization understands their roles and responsibilities related to information security.
Why are policies important?
They provide clear guidelines for employees and stakeholders, define roles and responsibilities
They ensure consistency in processes and decision-making, helping to mitigate risks and safeguard your organization
They support legal, regulatory, and certification requirements
Where to start - Policy templates
As a Secfix customer you have access to our policy templates, which are a great starting point for creating your own, customized policies. They are crafted from a successful blueprint tried and tested by numerous Secfix customers to achieve certification. You'll find them in the SharePoint or Google Drive folders shared with you by your CSM.
Policy best practices
Your policies should resonate with your organization's dynamics. We encourage you to delve into the templates and tailor them to meet your specific organizational needs, ensuring that they echo your organization's character while adhering to ISMS standards.
Roles working on Policies
While it's up to you who will be working on creating each policy, below you'll find our recommendation as to which department is usually the best fit for a specific policy. Bear in mind this is just an example; it may differ for your organization depending on your size or structure.
| Nº | Policy name | Role | Est. reading time [min] |
|---|---|---|---|
| POL-00 | ISMS List of documents | HR / Operations Manager | 5 |
| POL-01 | Scope of the ISMS | HR / Operations Manager | 80 |
| POL-02 | Information Security Management System (“ISMS”) | HR / Operations Manager | 80 |
| POL-03 | Roles, Responsibilities, and Authorities | HR / Operations Manager | 60 |
| POL-04 | Information Security & Acceptable Use | HR / Operations Manager | 120 |
| POL-05 | Document Control | HR / Operations Manager | 30 |
| POL-06 | Information Security Communication Plan | HR / Operations Manager | 30 |
| POL-07 | Internal Audits | HR / Operations Manager | 50 |
| POL-08 | Cloud Security | Head of IT / DevOps | 80 |
| POL-09 | Risk Management | HR / Operations Manager | 90 |
| POL-10 | Physical Security | HR / Operations Manager | 50 |
| POL-11 | Access Control | Head of IT / DevOps | 90 |
| POL-12 | Cryptography | Head of IT / DevOps | 30 |
| POL-13 | Asset Management | Head of IT / DevOps | 30 |
| POL-14 | Data Management | HR / Operations Manager | 80 |
| POL-15 | Human Resource Security | HR / Operations Manager | 60 |
| POL-16 | Business Continuity and Disaster Recovery | Head of IT / DevOps | 80 |
| POL-17 | Incident Management | Head of IT / DevOps | 40 |
| POL-18 | Secure Development | Head of IT / DevOps | 50 |
| POL-19 | Operations Security | Head of IT / DevOps | 60 |
| POL-20 | Third Party Management | HR / Operations Manager | 60 |
Tracking progress with your PSR
To help you track your policy completion progress, use the Policy tab in your Project Status Report. This dedicated space not only lets you monitor your progress but also serves as a collaboration ground where you can engage with your team members and jot down essential notes for meetings.
Secfix support
Working on your policies might prompt a lot of questions. Whether it's about a specific policy or a general concept, you can reach out to us for guidance on the chat inside the app 💬