Example for Corporate Policy for Information Security Management System

1. Purpose

The purpose of the Information Security Management System (ISMS) in XXX is to ensure the continuity and protection of the business processes and information assets that are considered within the ISMS scope (stated in the ISMS scope document). The information security needs and objectives are stated in this document to minimize the impact of security incidents on the operations of XXX.

2. Scope

The primary audiences for the Corporate Information Security Policy are Senior Management, System and Information Owners, Business and Functional Managers, the Chief Information Security Officer (CISO), and the IT Security Practitioners of the organization.

3. Definitions

3.1 Availability – Property of being accessible and usable upon demand by an authorized entity.
3.2 Asset – Anything that has value to the organization.
3.3 Confidentiality – Property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
3.4 Integrity – Property of accuracy and completeness.
3.5 ISMS – Information Security Management System: the part of the overall management system required to establish, implement, maintain and continually improve the information security of the organization.

4. Corporate ISMS Policy

The Information Security Management System of XXX intends to ensure:
4.1 Integrity of all business processes, information assets, and supporting IT assets and processes, through protection from unauthorized modification, guarding against improper information modification or destruction, and ensuring information non-repudiation and authenticity. The unauthorized modification or destruction of information could have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals;
4.2 Availability of all business processes, information assets, and supporting IT assets and processes to authorized users when needed, ensuring timely and reliable access to and use of information. The disruption of access to, or use of, information or an information system could have a serious adverse effect on organizational operations, organizational assets, or individuals;
4.3 Confidentiality of all information assets (information is not disclosed to unauthorized persons through deliberate or careless action), preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. The unauthorized disclosure of information could have a limited adverse effect on organizational operations, organizational assets, or individuals;
4.4 All IT-enabled processes and stakeholders shall follow the rules and regulations or circulars published in the organization;
4.5 All audit trails and logs, as decided by the Management Information Security Forum (MISF), shall be maintained and monitored by XXX;
4.6 All operational and system changes shall be monitored closely; these shall adhere to the change management process;
4.7 XXX complies with the laws, regulations, and contractual obligations which are applicable to the organization in general and in particular to its ISMS;
4.8 All applicable information security requirements are satisfied;
4.9 Continual improvement of the information security management system.

5. Applicability

This policy applies to all managers and staff of XXX, contractors, and third-party employees under contract, who have any access to, or involvement with, the business processes, information assets, and supporting IT assets and processes covered under the scope of the ISMS.

6. Responsibility

XXX shall ensure that all activities required to implement, maintain and review this policy are performed. All personnel included in the ISMS scope must comply with this policy statement and with the related security responsibilities defined in the information security policies and procedures that support the corporate information security policy. All personnel, even if not included in the ISMS scope, have a responsibility to report security incidents and identified weaknesses, and to contribute to the protection of the business processes, information assets, and resources of XXX.

7. Enforcement

XXX holds the right to monitor the compliance of its personnel with this policy. Managers and staff of XXX, contractors, and third-party employees who fail to comply with this policy may be subjected to appropriate disciplinary action.

8. Ownership and Revision

This policy statement is owned by the Board of Directors of XXX, who have delegated this task to the Chief Information Security Officer (CISO). This policy shall be revised once every two years by the CISO, and whenever the Board of Directors of FCI or the MISF decides to do so. The MISF of XXX shall consist of the following members (as approved by the CEO):
Executive Director (IT), Executive Director (Personnel), Executive Director (Finance), Executive Director (P&R), and Executive Director (Legal).

If you need assistance or have any doubts and need to ask any questions, contact me at preteshbiswas@gmail.com. You can also contribute to this discussion and I shall be happy to publish your contributions. Your comments and suggestions are also welcome.