Example for Corporate Policy for Information Security Management System

1. Purpose

The purpose of Information Security Management System (ISMS) in XXX is to ensure the continuity and protection of the business processes and information assets which are considered within the ISMS scope (stated in ISMS scope document). The information security needs and objectives are stated in this document to minimize the impact of security incidents on the operations of XXX.

2. Scope

The primary audiences for Corporate Information Security Policy are: Senior Management, System and Information Owners, Business and Functional Managers, Chief Information Security Officer (CISO), and IT Security Practitioners of the organization.

3. Definition

4.1 Availability – Property of being accessible and usable upon demand by an authorized entity.
4.2 Asset – Anything that has value to the organization.
4.3 Confidentiality – Property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
4.4 Integrity – Property of accuracy and completeness.
4.5 ISMS – Information Security Management System is the part of overall management system and required to establish, implement, maintain and continually improve information security of the organization.

4. Corporate ISMS Policy

The Information Security Management System of XXX intends to ensure:
4.1 Integrity of all business processes, information assets, and supporting IT assets and processes, through protection from unauthorized modification, guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. The unauthorized modification or destruction of information could have severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals;
4.2 Availability of all business processes, information assets, and supporting IT assets and processes to authorized users when needed, ensuring timely and reliable access to and use of information. The disruption of access to, or use of, information or an information system could have serious adverse effect on organizational operations, organizational assets, or individuals;
4.3 Confidentiality of all information assets (information is not disclosed to unauthorized persons through deliberate or careless action). Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. The unauthorized disclosure of information could have limited adverse effect on organizational operations, organizational assets, or individuals;
4.4 All IT-enabled processes and stakeholders shall follow the rules and regulations or circulars published in the organization;
4.5 All audit trails and logs, as decided by the Management Information Security Forum (MISF), shall be maintained and monitored by XXX;
4.6 All operational and system changes shall be monitored closely; these shall adhere to the change management process;
4.7 XXX complies with the laws, regulations and contractual obligations which are applicable to the organization in general and in particular to its ISMS;
4.8 All applicable information security requirements are satisfied;
4.9 Continual improvement of the information security management system.

5. Applicability

This policy applies to all Manager and staff of XXX, contractors, and third party employees under contract, who have any access to, or involvement with, the business processes, information assets, and supporting IT assets and processes covered under the scope of ISMS.

6. Responsibility

XXX  shall ensure that all activities required to implement, maintain and review this policy are performed. All personnel, regarded as included in the ISMS scope, must comply with this policy statement and its related security responsibilities defined in the information security policies and procedures that support the corporate information security policy. All personnel, even if not included in the ISMS scope, have a responsibility for reporting security incidents and identified weaknesses, and to contribute to the protection of business processes, information assets, and resources of XXX.

7. Enforcement

XXX holds the right to monitor the compliance of its personnel to this policy. Manager and staff of XXX, contractors, and third party employees, who fail to comply with this policy, may be subjected to appropriate disciplinary actions.

8. Ownership and Revision

This policy statement is owned by the Board of Directors of XXX who has delegated this task to the Chief Information Security Officer (CISO). This policy shall be revised once in two years by the CISO and every time that the Board of Directors of FCI, or the MISF, decides to do so. MISF of XXX shall consist of the following members (as approved by CEO):
Executive Director (IT), Executive Director (Personnel), Executive Director (Finance), Executive Director (P&R) and Executive Director (Legal).

Back to Home Page

If you need assistance or have any doubt and need to ask any question contact me at preteshbiswas@gmail.com. You can also contribute to this discussion and I shall be happy to publish them. Your comments and suggestion are also welcome.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s