Answer yes if your organisation has a documented Cyber Security Policy or Information Security Policy that has been reviewed in the last year. Please provide the Information Security Policy (as a PDF file) as evidence.
What is it?
An overall or “master” security policy defines high-level rules that must be abided to in terms of information security. It can define a number of things but, usually acting at a high level, it typically establishes basic practices and responsibilities as well as ownership and reporting around the general security function. It helps ensure controls are implemented uniformly across an organisation and have someone responsible for carrying them out. An overall security policy reduces the risk of controls being inadequately implemented or operated by mandating them throughout the organization from senior management on down.
Why should I have it?
Security policies provide assurance that security is considered, how it is considered, and provides a baseline against which it is possible to assess an organisation’s security compliance. If you are providing services that involves transmission, processing or other use of client data, the policy will typically be requested by the client’s procurement teams and is the first layer of assurance to them that you have considered security. As such it should detail, at a high level, how your organisation views its responsibilities on the protection of the client’s data and what measures you have implemented to carry out that responsibility.
Whilst security policies can be generic, it is worth taking the time to develop policies specific to your organisation. Ideally, these should be set against a known framework, relevant to your organisation or sector.
There are a number of security consultancies or individual consultants that will be able to assist in crafting a policy that meets your business requirements.
If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.