Do I need information security policies?

The short answer is yes. Information security policies are a central part of enabling the success of your organisation cybersecurity programme.

Having a policy structure in place demonstrates a clear commitment to security. A policy structure helps establish confidence with your customers and providers. It gives guidance and structure to your employees about the organisations expectations when using IT assets and resources. When correctly implemented they will define roles and responsibilities, and accountabilities.

It can be helpful to think of them as contracts between the organisation and employees and generally will be part of the obligations referenced within employment contracts. These policies are a foundational element in establishing a cyber secure culture.

Only 30% of small and medium businesses in the UK have formal cyber security policies

UK Government 2021 Cyber Security Breaches Survey

What areas are covered by security policies?

A security policy structure should be a manifestation of your organisations beliefs, values, and attitudes. A defined and clear policy should be an enabler of your business objectives and not a barrier. It will help you meet your regulatory obligations which will often require that your cyber security policies be documented. Certifications such as ISO27001 will also require that these artefacts be in place.



How Nuvolo Sicuro approach policy implemention

Nuvolo Sicuro consider best practice and your business context when creating a set of policy positions. We understand that these need to be living documents and need to be accepted by senior management and the employees. These will need to be maintained and updated as your business grows and changes.

  • Obtain senior management endorsement.
  • Understand your business values, attitudes and beliefs
  • Understand your business objectives
  • Understand your regulatory obligations
  • Define the high level policies
  • Define the detailed standards
  • Obtain senior management approval
  • Train document owners on responsibilities and expectation
  • Deliver training and roll out of policies to staff
  • Formalise the ongoing review and update process
policy elements