The role of security policies, standards, processes, and procedures

It's important for you to understand the hierarchy of the ISO standards, as the information security manager is responsible for defining the organisation's information security policy and standards.

Once the standards are defined, the ISO communicates the procedures and guidelines to all staff. The ISO defines the policy, standards, procedures, and guidelines in a clear manner and in a specific order and hierarchy. This is illustrated as a pyramid because the elements are all interrelated: they build on each other, and each one is connected to the next.

This documentation set helps to ensure that procedures are clear and that staff carry out their obligations, for example reporting an incident, in the correct and specific way.

[Image: pyramid diagram showing the policy hierarchy: Policy, Standards, Procedures, and Guidelines.]

The policy hierarchy

1. Policy

The information security policy sits at the top of the organisation's hierarchy and acts as the guide for the processes, procedures, work instructions and technical controls created from it (for example, an Equal Opportunities Policy). Everything starts from policy, and there must always be traceability back to the policy requirements for every security decision.

2. Standards

Standards are typically used to complement policies and procedures, but they are more prescriptive in the controls they specify. Standards can be developed in-house or adopted from publicly available examples. The most common information security standards are ISO/IEC 27001 and PCI DSS. In the United States, the healthcare standard HIPAA is also adopted by organisations handling medical records.

3. Procedures and processes

A procedure is a detailed set of instructions that specifies how to do a specific task; for example, it might detail the steps an individual should take to log removable media with the information security manager before it's used. Processes and individual work instructions are more detailed than procedures. They can incorporate multiple ways of following a procedure for individuals in different parts of the business or in different locations. Examples include onboarding new employees, product development and customer support.

4. Guidelines

A guideline outlines how something should be done, but it's not mandatory; if an organisation has a more effective way of doing something, it can follow its own method rather than the guideline. An example of a guideline would be advising users how to create a memorable but secure password.

Having clearly defined assurance roles and responsibilities in place, together with up-to-date security policies, standards and procedures, is fundamental. These eliminate any ambiguity regarding the direction of security management. It's important that these documents are written in plain English and are clearly communicated to staff. For example, assurance responsibilities should be included in employee job descriptions and form part of third parties' contractual conditions. All users need to understand clearly what will happen if they do not follow information assurance policies, and that senior management will get involved if the rules are broken.

Having run through the standards pyramid, you can now see how invaluable this system is: it provides a clear scaffolding for the proper delivery of the IA message, policy and documentation.

Striking a balance

The information security manager needs to strike the right balance between security, functionality, and cost to ensure the business gets the best deal. Too much security and you lose functionality and it becomes too expensive; too little security and you leave the business exposed to high risk. Tuning your security policies to strike this balance between security, cost, and functionality is a key skill for anyone involved in security management.

It's essential to realise that not all countermeasures and controls need to be technological. In some cases, a technical solution may be impossible to implement, so other measures need to be sought. For example, posting a security guard outside your data centre's only door might be more cost-effective than the card-entry and biometric system suggested by the technical team in your organisation. Your job is to judge what's best and make sure the solution selected is right for the business. Understanding the balance between your physical, procedural, and technical controls is key: it allows you to manage the risks as well as possible within the budget and manpower limitations involved.

What's next?

Next, you'll find out more about governance and governance reviews.

This is an important interface between in-house standards and those of an external or international nature.

Before proceeding, think of examples of policies, standards, procedures, processes and guidelines at your company. How do they help staff do their jobs?


In this course, you will discover the structures policies and practices which provide a basis for developing the organisation’s information security.
