Corporate infosec policy
At the peak of the typical policy pyramid sits a ‘corporate information security policy’. In clause 5.2, ISO/IEC 27001 explicitly requires an information security policy specifying aspects such as demonstrable top management commitment and objectives. Our corporate policy comprises:
- The usual boilerplate for any formal policy e.g. summary, applicability, version and date up front, plus responsibilities and references at the back;
- A short introduction, using the pyramid diagram to outline the entire information security policy structure;
- A set of seven principles (objectives) driving information risk and security e.g. “Information is a valuable business asset that must be protected against inappropriate activities or harm, yet exploited appropriately for the benefit of the organization. This includes our own information and that made available to us or placed in our care by third parties.”
The principles fascinate me. They aren’t (yet!) stated in any of the ISO27k standards, and yet they are fundamental concepts underpinning the entire field, such as 'least privilege' and 'personal accountability'. In researching and preparing our corporate infosec policy, I dug out a bunch of principles from various places and rationalized them down to the present set. I’d like to revisit that sometime, maybe even prepare a paper about the principles and then propose either a new ISO27k standard or an appendix to, say, the information security governance standard ISO/IEC 27014.
PS: At the end of 2022, I seized the opportunity to suggest incorporating a set of generic principles into ISO/IEC 27000 as part of SC 27's revision project. I have in mind developing something akin to the archetypal OECD Privacy Principles that remain fundamental to privacy laws and regulations today, decades later. Watch this space!