March 8 - meshy policies [UPDATED]


I'm reviewing and revising our information security policy templates, again. At the moment I'm systematically compiling a cross-reference matrix in Excel showing how each of the 65 policies relates to others in the set - quite a laborious job but it will result in greater consistency. The objective is to make the policies knit together coherently, without significant overlaps or gaps in coverage - less mess, more mesh.

All our policies include a reference section noting other relevant policies, procedures, guidelines etc. but only the main ones: the information risk management policy, for instance, is relevant to all the others but there's no point listing it as a reference in all of them, nor listing all of them in it.

I have shortened the titles of a few policies for readability, and need to check/update the formatting then generate new screenshots for the website. Once that is all done, I will be checking coverage: a couple of policies are similar enough that they might perhaps be combined, and I'm always on the lookout for gaps that need plugging.

In all of this, it helps enormously that I wrote them all in the first place, and have maintained them all continuously. Organisational policies usually accumulate over time from a variety of sources and authors, with different writing styles and mind-sets. Conflicts and holes are not uncommon, creating problems for awareness and compliance. Hot issues tend to have current, up-to-date policies, whereas policies covering longstanding aspects tend to go stale, unless someone takes the time to review and update the entire suite as I am doing now. Even something as simple as using a common MS Word template with styles for headings and text makes a huge difference to the readability and consistency, but the template itself has evolved over the years I've been doing this, and is changing again now. It takes concentration to work systematically through the whole suite, updating them to the same standard.

The end result is worth it though. The policy suite is already a polished, professional product at a good price (a fraction of the cost of developing this much content from scratch). It sells well and I'm proud of it! We are using it to develop custom, branded policies for clients and would love to do the same for you, so if your infosec policies are looking a bit shabby, messy, the worse for wear, let's talk. I'm just as keen to help you develop a 'policy management process' to maintain your policies going forward, avoiding the need to have me back in a few years' time ...

PS  The updated policy suite is on sale now at www.SecAware.com

Popular posts from this blog

Pragmatic ISMS implementation guide (FREE!)

Two dozen information risks that ISO forgot

Philosophical phriday - compliance risk

ISMS internal audit priorities

Reading between the lines of ISO27001 [L O N G]

Passionate dispassion

45 ISO Management Systems Standards

Philosophical phriday - a noncompliance ramble

Adaptive SME security Crowdstrike special