Posts

Showing posts from November, 2021

Weaving strategies with policies

I mentioned recently here on the blog that there can be strategic elements to policies, just as there are operational aspects to the supporting procedures and guidelines. With the new year fast approaching, I'd like to explore that further today. Warning: your blinkers are coming off. Prepare for the glare. Take for instance the corporate responses to COVID-19. Out of necessity, organisations in lockdown shifted rapidly from on-site office work and in-person meetings to home-working, using video conferencing, email and collaborative approaches. Although that may have been a purely reactive, unplanned response to the global crisis that erupted (despite prior pandemics and warnings arising from increasing international travel), it was facilitated by longer-term planned, strategic changes and investments in a resilient workforce with flexible working practices and positive attitudes, strong relationships within and without the organisation, plus appropriate tools and technolog...

Topic-specific policies 12/11: concluding the series

Congratulations on completing this cook's tour of the topic-specific information security policies in ISO/IEC 27002:2022 (forthcoming). Today we reach the end of the track, reflecting back on our journey and gazing forward to the next objective. Through the blog, we have stepped through the eleven topic-specific policy examples called out in clause 5.1, discussing various policy-related matters along the way:

0. Introduction: an initial overview of the classical 'policy pyramid'.
1. Access control: 'policy axioms' are key principles underpinning policies.
2. Physical and environmental security: ignore these aspects at your peril!
3. Asset management: using templates/models to develop your policies.
4. Information transfer: consider the business context for policies.
5. Networking security: risks associated with data and social networks.
6. Information security incident management: unique or gener...