A strong Information Security Policy, backed up with sub-policies such as an Acceptable Use Policy and with operational procedures, is the backbone of a successful Information Security Management System. It is an integral part of the ISO 27001 standard, and the standard covers in depth the content that is considered best practice to include. The standard, however, is written to cover as many types of business as possible, and it is often followed slavishly, creating copious amounts of unnecessary effort and documentation that is often very off-putting to the implementation team.
The methodology followed by Thinking Security adheres to the principle that a company should use "as much as is necessary, but as little as possible". This keeps the system manageable and usable on a daily basis, while ensuring that key aspects relevant to the organisation are given the attention they deserve and no time or effort is wasted on things that are irrelevant. Regardless of whether you are actually looking to achieve ISO 27001 certification or are looking to establish a strong base to build from - possibly for certification at a later date - we can provide a bespoke solution that encompasses only as much as is required by your scenario. This allows you to streamline the introduction of the management system into your existing policies, procedures and organisational structure, while aligning and integrating it with other business goals such as environmental concerns or existing quality control management systems.
A previous client wished to implement an Information Security Management System as part of their ISO 20000 certification. We were able to assist in this process, liaising closely with both the managerial team and the staff to evaluate the information assets that needed protection, develop new policies and procedures, review and adapt existing documentation, and implement new controls and review cycles. This enabled them to comply with the requirements of ISO 20000 for Information Security, as well as improving their awareness of, and capability to run, their organisation in a sound and secure way on a day-to-day basis.