Security Policy
To make your organisation more cyber resilient, the security policy formalises and coordinates all of the organisation's organisational and technical security procedures.
The security policy should build on a set of good practices (ISO/IEC 27001 and ISO/IEC 27002) and on a risk assessment.
An Ongoing Process
Safeguarding an organisation is an ongoing process built on security measures that are evaluated in terms of the impacts most feared, the threats most likely and the vulnerabilities most significant.
This process involves the following steps:
Design
This first step aims to correctly define the scope and context of the future system. It must also make it possible to identify and evaluate risks in order to develop a management plan. (It cannot, however, replace the risk analysis that must be done beforehand.)
Realisation
The realisation step consists mainly of applying the security policy created in the previous step. Organisational and technical measures are put in place, and behavioural measures are applied by staff.
Evaluation and Control
The evaluation systems must have been described in the security manual. The goal is to ensure that the procedures put in place work as intended. These evaluations can be of several types:
- regular audits done as part of daily activities;
- automatic controls performed with software tools to create reports;
- comparison with other organisations;
- carrying out planned formal audits (‘risk assessment’);
- revision by the management.
If evaluations and controls reveal inadequacies in certain procedures, corrections must be made.
Improvement
The actions decided in the previous step must then be implemented, i.e.:
- at the level of the security system itself, for example by appointing a (new) person responsible for all or part of the system;
- at the level of the operational procedures derived from it, for example by implementing a different data backup procedure;
- at the tools level, such as the purchase of an antivirus tool.