WHY DOES YOUR COMPANY NEED IT POLICIES?

Durch klare Richtlinien rudert die Mannschaft in eine Richtung und erreicht zuverlässig gemeinsame Ziele - SEC4YOU - Manfred Scholz

In prac­ti­ce, the clear distinc­tion bet­ween poli­cy and pro­ce­du­re, which is cus­to­ma­ry in Angli­can-spea­king count­ries, has pro­ven its worth. The tar­get sta­te is defi­ned in a poli­cy, and the imple­men­ta­ti­on is then descri­bed in a pro­ce­du­re description.

Poli­ci­es and pro­ce­du­re descrip­ti­ons ser­ve to ensu­re that recur­ring pro­ces­ses in a com­pa­ny are car­ri­ed out in a uni­form man­ner by the per­sons acting. This enables com­pa­nies to achie­ve the desi­red actu­al sta­te inde­pendent­ly of indi­vi­du­al per­sons, alt­hough the per­son car­ry­ing out a pro­cess descrip­ti­on should always be fami­li­ar with the under­ly­ing guidelines.

Gui­de­lines and pro­cess descrip­ti­ons joint­ly defi­ne the tar­get state

Our approach to the crea­ti­on of IT gui­de­lines is a clear sepa­ra­ti­on of gui­de­lines and pro­cess descriptions.

When crea­ting IT gui­de­lines, the requi­red tar­get sta­te is work­ed out tog­e­ther with the cus­to­mer. In par­ti­cu­lar, the fol­lo­wing points must be taken into account:

  • Neces­sa­ry manage­ment support
  • Con­side­ra­ti­on of busi­ness requirements
  • Com­pli­ance requi­re­ments, inclu­ding cus­to­mer and sup­pli­er contracts
  • Con­side­ra­ti­on of the struc­tu­re and pro­cess organization
  • Risk con­side­ra­ti­on

Clear requi­re­ments lead to all employees rowing in the same direc­tion and must be crea­ted and com­mu­ni­ca­ted in a man­ner and scope appro­pria­te to the addressees.

What poli­ci­es and pro­ce­du­res does ISO/IEC 27001 require?

The­re is no pre­scri­bed list of which IT spe­ci­fi­ca­ti­ons you need to crea­te in the cour­se of an ISO/IEC 27001 cer­ti­fi­ca­ti­on. Typi­cal­ly the fol­lo­wing docu­ments are deve­lo­ped in the first step:

  • Metho­do­lo­gy for risk assess­ment and risk treatment
  • Per­mit­ted use of assets (user policy)
  • Access con­trol policy
  • Sup­pli­er secu­ri­ty policy
  • Infor­ma­ti­on clas­si­fi­ca­ti­on policy
  • Pass­word policy
  • Dis­po­sal and des­truc­tion policy

SEC4YOU will be hap­py to sup­port you in the crea­ti­on of IT policies.

YOUR ADVANTAGES

  • Gui­de­lines lead to all employees rowing in the same direction!

 

  • An important mile­stone for ISO/IEC 27001 certification

 

  • Tar­ge­ted crea­ti­on helps with the adop­ti­on of the gui­de­lines by the employees

 

  • Target/actual com­pa­ri­son as a basis for sub­se­quent IT audits

Ques­ti­ons about IT-Poli­ci­es? You would like to talk to an expert?