Information Security Management System Policy
Aim
To document the policy regarding the Information Security Management System
Summary
The ISMS Policy is a document which acts as the root “Quality Manual’ of the Information Security Management System (ISMS).
Information Security Management System Policy
Information Security Requirements
A clear definition of the requirements for information security will be agreed and maintained within the business so that all ISMS activity is focused on the fulfillment of those requirements. Statutory, regulatory and contractual requirements will also be documented and input to the planning process. Specific requirements with regard to the security of new or changed systems or services will be captured as part of the design stage of each project.
It is a fundamental principle of the NLG’s Information Security Management System that the controls implemented are driven by business needs and this will be regularly communicated to all staff through team meetings and briefing documents.
Top Management Leadership and Commitment
Commitment to information security extends to senior levels of the organization and will be demonstrated through this ISMS Policy and the provision of appropriate resources to provide and develop the ISMS and associated controls.
Top management will also ensure that a systematic review of performance of the program is conducted on a regular basis to ensure that quality objectives are being met and quality issues are identified through the audit program and management processes. Management Review can take several forms including departmental and other management meetings.
The Information Technology Director shall have overall authority and responsibility for the implementation and management of the Information Security Management System, specifically:
- The identification, documentation and fulfillment of information security requirements
- Implementation, management and improvement of risk management processes
- Integration of processes
- Compliance with statutory, regulatory and contractual requirements
- Reporting to top management on performance and improvement
Framework for Setting Objectives and Policy
An annual cycle will be used for the setting of objectives for information security, to coincide with the budget planning cycle. This will ensure that adequate funding is obtained for the improvement activities identified. These objectives will be based upon a clear understanding of the business requirements, informed by the annual management review with stakeholders.
ISMS objectives will be documented for the relevant financial year, together with details of how they will be achieved. These will be reviewed on a quarterly basis to ensure that they remain valid. If amendments are required, these will be managed through the change management process.
In accordance with ISO/IEC 27001:2013 the control objectives and policy statements detailed in Annex A of the standard will be adopted where appropriate by NLG. These will be reviewed on a regular basis in the light of the outcome from risk assessments and in line with IS Risk Assessment and Treatment Process. For references to the controls that implement each of the policy statements given please see Statement of Applicability.
Roles and Responsibilities
Within the field of information security, there is a number of management roles that correspond to the areas defined within the scope set out above.
Full details of the responsibilities associated with each of the roles and how they are allocated within NLG are given in a separate document IS Roles, Responsibilities and Authorities.
It is the responsibility of the Information Technology Director to ensure that staff understands the roles they are fulfilling and that they have appropriate skills and competence to do so.
Continual Improvement of the ISMS
NLG’s policy with regard to Continual Improvement is to:
- Continually improve the effectiveness of the ISMS
- Enhance current processes to align them with good practice as defined within ISO/IEC 27001
- Achieve ISO/IEC 27001 certification and maintain it on an on-going basis
- Increase the level of pro-activity (and the stakeholder perception of pro-activity) with regard to information security
- Make information security processes and controls more measurable in order to provide a sound basis for informed decisions
- Review relevant metrics on an annual basis to assess whether it is appropriate to change them, based on collected historical data
- Obtain ideas for improvement via regular meetings with stakeholders and document them in a Root Cause Investigation Tracker
- Review the Continual Improvement Plan at regular management meetings in order to prioritize and assess timescales and benefits
Ideas for improvements may be obtained from any source including employees, customers, suppliers, IT staff, risk assessments and service reports. Once the ideas are identified they will be added to the OnTime tracker tool and evaluated by the staff member responsible for Continual Service Improvement.
As part of the evaluation of proposed improvements, the following criteria will be used:
- Cost
- Business Benefit
- Risk
- Implementation timescale
- Resource requirement
If accepted, the improvement proposal will be prioritized in order to allow more effective planning.
Approach to Managing Risk
Risk management will take place at several levels within the ISMS, including:
- Management planning – risks to the achievement of objectives
- Information security and IT service continuity risk assessments
- Assessment of the risk of changes via the change management process
- As part of the design and transition of new or changed services
High level risk assessments will be reviewed on an annual basis or upon significant change to the business or service provision.
A risk assessment process will be used which is line with the requirements and recommendations of ISO/IEC 27001, the International Standard for Information Security. This is documented in Risk Assessment and Treatment Process.
From this analysis, a risk assessment report will be generated followed by a risk treatment plan in which appropriate controls will be selected from the reference list in Annex A of the ISO/IEC 27001 standard, together with any additional controls thought to be necessary.
Human Resources
NLG will ensure that staff involved in information security is competent on the basis of appropriate education, training, skills and experience.
The skills required will be determined and reviewed on a regular basis together with an assessment of existing skill levels within NLG. Training needs will be identified and a plan maintained to ensure that the necessary competencies are in place.
Training, education and other relevant records will be kept by the HR Department to document individual skill levels attained.
Auditing and Review
Once in place, it is vital that regular reviews take place of how good information security processes and procedures are being adhered to. This will happen at three levels:
- Structured regular management review of conformity to policies and procedures
- Internal audit reviews against the ISO/IEC 27001 standard by the NLG Quality Team
- External audit against the standard in order to gain and maintain certification
Details of how internal audits will be carried out can be found in ISMS Internal Audit Procedure.
Documentation Structure and Policy
All information security policies and plans must be documented. This section sets out the main documents that must be maintained in each area.
Details of documentation conventions and standards are given in the following documents:
- Controlled Document Creation Process
- Controlled Document Naming Guidelines
- Creating Process Wiki Pages Process
- Process Documentation Review Process
A number of core documents has been created and will be maintained as part of the ISMS. The current versions are tracked in Confluence documentation system.
Control of Records
The keeping of records is a fundamental part of the ISMS. Records are key information resources and represent evidence that processes are being carried out effectively.
The controls in place to manage records are defined in the documents:
- Document Retention Policy
- Document Obsolete Process