You need to have an Information Security Policy, or a set of policies. It should set out your approach to information security and how you intend to manage your objectives. Its inputs should cover business strategy, governing legislation and regulations, and the information security threat environment you are exposed to both now and in the future. Statements should specifically address your interpretation of Information Security, your objectives, and guidelines for all activities that could fall within its remit. You should identify specific roles and responsibilities for Information Security management and implementation, and how irregularities will be handled.

Lower-level policies should be established; they could be included as part of a Statement of Applicability, but they must be made available to all those affected by them. These could cover:

  • Access Controls
  • Information Classification
  • Physical security
  • Acceptable use of Assets
  • Clear desks and screens
  • Information Transfer
  • Mobile devices / teleworking
  • Software Installation
  • Backups
  • Malware
  • Technical vulnerabilities
  • Cryptography
  • Communications
  • Privacy
  • Supplier relationships

Once you have your policy or policies in place, make sure all those affected are aware of them, and check this as part of your internal auditing. External auditors will want to know that your employees know how to behave in order to maintain the controls you have put in place, and so should you.