Seven Steps for Implementing Policies and Procedures

Thursday, March 17, 2011

Dejan Kosutic


Have you ever found yourself in a situation where you have been given the task to write a security policy or a procedure, but you don't want your document to end up like so many others - gathering dust in some forgotten drawer?

Here are some thoughts that might help you...

The steps I'm about to present to you are designed based on my experience with various kinds of clients, large and small, government or private, for-profit or non-profit - I find these steps applicable to all of them. Actually, these steps are applicable to any kind of policies and procedures, not only those related to ISO 27001 or BS 25999-2.

1 Study the requirements

First you have to study very carefully various requirements - is there a legislation which requires something to be put in writing? Or maybe a contract with your client? Or some other high level policy that already exists in your organization (perhaps a corporate standard)? And of course the requirements from ISO 27001 or BS 25999-2 if you want to comply to those standards.

2 Take into account the results of your risk assessment

Your risk assessment will determine which issues you have to address in your document, but also to which degree - for instance, you may need to decide whether you will classify your information according to its confidentiality, and if so, whether you need two, three or four levels of confidentiality.

This step may not be relevant in this form if your policy or procedure is not related to information security or business continuity. However, risk management principles are applicable to other areas as well - quality management (ISO 9001), environmental management (ISO 14001), etc. For instance, in ISO 9001 you have to determine to which extent a process is crucial for your quality management and accordingly to decide whether you will document it or not.

3 Optimize and align your document(s)

An important thing to consider is the total number of documents - are you going to write ten 1-page documents or one 10-page document? It is much easier to manage one document, especially if the target group of readers is the same. (Just don't create a single 100-page document.)

Moreover, you have to be careful to align your document with other documents - the issues you are defining may be already partially defined in another document. In such case, it may not be necessary to write a new document, maybe only expand the existing one.

If you are writing a new document about an issue that is already mentioned in another document, be sure to avoid redundancy - to describe the same issue in both documents. Later it would become a nightmare to maintain those documents; it's much better that one document makes a reference to another, without repeating the same stuff.

4 Structure your document

You also need to take care that you observe your corporate rules for formatting the document - you already may have a template with pre-defined fonts, headers, footers etc.

If you already implemented ISO 27001 or BS 25999-2 (or any other management standard), you'll need to observe a procedure for document control - such a procedure defines not only the format of the document, but also the rules for its approval, distribution etc.

5 Write your document

The rule of the thumb is - the smaller the organization and the smaller the risks, the less complex your document will be. There is nothing more useless than deciding to write a lengthy document no one is going to read - you have to understand that reading the document takes time, and the level of one's attention is inversely proportional to the number of lines in your document.

One good technique to overcome the resistance of other employees to this document (no one likes change, especially if that means something like an obligation to change passwords on a regular basis) is to involve them in writing or commenting this document - this way they will understand why it is necessary.

6 Get your document approved

This step is rather self-evident, but its underlying importance is this - if you are not a high ranking manager in your company, you won't have the power to enforce this document.

This is why someone with such a position has to understand it, approve it, and actively require its implementation. Sounds easy, but believe me - it is not. This step (and the next one) are the ones where implementation most often fails.

7 Training and awareness of your employees

This step is probably the most important, but sadly it is one that is very often forgotten. As mentioned before, employees are tired of constant changes, and they surely won't welcome another one especially if it means more work for them.

Therefore, it is very important to explain to your employees why such a policy or procedure is necessary - why it is good not only for the company, but also for themselves.

Sometimes training will be necessary - it would be wrong to assume that everyone possesses the skills to implement new activities. For you, who wrote this document, it may seem easy and self-evident, but for them it may seem like brain surgery.

End of story?

If you thought you've reached the end of your document-implementation story, you're wrong - the journey has just begun. It is not enough to have a perfect policy or procedure that everyone just loves, you also need to maintain it.

Someone has to take care this document is up-to-date and improved, or else no one is going to observe it anymore - and that someone is usually the same person who has written it. Not only that, someone has to measure if such a document has fulfilled its purpose - again, it may be you.

As you may have noticed reading this article, it is not enough to have a nice template for a successful policy or procedure - what is needed is a systematic approach to its implementation. And in doing so do not forget the most important fact: the document is not an end in itself - it is only a tool to enable your activities and processes to run smoothly. Don't let the opposite happen - that such a document makes these activities and processes run with more difficulty.

Cross posted from ISO 27001 & BS 25999 blog

ISO 27001 and BS 25999-2 Webinar Schedule:

ISO 27001

ISO 27001 Lead Auditor Course Preparation Training

ISO 27001 Benefits: How to Obtain Management Support

ISO 27001: An Overview of ISMS Implementation Process

ISO 27001 Foundations Part 1: ISMS Planning Phase, Documentation and Records Control

ISO 27001 Foundations Part 2: Implementation, Monitoring and Reviewing, Maintaining and Improving the ISMS

ISO 27001 Foundations Part 3: Annex A Overview

ISO 27001 and ISO 27004: How to Measure the Effectiveness of Information Security?

ISO 27001 Implementation: How to Make It Easier Using ISO 9001

BS 25999-2

BS 25999-2 Foundations Part 1: Business Impact Analysis

BS 25999-2 Foundations Part 2: Business Continuity Strategy

BS 25999-2 Foundations Part 3: Business Continuity Planning

BS 25999-2: An Overview of BCM Implementation Process

ISO 27001 and BS 25999-2

ISO 27001/BS 25999-2: The Certification Process

How to Become ISO 27001 / BS 25999-2 Consultant

ISO 27001 & BS 25999-2: Why is It Better to Implement Them Together?

Internal Audit: How to Conduct it According to ISO 27001 and BS 25999-2

ISO 27001 / BS 25999-2 Management Responsibilities: What Does Management Need to Know?

How to Write Four Mandatory Procedures for ISO 27001 and BS 25999-2

ISO 27001 and BS 25999-2 Strategy

Risk Management Part 1: Risk Assessment Methodology and Risk Assessment Process

Risk Management Part 2: Risk Treatment Process, Statement of Applicability and Risk Treatment Plan

Organization of Information Security; External Parties; Raising Awareness, Training and HR Management

Asset Management and Classification


Possibly Related Articles:
Compliance Risk Assessments ISO 27001 BS 25999-2 Policies and Procedures
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.