M1.2.1 - P1 - INFORMATION SECURITY POLICY
When developing the information security policy as well as the supporting policies (Control M1.2.2), take into account the relevant NESA issuances and guidance in this regard.
The following information should be considered for inclusion in the information security policy:
- A. Statement related to management commitment and support of the goals and principles of information security in line with the business strategy and objectives
- B. Description of the entity’s approach to managing information security
- C. Definition of information security in terms of confidentiality, integrity and availability
- D. Reference to the entity risk management policy and the entity’s approach to information security risk management
- E. Reference to other risk management activities taking place in the entity, and how information security risk management relates to them
- F. Importance of compliance with the information security policy, and all supporting information security policies and procedures, and consequences of violations
- G. Requirements of particular importance to the entity, e.g.:
  - compliance with legislative, regulatory, sector and contractual requirements
  - security education, training, and awareness requirements
  - business continuity management
- H. Definition of general and specific responsibilities for information security, including reporting information security incidents
- I. References to supporting information security policies and procedures
This information security policy should be communicated throughout the entity in a form that is relevant, accessible and understandable to the intended reader.
The information security policy should be written in a way that allows it to also be communicated to outsiders, e.g. outsourcing partners or contractors.