The E-LIGHT team helps develop and roll out a corporate security policy that meets the requirements of the international standard ISO / IEC 27001. An adequate level of information security in a modern organization can only be reached through an integrated approach, and that approach starts with developing and implementing effective security policies. These policies define the necessary and sufficient set of security requirements that bring information security risks down to an acceptable level.
According to ISO / IEC 27001, the information security policy must set out the organization's approach to managing information security.
An enterprise's information security policy shall include:
- A definition of information security, its overall objectives and scope, and a statement of why security matters as a mechanism that makes information sharing possible.
- A statement of the information security objectives and principles set by management.
- A brief summary of the security principles, rules and requirements that are most important to the organization, such as:
  - Compliance with legal requirements and contractual obligations;
  - Security awareness and training requirements;
  - Prevention and detection of malicious software;
  - Business continuity management;
  - Consequences of violating the security policy;
- A definition of the general and specific responsibilities of employees within information security management, including the duty to report information security incidents.
- References to documentation that supports the policy, for example more detailed security policies and procedures for specific information systems, and the security rules that users must follow.