Policies: Defining the "Why" Behind the "What"

Guide to InfoSec Policy Management

A guide for setting up and managing InfoSec policies to simplify and strengthen compliance posture

Objective

  • Purpose: This guide will assist you in setting up and managing your Information Security Policies, helping to simplify and strengthen your company's compliance posture.
  • Target Audience: Designed for new clients and organizations that are establishing or updating their information security policy frameworks.

Outline

  • Introduction: This guide provides a straightforward pathway for new clients to establish and manage effective information security policies, ensuring compliance and enhancing security measures within their organizations.
  • Overview: The guide outlines the processes involved in creating a policy framework, storing and accessing policies, communicating policy updates, and documenting compliance to ensure a comprehensive approach to policy management and supporting documents.

Visualizing the Who, What, Why, and How

This diagram shows the layered structure of policy management. 

Governance Layer Diagram

Information security governance is built in layers: the reasons behind the program, the policies that set expectations, and the supporting documents that put those policies into practice. Breaking it down this way makes each part's role easy to grasp.

  • The “Why”
    This is about understanding the reasons behind the Information Security Policy. It encompasses the information security standards we must follow, our organization's principles, the importance of protecting data, and maintaining a trustworthy reputation. Essentially, it is the foundation that justifies the need for specific policies and procedures.

  • The “What and Who”
    With a firm foundation laid, we can stand up the specific policies that address particular areas of security. These policies define what actions need to be taken and who is responsible for implementing them. This serves as the blueprint for the behaviors and practices expected within the organization.

  • The “How”
    This level translates your policies into action. The “How” is the practical application of your policies, including:
    • Step-by-step procedures
    • Standards to adhere to when selecting tools and technologies
    • Baselines for maintaining a consistent level of security
    • Guidelines that shape our daily operations

Step-by-Step Instructions

Creating Your Policy Framework

  • Step 1: 
    • Establish your foundational Information Security Policy and Security Program Committee Charter, approved and backed by your executive leadership, using the template Trustero provides. 
      • If you are starting with the ISO 27001 or NIST framework, you will have an additional, higher-level business policy named the InfoSec Management Program Policy.
    • Within the Security Program Committee Charter, assign members with the flexibility to hold more than one position. Use “acting or interim” titles if certain roles don’t exist in your organization. If you do not have an individual with the official Chief Information Security Officer (CISO) title, you will still need to assign CISO responsibilities to someone. Example: [full name], CTO and acting CISO
  • Step 2: Develop and integrate all the topic-specific policies using Trustero’s templates.

Storing and Accessing Policies

  • Step 3: Use cloud-based document storage (like Google Drive) for the editable source documents, and track policy owners, review dates, and approval records alongside them. Restrict edit rights to the policy owners and keep version history enabled so the store itself records who changed what and when.
  • Step 4: 
    • Publish your finalized policies in PDF format to your internal wiki page (e.g., Confluence, Notion) so all employees have easy access. Include a link to that wiki page at the bottom of every policy so readers can always find the current version.
    • Also ensure finalized and approved policies in PDF format are accessible within your Trustero account. You have two options:
      • Upload them individually on the “Policies” page within your Trustero account.
      • Or set up document integrations to sync your policies (from your cloud-based document storage, like Google Workspace) directly with your Trustero account.

Steps for Communicating Updates and Capturing Acknowledgement

  • Step 5: Communicate policy updates to all employees via email for awareness.
  • Step 6: Capture electronic signatures (e.g., HRIS, DocuSign) to confirm all employees have read, understood, and agreed to the policies. Collect acknowledgments at onboarding for new hires and again whenever a policy materially changes, since auditors sample for both.

Tools and Template References

  • Trustero offers a set of ready-to-use policy templates as part of our core content, allowing quick customization and deployment of essential policies.
    • The policy template set is tailored to your framework scope and industry classification. It is populated when your Trustero account is provisioned or provided during your onboarding call.
    • Once your policies are adopted and enforced, adopt and complete the companion document “Intro & Overview - Documented InfoSec Operational Activities”.

Maintenance and Updates

  • Review schedules and change management: Use Trustero’s Documented InfoSec Operational Activities Template to track and schedule regular policy reviews. Reviews must be held at least annually, and sooner when the business, its systems, or the framework scope change significantly.
  • Communicate updates: Notify all employees by email whenever a policy changes (Step 5), and recapture acknowledgment for material changes (Step 6).

Documenting Compliance

What You Need for Evidence

  • Assigned policy owners, with documented dates for updates, reviews, and approvals.
  • A link or screenshot of the published policies on your internal wiki page (e.g., Notion, Confluence).
  • Documentation of policy update communications and employee acknowledgments.
  • The latest finalized PDF version of every policy, either uploaded to your Trustero account or synced to it through a document integration.
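The evidence list above is easiest to keep honest with a script that checks the policy register on a schedule rather than by hand before the audit. The following is an added example, not part of the Trustero guide or its templates: it reads a constructed CSV export of the tracking sheet from Step 3 (the column names, policy names, owners, dates and URLs are all hypothetical) and reports every gap an auditor would ask about: a missing owner or approval date, a review older than a year, no published wiki link, or employees who have not acknowledged the policy.

```python
"""Check a policy register for the evidence gaps an auditor will look for.

Added example, not part of the Trustero guide or its templates.  The register
is a constructed CSV export (column names are assumptions) of the tracking
sheet kept in cloud document storage.  The checks mirror the evidence list:
named owner, recorded approval, review within the last year, a published wiki
link, and acknowledgment by every employee.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

REVIEW_INTERVAL = timedelta(days=365)  # reviews must be held at least annually

# Constructed sample register; names, dates and URLs are hypothetical.
REGISTER_CSV = """policy,owner,approved_on,last_reviewed_on,published_url,acknowledged,headcount
Information Security Policy,Jane Doe (CTO and acting CISO),2024-01-15,2024-01-15,https://wiki.example.com/policies/infosec,48,50
Access Control Policy,Jane Doe (CTO and acting CISO),2023-04-20,2023-04-20,https://wiki.example.com/policies/access-control,50,50
Incident Response Policy,,2024-02-10,2024-02-10,,50,50
Vendor Management Policy,Sam Lee,2024-03-01,2024-03-01,https://wiki.example.com/policies/vendor,50,50
"""


@dataclass(frozen=True)
class Finding:
    policy: str
    issue: str


def parse_date(text: str) -> Optional[date]:
    """Return the ISO date in a cell, or None when the cell is blank."""
    return date.fromisoformat(text.strip()) if text.strip() else None


def next_review_due(last_reviewed: date, interval: timedelta = REVIEW_INTERVAL) -> date:
    """Latest acceptable date for the next review of a policy."""
    return last_reviewed + interval


def check_register(csv_text: str, today: date,
                   interval: timedelta = REVIEW_INTERVAL) -> List[Finding]:
    """Return one Finding per evidence gap, in register order."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["policy"].strip()
        if not row["owner"].strip():
            findings.append(Finding(name, "no policy owner assigned"))
        if parse_date(row["approved_on"]) is None:
            findings.append(Finding(name, "no approval date recorded"))
        reviewed = parse_date(row["last_reviewed_on"])
        if reviewed is None:
            findings.append(Finding(name, "no review date recorded"))
        else:
            due = next_review_due(reviewed, interval)
            if today > due:
                findings.append(Finding(name, f"annual review overdue since {due.isoformat()}"))
        if not row["published_url"].strip():
            findings.append(Finding(name, "not published to the internal wiki"))
        acked, headcount = int(row["acknowledged"]), int(row["headcount"])
        if acked < headcount:
            findings.append(Finding(name, f"acknowledged by {acked} of {headcount} employees"))
    return findings


if __name__ == "__main__":
    # Run as of a fixed date so the sample output is reproducible.
    for finding in check_register(REGISTER_CSV, date(2024, 6, 1)):
        print(f"{finding.policy}: {finding.issue}")
```

Run against the sample register as of 2024-06-01, the script flags the Information Security Policy for two missing acknowledgments, the Access Control Policy for a review that fell due on 2024-04-19, and the Incident Response Policy for having no owner and no wiki link; the Vendor Management Policy passes. Wire the same check into whatever runs your scheduled operational tasks so overdue reviews surface months before the audit window.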

Auditor Preparedness

  • Auditors' Focus: Auditors will verify that your policies clearly state "what you have to do," confirm that you understand those obligations, and check that every control is covered by a policy. The supporting documents should define "how to do what you have to do" to comply with the policy.

Trustero’s Template for Operational Activities

If you are using Trustero's policy templates, consider our Documented Information Security Operational Activities template. This not only covers the operational aspects ("how you do it") but also helps track and assign any manual tasks to ensure ongoing compliance throughout the year.