Whether you're looking to better understand policy management, support compliance with standards like the Cyber Assessment Framework, ISO, or GDPR, or strengthen your organisation’s data governance, our resources are here to help. Explore practical guides, FAQs, case studies, and expert insights tailored to IT, security, and GRC professionals.
We live in a world where information is constantly being collected, stored and shared to enable business to be done. Keeping that information safe is one of the great challenges for any organisation. IT security policies are an essential element of that requirement, protecting information from disclosure, unauthorised access, loss, corruption and interference. Organisations that fail to implement suitable policies face business, reputational and legal risks.
Policy Management as a Service (PMaaS) is designed to make the development, delivery, and maintenance of IT security policies efficient and cost-effective. In a matter of weeks, PMaaS allows a client to deploy a full suite of tailored IT policies aligned with recognised frameworks, standards, and best practice guidance such as ISO 27001, ISO 27002, PCI DSS, the Cyber Assessment Framework, and Cyber Essentials Plus. Once the service is deployed, it is supported on an ongoing basis by subject matter experts who ensure client policy content remains up to date and fit for purpose. A range of workflow options helps clients manage content and user engagement within the service.
Policy Management as a Service builds policies using its massive library of best practice statements. Within five weeks, these policies and statements are reviewed by key stakeholders for feedback and then tailored to each client's business requirements with the help of our subject matter experts and policy editors. Achieving a similar outcome through a manual approach with in-house or contracted resources would take more than two years of time and effort. The first challenge is often finding a person with the right combination of writing skills and security expertise to create easy-to-read IT policies aligned with best practice.
Since our business launched, we’ve helped to develop and deliver thousands of IT policies across multiple sectors. We maintain a massive library of best practice statements that form the foundation of our policies. This means that when we work with a new client, most of our effort goes towards identifying and building the appropriate policy documents for their business and tailoring them so they are fit for purpose. This approach is much faster than trying to draft policy documents manually from scratch while also trying to align them with standards and best practice guidance.
Templates can be a useful starting point, but they’re rarely enough on their own. Most are generic, written for a wide audience, and not aligned with the specific standards or regulations your organisation needs to meet.
Starting with a template also leaves you or a contractor with the work of adapting, reviewing, and maintaining the policy wording - a process that can take months and still result in gaps. If policies don't readily reflect your actual environment and business requirements, then staff are less likely to follow them. Furthermore, the content may not be adequate to satisfy audit requirements and will likely require revision or redrafting.
Yes. Every organisation has different requirements depending on its sector, size, and regulatory obligations. We adapt policies to reflect the needs of sectors such as housing, local government, not for profit, healthcare, and more.
IT policies quickly lose value if they’re not kept current. We monitor changes to international standards such as ISO and PCI DSS, UK guidance including the Cyber Assessment Framework and Cyber Essentials Plus, and legislation like the UK Data Protection Act and GDPR. When policy updates are needed as a result of changes to standards and legislation, our service ensures you are presented with options to revise your policy wording. Once you have selected your preferred options they are implemented automatically for you.
Our policies are mapped and aligned with leading UK and international standards and frameworks, including:
This alignment helps ensure your organisation’s policies support recognised best practice and regulatory requirements.
Our policy framework covers the full range of information security topics, including:
Policies are written for three personas - Users, Managers and Technical staff.
A Policy is a high-level guiding principle or rule that sets the direction for decisions and actions within an organisation.
A Process is a series of related tasks or steps taken to achieve a specific outcome.
Procedures detail a step-by-step set of instructions for carrying out a specific task or part of a process.
In combination, a policy sets the direction, a process outlines the flow of activities to meet that policy, and a procedure provides the detailed steps to perform tasks within the process.
Without clear policies, staff are left to make their own judgments about the use of technology and information. This often leads to inconsistent practices, higher risk of human error, and greater exposure to cyber threats. Proper IT policies set expectations, reduce uncertainty, and help demonstrate a responsible approach to managing information security risks.
There are three components to information security, often summarised as C.I.A.:
Confidentiality - information must not be made available or disclosed to unauthorised individuals, entities, or processes
Integrity - data must not be altered or destroyed in an unauthorised manner, and accuracy and consistency must be preserved regardless of changes
Availability - information must be accessible and useable on demand by authorised entities
IT security policies are the bridge between governance and day-to-day operations. Governance sets the direction and expectations. Risk management identifies where threats exist and what needs to be controlled. Policies, aligned with recognised standards and best practice, then turn that into clear guidance for staff - for example, how to handle data securely, how to respond to incidents, or how to secure system access properly.
PROTOCOL POLICY SYSTEMS