All part of the service!

Steve Macmillan

The maintenance and upkeep of IT policies is typically driven by changes in business requirements, the adoption of new technology, changes in best practice standards, or increasingly a cybersecurity incident.

In some of these cases the maintenance and upkeep work may not be significant. However, when a standard changes, the work involved in reviewing and editing policy wording so that it aligns with the updated guidance can be considerable.

A good example of this is the new version of ISO27002:2022, the information security management standard that provides a framework for implementing and maintaining effective information security controls. The new version provides a more relevant and adaptable framework for effective information security management than its predecessor.

Some of the main changes in ISO27002:2022 over the previous 2013 version are:

  1. Up-to-date controls: The new version of the standard includes updated controls to address emerging information security threats and challenges such as cloud computing, mobile devices, and social media. The controls are more relevant to current technology developments, making the standard more adaptable to new and evolving risks.
  2. Simplified structure: The standard has been restructured to align with the high-level structure of other ISO management system standards.
  3. Enhanced guidance: The standard is more usable and more practical for organisations to adopt and apply, because the 2022 version includes more guidance and examples to help organisations understand and implement the controls.
  4. Increased risk management emphasis: The new version places greater emphasis on risk management by including new controls related to risk assessment and treatment.
  5. Measurement and evaluation: There is increased emphasis on the importance of measuring and evaluating the effectiveness of information security controls. This helps organisations to identify areas for improvement and optimise their security posture.

For many organisations, allocating resources to review the new version of ISO27002, or any other applicable security standard, is difficult when keeping on top of business-as-usual requirements consumes most hours of the working day.

“Without the necessary resource and commitment to keeping policies updated they can quickly become out of date and irrelevant. With the ever-advancing security frameworks, utilising IT Policy Management as a Service will ensure our policies will keep pace as we seek accreditation.” - Buckingham Shire Council


Policy Management as a Service – doing the heavy lifting

A key benefit of IT Policy Management as a Service is that it is designed to make the policy review and update process easy when it comes to understanding and communicating the impact of changes introduced by a new standard version such as ISO27002:2022.

The online upgrade function in the IT policy management software allows customers to go straight to the specific policy material that they need to review as a result of a change in a standard. New and revised policy statement wording options are also provided by our Policy Editors. As a result, IT Policy Management as a Service customers invest significantly less time working through their policies to ensure they remain aligned with the new standard's guidance.

“I assessed our requirements in the area of IT Policies and it was very evident that we had a lot of work to do if we were to draft content that was easy to read and understand, whilst being aligned with best practice. My estimate was that it would take 12-18 months to do this exercise in house and that was time we didn’t have, particularly as we were immersed in deploying new technology. I began researching options and identified Protocol Policy Systems (PPS) as a specialist provider in this area.” - Tower Hamlets Community Housing

If you would like to discuss how IT Policy Management as a Service can help your organisation build and maintain the foundations for a secure computing environment, please contact us.


Contact Us Today

Fill in the form or call us on (UK) +44 845 241 0099 or (NZ) +64 9 570 2233