October 05, 2023
When drafting IT policies, aligning the content with best practice guidance helps to ensure that your organisation operates securely, efficiently, and in compliance with relevant regulations. It also positions your organisation to effectively adapt to changing technology landscapes and emerging threats.
Cross-checking your IT policies to ensure they are aligned with best practices involves a systematic and thorough review process. One of our new customers recently gave us a run-through of how they had tried to approach this task manually, using some of their own team members and an external consultant.
Having had a selection of IT policies in place for 5-6 years, a decision was made to refresh the content and in doing so ensure it aligned with the ISO27002:2013 best practice guidance.
The external consultant used a spreadsheet to create a mapping document, and started to link each of the IT policies to the ISO27002 guidance and record reference numbers.
A review team was assembled comprising knowledgeable individuals from IT, Governance, HR, Legal and Commercial Operations.
The team started a detailed review to:
• Check if an existing policy addressed the key requirements and recommendations from the guideline.
• Ensure that policy language was clear, concise, and would be easily understood by all employees.
• Verify that the policy aligned with legal and regulatory requirements.
• Evaluate the effectiveness of the policy in achieving its intended goals.
The mapping document was intended to record gaps and deficiencies that the team identified in the IT policies, plus note any policy content that did not align with best practice or legal requirements.
After the second session it was obvious that the exercise was going to require a significant investment of time and effort from the team members - which they didn’t readily have available. With resources stretched, business as usual took priority. Furthermore, the external consultant advised that they were moving on to take up a new role, and ISO announced the release of a new version of the 27002 standard – 27002:2022. What had started out as an efficient review process was now shaping up to be a drawn-out exercise.
The project lead made the decision to put the exercise on hold, review the plan and the new version of the standard, and consider other possible options to get the project completed. Budget had been approved to employ the services of an external consultant for the project; however, with that individual leaving, someone else would need to fill in at a similar cost. An additional concern was that no analysis had been done on the amount of time required from the various team members.
Contact us to obtain our IT Policies Calculation Tool and find out how much it costs to develop, deliver and maintain your IT policies inhouse.
A call to Protocol Policy Systems (PPS) in the following weeks looking to recruit a replacement consultant led to a discussion about IT Policy Management as a Service. The good news for the project lead was that the service addressed the challenges they needed to overcome to complete the policy refresh project whilst ensuring alignment to best practice.
First draft policies could be created and delivered to the customer in less than 48 hours using a library of 700+ best practice statements.
No spreadsheet or manual mapping of content to standards was necessary as the best practice statements in the policy management software are already mapped to standards such as ISO27002:2022, representing a major time saving.
Any future requirement to introduce additional standards mappings covering the use of cloud services, protection of personally identifiable information or credit card data could be enabled with minimal effort.
The job to customise the first draft version of the policy content for the business was made easy with the assistance of a PPS Consultant. The subject matter experts in the team could use their Stakeholder role in the policy management software to provide online input regarding the wording of policies, without having to attend a meeting.
The final draft policies were branded, customised and ready for sign off within 7 weeks.
With IT Policy Management as a Service now in place, the customer can manage their content and users' engagement with the service by using a selection of useful features in the policy management software such as policy review reminders, online change requests, user activity reporting and on-screen signing for compliance. Furthermore, ongoing access to subject matter expertise is provided under the subscription model to ensure that the policies remain current and aligned to standards.