Cyber Security Policy

An organization’s Cyber Security policy is a document that is tailored to its unique security needs, approved by management and distributed to all employees and partners in a form that is relevant, accessible and understandable to the intended reader. This policy document should address the following:

  • A definition of information security, including a statement of management commitment and an explanation of how information security objectives align with business strategy and objectives.
  • A framework for setting security control objectives and security controls, including the structure of risk assessment and risk management.
  • A brief explanation of the security policies, principles, standards, and compliance requirements of particular importance to the organization, including:
    • compliance with legislative, regulatory, and contractual requirements
    • security education, training, and awareness requirements
    • business continuity management and disaster recovery requirements
    • consequences of information security policy violations
  • A definition of general and specific responsibilities for information security management, including reporting information security incidents.
  • References to documentation that supports the policy.
  • A requirement that the information security policy be communicated throughout the organization to all users.