The theme of your security policy and how good it is (not) is of course a recurring one. Recurring in the literal sense too: the annual review cycle (is that still frequent enough? Yes, if it’s truly a policy like here) included, with an “all else follows” attached. But then, it’s only Bronze when it’s merely a top-10 bulleted list extracted from … ISO2700x, mostly. It’s Silver when actually compliant in all directions, which includes serious ‘local’ adaptations…
And it’s Gold, when over and above that, it looks like this.
Not even kiddin’, really. Since your information security policy, next to the other security policies …, covers all information of any kind and on any medium, processed anywhere in the business. Which means that the from-IT angle will very probably not suffice.
But which also means that it helps when it rocks, in ways that interest all of your audience, which is all of your colleagues, including all colleagues at outsourced, cloudsourced and what-have-you processes and lines of business. Transparency, right ..? Runs all the way down the food/supply chain.
Indeed, the maturity of a company may be gleaned from the maturity (rocks’iness) of the information security policy. Get that right, and all else need not follow since it has gone before.
And oh, did I mention that in the implementation, resilience should be built in and not only be through formal (for-) BCM practices ..? I’ll return to that tomorrow. Plus:
[Lightning (-) rocks (pavement), too; Ottawa]