IS08 ICT Security Policy

To the requirements of ISO 27001:2013

Document Ref: IS08 ICT Security Policy

Version: 1
Date of Version: [dd/mm/yyyy]
Author: [Name 2]
Approved by: [Name 1]
Confidentiality Level: Controlled: Uncontrolled if printed
[Business Name] Limited Controlled

Circulation List
This ICT Security Policy is a controlled document and is maintained on the server as read only. The
Information Security Management Representative must ensure that all amendments are circulated
and obsolete copies removed and filed. Hard copies used for training and internal auditing are
controlled and distributed as follows.

Copy No. Holder

1 Information Security Management Representative

Amendment History
This document is reviewed periodically, at least annually, and is retained for a period of [Time].
Amendments and revisions are distributed to the named holders. The history of amendments and
the issue of revisions are recorded below.

Amend. Page New Issue

Date Reason for Change Authorised by
No. No. No.
[dd/mm/ - All 1 Initial release. [Name 1]
yyyy]
1 2
2 3
3 4
4 5
5 6
6 7
7 8
8 9
9 10
10 11
11 12
12 13
13 14
14 15
15 16
16 17

Copies of this document other than those listed above will not be revised; such copies will be marked
as UNCONTROLLED.

Issue No. 1 Page 2 of 12

Date: [Nth] [Month] [Year] Authorised by: [Name 1]
[Business Name] Limited Controlled

Table of Contents
0. APPLIED CONTROLS............................................................................................................................... 4

1. INTRODUCTION..................................................................................................................................... 4

2. SCOPE................................................................................................................................................... 4

3. POLICY STATEMENT............................................................................................................................... 5

3.1 AUTHORISED USE......................................................................................................................................5

3.2 ACCEPTABLE USE.......................................................................................................................................5
3.3 SECURITY AWARENESS................................................................................................................................5
3.4 BUSINESS CONTINUITY................................................................................................................................6
3.5 MONITORING AND REPORTING.....................................................................................................................6
3.6 RISK ASSESSMENT......................................................................................................................................6
3.7 SECURITY POLICY REVIEW............................................................................................................................6
3.8 ASSET MANAGEMENT.................................................................................................................................6
3.9 SANCTIONS...............................................................................................................................................6

4. COMPLIANCE WITH LEGAL AND CONTRACTUAL OBLIGATIONS...............................................................7

5. RESPONSIBILITIES.................................................................................................................................. 7

5.1 CO-ORDINATION........................................................................................................................................7
5.2 SECURITY OFFICER.....................................................................................................................................7
5.3 DIRECTORS...............................................................................................................................................7
5.4 USERS OF RESOURCES.................................................................................................................................7

6. DEVELOPMENT OF SPECIFIC ICT POLICIES, PROCEDURES AND GUIDELINES.............................................8

7. BREACHES OF POLICY............................................................................................................................ 8

7.1 INCIDENT REPORTING.................................................................................................................................8

8. ASSOCIATED DOCUMENTS AND RECORDS.............................................................................................. 9

9. DOCUMENT MANAGEMENT.................................................................................................................. 9

APPENDIX A: LIST OF ISMS SECURITY POLICIES.............................................................................................10

APPENDIX B: LIST OF ISMS SECURITY PROCEDURES......................................................................................11

Issue No. 1 Page 3 of 12

Date: [Nth] [Month] [Year] Authorised by: [Name 1]
[Business Name] Limited Controlled

0. Applied Controls

Control Title
Ref
A.5.1.1 Policies for information security
A.5.1.2 Review of the policies for information security
A.6.1.1 Information security roles and responsibilities
A.18.1.1 Identification of applicable legislation and contractual requirements

1. Introduction
[Business Name] recognises that ICT systems and information are valuable assets which are essential
in supporting [Business Name]’s strategic objectives. [Business Name] recognises its obligations to
protect information from internal and external threats and recognises that effective information
security management is critical in order to ensure the successful enablement of ICT and delivery of
business functions and services. [Business Name] is committed to preserving the confidentiality,
integrity and availability of all physical and electronic assets.

Information security management is an ongoing cycle of activity aimed at continuous improvement

in response to emerging and changing threats and vulnerabilities. It can be defined as the process of
protecting information from unauthorised access, disclosure, modification or destruction and is vital
for the protection of information and [Business Name]’s reputation.

This policy details [Business Name]’s approach to Information and Communications Technology (ICT)
Security Management, contains no sensitive or restricted information, and may be freely publicised
to relevant parties. A current version of this document is available to [Business Name] staff on the
corporate intranet and is available to external parties on [Business Name]’s website at
http://www.yourwebsite.com

The approach is based upon recommendations contained within ISO 27002 Information technology.
Security techniques. Code of practice for information security controls.

2. Scope
This ICT Security Policy applies to:

 ICT systems belonging to, or under the control of, [Business Name];
 Information stored, or in use, on [Business Name] ICT systems;
 Information in transit across [Business Name]’s voice or data networks;
 Control of information leaving [Business Name];
 Information access resources;
 All parties who have access to, or use of ICT systems and information belonging to, or under
the control of, [Business Name] including:

 [Business Name] employees

 Contractors
 Temporary staff
 Partner organisations

Issue No. 1 Page 4 of 12

Date: [Nth] [Month] [Year] Authorised by: [Name 1]
[Business Name] Limited Controlled

 Volunteers
 Any other party utilising [Business Name] ICT resources
Application of this policy applies throughout the information lifecycle from acquisition / creation,
through to utilisation, storage and disposal.

3. Policy Statement
The Information Security Policy is based on the principles set out in the British Standard for
Information Security - ISO/IEC 27002.

[Business Name] is committed to the development and maintenance of an Information Security

Management System based upon the International Standard.

[Business Name] has developed this ICT Security Policy to:

 Provide direction and support for ICT security in accordance with business requirements,
regulations and legal requirements;
 State the responsibilities of staff, partners, contractors and any other individual or
organisation having access to [Business Name]’s ICT systems;
 State management intent to support the goals and principles of security in line with business
strategy and objectives.
 Provide a framework by which the confidentiality, integrity and availability of ICT resources
can be maintained.
 Optimise the management of risks, by preventing and minimising the impact of ICT security
incidents;
 Ensure that all breaches of ICT security are reported, investigated and appropriate action
taken where required;
 Ensure that supporting ICT security policies and procedures are regularly reviewed to ensure
continued good practices and protection against new threats;
 Ensure ICT information security requirements are regularly communicated to all relevant
parties.

3.1 Authorised Use

Access to ICT systems and Information for which [Business Name] is responsible is permitted in
support of [Business Name]’s areas of business or in connection with a service utilised by [Business
Name]. Authorised users are defined as: [Business Name] employees, authorised contractors,
temporary staff or partner organisations when using information services provided by [Business
Name].

3.2 Acceptable Use

All users of ICT systems and information for which [Business Name] is responsible must agree to,
and abide by, the terms of [Business Name]’s Acceptable Use Policy, associated security policies
and applicable Codes of Connection or Conduct.

3.3 Security Awareness

[Business Name] is committed to promoting safe working practices. All employees will receive
security awareness training commensurate with the classification of information and systems to

Issue No. 1 Page 5 of 12

Date: [Nth] [Month] [Year] Authorised by: [Name 1]
[Business Name] Limited Controlled

which they have access. Staff working in specialised roles will receive appropriate training relevant
to their role. Relevant information security policies, procedures and guidelines will be accessible
and disseminated to all users. It remains the employees’ responsibility to ensure they are
adequately informed of information security policies and procedures.

3.4 Business Continuity

[Business Name] has developed, and maintains, a Business Continuity Strategy based on specific risk
assessment to maintain critical business functions in the event of any significant disruption to
services or facilities on which [Business Name] is reliant.

3.5 Monitoring and Reporting

[Business Name] reserves the right to monitor the use of ICT systems and information, including
email and internet usage, to protect the confidentiality, integrity and availability of [Business
Name]’s information assets and ensure compliance with [Business Name]’s policies. [Business
Name] may, at its discretion, or where required by law, report security incidents to the relevant UK
authorities for further investigation. As part of the standard audit review process, Internal Audit will
routinely assess compliance with [Business Name]’s ICT Security Policy and applicable ISO27001
controls and report matters to senior management where appropriate. Security incidents reported
through the Security Incident Management Policy and Procedures, will inform on the effectiveness
of ISO27001 controls and assist in identifying training and awareness requirements and
improvements through the Improvement procedure.

3.6 Risk Assessment

[Business Name] has developed a Risk Management Strategy and the risk to [Business Name]’s ICT
systems and information will be managed under this framework with reference to the guidelines
detailed in BS ISO/IEC 27005:2011 Information technology. Security techniques. Information
security risk management. Reviews are independent, unbiased and verified by either internal audit
or external parties when required.

3.7 Security Policy Review

[Business Name] will conduct an annual review of the policy or following any significant security
incidents, changes to UK or EU legislation or changes to [Business Name]’s business requirement or
structure.

3.8 Asset Management

[Business Name] will maintain an inventory consisting of all information assets which will be
managed in accordance with [Business Name]’s information security policies and procedures.

3.9 Sanctions

Failure of [Business Name] employees to comply with [Business Name]’s Information Security Policy
may lead to disciplinary action under [Business Name]’s disciplinary procedure.
Failure of contractors, temporary staff, partners or third party organisations to comply with
[Business Name]’s Information Security Policy may result in termination of contracts and
connections, suspension of services and/or lead to prosecution.

Issue No. 1 Page 6 of 12

Date: [Nth] [Month] [Year] Authorised by: [Name 1]
[Business Name] Limited Controlled

4. Compliance with legal and contractual obligations

[Business Name] will abide by all UK legislation relating to information storage and processing
including:

 The Data Protection Act (1998)

 The Freedom of Information Act (2000)
 The Computer Misuse Act (1990)
 The Human Rights Act (1998)
 The Copyright, Designs and Patents Act (1988)
 The Regulation of Investigatory Powers Act (2000)
 The Electronic Communications Act (2000)
 Privacy and Electronic Communications Regulations (2003)

[Business Name] will also comply with any contractual requirements, standards and principles
required to maintain the business functions of [Business Name] including:

 Protection of intellectual property rights;

 Protection of [Business Name]’s records;
 Compliance checking and audit procedures;
 Prevention of facilities misuse;
 Relevant codes of connection to third party networks and services.

5. Responsibilities
5.1 Co-ordination

[Business Name] co-ordinates information security management across the company network via the
IT Department.

5.2 Security Officer

[Business Name]’s Information Security Management Representative is responsible for ensuring

policies and procedures are in place to cover all aspects of ICT systems and Information security. All
policies will be communicated across [Business Name] to ensure good working practices and to
minimise the risk to [Business Name]’s reputation.

5.3 Directors

Directors are responsible for ensuring that ICT systems and information within their service areas are
managed in accordance with [Business Name]’s ICT Security Policy. Day to day responsibility for the
management of ICT systems and information may be delegated to staff designated as information or
system owners within departments.

5.4 Users of resources

It is the responsibility of any individual or organisation having access to [Business Name]’s ICT
systems and information to comply with [Business Name]’s ICT Security Policy, associated guidelines
and procedures and to take adequate steps to safeguard the security of the ICT systems and
information to which they have access. Any suspected or actual security weakness, threats, events

Issue No. 1 Page 7 of 12

Date: [Nth] [Month] [Year] Authorised by: [Name 1]
[Business Name] Limited Controlled

or incidents must be immediately reported to the Security/Business Continuity Manager via [Business
Name]’s Incident Reporting system.

6. Development of specific ICT policies, procedures and guidelines

[Business Name] is committed to the ongoing development and review of ICT policies, procedures
and guidelines to manage the risk of emerging threats to its systems and services. This work will be
co-ordinated by the IT Manager. A list of current supporting documents is included in Appendices A-
B. New policies and procedures are distributed to all stakeholders at the time of issue. Appendices
A-B of this policy are updated during the annual ICT Security review.

7. Breaches of Policy
Breaches of this policy and/or security incidents can be defined as events which could have, or have
resulted in, loss or damage to [Business Name] assets, or an event which is in breach of [Business
Name]’s security procedures and policies.

All [Business Name] employees, partner agencies, contractors and vendors have a responsibility to
report security incidents and breaches of this policy as quickly as possible through [Business Name]’s
Incident Reporting Procedure. This obligation also extends to any external organisation contracted to
support or access the Information Systems of [Business Name].

[Business Name] will take appropriate measures to remedy any breach of the policy and its
associated procedures and guidelines through the relevant frameworks in place. In the case of an
individual then the matter may be dealt with under the disciplinary process.

7.1 Incident Reporting

Users will be continually be encouraged to report any breaches to the IT Department. Breaches can
involve not only Information Technology equipment but also data that is mishandled, lost or abused
or any other incident which may cause a security concern or which may contravene [Business
Name]’s associated policies.

7.2 Incident Management

During reporting of a breach, details of the incident will be entered into the call logging system -
either by the person directly reporting the incident using the form or by the Service Desk operator
taking the call. Once the call has been entered into the system, an email is generated and sent to the
Information Security Management Representative and also copied to the Director of the IT Service.
The Information Security Management Representative will then determine if the incident needs to be
escalated to the appropriate pre-identified departmental representative to deal with.
Representatives looking into security breaches will be responsible for updating, amending and
modifying the status and clearance code of incidents in the call logging system.

Issue No. 1 Page 8 of 12

Date: [Nth] [Month] [Year] Authorised by: [Name 1]
[Business Name] Limited Controlled

8. Associated Documents and Records

Document / Storage Owner Protection Control Retention

Record Name Location Schedule
All ICT policies and [Drive Location] [Name 1] Controlled: Password [Time]
procedures Protected Access

9. Document Management
This document is valid as of [dd/mm/yyyy].

This document is reviewed periodically and at least annually to ensure compliance with the following
prescribed criteria.

 Conformance to the requirements of ISO 27001:2013

 Legislative requirements defined by law, where appropriate

_______________
[Name 1]
Managing Director

Issue No. 1 Page 9 of 12

Date: [Nth] [Month] [Year] Authorised by: [Name 1]
[Business Name] Limited Controlled

Appendix A: List of ISMS Security Policies

Title Status Review Date

01/10/2017
IS01 Statement of Applicability (SoA) Published
01/10/2017
IS02 Acceptable Use Policy Published
01/10/2017
IS03 Access Control Policy Published
01/10/2017
IS04 Asset Management Policy Published
01/10/2017
IS05 Corporate Digital Records Preservation Policy Published
01/10/2017
IS06 Corporate Records Management Policy Published
01/10/2017
IS07 Encryption Policy Published
01/10/2017
IS08 ICT Security Policy Published
01/10/2017
IS09 Information Backup and Restore Policy Published
01/10/2017
IS10 Information Classification and Handling Policy Published
01/10/2017
IS11 Internet and Email Acceptable Use Policy Published
01/10/2017
IS12 ISMS Policy Published
01/10/2017
IS13 Operational Management Published
01/10/2017
IS14 Password Policy Published
01/10/2017
IS15 Record Disposal Policy Published
01/10/2017
IS16 Scanning and Disposal Policy Published
01/10/2017
IS17 Secure DesK Policy Published
01/10/2017
IS18 Secure Email Policy Published
01/10/2017
IS19 Security Incident Management Policy Published
01/10/2017
IS20 Server Security Policy Published
01/10/2017
IS21 Supplier Security Policy Published
01/10/2017
IS22 Third Party Connection Policy Published
01/10/2017
IS23 Wireless Network Policy Published

Issue No. 1 Page 10 of 12

Date: [Nth] [Month] [Year] Authorised by: [Name 1]
[Business Name] Limited Controlled

Appendix B: List of ISMS Security Procedures

Title Status Review Date

01/10/2017
IS24 Data Protection & Storage Media Handling Procedures Published
01/10/2017
IS25 Desktop PC Security Procedures Published
01/10/2017
IS26 Disposal of ICT Equipment Published
01/10/2017
IS27 Document and Record Control Procedures Published
01/10/2017
IS28 Business Continuity Policy Manual Published
01/10/2017
IS29 Improvement Procedure Published
01/10/2017
IS30 Incident Reporting and Management Procedure Published
01/10/2017
IS31 Information Classification and Handling Procedures Published
IS32 Information Systems Development and Maintenance 01/10/2017
Published
Procedures
01/10/2017
IS33 ISMS Internal Audit Procedure Published
01/10/2017
IS34 Laptop & Mobile Device Security Procedures Published
01/10/2017
IS35 Malicious Software and Anti Virus Procedure Published
01/10/2017
IS36 Mobile Phone Procedures Published
01/10/2017
IS37 Physical and Environmental Infrastructure Procedure Published
01/10/2017
IS38 Records Appraisal Procedure Published
01/10/2017
IS39 Risk Assessment and Treatment Published
01/10/2017
IS40 Security Awareness Procedure Published
01/10/2017
IS41 Teleworking and Mobile Working Procedures Published
01/10/2017
IS42 Management Review Procedure Published

Issue No. 1 Page 11 of 12

Date: [Nth] [Month] [Year] Authorised by: [Name 1]
[Business Name] Limited Controlled

Issue No. 1 Page 12 of 12

Date: [Nth] [Month] [Year] Authorised by: [Name 1]