How to Write an Information Security Policy (GDPR covered)

With the adoption of the GDPR (General Data Protection Regulation) in May 2016, we are almost half way through the two-year journey towards its application in all member states, including the UK on May 25th, 2018. The GDPR will replace the Data Protection Directive 95/46/EC and therefore the Data Protection Act 1998 in the UK. Brexit will not change this, as even the earliest possible Brexit would mean several months of compliance requirement while still part of the EU and independent of that, businesses are trading with the EU and are holding data that fall within the scope of the Directive and will therefore have to comply.

In order to be compliant with national and international information and data protection laws and regulations, organisations need to introduce appropriate and effective cyber security and data protection controls. The Information Security Policy forms the basis of these controls.

A well thought through information security policy will also address the human factor and take the organisation’s specificities into consideration. We are all aware that no matter how strong or advanced security applications or technical controls are, protecting the company’s data assets will heavily depend on the people within the organisation. People unfortunately are the weakest link in any information security and privacy programme albeit rarely intentionally. The Board and the executive team are ultimately responsible for security breaches, no matter if they occur due to an employee’s misconduct, plain negligence or for the simple reason that employees are not aware of threat and how to protect against them.

A comprehensive Information Security Policy therefore covers a range of topics, from identifying data assets, defining security objectives to establishing and enforcing formal, written policies and guidelines which govern employees’ behaviour.

This full day course is designed to give a practical introduction about the importance of having an information security policy and to provide clear guidelines on how to develop and to document a well-thought through and effective policy that ensures information security, is aligned with the business strategy, reduces the impact of identified and diverse risks, manages resources and infrastructure effectively and efficiently and delivers value for the security investment made.