FAQ

Below are some common questions and answers that we get asked on occasion, but if you need further assistance and cannot find answers you're looking for please don't hesitate to contact us.

How does Security Bastion work?

Once the registration process is complete you will be given access to our security governance dashboard, where you will be able to access a wide variety of information security templates covering all aspects of information security in line with ISO/IEC 27002. It is regarded as the principal global reference for information security management and has provided the starting point for many compliance standards.

All our governance templates are in doc format and have been specially designed to be easily customized to an organization’s own documentation standards within a matter of minutes. Your registration will last one full year; during this period all new and updated documents will be freely available to you.

Will your policies help us meet compliance standards?

Yes, helping organizations meet compliance was one of the main reasons we launched Security Bastion, as deciphering what needs to be in place can be frustrating for many. Our policy templates have been specifically written using ISO/IEC 27002 control objectives so that policy and standards statements can be easily tied back to the most common compliance standards. Each policy statement has the applicable ISO/IEC 27002 control objective reference code attached so that it can be easily cross-referenced with virtually any current compliance standard.

This is one of the reasons that most organizations have selected the ISO/IEC 27002 Code of Practice for Information Security Management as the framework around which security management road-maps and frameworks are developed. More mature organizations approach this standard holistically and develop solid business processes to ensure repeatability and long term success based on a reasonable strategy and road-map.

What is an information security policy?

Policies are management instructions indicating how an organization is to be run. They are high-level statements of goals, objectives, beliefs, ethics, and responsibilities. Policies should change little over time and be independent of a particular technology. Compliance with corporate policy is mandatory, and requires special approval when an individual or organizational entity wishes to take a contrary course of action.

The importance of business rules such as information security policies is becoming appreciated by senior management at many organizations. All around them are projects that critically depend on clearly-articulated business rules. Without information security policies and corresponding technical documents such as standards and processes, management cannot be sure that information systems are operated in a secure manner.

What is an information security standard?

Policies are higher-level requirement statements than standards, although both types of management instructions require compliance. Policies provide general instructions, while standards provide specific technical requirements. Standards cover details such as implementation steps, systems design concepts, software interface specifications, software algorithms, and other specifics.

Policies are intended to last for up to five years, while standards are intended to last only a few years. Standards will need to be changed considerably more often than policies because the manual procedures, organizational structures, business processes, and information systems technologies mentioned in standards change so rapidly.

What is the difference between policy and guideline?

Policies are mandatory and can be thought of as the equivalent of organization-specific law. Special approval is required when a worker wishes to take a course of action that is not in compliance with policy. Because compliance is required, policies use definitive words like “must not” or “you must.” The words used to compose policies must convey both certainty and unquestionable management support.

Policies are distinct from, but similar to, guidelines, which are optional and recommended. The policies that Security Bastion supplies can be transformed into guidelines by replacing the word “must” with the word “should.” As easy as this substitution may be, transforming the policies into guidelines is not recommended. This is because guidelines violate a basic principle of secure systems design called “universal application,” which means that controls are significantly weakened if they are not consistently applied.