Information Security Policy Structure

CX Index’s Information Security Policies are structured to give the flexibility required by business objectives and needs while maintaining security across the company. A breach usually begins at the weakest link, and a single weak link is enough to break the security chain. Through consistent application of Information Security across the company, weak areas are compensated for and the organisation is stronger overall. Information Security Policy follows this tiered structure:

  • Information Security Mission Statement
  • Information Security Policy
  • Information Security Standards and Processes
  • Information Security Specific Configurations and Procedures

Each tier draws its authority from the tier above it and becomes more detailed as you progress down the tiers. In this way, every action taken has a basis in policy and directly supports the policy or policies that govern it. To illustrate this hierarchy, the levels are described below.

Information Security Mission Statement – This is the overall management direction regarding Information Security at CX Index. It is broad in scope and sets the expectations for protecting the company’s information resources. It is contained in this document.

Information Security Policy – This is the collection of policies that implement the overall guidance of the Mission Statement. Policies are somewhat broad but topical in nature (each centred on a specific Information Security topic). CX Index’s Information Security Policies are organised in accordance with ISO 27001, the international Information Security Standard, and comply with other regulatory and compliance mandates where applicable. Policies apply equally to everyone within the company, regardless of location or role. The Information Security Policies are contained in this document.

Information Security Standards and Processes – These are collections of standards and processes used to implement the policy they reference. Standards may dictate a type of technology to use, but may stop short of naming a particular product (depending on the policy and standard subject). Processes detail the steps to take to fulfil the goals of a particular policy. Standards and Processes will be published under separate titles, and each will clearly delineate where it applies.

Information Security Specific Configurations and Procedures – These are the very specific details that support the implementation of the standards and processes given above. They include specific products and configuration details, or step-by-step procedures for implementing processes. They are highly localised and apply only to the environment for which they were written (e.g., a specific configuration for Linux systems may differ from the Windows configuration). These will be published under separate titles where directed.
