In Brief

Securing information is far from being a technical issue for an organisation. In fact, technical operations are just one aspect of a process which, to be successful, must include all of the company’s activities as a whole.

Before implementing technical procedures and measures aimed at improving an organisation’s security, it is important to first conduct a risk analysis (risk management) and to write up a security policy.

The security policy formalises and coordinates all of the organisation’s security techniques and organisational procedures.

Writing up a security policy is a lengthy task. We do not advise that small companies tackle it all in one go. It is better to make gradual progress through continuous improvement, creating a document that is both short and concise, to progressively develop the procedures and sectoral policies that are most needed.

The governing principle when drafting a security policy consists of, on the one hand, a set of best practices (ISO/IEC 27001 and ISO/IEC 27002) and, on the other hand, risk analysis and assessment. All organisations should ensure they implement behavioural, organisational, and technical measures where they can be quickly and truly effective.

In any case, you should choose an approach that is best suited to the size, and especially the criticality of assets, and the maturity of the organisation.

Security Charter

The definition and application of a security charter is the first step towards security management. To guarantee its success, it must meet the specific security requirements for the organisation. A risk analysis, even a brief one, must precede this process. Without this analysis, the management will not be in a position to determine which assets should be protected as a priority. In order to be able to predict the worst possible outcome, the management must identify the most likely threats and vulnerabilities which are the easiest to exploit.

The introduction of a charter must imperatively be accompanied by a presentation to the employees who will have to implement the suggested measures on a daily basis. Without this training, there is a risk that the charter will be ignored and will, therefore, become useless.

Security Policy

Once the major risks for the organisation have been identified (risk management), the management will, with a view to continuous improvement, be able to go beyond a simple security charter. They will introduce an actual policy, as well as specific procedures.

With the introduction of even a rudimentary security policy, the management will be able to begin organising security. The security policy will define in the formal procedures, the obligations and responsibilities of each individual, as well as the processes related to the security of information.

At this stage, there is no point in compiling an exhaustive security policy. Making an organisation secure is an ongoing process (Design, Implementation, Assessment/Checks and Improvement), and it is implemented according to security measures, assessed based on the worst possible outcomes, the most likely threats and the largest vulnerabilities.


This first step aims to correctly determine the scope and context of the future system. It must also be able to identify and assess the risks, to develop a management plan. (It cannot, however, replace the risk analysis which must be carried out in advance.)


The implementation stage primarily consists of applying the security policy created in the previous stage. Organisational and technical measures are implemented and behavioural measures are applied by the staff.

Assessment and Checks

The assessment systems must have been set out in the security manual. The aim is to ensure that the procedures put in place work as intended.

These assessments can take several different forms:

  • regular inspections carried out as part of the everyday tasks;
  • automatic checks performed using software tools which can generate reports;
  • comparison with other organisations;
  • performance of planned formal audits (risk assessment);
  • management review.

If the assessments and checks uncover inadequacies in certain procedures, measures must be taken to correct them.


The actions that were decided upon in the previous step will have to be implemented, either:

  • at the security system level itself, by appointing a (new) manager for all or part of the system, for example;
  • at operational procedure level which will have been determined, such as the implementation of a different (and obviously better suited) data backup procedure;
  • at tool level, with the purchase of an antivirus, for example.

Contents of the Security Policy

The security policy should contain the following documents:

Section 1. Security Policy

  1. Management commitment
  2. Review and assessment

Section 2. Organisation of Security

  1. Attribution of responsibilities
  2. Authorisation procedure for adding information processing tools
  3. Expert advice
  4. Independent review of information security
  5. Third-party access and outsourcing

Section 3. Classification and Monitoring of Resources

  1. Classification of and responsibility for resources

Section 4. Human Factors

  1. Security as a mission
  2. Training and information
  3. Response to incidents and security malfunctions

Section 5. Physical and Environmental Security

  1. Physical security perimeter
  2. Rules within the perimeter
  3. Electrical equipment safety
  4. Maintenance
  5. Off-site equipment security
  6. Disposal or reuse of the equipment
  7. Clean desk

Section 6. Operational and Communications Aspects

  1. Documented procedures
  2. Separation of development and production environments
  3. External management of resources
  4. Protection against malware
  5. Data backups
  6. Device security during transport
  7. Email

Section 7. Access Control

  1. Access control policy
  2. Access rights management
  3. Password management
  4. Use of external networks
  5. External connections
  6. Separation of networks
  7. Login procedure

Section 8. Development and Maintenance of Systems

  1. Use of encryption
  2. Electronic signatures

Section 9. Management of Security Incidents

  1. Reporting information security events
  2. Incident management and improvements of information security
  3. Analysis of non-fulfilment of obligations

Section 10. Managing Business Continuity

  1. Operational continuity

Section 11. Compliance

  1. Identification of applicable legislation
  2. Intellectual property
  3. Protection of operational data
  4. Personal data protection