Information security is often seen as a matter of technology, but it starts with the organization's information security policy. The information security policy states the security requirements the organization sets for itself. Sometimes this is a single document, but it can also be a set of documents that each cover a different topic. The policy is approved by the organization's management and implemented by a member of the board or by a person delegated within the organization.
Topics in an information security policy can be technical, such as the use of a firewall, but also 'softer' topics such as running a security awareness program. Both are essential for properly securing the organization. Other examples of topics are software development, incident response, cryptography, workplace security, network security, artificial intelligence, software and hardware suppliers, and personnel screening.
It is important that the policy keeps pace with the technology, the organization and developments in the market. The use of AI and large language models such as ChatGPT is a new development that requires attention in the policy. The policy is therefore a living document, or set of documents, that is subject to change.
The policy must also be complied with and tested. Deviations from the policy can occur, but they must be registered, and for each one it must be decided whether the deviation is acceptable. A deviation can also be an indication that the policy is due for an update.
Our CaaS service and platform helps organizations create an appropriate information security policy based on criteria specified by you. The system also automates the periodic testing of the policy requirements, the registration of deviations, and the management of risks. This ensures that the policy can be evaluated against the requirements of the organization and that the stated requirements are continuously tested, giving you a good overview of the organization's security posture.