Directory of information security policies  
computer security standards, and  
information security policy template  

 Directory of information security policies and information security policy resources Contact Us Front Page

The Information Security Policies / Computer Security Policies Directory

Information security policies underpin the security and well being of information resources.. they are the foundation, the bottom line, of information security within an organization.

This directory is intended to help you ensure that your policies actually meet your needs. It will help you:

  • develop them if they don't exist (or buy them off the shelf)

  • implement them properly

  • manage compliance with them

Whatever your needs with respect to information security policies or an individual information security policy, you should hopefully find something of value.




The first issue revolves around the content and structure of the policies themselves: Are they complete? Are they fully up to date? Do they reflect your needs? This list of issues is extensive!

There are a number of possible routes available when creating the policies, ranging from off the shelf purchase, to carefully crafting every clause and sentence.

The most cost effective way is often to procure a set of pre-written policies, and then tailor as necessary to meet specific cultural needs: why re-invent the wheel and proceed down a more complex route than necessary?

When adopting this course, or indeed, when simply redeveloping existing polcies, a number of less direct factors should also be taken on board - how will the policies sit with ISO17799 for instance (see later)?

The set of policies available from the Computer Security Policy Portal are particularly comprehensive, and are also fully compliant with ISO17799 and other standards.

information security policies

For your convenience, we have added this excellent set of policies to our Download Page


Having a secuity policy document in itself is not enough.... the contents MUST be implemented to be effective. This is often easier said than done!

The fundamental question is how to deploy the policies - how to deliver them. This is critical, as undelivered or badly delivered policies might as well not exist.

The most dynamic and direct method is to deliver the policies directly to the users desktop. This carries many benefits, including:

  • Instant availability for the user

  • Familiar navigation interface.. using Windows, search facilities, etc

  • The potential to use the power of a PC to make the experience richer and more productive for the user

A product has of course emerged which utilises this method to deliver all these benefits - the well known SOS Interactive Policy solution. This was designed specifically to ensure efficient delivery of security policies.... to effectively bring the policies to life. It has been met with significant acclaim..

Again we are pleased to be able to offer the evaluation copy of this on our Download Page.




The relationship between information security policies and risk analysis is by their very nature complex. Both are essential pre-requisites to sound information security, but in some organizations they tend to sit uneasily together. This need not and should not be the case.

As described above, information security policies are 'the bottom line'... they set the boundaries of acceptability across the organization. However, it is certainly the case that some areas are more security sensitive than others. In these, for example, more stringent security measures may be appropriate.

This is the bedrock of risk analysis - determination of what controls (and expenditure) is appropriate for given situations or specific areas/systems/applications. This does NOT replace the application of security policies, but supplements them. Indeed, many modern information security policies now propose or mandate risk analysis in defined circumstances.

For more information and background on risk analysis, visit the Security Risk Analysis portal.


When embracing security policies, it is important consider their objectives, scope, and coverage. Awareness is another often neglected area.

Comprehensive information security policies should also include within their scope stipulation regarding related legislation. At the very least they should include a clause regarding compliance with legislation.

Legislation itself is often regarded are a form of policy... it is mandatory, organization wide and baseline in nature. Often it presents similar challenges to information security policies, in terms of implementation, management and monitoring.

It is therefore sometimes sensible from a cost effectiveness perspective to co-ordinate the approaches to both security policy and related legislation. This should certainly be considered with respect to compliance management and application.

ISO 17799



Compliance with this internationally recognized standard is growing in importance. Because of this, and because of the standards relevance as a common currency for information security measurement, many organizations are basing their security policies upon the standard itself.

When considering your position with respect to ISO 17799, a good start point is to consider consider what ISO17799 is, and what it's contents are.

Having this basic awareness of the standard, sensible consideration can be given to the extent to which your policies should reflect it. They should certainly not contradict it, and ideally should be largely compliant with it (see the policies referred to above).

For more information, see our ISO 17799 presentation. Externally, DenialInfo review both ISO 17799 and ISO 27001.


A number of information security policy related products can now be downloaded from our multi-vendor software page.

Visit the Download Page    

A selection of information security books can also be purchased online and shipped worldwide.

Other IS Resource Sites On Related Topics:
Business Continuity, Disaster Recovery, SANS, NSL, The IS Search Directory, Security Policies, CERT and Information Security Policies

We hope that this directory has been of substantial use. If not present within the site itself, the links provided should direct you to a suitable source. If, however, you need any further assistance, or have any comments on this portal, please contact us



Copyright © 1993-2007 The Information Security Policies & Standards Group. Jl