Edition 1.0.0
Updated October 9, 2023
All of this may seem overwhelming and like a huge commitment of time and resources. As a result, many people turn to their handy local search engine and type “Information Security Policy Templates” in the helpful little box. Often you will find dozens of collections of policy templates, often referred to as “policy suites.”
I get it; we have all been there. You never want to solve a problem that has already been solved, and why invest this time and effort if you can simply buy, download, and customize a policy suite?
There is a lot to this question, but let’s dig into the pros and cons.
Advantages of off-the-shelf policy suites:
They are very often written by consultants and have been used in dozens, if not hundreds, of organizations before. As a result, you can expect them to have had a certain level of scrutiny.
They may come with a support package that can help you navigate and customize the templates for your environment.
They may have been specifically written to comply with certain commercial or national regulations and can help with compliance audits.
Disadvantages of off-the-shelf policy suites:
These are likely to be very generic policies, and making them work for your fast-moving environment may be challenging. If you are a cloud-native team and don’t have a big on-premises IT infrastructure, for example, these policies may not fit your operational or technical architectures at all.
They may be outdated. The nice thing about selling policy online is that you write it once and sell it over and over again. While some providers will commit to updates on a regular basis, some will not. Check carefully for signs of outdated or antiquated policy that was written long ago.
They won’t be aligned with your company’s communications style and culture. As we have discussed previously in this chapter, this is key to getting people to buy in and help with their implementation. Without this, you may spend a lot of time lost in translation when socializing them with your team.
No book can tell you whether buying existing templates and customizing them or writing your own is the better strategy for your company. However, if you are considering this plan, do your due diligence and make sure you are investing wisely in something that suits your technical environment and operating culture.
A policy, standard, or playbook that sits unloved and unimplemented does nothing for your company’s security.
It’s important to remember that creating these documents isn’t the end of the process; it’s the beginning. From here it’s up to you and your team to ensure that the requirements and processes defined in this document suite are understood, widely known in the team, and, most importantly, put into practice across every area of your business.
There is no one-size-fits-all approach to how you do this. Your business and operations will be unique to your context, and so you will need to weave your new security practices through your culture. As you begin to do this, there are a few things you may want to consider that will help maximize your chances of success.