April 12, 2016

Last Updated on January 12, 2024

I often come across clients with little documentation supporting internal standards, policies and/or procedures. Or, if the documentation exists, updates are far and few in between.
When I inquire about the status of the documentation, the response usually boils down to either or both of these common rationalizations: It just hasn’t happened, and/or “standard operating procedures” are common knowledge among employees.
The fact is that nobody enjoys writing this kind of documentation, let alone updating it. So it doesn’t surprise me when my initial suggestions around improving the documentation based on ISO 27001 requirements and Annex A controls are frequently met with that “What’s the point?” look.
If you’re wearing that look yourself right now, please bear with me briefly and let’s examine the three key reasons why standards, policies and procedures are important and why your company should have them in place.
One: Compliance
Compliance with ever-changing and ever more numerous and complex industry regulations and legal requirements is a basic organizational requirement. Hopefully, you’re doing that… But how easy is it for you to demonstrate that to auditors or regulators? Processes that are reasonably well documented, when combined with records that demonstrate that processes are actually carried out, can show that you have appropriate internal controls in place to comply with regulations and standards. Scrambling to make it look like you’re doing what you should be doing takes almost as much time as doing it right, and is a lot riskier and more nerve-wracking.
Two: Risk management
If there are no clear standards, policies, and procedures that managers and others can point to, then chances are processes are inconsistent and potentially flawed. When it comes to information security, inconsistency means increased risk. Are your system administrators forgetting to change default passwords? Are your knowledge workers putting confidential data on unencrypted thumb drives? Are your executives failing to backup their laptops? Whatever your industry, any of these kinds of oversights could result in a data breach or data loss. Maybe you won’t be hit with thousands of dollars in expenses and fines… Or maybe you will.
Three: Operational efficiency and continuous improvement
By documenting standards, procedures and policies, you ensure that some of your most critical business processes are performed in a consistent way that meets the company’s needs. This is especially important with regard to capturing, communicating and securing information.
Documenting information security standards, procedures and policies are especially important to every company. Not only does this documentation help ensure that controls function as intended, but also it helps with training and knowledge transfer. Do you have one or a couple “IT guys” (employees or contractors) who perform various critical tasks that nobody else is even aware of? What happens when they leave? Who can step in and keep those balls in the air?
Writing things down also gives management a chance to provide guidance and review performance data for effectiveness. What really matters to your bottom line and your competitive success? And are these key processes happening efficiently and in alignment with goals? Probably not if they aren’t even written down…
It’s commonplace during assessments to note that companies of all sizes come up short on documentation. IT and many other functions are so focused on urgent daily tasks that there’s little bandwidth for “non-essential” work like documentation.
But documentation isn’t “non-essential,” especially for companies that want to pursue ISO 27001 certification or otherwise demonstrate to clients, prospects and regulators that they can keep confidential data secure—an increasingly urgent concern in many industries. An experienced third party can accelerate the documentation process significantly and reduce the workload on staff.
To get some expert advice and support around your organization’s procedural and policy documentation, contact Pivot Point Security.