Writing an Acceptable Use Policy for a small organization
I have written my fair share of policies and procedures for ISO 9001 compliance, but I wanted to bring in some ISO 27001 policies for two reasons:
- ISO 27001 standards are there to help mitigate risk to the company and I want the company to succeed.
- I love the IT space and I wanted to incorporate some of what I’ve been learning into my actual job.
This policy was the first ISO 27001 policy I wrote for my current organization. I utilized the SANS Security Policy Template library on their website: https://www.sans.org/information-security-policy/?per-page=100
Their library is a veritable goldmine of GRC documentation, but one shouldn't just download a policy, slap a company letterhead on it, change the company names and call it done for the day. Or at least that's not what I did. Most of the policies have similar, but not identical, layouts. They also tend to contain some errors or specify things that are not applicable to your company or industry. Instead, I used a layout I created for our own ISO 9001 policies so everything matched. Then I used the SANS templates as more of a guide and rewrote every section directly into my custom format. It is more work, but it is definitely worth the extra time to customize these policies to fit your organization.
Below are some pictures showing the overall layout and wording I used in creating this policy.
The policy then goes on to include approximately 44 subsections describing in detail what is authorized and what is considered a violation. I also include sections on Attachments, Related Documents, and Revision History, as well as a section for senior leadership to print and sign for physical documentation at the corporate address.
Additional Policies
I have written a total of 8 GRC-type policies thus far. Additional policies are likely to come as the company expands. Below is a snippet from the SOP & Policy Index showcasing the IT/GRC policies completed and currently in place.
If you have any questions, please feel free to reach out to me on my LinkedIn