Written Information Security Program (WISP)

We currently offer two different versions of the Written Information Security Program (WISP): one is based on ISO 27002:2013 and one is based on NIST 800-53 Revision 4. We offer both at the request of our customers, since some businesses prefer ISO to NIST, while others prefer NIST to ISO. They are the two main, competing frameworks on which IT security "best practices" are based.


Why offer two versions of the Written Information Security Program (WISP)?

It comes down to business needs. Most US and international companies are well suited to use ISO 27001. However, for companies that contract with the US government or are in scope for certain US Federal laws, it makes more sense to adopt information security program documentation that is aligned with NIST 800-53, since that is the language the US Federal government uses for information security.

You could modify the ISO framework to meet NIST requirements, but it is a lot of work when you can simply start from the NIST framework. It is like forcing a square peg into a round hole: you can do it, but it won't fit very well and no one will be happy. When you weigh NIST against ISO, it is just better to have a square peg for a square hole:

  • ISO 27002 for companies that do little to no business with the government and
  • NIST 800-53 for companies that must comply with US government regulations.

Rule of thumb for NIST vs ISO: if you do not primarily conduct business with the US government (Federal or state level), then your best bet is to choose ISO. The reason is that ISO 27001/27002 is really geared toward business, while NIST is geared toward the government and its vendors.


OPTION 1: Example Written Information Security Program (WISP) based on ISO 27002:2013

Your ISO-based Written Information Security Program (WISP) is delivered in Microsoft Word format, so you can edit it as necessary to meet your own specific needs. This allows you to edit sections or even delete controls that you do not need to cover.

Click on the image below to open a PDF document that shows you what the example Written Information Security Program (WISP) contains and how it is written.

ISO 27002-Based Written Information Security Program (WISP) Highlights

  • Easy to implement & tailored to your company
  • Policies are based on the ISO 27002:2013 framework
  • Dozens of policies and standards specifically tailored for small to medium businesses
  • Lots of helpful examples of additional documentation you need:
    • Data classification
    • Acceptable use
    • Incident Response Plan (IRP)
    • Information Security Officer (ISO) appointment orders
    • User acknowledgement template
  • Covers PCI DSS v3 requirements


OPTION 2: Written Information Security Program (WISP) based on NIST 800-53 Revision 4

Your NIST-based Written Information Security Program (WISP) is delivered in Microsoft Word format, so you can edit it as necessary to meet your own specific needs. This allows you to edit sections or even delete controls that you do not need to cover.

Click on the image below to open a PDF document that shows you what the example Written Information Security Program (WISP) contains and how it is written.

NIST 800-53 rev4-Based Written Information Security Program (WISP) Highlights

  • Easy to implement & tailored to your company
  • Policies are based on the NIST 800-53 rev 4 framework
  • Dozens of policies and standards specifically tailored for small to medium businesses
  • Lots of helpful examples of additional documentation you need:
    • Data classification
    • Acceptable use
    • Incident Response Plan (IRP)
    • Information Security Officer (ISO) appointment orders
    • User acknowledgement template
  • Covers what you need:
    • PCI DSS
    • Federal Laws
      • GLBA
      • FACTA
      • HIPAA / HITECH
      • SOX
    • State Laws
      • MA 201 CMR 17
      • OR Identity Theft Consumer Protection Act
      • NV SB 227
      • CA SB1386
      • MN Plastic Card Security Act
      • WA HB1149
