ISO 27002 Based Security Documentation


 

ISO 27002 - Comprehensive IT Security Policies & Standards


Editable Documentation

The Written Information Security Program (WISP) is our premier ISO 27002:2013-based set of IT security policies and standards. It is a comprehensive, customizable, easily implemented document that contains the policies, control objectives, standards and guidelines that your company needs to establish a world-class IT security program. Because the WISP is delivered as Microsoft Word documents, you can edit it as needed.

Unlike some of our competition that sell “bronze, silver and gold” levels of documentation, we understand that a standard is a standard for a reason. We remove the guesswork associated with picking an appropriate package level - we focus on providing documentation that offers a straightforward solution to provide the appropriate coverage you need. This focus on providing the best solution for our clients makes us proud that we are providing the best set of IT security policies and standards available. Saving a few dollars on a cheap solution can easily leave you with a false sense of security and gaping holes in your documentation that can leave you liable.

The WISP can serve as a foundational element in your organization's cybersecurity program. It can stand alone or be paired with other specialized products we offer.

What Is The Written Information Security Program (WISP)?

  • The WISP contains ISO 27002-based cybersecurity policies & standards in an editable Microsoft Word format.
    • Each of the ISO 27002 control sections has a policy associated with it, so there is a total of 14 cybersecurity policies.
    • Under each of the policies are standards that support it.
    • The WISP provides policies and standards to cover all of the controls from ISO 27002.
  • The WISP addresses the “why?” and “what?” questions in an audit, since policies and standards form the foundation for your cybersecurity program.
    • The WISP provides the underlying cybersecurity standards that must be in place, as stipulated by statutory, regulatory and contractual requirements.
    • Just as Human Resources publishes an “employee handbook” to let employees know what is expected for employees from a HR perspective, the WISP does this from a cybersecurity perspective.

We are here to help make comprehensive cybersecurity documentation as easy and as affordable as possible. We serve businesses of all sizes, from the Fortune 500 all the way down to small businesses, since our cybersecurity documentation products are designed to scale for organizations of any size or level of complexity. Our affordable solutions range from cybersecurity policies & standards documentation, to NIST 800-171 compliance checklists, to program-level documentation, such as "turn key" incident response, risk management or vulnerability management program documents. Our focus is on helping you become audit ready!


 What Problem Does The WISP Solve?  

  • Lack of In-House Security Experience - Writing security documentation is a skill that many good cybersecurity professionals simply are not proficient at and avoid at all costs. Tasking your security analysts and engineers with writing comprehensive documentation takes them away from protecting and defending your network, which is not a wise use of their time. The ISO-based WISP is an efficient way to obtain comprehensive ISO 27002:2013-based security policies and standards for your organization!
  • Compliance Requirements - Nearly every organization, regardless of industry, is required to have formally documented security policies and standards. Requirements range from PCI DSS to HIPAA to NIST 800-171. The WISP is designed with compliance in mind, since it focuses on leading security frameworks to address reasonably expected security requirements. The WISP maps to several leading compliance frameworks so you can clearly see what is required!
  • Audit Failures - Security documentation does not age gracefully like a fine wine. Outdated documentation leads to gaps that expose organizations to audit failures and system compromises. The WISP's standards provide mapping to leading security frameworks to show you exactly what is required to stay both secure and compliant.
  • Vendor Requirements - It is very common for clients and partners to request evidence of a security program, and this includes policies and standards. The WISP provides this evidence!

 How Does the WISP Solve It?  

  • Clear Documentation - The WISP provides comprehensive documentation to prove that your security program exists. This equates to a saving of hundreds of hours and tens of thousands of dollars in staff and consultant expenses!
  • Time Savings - The WISP provides your organization with a semi-customized solution that requires minimal resources to fine tune for your organization's specific needs.
  • Alignment With Leading Practices - The ISO-based WISP is written to align your organization with ISO 27002:2013!

 

This Is How ISO 27002 IT Security Documentation Is Meant To Be Structured!

ComplianceForge provides businesses with exactly what they need to protect themselves - professionally written policies, procedures, standards and guidelines at a very affordable cost. Similar documentation standards can be found in Fortune 500 companies that have dedicated IT security staff. All information security policies and standards are backed up by documented best practices.


SEE FOR YOURSELF - EXAMPLE ISO 27002:2013 IT Security Policies & Standards

Don't take our word for it - take a look at the example ISO 27002-based written IT security policy and standard statements to see for yourself the level of professionalism and detail that went into them.


ISO 27001-Based Information Security Management System (ISMS)

Our customers choose the ISO 27002 Written Information Security Program (WISP) because they:

  • Have a need for comprehensive IT security documentation built on an industry framework
  • Need to be able to edit the document to their specific needs
  • Have documentation that is directly linked to best practices, laws and regulations
  • Need an affordable solution

Similar documentation standards can be found in Fortune 500 companies that have dedicated IT security staff, and all of our information security policies and standards are backed up by documented best practices. The following leading practices are mapped into the ISO-based Written Information Security Program (WISP), and you will get an Excel spreadsheet with the mapping as part of your purchase:

  • ISO 27002
  • FAR 52.204-21
  • PCI DSS v3.2
  • NY DFS
  • HIPAA
  • GLBA
  • MA 201 CMR 17.00
  • Oregon ID Theft Protection Act (ORS 646A)
  • UK Data Protection Act
  • UK Cyber Essentials
  • NIST Cybersecurity Framework

HIERARCHICAL APPROACH – BUILT TO SCALE & EVOLVE WITH YOUR BUSINESS

Our experience has proven that when it comes to Information Security policies, a standard is a standard for a reason. With that in mind, our Written Information Security Program (WISP) is based on industry-recognized best practices and Information Security standards so that you can meet your legal requirements. Unlike some competitor sites that offer “Bronze, Silver or Gold” packages that may leave you critically exposed, we offer a comprehensive Information Security solution to meet your specific compliance requirements. Why is this? It is simple - in the real world, compliance is penalty-centric. Courts have established a track record of punishing businesses for failing to perform “reasonably expected” steps to meet compliance with known standards. 

The Written Information Security Program (WISP) follows a hierarchical structure in which standards map to control objectives and control objectives map to policies. This allows the standards to be logically grouped to support the policies.


Policies are “high level” statements of management’s intent and are intended to guide decisions to achieve rational outcomes. Policies are not meant to be prescriptive, but provide an overall direction for the organization.

Control Objectives support policy by identifying applicable requirements that the organization needs to address. These applicable requirements can be best practices, laws or other legal obligations.

Standards establish formal requirements for processes, actions and configurations. Standards provide narrowly focused, prescriptive requirements that are quantifiable.

Procedures are formal methods of performing a task, based on a series of actions conducted in a defined and repeatable manner.

Controls are technical or administrative safeguards that prevent, detect or reduce a threat actor's ability to exploit a vulnerability.

Metrics are designed to facilitate decision-making, improve performance, and improve accountability through the collection, analysis, and reporting of relevant performance-related data.

 

Written Information Security Program (WISP) Cost Savings Estimate

When you factor in internal staff time to perform reviews and refinements with key stakeholders, purchasing a WISP from ComplianceForge costs approximately 4% ($17,000+ savings) of writing your own documentation and 2% ($41,000+ savings) of hiring a consultant to write it for you!


 

The Most Comprehensive ISO 27002-Based Security Documentation Available Online

The ISO 27002-based Written Information Security Program (WISP) is a Microsoft Word document that contains information security-related policies, standards, procedures and guidelines customized to your organization. The WISP is a comprehensive document that you can edit to your own specific needs, so you have the flexibility to make changes as you need. At a price of $720, it is a fraction of the cost of doing it yourself or hiring a consultant to write one for you. Lesser information security policies and standards are a liability that could prove immensely costly if they do not meet all of your current and future compliance needs.

Our Written Information Security Program (WISP) contains fourteen information security policies that map directly to ISO 27002:2013:

  • Information Security Program Policy
  • Information Security Organization Policy
  • Human Resource Security Policy
  • Asset Management Policy
  • Access Control Policy
  • Cryptography Policy
  • Physical & Environmental Security Policy
  • Operations Security Policy
  • Communications Security Policy
  • System Acquisition, Development & Maintenance Policy
  • Vendor Management Policy
  • Information Security Incident Management Policy
  • Business Continuity Management Policy
  • Compliance Policy

Each of these policies contains multiple standards and guidelines, so the Written Information Security Program (WISP) provides your company with a scalable, best-practices-based set of documentation to address your needs now and in the future!

 

In addition to ISO-based IT Security Policies & Standards, the ISO 27002 WISP Comes With These Supplemental IT Security Resources

As an extra bonus, we include the following supplemental documentation at no additional cost:

  • Easy to implement & tailored to your company (delivered in Microsoft Word format)
  • Policies and standards are based on the ISO 27002 control framework
  • Dozens of policies and standards specifically tailored for small to medium businesses
  • Complete coverage of all PCI DSS version 3 requirements - over 240 unique PCI DSS control requirements!
  • Customizable PCI DSS Controls Matrix in Microsoft Excel (RACI to help manage and assign responsibilities) 
  • Customizable presentation in Microsoft PowerPoint for information security awareness training ($260 value)
  • Certification of information security awareness training form
  • Customizable Incident Response Plan (IRP) template
  • Business Impact Assessment (BIA) template
  • Business Continuity Plan (BCP) & Disaster Recovery (DR) template
  • Service provider indemnification & Non-Disclosure Agreement (NDA) template
  • User acknowledgement form
  • Change management request form
  • Risk assessment methodology template
  • Appointment orders for an Information Security Officer (ISO)

This documentation saves hundreds of hours that you would otherwise spend creating it on your own!

  

ISO 27002:2013 IT Security Documentation - Understanding How Policies, Control Objectives, Standards, Guidelines & Procedures Relate

The Written Information Security Program (WISP) is logically organized, following industry-recognized best practices as established by the International Organization for Standardization (ISO).



Our comprehensive ISO 27002-based Written Information Security Program (WISP) is written so that it is customized to your company: you are provided with the policies, procedures, standards and guidelines required to educate your employees on their responsibilities and to document your standards. Your ISO 27002-based Written Information Security Program (WISP) will carry your logo on the front cover, and the document is written from your company's perspective, incorporating your company's name throughout. This helps employees "take ownership" of the document and abide by the policies.

Lesser products are a liability that could prove immensely costly if they do not meet all of your current and future compliance needs. Since ignorance is neither bliss, nor is it an excuse, you need to be able to prove you followed due care & due diligence to protect your business. In terms of liability for a company, security does not exist until it is documented! We developed our products based on ISO 27002 best practices, which follow the ISO 27001 framework for an Information Security Management System (ISMS).

 

Need An ISO 27002-based Written Information Security Program (WISP) For PCI DSS version 3 Compliance?

The ISO 27002-based WISP from ComplianceForge.com is footnoted with all of the requirements of PCI DSS version 3. Our WISP was designed to address all of the PCI DSS v3 requirements, and the mapping is available for download as a PDF so you can review it for yourself.


 

Why Does Your Business Need An ISO 27002-based Written Information Security Program (WISP)?

It is well documented that the lack of standards and lack of employee awareness are the leading causes of security breaches, malware infections (e.g. viruses & spyware), and identity theft. If you have two or more employees, a WISP is just as important as the professional liability insurance you carry on your business.

We recently rewrote the WISP to meet new requirements of the 2013 version of ISO 27002. This upgrade also includes the necessary changes to meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS) v3.0. The ISO 27002 Written Information Security Program (WISP) provides a comprehensive framework to manage your company’s Information Security program. The ISO 27002 Written Information Security Program (WISP) allows you to implement and document the steps to be compliant with Federal, state and industry laws and regulations.

We were the industry's first source for a customized, on-demand Written Information Security Program (WISP) specifically tailored for small and medium-sized businesses. Our Written Information Security Program (WISP) follows industry-recognized best practices (e.g. ISO 27001 and ISO 27002), and we reference the applicable laws, requirements, standards and best practices that businesses need to follow to be considered compliant with common information security requirements. Unfortunately, ignorance is neither bliss, nor is it an excuse! What your employees do not know has the proven ability to hurt your company. In terms of liability for a company, security does not exist until it is documented.

The benefits of Information Security for businesses of any size are many:

  • Decreased costs - less reactive IT support
  • Improved productivity - decreased distractions
  • Fewer virus & spyware outbreaks - decreased downtime & expense
  • More efficient operations - better performing network & computers
  • Better accountability of assets & resources
  • Better educated & trained employees
  • Having documentation to prove you are doing the right thing

 

Please take a few minutes to review a sample ISO 27002-based Written Information Security Program (WISP)


 

How Is An ISO 27002-based Written Information Security Program (WISP) Applicable To You?

Our ISO 27002-based Written Information Security Program (WISP) is applicable to every business, regardless of the number of employees. The harsh reality is that small and medium-sized businesses have always been at a disadvantage when it comes to securing their networks from threats. Generally, a lack of IT expertise and staffing are contributing factors, but the overwhelming issue is a false sense of security.

Most smaller businesses lack dedicated IT staff and must rely on outsourced expertise. This is a good solution for most technology needs, but the vast majority of IT companies that support smaller businesses lack the expertise to properly advise their clients on information security and on the compliance issues they should be concerned with. This is where BlackHat Consultants is a wonderful resource, since our information security products and services can be implemented by your current IT provider. We provide them with the roadmap and the tools to properly secure your network and make you compliant. It is as easy as that!

This false sense of security comes from business owners not asking what they should be compliant with, and from the IT provider or staff not being proactive in bringing compliance issues to management. This scenario creates a dangerous set of assumptions that can potentially put the company out of business. Since ignorance is neither bliss, nor is it an excuse, you need to be able to prove you followed due care & due diligence to protect your business. We developed our products based on NIST 800-53 and ISO 27002 best practices, which follow the ISO 27001 framework for an Information Security Management System (ISMS).

 

  


 

 

THE MOST COMPREHENSIVE ISO 27002-BASED IT SECURITY DOCUMENTATION AVAILABLE ONLINE.

 

IT Security policies & standards based on the ISO 27002:2013 framework: 

 

INFORMATION SECURITY PROGRAM POLICY

Purpose: The purpose of this IT security policy is for the company to specify the development, implementation, assessment, authorization, and monitoring of the IT security program. The successful implementation of security controls depends on the successful implementation of the company’s program-level controls.

Supporting Documentation: ISO 27002 section 5 control objectives, together with the supporting IT security standards and guidelines, directly support this policy.

 

INFORMATION SECURITY ORGANIZATION POLICY

Purpose: The purpose of this IT security policy is for the company to specify the development, implementation, assessment, authorization, and monitoring of the IT security program. The successful implementation of security controls depends on the successful implementation of the company’s program-level management controls.

Supporting Documentation: ISO 27002 section 6 control objectives, together with the supporting IT security standards and guidelines, directly support this policy.

 

HUMAN RESOURCE SECURITY POLICY

Purpose: The purpose of this IT security policy is to ensure that Human Resources (HR) personnel management incorporates information security best practices.

Supporting Documentation: ISO 27002 section 7 control objectives, together with the supporting IT security standards and guidelines, directly support this policy.

 

ASSET MANAGEMENT POLICY

Purpose: The purpose of this IT security policy is to ensure that assets and data are properly classified (based on their business value) and that measures are implemented to protect the company's data from unauthorized disclosure, whether it is in transit or at rest.

Supporting Documentation: ISO 27002 section 8 control objectives, together with the supporting IT security standards and guidelines, directly support this policy.

 

ACCESS CONTROL POLICY

Purpose: The purpose of this IT security policy is to ensure that the company implements the concept of "least privilege" by limiting access to the company's information systems and data to authorized users only.

Supporting Documentation: ISO 27002 section 9 control objectives, together with the supporting IT security standards and guidelines, directly support this policy.

 

CRYPTOGRAPHY POLICY

Purpose: The purpose of this IT security policy is to ensure the confidentiality of the company's data by implementing appropriate cryptographic technologies to protect information systems and data.

Supporting Documentation: ISO 27002 section 10 control objectives, together with the supporting IT security standards and guidelines, directly support this policy.

 

PHYSICAL AND ENVIRONMENTAL SECURITY POLICY

Purpose: The purpose of this IT security policy is to minimize risk to the company's information systems and data by addressing applicable physical security and environmental concerns.

Supporting Documentation: ISO 27002 section 11 control objectives, together with the supporting IT security standards and guidelines, directly support this policy.

 

OPERATIONS SECURITY POLICY

Purpose: The purpose of this IT security policy is to ensure the confidentiality, integrity and availability of the company's data by implementing appropriate technologies to protect information systems and data.

Supporting Documentation: ISO 27002 section 12 control objectives, together with the supporting IT security standards and guidelines, directly support this policy.

 

COMMUNICATIONS SECURITY POLICY

Purpose: The purpose of this IT security policy is to ensure sufficient mechanisms are in place to protect the confidentiality and integrity of the company’s communications.

Supporting Documentation: ISO 27002 section 13 control objectives, together with the supporting IT security standards and guidelines, directly support this policy.

 

SYSTEM ACQUISITION, DEVELOPMENT AND MAINTENANCE POLICY

Purpose: The purpose of this IT security policy is to ensure that information systems follow a System Development Life Cycle (SDLC), in which the security of systems and services is assessed throughout their operational life to reduce risks to the company.

Supporting Documentation: ISO 27002 section 14 control objectives, together with the supporting IT security standards and guidelines, directly support this policy.

 

SUPPLIER RELATIONSHIPS POLICY

Purpose: The purpose of this IT security policy is to ensure that the risks associated with outsourced service provider relationships are minimized or eliminated. As service providers' people, technology and practices evolve over time, the company must ensure that appropriate levels of due care and due diligence are applied to validate that IT security controls remain effective.

Supporting Documentation: ISO 27002 section 15 control objectives, together with the supporting IT security standards and guidelines, directly support this policy.

 

INFORMATION SECURITY INCIDENT MANAGEMENT POLICY

Purpose: The purpose of this IT security policy is to establish and maintain a capability to guide the company's response when cybersecurity incidents occur.

Supporting Documentation: ISO 27002 section 16 control objectives, together with the supporting IT security standards and guidelines, directly support this policy.

 

BUSINESS CONTINUITY MANAGEMENT POLICY

Purpose: The purpose of this IT security policy is to establish processes that help company management quickly determine the appropriate actions to take following an interruption of service or a disaster.

Supporting Documentation: ISO 27002 section 17 control objectives, together with the supporting IT security standards and guidelines, directly support this policy.

 

INFORMATION SECURITY COMPLIANCE POLICY

Purpose: The purpose of this IT security policy is to ensure that safeguards are in place so that the company is aware of, and complies with, its applicable statutory, regulatory and contractual obligations.

Supporting Documentation: ISO 27002 section 18 control objectives, together with the supporting IT security standards and guidelines, directly support this policy.

 

 
