Intelligent Issue 27 | Page 27



With an understanding of the risks and requirements in hand, decision-makers can begin crafting the policy document. Fortunately, they don't need to start from scratch: frameworks such as the ISO/IEC 27001 standard offer a clear set of requirements and ensure that a business has considered all aspects of its security policy.

The next step is to identify who is responsible for what. This step is also a chance to increase buy-in. An imposed, top-down policy may be met with resistance, and it may not be designed with the realities of the business in mind. Conversely, a co-created policy spreads a broad sense of ownership and responsibility.

Even the best policy can't carry itself out, and ensuring that the policy becomes part of the business's day-to-day operations is a challenge. This is especially true for SMEs, where there is no C-suite head of cybersecurity to manage enforcement. Having a clearly written, specific policy will pay dividends here.

The best approach is to ensure that everyone in the business is regularly reminded of the content of the policy and the expectations for their role, for example through regular training sessions. Line managers should also keep an eye on employees' performance and set them straight if they stray from the policy.

Business, regulation and cyberthreats are constantly shifting, so an infosec policy can't be a static document. To address this, the document itself should state how often it is to be reviewed and updated. SMEs may also benefit from an information security management system (ISMS): a central hub for creating, maintaining and updating infosec policies.

Think ahead

Many businesses only realise the vital importance of a solid infosec policy after something has gone wrong. This doesn't have to be the case! It doesn't take long, or require an unattainable level of expertise, to create an effective infosec policy for an SME; it just takes foresight.

Organisations which maintain a clear, current policy will have a significant business advantage in terms of security, employee experience and customer trust.

Sam Peters, Chief Product Officer, ISMS.online
Intelligent SME.tech