
Re: Policy-Procedure connection

Subject: Re: Policy-Procedure connection
Date: 27 Oct 2004 18:57:06 -0000
In-Reply-To: <001401c4b4e9$76982a80$e1711bac@Shoosh>

Sharon,

a good place to start would be to define what you mean by 'policy' and 
'procedure' (Is 'procedure' synonymous with 'standard' in your organization? 
Even if it is, a clear definition, agreed upon by all concerned, will pay 
dividends further on in the process.)

Where you are structuring your policies on ISO17799, I hope you're using the 
domain-level to determine which policies your organization needs (tho' many 
organizations decide they want an extra one or two to cover specific risks such 
as virus and email). At the next level down (the 'x.1' level) you'll find a 
good set of headings for standards (or perhaps 'procedures' in your 
organization). The levels below that will give you good content for the 
standards (or 'procedures').

Your other question is the major one: Who should write them? The short answer 
is: The people in charge of the departments to which the ISO domains best 
apply. In other words, Human Resources should write the Personnel Security 
Standards, Facilities Management the Physical Security standards, Applications 
Development the Application Security standards, etc.

The short answer, however, won't suffice as these people have no idea what 
Personnel Security standards, etc. ought to be and so the long answer is: The 
people in charge of (etc., etc.) with strong input from Information Security. 
However, the people who have responsibility for writing the standards (HR, App. 
Dev. etc.) must own those standards, be accountable for them and - here's the 
biggest thing of all - be responsible for producing and executing a plan to 
implement these standards.

Good luck. Let me know if you'd like to talk some more about this.

John A Blackley
