As Promised: ISO17799-Aligned Set of IT/Information Security P&P’s – Great Rational Starter Kit for a Security Program
Per my offer last week, I received a positive response to my query asking if folks might find useful a set of well-written policies and procedures that were aligned to ISO17799. I said that I would do the sanitizing work and release them if I got a fair response.
I did and here they are. This is in Microsoft Word Format. 534 KB.
My only caveat for those who download and use these is: please don’t sell them or otherwise engage in commercial activity based upon this work.
I’m releasing it into the wild because I want to help make people’s lives easier and if these P&P’s can help make your security program better, great. I don’t want anything in return except perhaps that someone else will do something similar.
I must admit that I alluded to a lot of time, sweat and tears that *I* contributed to this document. To be fair and honest in full disclosure, I did not create the majority of this work; it’s based upon prior art from multiple past lives, and most of it isn’t mine exclusively.
As a level-set reminder:
The P&P’s are a complete package that outline at a high level the basis of an ISO-aligned security program; you could basically search/replace and be good to go for what amounts to 99% of the basic security coverage you’d need to address most elements of a well-stocked security pantry. You can use this “English” high-level summary set to point to indexed detailed P&P mechanics or standards that are specific to your organization.
All you need to do is modify the header/footer with your company’s logo & information and do a search/replace for [COMPANY] with your own, and you’ve got a fantastic template to build from or to add onto another framework.
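The customization step above is a placeholder substitution across every text-bearing part of the .docx (the body plus each header and footer). As an added example that is not part of Hoff’s post or of his document, the following Python script, using only the standard library, performs that substitution and then verifies that no [COMPANY] placeholder survives before the policy goes out. It runs against a small constructed .docx built inline (a minimal zip of WordprocessingML parts, not the real template), and the part names and the split-run footer are assumptions made for the demonstration. The verification matters because Word frequently stores one visible phrase as several runs, so a plain text replace can silently miss an occurrence that a reader would still see.

```python
import html
import io
import re
import zipfile

PLACEHOLDER = "[COMPANY]"

# Parts of a .docx that carry reader-visible text: the body plus every header,
# footer and note part. Everything else (relationships, styles) is copied untouched.
TEXT_PART = re.compile(r"^word/(document|header\d*|footer\d*|footnotes|endnotes)\.xml$")
# A single text run inside WordprocessingML.
RUN_TEXT = re.compile(r"<w:t(?:\s[^>]*)?>(.*?)</w:t>", re.S)


def build_sample_docx() -> bytes:
    """Constructed sample (hypothetical content, not the template from the post):
    a minimal zip holding a body, a header and a footer. The footer deliberately
    stores the placeholder split across two runs, as Word often does after edits,
    so the verification step has something to catch."""
    parts = {
        "[Content_Types].xml": '<?xml version="1.0"?><Types/>',
        "word/document.xml": (
            "<w:document><w:body><w:p><w:r><w:t>"
            "[COMPANY] Information Security Policy. [COMPANY] staff must comply."
            "</w:t></w:r></w:p></w:body></w:document>"
        ),
        "word/header1.xml": "<w:hdr><w:p><w:r><w:t>[COMPANY] - Confidential</w:t></w:r></w:p></w:hdr>",
        "word/footer1.xml": (
            "<w:ftr><w:p><w:r><w:t>Property of [COMP</w:t></w:r>"
            "<w:r><w:t>ANY]</w:t></w:r></w:p></w:ftr>"
        ),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


def replace_placeholder(docx_bytes: bytes, company: str, placeholder: str = PLACEHOLDER) -> bytes:
    """Return a new .docx with the placeholder replaced in every text-bearing part.
    The company name is XML-escaped so characters such as '&' cannot corrupt a part."""
    escaped = html.escape(company, quote=False)
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if TEXT_PART.match(item.filename):
                data = data.decode("utf-8").replace(placeholder, escaped).encode("utf-8")
            dst.writestr(item, data)
    return out.getvalue()


def visible_text(docx_bytes: bytes, part: str) -> str:
    """Text of one part as a reader sees it: all <w:t> runs joined, entities decoded."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        xml = zf.read(part).decode("utf-8")
    return html.unescape("".join(RUN_TEXT.findall(xml)))


def remaining_placeholders(docx_bytes: bytes, placeholder: str = PLACEHOLDER) -> dict:
    """Count placeholders that survive, per part, on the joined run text,
    so an occurrence split across runs is still reported."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = [n for n in zf.namelist() if TEXT_PART.match(n)]
    found = {}
    for name in names:
        count = visible_text(docx_bytes, name).count(placeholder)
        if count:
            found[name] = count
    return found


if __name__ == "__main__":
    original = build_sample_docx()
    print("before:", remaining_placeholders(original))
    customised = replace_placeholder(original, "Acme & Sons")
    leftovers = remaining_placeholders(customised)
    print("after: ", leftovers)
    if leftovers:
        print("not ready to publish; placeholder split across runs in:", ", ".join(leftovers))
```

Run it on the real template by reading the downloaded file into `replace_placeholder` and treating any non-empty result from `remaining_placeholders` as a stop condition; the parts it names are the ones to open in Word and fix by hand, since merging runs automatically would mean rewriting formatting the script does not understand.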
Please let me know if this is worthwhile and helped you. I could do all sorts of log tracking to see how many times it’s downloaded, etc., but if you found it helpful (even if you just stash it away for a rainy day) do let me know in the comments, please.
I also have a really good Incident Response Plan that I consolidated from many inputs; that one’s been put through at least one incident horizon and I lived to tell about it.
Regards,
/Hoff
Absolutely phenomenal! Very well written and organized!
Thank you for this most excellent contribution to the community!
Sweet! Thanks so much.
Since we're leeching off you already, would you make the IRP available too?
That one is going to take some serious sanitizing; I am working on it already…I've got eleventybillion requests for that already 😉
Glad it's helpful.
/Hoff
Just idle curiosity, sire.
It certainly looks and reads like an "instant security policy document" – and I mean that in the best possible way. You know there are companies out there that would pay good money for that? And there are also consultants out there that would … let's not go there.
Hoff, thanks for this. This is the kind of thing that we as a community need to do more of.
Thanks for this, will compare against mine and fill in the gaps. Would love to see your IR plan as well.
@Saso…well, now they can spend their good money on something else! Yes, consultants may be grumpy about this, but now they have an opportunity to help a company derive the actual policies, procedures and standards…
@Herrnihl/Eskimoke…working on it.
/Hoff
Thanks for posting this. I too will compare an old plan I have that is ISO 17799 based against yours. I would be really interested in your Incident Response Plan. Thanks again!
Great post, we will bring this up with our VP of IT.
Fantastic! We're in the process of stepping up our security program and this will be an enormous help. I'm also looking forward to seeing your IRP.
Excellent!! I look forward to cross-referencing this with our current policy. It always helps to understand what other people are doing. I would love to see your IRP.
Thanks!!
Yo Hoff,
Any movement on making the IRP available?
P.S. Love your show.
Thanks!
Hoff,
Thanks man, this is great. Looking forward to seeing your IR stuff too.
Andy Willingham turned me on to this. Thank you very much! This is quite awesome.
Did you ever post your incident response plan? Didn't see it during a search of your site.