How Cyber Security Fits into Your Information Security Policy

How Cyber Security Fits into Your Information Security Policy

  • 28 Nov 2019
  • Written by David

IT policies can be a bit of a misnomer.

Historically, companies had an “IT Policy”, or they may have called it an “Acceptable Use Policy” or a “Computer Policy”. These policies tended to be brief and contained mainly what employees could not do. You’d typically find things like “Don’t use social media at these times”. 

These sorts of policies are not fit for purpose anymore and are not what I’d regard as an IT Policy.

In this article, I cover what an IT policy is and how it impacts your company’s cyber security.

What should be in an Information Security Policy?

An IT policy is, in fact, a series of policies that together, form your Information Security Policy. An Information Security Policy is more applicable and better suits your objective: To ensure the security of the data it holds.

The high-statement of the policy might be brief but it would feed into other policies that expand on the expectations of the business. Other polices would be things like social media, BYOD (Bring Your Own Device), email policies and so on.

All policies are organisation-specific so it’s not a one-size-fits-all. What’s in an Information Security Policy will vary.

Over the years, I’ve come across companies that have light policies and some heavy-duty ones too. Personally, I prefer lighter Information Security policies because the heavy policies tend not to be adhered to. These highly detailed policies are often too complicated, too dry and too prescriptive, so the staff don’t bother reading them because they don’t have 3 days to read through them!

However, there are common features of a good Information Security Policy. While a good policy is light, it needn’t be flimsy and meaningless. A good policy must:

  • State your stance without getting bogged down in detail e.g. how long a password should be.
  • But the policy needs to make a clear statement on what the company expects and who is responsible for delivering the policy.
  • The policy must contain enough detail to be actionable. Yet, it’s not so heavy that staff don’t have the time, attention or interest to read it.
  • Good policies are adaptable to emerging trends and company changes.
  • Good policies include or refer to relevant processes (e.g. an administration workflow is necessary for changing bank account details for staff or suppliers - this is a security control just as much as an internet firewall).
  • The policy should make clear stances on user awareness - how staff are educated, how policies are implemented in onboarding.
  • A good policy is part of a company culture of compliance, from board level down.


Cybersecurity Information Security Policy


Linking Your Information Security Policy to Cyber Security

It’s easy to think that having policies boosts your cyber security. They do, but it works the other way around. Cyber security actually plugs in around your policy.

Policy is a framework for security. Without that policy and subsequent framework around your business, you’re really just plucking stuff out of air. You’d be haphazardly reacting to the most recent threat, for instance. Or you hear of Company X getting hacked because they didn’t have things set up a certain way, so you go off and get that thing in place.

While keeping close to current trends isn’t bad, without a policy, one that is risk-based, you’re likely to be:

  1. Unaware of and therefore, not addressing serious risks to your company; you’re missing them because you haven’t thought through them.
  2. Spending time/money on the wrong areas or on areas that are not as high a priority as others that you’re missing.

Everything stems from the policy. Beginning with a high-level security statement, then flowing that down to other policies in the business based upon risk.

When is Your Information Security Policy not “Good”?

You wouldn’t have to scratch too far under the surface to find that a policy isn’t working effectively. Red flags include:

  • A blasé attitude towards (or confusion around) the policy among employees.
  • Overly prescriptive rules such as employees are to use social media only during lunch hours while the use of LinkedIn and professional Twitter accounts are probably being encouraged at other levels for business purposes. These mixed messages can be a sign that your policy isn’t working to manage risk in your business.
  • No suggestion of technical or administrative controls of the policy. How do you ensure that employees don’t use work emails for personal purposes? And is that worth the time and effort required to control and implement?

Any material regarding cybersecurity should change on a regular basis, keeping with the ever-evolving threats. At a minimum, policy updates should be regularly pushed out to employees in a variety of ways to suit their learning styles. The Information Commissioner’s Office has a useful checklist to ensure you have covered the bases in your Information Security Policy.

Is an Information Security Policy necessary to work with an IT company like Nimbus Blue?

We don’t need our clients to have IT policies to come on board with us. However, our Pro-Cover service, where we continue to assess alignment with industry standards and best practices, will flag the lack of a policy early on. To get the most productive relationship with any IT company, an organisation needs quality policies understood by both parties. That’s why we call this out at the start.

If a client doesn’t have the capability in-house to create a policy, we can put them in contact with our partners. These consultants are skilled at determining the precise details of what a company requires and noting anything that has been missed.

Policy creation is usually an enlightening process for Nimbus Blue clients who come to us without those high-level statements around cybersecurity. It’s not simple, straightforward, or quick. Yet, our clients always find it worthwhile for taking their business security to the level it needs to be for meeting their goals.


If you’d like to find out more about how Nimbus Blue and our partners can work with your business to address cybersecurity, contact Jamie on 01224 608190 or This email address is being protected from spambots. You need JavaScript enabled to view it..

Got a question?

Speak to our friendly team about keeping your IT systems secure and running smoothly.

Get in touch