Appendix B. Security Policy and Standards Taxonomy

A complete Policy and Standards Library is essential to a comprehensive security programme (see Chapter 4, “Governance and Risk Management”). This appendix provides a minimum outline of the policies and standards you can expect to see—it is derived from ISO/IEC 27002:2005, “Code of Practice for Information Security Management.” The first level (bolded) indicates where a policy would be expected; the second level (italicized) indicates where a control standard would be expected. Baseline standards, documented security procedures, and guidelines/guidance documents can be tied to the control standards they support. For example, system hardening baseline standards can be tied to Section 6.1.

Source: Information Security: Principles and Practices, Second Edition (available on the O’Reilly learning platform).