Best Practices: templates or self-created policies, procedures & plans?

We see a lot of customers ask about policy templates to solve the various requirements of Infosec. It makes sense; why start from scratch or re-invent the wheel?


Templates in any context, are a great way to get you thinking about the right things and helping you get started with the bare necessities done for you. But there’s two catches where that benefit turns into a problem.


Misinformation by default: When you use a policy template, the default is to follow the template rather than ask the hard questions that need answers to define how your company operates or should operate. If your team doesn’t know what your company does, that’s a problem. The policy template “solves” that, only to create a bigger problem that your team doesn’t know what to do and now has a template telling them the wrong thing is the right way. Because the reality is; no template should define how you operate in your own context with your own culture, purpose and unique environment.


Undervaluing information security: There's many out there that see information security as a box-ticking exercise, or something that's required but ultimately unimportant. Using a template for your policies fits this theme and sends that message to your team; whether intended or not. This makes it less likely that you'll get real value and operational benefits out of defining policies, procedures and plans. The purpose of these documents is really about communication; defining what's important, who is responsible, how it's managed, and why. By clearing defining it, you give your teams clarity of expectations, a reference point when situations arise that need direction, and supports a culture of managing your operations with deliberate and measured approaches.



Before you throw out the templates; you might notice the above issues are avoidable. You can get the best of both worlds. Start with a template and the understanding that you are going to ask the tough questions to figure out the right way to define it for your business. To build in your own characteristics to make it your own and fit the context and culture. To get the most value out of your policies, procedures and plans, it's important to show leadership and build a culture that those documents play an important role and reflect the best thinking of management in how to handle related matters that arise in the course of business.


The Compliance perspective


There’s some standards like ISO 27001 that you can get “pass” with right policies and templates of the practices you should apply. But other standards, customer audits and InfoSec requirements will often look beyond just ticking boxes based on documents that may sit on the shelf. From a SOC 2 perspective the policies, procedures and plans cover about 10% of the total requirements; leaving the primary focus on the operation of your controls and security practices.


Some additional information in one line