Tue, Apr 17, 2007 2:41 EDT
Posted by: Dorian Cougias in Soapbox Topic: IT Organization Management
Okay, enough is enough. While pedestrian IT staff might think it is "good enough" to buy one of the "policy on a CD" kits that are floating around, real CIOs and CISOs need to step up to the plate and create real-world, accountable, and measurable IT security and assurance policies.
Over the last couple of years, while researching material for our book on writing policies and procedures, "Say What You Do," my co-authors and I came across more organizations than we expected that were (and some still are) using a copy-and-pasted version of ISO 17799 as their "security policy."
That doesn't work.
First, let's get the terms straight -- in this world of compliance we are creating assurance policies, not security policies. We are not only assuring confidentiality and integrity, but availability and accountability as well.
Second, I love ISO 17799, don't get me wrong. But it has major-league holes in it, holes big enough to drive a truck through when picking apart a company's confidentiality plan or availability plan. For instance, it never mentions cooling; try running a data center for more than half an hour without it.
Third, it provides no direct chain from regulatory controls, through filtering those controls against defined system-scoping needs, to applying only the appropriate policies, standards, and procedures.
And fourth, the direct tie into metrics and reporting just isn't there, and it isn't written into any of the "policies on a CD" products being transmogrified into company "security" policies.
It's time we put away the "toy" security policies and create real-world assurance frameworks, complete with regulatory control lists, system-scoping definitions, and metrics-based policies, standards, and procedures.
For those already on that path, I applaud and will support you.
For those who think I'm just on a soapbox, well you just don't know how close to slipping on that banana you really are.
Dorian J. Cougias
The cut-and-paste security policies don't pass the sniff test either. If an organization does not put in the time and consideration to at least amend ISO 17799 to fit their circumstances, rest assured they have likely not put any effort into implementing the "policy" either.
Brian Sorrell, CISA, MSCE, CCA
Excellent article. I am currently trying to research what organizations are actually using. See the link:
http://www.keysurvey.com/survey/143775/132d/
Dorian,
You are correct.
Many overlook the key transformations that need to be done to specifically tailor the standard/s to suit each organization.
This can only be done by using skilled personnel from either within the business (or external, as long as they have relevant experience) to develop policies and procedures that demonstrate in written form how you are attempting to comply with the standard. The standard sets the outline framework and objectives. I.e., take a very fictitious hypothetical example: "ensure a continuous secure network connection to allow online secure access from all points around USA, UK and SE Asia."
How you achieve that (fictitious requirement – assuming one would write that into a standard!) will vary very wildly across every site and reader that tries to interpret that requirement in the standard IN CONJUNCTION with their specific business requirements, budgets, goals and objectives. No CDROM template can answer that question for you!
Tailoring the documentation set can mean expanding on what the standard "outlines" as well as removing or downgrading portions from the standard that are not relevant to the business at hand.
There are no off-the-shelf (let's call them loosely) "sets of procedures" that can fit all businesses; they need to be heavily modified in almost, if not 100%, of the cases.
There are lots of good templates around as to the "shape (style) of the documents" you can use, but as for the "content required specific for your business needs", they will be very "light-on", and the true content needed can only come via skilled personnel from either within the business, or external, as long as they have relevant experience.
Another aspect that is forgotten is the ongoing training and development including coaching that has to take place when the standard and its associated policies and procedure subsets are deployed.
This is very different to how many see the process, as "let's write a bookshelf volume from some CDROM templates and then we comply".
By bookshelf volume I mean a nicely bound manual / CDROM / website that looks all glossy and righteous, but is as ineffective as a catalog book when it comes to being an operational procedure and assurance manual.
All the staff who work under (really means comply with) this standard, through the actual policies and procedures, actually have to "be doing what you say you are doing" as well “as being seen to be doing” when it comes to being assessed as to having an effective standard and policy and procedure set. Not just the person who wrote up the manual! Your aim is to demonstrate compliance with (= doing), and the assurance statement will come from, an internal/external assessor. You can also fail this assurance test, don’t forget.
We wrote about some of these issues around "policy and procedure writing" some years ago, at that time focusing on COBIT, COSO, SOX etc., but the words written then also apply to writing policies and procedures to comply with an ISO standard - see http://www.pcprofile.com/Governance.pdf