3.1.3 Cyber Security Policy
No: 381000091275 | Date(g): 24/5/2017 | Date(h): 28/8/1438 |
Effective from May 24 2017 - May 23 2017
Principle
A cyber security policy should be defined, approved and communicated.
Objective
To document the Member Organization's commitment and objectives of cyber security, and to communicate this to the relevant stakeholders.
Control considerations
1. The cyber security policy should be defined, approved and communicated.
2. The cyber security policy should be reviewed periodically according to a predefined and structured review process.
3. The cyber security policy should be:
   a. considered as input for other corporate policies of the Member Organization (e.g., HR policy, finance policy and IT policy);
   b. supported by detailed security standards (e.g., password standard, firewall standard) and procedures;
   c. based on best practices and (inter)national standards;
   d. communicated to relevant stakeholders.
4. The cyber security policy should include:
   a. a definition of cyber security;
   b. the Member Organization's overall cyber security objectives and scope;
   c. a statement of the board's intent, supporting the cyber security objectives;
   d. a definition of general and specific responsibilities for cyber security;
   e. the reference to supporting cyber security standards and procedures;
   f. cyber security requirements that ensure:
      1. information is classified in a way that indicates its importance to the Member Organization;
      2. information is protected in terms of cyber security requirements, in line with the risk appetite;
      3. owners are appointed for all information assets;
      4. cyber security risk assessments are conducted for information assets;
      5. relevant stakeholders are made aware of cyber security and their expected behavior (cyber security awareness program);
      6. compliance with regulatory and contractual obligations is being met;
      7. cyber security breaches and suspected cyber security weaknesses are reported;
      8. cyber security is reflected in business continuity management.