CHAPTER 2: INFORMATION RISK POLICY – Managing Information Risk: A Director's Guide


As priority, directors should draw up an information risk policy to help steer the organisation, key security staff and information owners towards a more secure landscape. There is a ‘Checklist for Directors’ drawn up by the National Archives in Appendix 1 highlighting the various areas for consideration.

In March 2009, the UK government published its Guidance on the Department Information Risk Policy based on generic guidance set out by CESG and published in ISO27002. The paper states that the foundations for good information risk management lie in forward planning, and management should expect at least the following criteria to be included in an information risk policy:

• A definition of information risk and the importance of managing information risks.

• A description of the information risk management structure within the organisation with specific roles and responsibilities for team members.

• The strategic approach to information risk management (including the organisation’s approach to risk appetite, risk tolerance and the sharing of data), including details of the adopted information risk assessment methodology.

• The applicable legal and regulatory requirements and other policies and guidance to be used in the management of information risk covering physical, procedural, personal and technical measures.

• An outline of risk escalation and reporting procedures and the organisation’s policy for information risk management decisions.

• A plan to introduce the necessary changes in culture to ensure that information, in paper or digital form, is valued and protected.

• Requirements for staff awareness and training – including the corporate and individual consequences of failure to apply policy.

• A threat assessment.

• Minimum requirements for risk inspections, reviews, monitoring and audit.

• External accountability and status or progress reporting.

• Incident or abnormal event reporting, recovery and contingency policy and procedures.

• Minimum requirements for system accreditation and events or conditions that must trigger review and re-accreditation.