Generally speaking, the Information System Security Policy (ISSP) is presented as the reference document for cybersecurity within a company. Unfortunately, this document all too often goes unused by the information system security managers who have to deal with a constantly changing production environment. So what is the point of a document described as indispensable yet left unused? How do you create an effective and useful ISSP? And what mistakes should you avoid if you have to draw up your own IT security policy? This article answers these questions.

Is the ISSP still relevant in 2024?

More than just a document, the ISSP is an approach designed to formalize a vision of the security of a company's information system. It is far from new: the Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI) has been promoting it for almost 20 years.

With the emergence of geopolitical conflicts, the impact of climate change on data centers, and the arrival of artificial intelligences such as GPT-3, which give cybercriminals new offensive capabilities, the threats that can strike a company today are heterogeneous and difficult to predict. This raises the question of the relevance of drafting an information system security policy, which by definition is a vision for a given moment, to be applied in a constantly changing environment.

That is why, before embarking on the design of an internal security policy, you should ask yourself what your objective is:

  • Is it to meet a compliance obligation or obtain a certification?
  • Is it a "profession of faith", written to clear your conscience?
  • Is it to establish a real security framework and monitor the indicators of its proper application?

For our expert Baptiste David, Head of PreSales and Delivery at Tenacy:

"My first piece of advice is simple: only do an ISSP if you have to! If you don't have a compliance obligation, don't feel obliged to reinvent the wheel. Take a leaf out of public policy documents such as NIST or the ANSSI guide. If all companies were already applying the ANSSI's 42 digital hygiene rules, that would already be a victory!"

The tone is set: drafting an ISSP is not an end in itself, but a response to a real need to bring your organization into compliance and make it more secure.

How do you write a coherent and applicable ISSP?

The drafting of a security policy must involve all the players in your company. It must define the perimeter and responsibilities of each party, the resources and budget you need, and the objectives and the milestones to be met in order to achieve them.

Its aim is "to protect the organization's physical assets (servers, computers, networks, telephony, software applications, etc.) as well as its intangible and intellectual assets and personal data", as the ANSSI reminds us in its guide to drawing up an ISSP.

But while this definition may seem generic, in reality an ISSP cannot be drafted without knowledge of the business and of the company's compliance obligations. A policy applied without regard for its impact on employee productivity will simply be circumvented over time. It is therefore important to constrain company operations through security rules and best practices, but within a framework of prior consultation with the teams concerned.

If a behavior is risky for the company but mandatory in the production process, what solution can you provide? This is a very common situation in the healthcare sector, where equipment sometimes runs on operating systems that are no longer supported, and is therefore by definition vulnerable. Because such equipment is used within ten-year plans, it simply cannot be replaced. The same is true of the energy and industrial sectors. In these cases the policy has to record the asset that cannot be changed and the compensating measures applied around it, rather than stating a rule that nobody can follow. So, before drafting your company's security vision, ask yourself the question: "Is it really applicable?"

An ISSP must not be dogmatic or self-referential. It must be coherent with, and applicable to, the company's constraints.

To achieve this, it must integrate:

  • Best practices in information system security.
  • Security measures, protocols and rules already in place, to be applied and complied with, taking into account the company's intrinsic operations.
  • The vulnerabilities and security weaknesses of at-risk assets that cannot be modified, identified by a risk analysis of the information system.
  • The organization of the implementation of this internal policy.
  • The method for follow-up and future modifications.

6 common mistakes to avoid when writing your ISSP

To ensure that your security policy is both useful and applicable, we have drawn up a list of common mistakes to avoid.

1. Considering that the ISSP involves only the CISO

The ISSP must reflect the company's information system security (ISS) strategy, not the personal vision of the CISO. For an internal policy to be applied throughout the company, it must come from top management. As Baptiste David points out: "Senior management must make a commitment that the rules set out in the ISSP will apply throughout the company. In this way, information system security rules become an order from the top, and no longer a request from the CIO or CISO." And that changes everything!


2. Writing only for cybersecurity insiders

Do not write your ISSP in technical jargon. On the contrary: this document must be accessible and intelligible, so that everyone involved in the company can understand what it requires and why. The clearer your message, the more likely you are to get everyone on board to protect the organization collectively.


3. Forgetting to define processes 

Who validates compliance with the ISSP? What happens in the event of non-compliance? What can be imposed on departments? These are all questions that require you to define internal processes to ensure the policy is properly applied.


4. Not evolving your ISSP

As your information system evolves, so must your security policy. Does your ISSP take account of new cyber threats, such as supply chain attacks? Is multi-factor authentication (MFA) mandatory for logging on to your company's applications? What security measures are in place for connected objects (IoT)? Have you taken into account shadow IT, that is, the use of third-party services not authorized by the IT department? Do you authorize the use of personal equipment (cell phone, tablet, personal computer) to access the company's IS? Your ISSP must be consistent with the company's actual usage. Update it frequently, and at least once a year, to avoid being overtaken by new uses.


5. Failing to appoint those responsible for applying the ISSP

"Responsible but not guilty" is how Baptiste David sums up the role of the CISO. Indeed, the CISO has an obligation of means, not of results. He or she cannot be held responsible for the application of the security rules described in the ISSP throughout the company. Their role is to identify non-conformities and provide the information needed so that corrective action can be taken. It is up to each department or business unit to take responsibility for the proper application of the ISSP.


6. Not measuring the application of the ISSP

As a CISO, you need to measure the gap between your current level of security and the goal you want to achieve. But what are your monitoring indicators? Do you have the right reporting tool? How, and on what basis, do you make the necessary trade-offs? It is by measuring this performance that the application of your ISSP becomes truly effective for the security of your organization! Let's talk about it.