Creating IT and Security Policies and Standards

Training Duration: 2 days

Training Delivery Method: On-site, instructor-led course; or online, instructor-led course


Experienced IT professionals

What Problem Does This Training Help Solve?

Theory and practice of creation and maintenance of IT and IS related policies, standards, procedures, and guidelines

Who Should Attend?

IT professionals entrusted with IT governance and IT policy management

Course Material:

Content-rich manual/course handouts consisting of about 300 foils

Course Syllabus:

Policies are mandatory high-level documents. They are a true representation of the corporate mission and philosophy as well as the strategic thinking of the senior management and the business units. Policies must be concise and clear and represent ‘what’, not ‘how’.  Policies are also ‘rules of the road’ because they are integral parts of the basic documentation for internal control systems.

Management assumes ultimate responsibility for creating, promulgating, and monitoring compliance of the policies. Employees must understand the intent behind the policy in order to appreciate its significance and comply.

IT Policies set the tone for the IT organization as a whole. Information Security policies set the tone for information security in the organization. There are global policies related to IT and Information Security which are applicable to the whole organization, and there are IT-specific policies which are applicable to IT functions alone. The ultimate goal is for the policies to achieve business objectives and apply fundamental controls at a very high level. A security policy for information systems lays the foundations for building security infrastructure for any organization. Security audits are audits against compliance from the reference framework of security policies.  Standards are derived from the policies. Procedures are detailed documents which are derived from the standards and give step-by-step procedures for the implementation of policies/standards.

Topics to be covered:

  • IT Policies and IS security policies
  • IT Standards and IS security standards
  • What should be included in the policies
  • What should be included in the standards
  • Global Policies vs. IT Policies
  • Sample policy formulation and approval process
  • Who signs the policies and standards
  • Who the target audience for policies and standards is
  • High-level vs. technical standards
  • Procedures and guidelines
  • Considerations for policies and standards for a global organization
  • Different types and categories of IT and IS security policies and standards
  • Contents of a typical policy, standard, procedure, and guideline