Information Security Policy

A template for medium-sized organisations

Purpose: provide a lightweight Information Security Management System (ISMS) that reduces cyber risk to an acceptable level for a smaller organisation while meeting board/governance expectations and mapping to NIST CSF and the Essential Eight.

Scope: all IT systems, endpoints, cloud services, user accounts, and third-party services used by the organisation.

Target maturity: Essential Eight Maturity Level 1 as the immediate baseline, with a roadmap to Level 2 for critical items (per ASD guidance, Cyber Security Australia).

Governance & Roles

Board / Executive

  • Responsibility: set risk appetite, approve ISMS policy and budget, receive quarterly cyber risk reports. (AICD/ACNC guidance: directors must exercise oversight of cyber risk). (aicd.com.au)

  • A risk appetite statement sets the level of cyber-related risk the board will accept. All reporting needs to align back to this statement: are you within appetite, is there a trend, which controls are working and which need attention, etc.

Senior Management

  • Owns the ISMS, chairs a regular meeting to review cyber security risks, and reports to the board.

  • Classify information, determine who can access the systems that contain data and what access rules are needed, and approve third-party data sharing.

  • Ensure third-party contracts provide cyber security coverage and align to insurance requirements.

IT Lead / Admin / MSP

  • Implements controls: patching, endpoint protection (antivirus), identity management, backups.

  • This role may be a gap in many organisations, but it can be filled with the right help.

All staff

  • Complete security awareness training, follow policies, report incidents.

1) Access Control and Admin Management

Policy statement: Accounts are provisioned on least-privilege principles; administrative privileges are tightly controlled and logged.

Controls & procedures

  • Admin accounts: separate admin accounts from day-to-day user accounts; MFA mandatory for all admin accounts. (Essential Eight / NIST: MFA for privileged accounts). (Cyber Security Australia)

  • Just-in-time / time-limited admin elevation where supported.

  • Approvals: manager approval for privilege escalation.

2) Staff Awareness, Onboarding and Accountabilities

Policy statement: All staff complete security training and understand their data/account responsibilities.

Controls & procedures

  • Mandatory induction security training at onboarding (phishing, password hygiene, data handling).

  • Annual refresher and short micro-learning modules quarterly. Owner: ISMS Owner

  • Role-specific training for privileged users or those handling sensitive data.

  • Phishing simulations and follow-up coaching for failures.

3) Password Management

Policy statement: Passwords must meet complexity and management rules; passphrases encouraged; password manager use mandated.

Controls & procedures

  • Enforce password length and complexity through identity provider; encourage long passphrases rather than frequent forced resets.

  • Mandatory use of organisation-approved password manager for shared credentials (vault with access controls).

  • MFA (multi-factor authentication) for all accounts, especially remote access and privileged accounts.

  • Avoid SMS or email MFA. Defensv recommends using an individual authenticator app such as Google Authenticator or Microsoft Authenticator (your password vault may also provide one).

  • Do not share accounts.

  • Use Single Sign-On with MFA as much as possible (e.g. Microsoft or Google); the fewer separate passwords, the better.

4) Antivirus and AntiMalware

Policy statement: All endpoints and servers must run supported endpoint detection and protection, receive updates and be centrally managed.

Controls & procedures

  • Deploy modern antivirus on all endpoints and servers; ensure automatic definition updates and central management. Owner: IT Lead.

  • Block execution of known malicious files; apply application allow-listing for sensitive hosts where feasible (aligns with Essential Eight strategies: application control). (Cyber Security Australia)

  • Use the vendor's default settings.

5) Data Protection

Policy statement: Data must be classified, access controlled, encrypted at rest and in transit where appropriate, and retained/disposed per policy.

Controls & procedures

  • Data classification (examples could be Public, Internal and Protected)

    • Public - Data that is in the public domain and does not require significant protection but we do not want it changed.

    • Internal - Information that is important, we want to protect it from unwanted access and changes.

    • Protected - sensitive information that if it was changed or became public would be devastating to the organisation.

    • Check whether there is personally identifiable information (such as a person's name or address, or sensitive data such as a medical condition, health records or government identifiers), as these carry regulatory requirements.

  • Use modern cloud services that confirm they encrypt data at rest and use TLS in transit (often still called SSL; check for the padlock in the browser).

  • Backups: Regular & tested. This could be a dedicated service or using a cloud provider that is different to your normal one (e.g. if using M365 consider Dropbox or Google with protected accounts).

    • The concept is that if malware infects your laptops, desktops or normal cloud then you have a backup that is available.

    • This could be a backup of spreadsheets or drives monthly, it can be manual or automated.

  • Data minimisation: only collect what’s needed.

    • ACNC highlights charities must manage personal information and privacy obligations. (ACNC)

    • If you collect information, consider how to minimise it and only keep it for as long as your privacy policy advises.

    • Have a privacy policy.

6) Application Patching and Approval

Policy statement: Automatic patching is enabled and regularly tested to ensure devices are up to date.

Controls & procedures

  • Maintain an inventory of assets (laptops, routers, smart devices).

  • Patching cadence: turn automatic updates on.

  • Devices: Internet of Things (IoT) devices, routers and other internet-connected devices may not have automatic updates. Set a regular review timeframe or subscribe to email alerts from the vendor.

    • Look for Wi-Fi connected dishwashers/fridges etc. in the office

    • Smart lights

    • EV Chargers

7) Email and Social Media

Policy statement: Email is a high-risk vector; controls reduce phishing, business email compromise and data leakage.

Controls & procedures

  • Technical controls that organisations may need assistance with. These are all very important email settings, configured by the administrators of M365 or Google:

    • Deploy email security gateway with SPF, DKIM, DMARC enforcement; phishing and spam filtering.

    • Safe-reply / warning banners on external emails; block auto-forwarding to external accounts unless authorised.

  • Staff training on verifying payment/change requests; two-person verification for financial changes.

  • Social media: central custodian of official accounts, strong password + MFA, approved posting processes.

  • Unless there is significant internal technical skill, do not self-host applications.
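As an added illustration of what "enforcement" means for the SPF and DMARC settings listed above (example code, not part of the policy template): a small checker that flags records still in monitor-only mode. The domains and TXT records are constructed samples; a real audit would fetch them with a DNS lookup of the domain and its _dmarc subdomain.

```python
# Constructed sample records (reserved example domains, not real organisations).
SAMPLE_RECORDS = {
    "example.org": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org",
    },
    "monitor-only.example": {
        "spf": "v=spf1 include:_spf.google.com ~all",
        "dmarc": "v=DMARC1; p=none; pct=50",
    },
}

def parse_dmarc_tags(record):
    """Split a DMARC 'tag=value; tag=value' TXT record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(record):
    """Return a list of findings; empty means SPF hard-fails unlisted senders."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    if "-all" not in terms:
        findings.append("no '-all': receivers are asked to soft-fail or accept unlisted senders")
    return findings

def check_dmarc(record):
    """Return a list of findings; empty means DMARC is at enforcement with reporting."""
    tags = parse_dmarc_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy}: failing mail is only monitored and still delivered")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy is applied to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to reveal spoofing")
    return findings

def audit(records=SAMPLE_RECORDS):
    """Map each domain to its combined SPF and DMARC findings (empty list = enforcing)."""
    return {d: check_spf(r["spf"]) + check_dmarc(r["dmarc"]) for d, r in records.items()}
```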

8) Anti Virus and Malware & Endpoint Protection

Policy statement: Endpoints must be managed to a baseline operating system configuration with antivirus and anti-malware protection. This may require assistance from an MSP and technology such as Microsoft Intune.

Controls & procedures

  • Device inventory and configuration baseline (disable unused services, enforce disk encryption, automatic lock).

  • Mobile device management (MDM) for BYOD or corporate devices, with separation of corporate data.

  • Ensure employees do not use unsupported operating systems; retirement policy for legacy devices.

9) Third Party Management

Policy statement: Third parties with access to systems or data are assessed and contractually required to meet security minimums.

Controls & procedures

  • Maintain supplier inventory with access and data mapping:

    • what do they have access to in your environment? This could be contractors or third parties performing work on trusted systems.

    • where is organisational data stored, and which third parties hold what data?

  • Risk-based assessment of suppliers: have they undertaken a cyber security audit such as ISO 27001 certification or a SOC 2 Type 2 report?

  • Require minimum controls: MFA for access, data encryption, incident notification within 72 hours (or faster), sub-processor list (also known as 4th parties).

  • Periodic reassessment and termination checklist.

10) Incident Response

Policy statement: Prepare to detect, respond, contain and recover from incidents with a tested Incident Response Plan (IRP).

Controls & procedures

  • Maintain IRP with roles, escalation paths, communication templates (internal, board, regulator, media), legal contacts.

  • Incident classification levels and SLAs for initial response (e.g., 1-4 hours for critical).

  • Larger organisations will have what's known as a SIEM (security information and event management system), but for many organisations incident response will fall back to the incident response capabilities and investigation SLAs available from the third parties that deliver the service.

    • Review vendors' SLAs to determine whether they are appropriate for the data they hold or their criticality to the organisation.

  • Document recovery and response for a number of scenarios:

    • Data, applications or laptops etc are encrypted with malware, can backups be obtained and restored?

    • Data breach

    • Malicious insider

    • 3rd Party Failure

    • Continuity Plans

  • Key phases are identification, containment, eradication, recovery and lessons learned.

  • Tabletop exercises annually and post-incident after-action reviews with remediation tracking.

Implementation roadmap (12 months, small org)

Adapted from the ASD Essential Eight, this is a suggested roadmap:

  1. Month 0–1: Board sign-off on ISMS policy, assign ISMS Owner, complete asset & vendor inventory.

  2. Month 1–3: Ensure MFA on all admin accounts; baseline endpoint protection; deploy email protections (SPF/DKIM/DMARC).

  3. Month 2–6: Implement patch management tooling, password manager, and backup improvements; start staff awareness program.

  4. Month 4–9: Harden admin practices (separate admin accounts, remove local admin where possible), start phishing simulations, refine third-party contracts.

  5. Month 6–12: Test IRP with tabletop, restore from backups, review Essential Eight maturity and aim for Level 2 on most critical areas.

Reference: ASD Essential Eight suggests identifying a target maturity and progressively implementing levels; for small orgs Level 1 baseline progressing to Level 2 for critical systems is pragmatic. (Cyber Security Australia)