The Information Security Policy is developed as the top-level document, with further policies, standards and guides beneath it that enforce and support it. The supporting policies are grouped into three areas: Technical Security, Operational Security and Security Management, and are shown in the diagram below.
The technical security policies detail and explain how information security is to be implemented. These policies cover the security methodologies and approaches for elements such as network security, patching, protective monitoring, secure configuration, and legacy IT hardware and software.
The operational security policies detail how the security requirements are to be achieved in day-to-day practice. These policies explain how security practices are to be carried out for matters such as data handling, mobile and remote working, disaster recovery, and use of social media.
The security management policies detail how the security requirements are to be managed and checked. These policies describe how information security is to be managed and assured for processes such as information security incident response, asset management and auditing.
For larger organizations, the supporting policies shown in the diagram below will typically each be a separate document; for smaller organizations, they may be combined or covered by a single umbrella policy for each area (technical, operational and security management). Some organizations will have outsourced their IT to a supplier or provider; in that case the information security policy and its supporting policies will need to focus on the requirements and conditions to be implemented by the contracted provider.