Information Security Program

For every security assessment conducted within an organization, there should be a list of action items to close any identified gaps. These action items should be translated into a strategy for execution. The organization should also have an awareness plan that outlines all the activities for a year that will keep security at the forefront of the minds of all staff. The Information Security Program is a combination of the Security Strategy and the Security Awareness Plan, in line with the mission and vision of the organization.


Expert Opinion - Security Policy, Security Program


Control Objective

  • Policy is documented, approved, followed, reviewed, and updated regularly
  • Policy should be standards-based in order to evolve over time
  • Include Appropriate Use so employees know what they may and may not do


Information Security Program Template