Information Security Policy and Guidelines

The Government of British Columbia is committed to providing services to citizens that are efficient and secure.  Through the adoption of new technologies, the government seeks to provide improved services while maintaining the security of government information assets.  Each ministry has a Ministry Information Security Officer who can answer general questions on protecting information specific to their ministry.


The Information Security Policy V4.01 (PDF) is the latest version. It is:

  • Easy for users to understand,
  • Structured so that key information is easy to find, and
  • Short and accessible.

The ISP V4.01 (PDF) provides the foundation for the information security governance program, which includes standards, procedures, training and awareness material, all of which are used to protect government information and information systems. All employees need to be aware of their responsibilities to safeguard government information. The Information Security Policy supports security requirements in the Freedom of Information and Protection of Privacy Act and the Information Management Act.

Supplemental to the B.C. government Core Policy and Procedures Manual and the Appropriate Use Policy, this policy provides the framework for government organizations to establish local policies and procedures necessary for the protection of information and technology assets for the Province of British Columbia. Crown corporations, public bodies and funded agencies are expected to follow the spirit and intent of policy requirements.

The Office of the Chief Information Officer is responsible for developing, communicating, and implementing the Information Security Policy across government, however, each ministry determines how to apply the policy to their business operations. This policy is available to all ministries and remains in use across government today. The policy has also been shared with select vendors who work with the Province to identify new security requirements as needed.

Impact on government staff and stakeholders

We expect that all staff and stakeholders, regardless of their knowledge of technology, will be able to read policy and guidelines and understand the BC government’s responsibilities and the overall intent of the security controls relating to the protection of government information and information systems.

Staff and stakeholders who need access to more specific details, including technical security control details, are able to find appropriate links within the new ISP to other government policies, standards and processes. Initially, all of the technical security control details in the previous version of ISP (3.0) will be republished and available in the Information Security Standard.


The Information Security Guidelines for Ageing Systems have been developed to help with understanding of the security risks arising from the use of obsolete systems. These guidelines provide the security mitigation strategies and controls that should be applied to systems nearing end of vendor support.

The Information Security Guidebook for Small and Medium Businesses is now available! This document provides basic guidance on information security controls that small and medium sized businesses should consider to help protect sensitive or critical information assets.