As Promised: ISO17799-Aligned Set of IT/Information Security P&P’s – Great Rational Starter Kit for a Security Program
Per my offer last week, I received a positive response to my query asking whether folks might find useful a set of well-written policies and procedures aligned to ISO17799. I said that I would do the sanitizing work and release them if I got a fair response.
I did and here they are. This is in Microsoft Word Format. 534 KB.
My only caveat for those who download and use these is: please don’t sell them or otherwise engage in commercial activity based upon this work.
I’m releasing it into the wild because I want to help make people’s lives easier and if these P&P’s can help make your security program better, great. I don’t want anything in return except perhaps that someone else will do something similar.
I must admit that I alluded to a lot of time, sweat and tears that *I* contributed to this document. To be fair and honest in full disclosure, I did not create the majority of this work; it’s based upon prior art from multiple past lives, and most of it isn’t mine exclusively.
As a level-set reminder:
The P&P’s are a complete package that outline at a high level the basis of an ISO-aligned security program; you could basically search/replace and be good to go for what amounts to 99% of the basic security coverage you’d need to address most elements of a well-stocked

You can use this “English” high-level summary set to point to indexed detailed P&P mechanics or standards that are specific to
All you need to do is modify the header/footer with your company’s logo & information and do a search/replace for [COMPANY] with your own, and you’ve got a fantastic template to start building from or add onto another framework with.
Please let me know if this is worthwhile and helped you. I could do all sorts of log tracking to see how many times it’s downloaded, etc., but if you found it helpful (even if you just stash it away for a rainy day) do let me know in the comments, please.
I also have a really good Incident Response Plan that I consolidated from many inputs; that one’s been put through at least one incident horizon and I lived to tell about it.