As Promised: ISO17799-Aligned Set of IT/Information Security P&P’s – Great Rational Starter Kit for a Security Program

Per my offer last week, I received a positive response to my query asking whether folks might find useful a set of well-written policies and procedures aligned to ISO17799. I said that I would do the sanitizing work and release them if I got a fair response.

I did, and here they are. This is in Microsoft Word format, 534 KB.

My only caveat for those who download and use these is: please don't sell them or otherwise engage in commercial activity based upon this work.

I’m releasing it into the wild because I want to help make people’s lives easier and if these P&P’s can help make your security program better, great.  I don’t want anything in return except perhaps that someone else will do something similar.

I must admit that I alluded to a lot of time, sweat and tears that *I* contributed to this document.  To be fair and honest in full disclosure, I did not create the majority of this work; it’s based upon prior art from multiple past lives, and most of it isn’t mine exclusively.

As a level-set reminder:

The P&P's are a complete package that outlines, at a high level, the basis of an ISO-aligned security program; you could basically search/replace and be good to go for what amounts to 99% of the basic security coverage you'd need to address most elements of a well-stocked security pantry.

You can use this "English" high-level summary set to point to indexed detailed P&P mechanics or standards that are specific to your organization.

All you need to do is modify the header/footer with your company's logo and information and do a search/replace of [COMPANY] with your own name, and you've got a fantastic template to start building from or to add onto another framework.

Please let me know if this is worthwhile and has helped you. I could do all sorts of log tracking to see how many times it's downloaded, etc., but if you found it helpful (even if you just stash it away for a rainy day), do let me know in the comments, please.

I also have a really good Incident Response Plan that I consolidated from many inputs; that one has been put through at least one incident horizon, and I lived to tell about it.



  1. August 27th, 2007 at 12:24 | #1

    Absolutely phenomenal! Very well written and organized!
    Thank you for this most excellent contribution to the community!

  2. Eskimoke
    August 27th, 2007 at 13:51 | #2

    Sweet! Thanks so much.
    Since we're leeching off you already, would you also make the IRP available too?

  3. August 27th, 2007 at 14:02 | #3

    That one is going to take some serious sanitizing; I am working on it already…I've got eleventybillion requests for that already 😉
    Glad it's helpful.

  4. August 28th, 2007 at 03:16 | #4

    Just idle curiosity, sire.
    It certainly looks and reads like an "instant security policy document" – and I mean that in the best possible way. You know there are companies out there that would pay good money for that? And there are also consultants out there that would … let's not go there.

  5. August 28th, 2007 at 04:04 | #5

    Hoff, thanks for this. This is the kind of thing that we as a community need to do more of.

  6. Herrnihl
    August 28th, 2007 at 04:06 | #6

    Thanks for this, will compare against mine and fill in the gaps. Would love to see your IR plan as well.

  7. August 28th, 2007 at 06:04 | #7

    @Saso…well, now they can spend their good money on something else! Yes, consultants may be grumpy about this, but now they have an opportunity to help a company derive the actual policies, procedures and standards…
    @Herrnihl/Eskimoke…working on it.

  8. Steve Mullen
    August 28th, 2007 at 08:40 | #8

    Thanks for posting this. I too will compare an old plan I have that is ISO 17799 based against yours. I would be really interested in your Incident Response Plan. Thanks again!

  9. Israel Lopez
    August 29th, 2007 at 11:20 | #9

    Great post; we will bring this up with our VP of IT.

  10. David West
    September 1st, 2007 at 02:31 | #10

    Fantastic! We're in the process of stepping up our security program and this will be an enormous help. I'm also looking forward to seeing your IRP.

  11. John Strange
    September 5th, 2007 at 09:29 | #11

    Excellent!! I look forward to cross referencing this with our current policy. It always helps to understand what other people are doing. I would love to see your IRP.

  12. Eskimoke
    November 8th, 2007 at 16:18 | #12

    Yo Hoff,
    Any movement on making the IRP available?
    P.S. Love your show.

  13. May 16th, 2009 at 17:52 | #13

    Thanks man, this is great. Looking forward to seeing your IR stuff too.

  14. February 15th, 2010 at 02:05 | #14

    Andy Willingham turned me on to this. Thank you very much! This is quite awesome.

    Did you ever post your incident response plan? Didn't see it during a search of your site.