Overview
Policy Statement
This policy outlines the policy management framework for your organization. Its purpose is to ensure that policy development processes are appropriately governed and consistent, and that they support the development of high-quality policies.
The Privacy and Security Officers, as defined by the company, are responsible for policy management. It is their responsibility to properly version and update the policies your organization adheres to.
Principles
- Accessibility: policy documents are available and understandable to stakeholders and customers. Under section 20 of the Right to Information Act 2009, exact copies of each of its policy documents must be preserved for inspection;
- Alignment: policy documents are aligned with Public Trustee Strategic Planning and other strategy and planning documents;
- Consistency: policy documents are consistent with the whole of government and national policy (where applicable) and comply with relevant legislation;
- Informed: policy documents are informed by research and evidence;
- Implementation: policies are communicated to relevant stakeholders and implemented together with them throughout all stages of development and implementation.
Scope
All devices, systems, people, and processes that constitute your organization's information and cloud-based systems.
Policy Hierarchy
Policies
Policies are documents that describe the principles that govern and guide conduct and decision-making in a particular context. Policies are always company-wide documents. They must be high-level and principles-based and express the objectives and intentions of the company. The use and/or application of policies is mandatory.
Procedures
Procedures are operational documents that describe the processes and actions that are required to enable the implementation of a policy. A procedure may also be developed to ensure compliance with legislative requirements. A procedure may be a company-wide document or applicable only to particular business areas. Compliance with procedures is mandatory.
Controls
Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. In the field of information security, such controls protect the confidentiality, integrity, and availability of information.
Plans, Guidelines and Manuals
Plans, guidelines, and manuals are documents that provide detail and context for particular matters that are generally the subject of a legislative obligation, a policy, or a procedure. Guidelines provide a pathway for employees to follow. A guideline may be a company-wide document or applicable only to particular business areas. Compliance with guidelines is usually mandatory; however, where compliance is optional, employees are strongly encouraged to follow the guidelines wherever possible.
Procedures
Procedures and mapped controls
Initiation
Policy development can be triggered, for example, by legislative changes, strategic objectives, restructuring of your organization, or an identified institutional risk or gap. A policy proposal should be submitted to the relevant governance or management body to assess the need for policy development or review. The proposal should be submitted using the Policy Proposal Template and should include an impact assessment (equality and other relevant impact assessments). Approval of the policy proposal should involve an initial discussion of, and stated preferences on, the policy principles.
Drafting and Development
The Policy Developer/Reviewer should consider the policy issue, conduct an initial discussion on policy principles with stakeholders, carry out any relevant research including a review of international good practice, formulate a draft policy document, undertake consultation with appropriate stakeholders, address any gaps highlighted by the policy impact assessment, and submit a final draft of the policy for approval.
Policy should:
- Contain language that is plain English and appropriate for the audience;
- Comply with your organization's Policy Template to ensure consistency across all policy documents;
- Record the policy owner, approval body, and approval date of the policy.
Consultation
Informal consultation with interested parties is strongly recommended throughout the development of a new policy or a major policy review. The Policy Developer/Reviewer should seek to engage decision-making groups on the character of policy problems to be addressed as a prior step to developing policy solutions. Once a policy has been drafted, it needs to be made available for a formal consultation with the relevant governance/approval body.
Approval
Approval of policies shall follow an agreed approval pathway which must be established at the outset of policy development or review. Policies are formally approved by the relevant governing body (your organization Management Team or Board of Directors) or by a senior officer operating under its delegated authority. The policy will be effective from the date of approval, if not otherwise specified.
Communication
All policies are published in the online ISMS Governance Library. A policy published in the ISMS is considered the only authorized version. The Policy Owner is responsible for communications about a new or revised policy. A communication plan should be an essential part of the successful implementation and application of a new policy.
Implementation
Implementation should be planned from the very start of a policy development process. It is important to ensure the oversight of policy implementation, in particular where the implementation spreads across different areas of the company. The Policy Owner should discuss policy implementation with relevant stakeholders, in order to agree on a timeline for all required implementation activities and to assign responsibilities for each activity.
Your organization uses the company Wiki to publish final versions of the implemented policies. Policies follow a standard format, and a Sample Policy can be consulted. Furthermore, standardized conventions on how to manage policies using an automated system are outlined in the Conventions Document.
Monitoring and Review
It is essential that, once approved, policies remain relevant, fit for purpose, and consistent with your organization's mission and objectives. Policy compliance can be monitored by recording issues arising from implementation, gathering feedback, and monitoring decisions taken under the policy. Information collected automatically through monitoring activities is used during the formal review of the policy.
All approved policies are subject to periodic review. Reviews normally take place after at most 3 years of operation. Where necessary, policies may be reviewed outside the review cycle.
Editorial or other minor amendments to a policy may be made outside a formal review; minor amendments require the approval of the relevant governance body. Major amendments to a policy can be approved and implemented only as a result of a formal policy review with appropriate stakeholder consultation. Usually, the CEO approves major changes to the ISMS structure.
A review should consider whether the policy:
- Remains consistent with best practice and the strategic direction of your organization;
- Continues to meet stakeholder needs;
- Complies with any existing related policies and supports your organization's statutes and regulations;
- Works well on an operational level;
- Could be enhanced.