An Introduction To
Commentary

Corporate management is always a complex mixture of interpretation and implementation. In a small organisation, managers can rely on their close contact with employees to pass their intentions around the workforce. In larger organisations, or in those where external regulators or auditors require it, management intentions must be published in the form of documented corporate policies.

These policy statements serve a number of valuable purposes. The primary purpose of a policy statement is to set out the aims of the organisation as endorsed by the executive management team. The document should be written so that it can be interpreted at a local level into operational rules or standard operating procedures (SOPs). The supporting policies and procedures derived from the overall policy statement then control the day-to-day operations at the various functional levels within the organisation; it is unrealistic to expect the corporate executive to write those detailed supporting policies and procedures themselves.

The existence of a policy statement endorsed by the executive implies that it will be recognised as a valid budget item and funded accordingly. It is also the means by which an organisation tells its staff what the rules are; unless this happens, the organisation has no way of ensuring that staff stick to them.
The Security Practitioner: An Introduction to Information Security