
Security Policy and Governance involves the creation and enforcement of cybersecurity policies, frameworks, and standards across the organisation. This sector ensures that security protocols are clear, consistent, and align with both industry best practices and legal requirements. A robust security governance structure helps organisations manage risks, maintain compliance, and ensure that cybersecurity strategies are effectively implemented and monitored across all business operations.
———————————————————————————————————
Level 1 Certification
———————————————————————————————————
Measure 17.1: Develop a Basic Cybersecurity Policy
Does your enterprise have a simple, clear cybersecurity policy that outlines the basic security practices and responsibilities for employees?
Example: Create a basic cybersecurity policy that covers the use of passwords, access control, reporting suspicious activities, and employee responsibilities regarding information security.
Measure 17.2: Assign a Security Officer or Responsibility
Does your enterprise designate a person or a small team to oversee security practices and ensure the implementation of basic security measures?
Example: Appoint a “Security Officer” or an employee responsible for managing the organisation’s cybersecurity practices, ensuring that employees follow the policy and stay informed on best practices.
Measure 17.3: Educate Employees on Data Handling Best Practices
Does your enterprise educate employees on the basic cybersecurity policies and protocols they need to follow?
Example: Provide onboarding training on the company’s security policies and periodically remind staff about policies on password management, phishing threats, and safe data handling.
Measure 17.4: Implement Basic Access Control Procedures
Does your enterprise have procedures in place to control who can access sensitive systems and data?
Example: Ensure only employees who require access to sensitive data or systems have permissions, and make sure access levels are clearly defined within the organisation.
———————————————————————————————————
Level 2 Certification
To achieve Level 2: Level 1 must also be achieved.
———————————————————————————————————
Measure 17.5: Establish Comprehensive Cybersecurity Policies and Frameworks
Does your enterprise have a comprehensive set of written policies that cover all key aspects of cybersecurity (e.g., incident response, data protection, network security)?
Example: Develop a suite of policies that includes guidelines for data privacy, secure software development, employee access, remote work security, and incident response.
Measure 17.6: Align Security Policies with Industry Best Practices and Regulations
Are your security policies and frameworks aligned with industry best practices and relevant legal requirements (e.g., GDPR, ISO 27001)?
Example: Ensure that your security policies adhere to the GDPR (if applicable), PCI-DSS (if handling payment card data), or any other relevant compliance frameworks to ensure legal and regulatory compliance.
Measure 17.7: Assign Dedicated Security Roles or Teams
Does your enterprise have dedicated personnel or teams responsible for enforcing security policies and conducting security reviews?
Example: Create specific roles such as a Chief Information Security Officer (CISO), security manager, or dedicated IT security team to oversee and manage cybersecurity initiatives across the organisation.
Measure 17.8: Implement Regular Policy Review and Updates
Does your enterprise regularly review and update its security policies to ensure they remain relevant and up-to-date with emerging threats?
Example: Conduct annual reviews of all cybersecurity policies and update them as necessary to address new vulnerabilities, regulatory changes, or changes in the organisation’s operations.
Measure 17.9: Provide Ongoing Security Awareness and Training
Does your enterprise provide regular training to all employees on updated security policies and emerging cybersecurity threats?
Example: Offer quarterly cybersecurity training to employees, covering updated security policies, how to identify phishing emails, best practices for handling sensitive data, and other key security topics.
———————————————————————————————————
Level 3 Certification
To achieve Level 3: Level 2 and Level 1 must also be achieved.
———————————————————————————————————
Measure 17.10: Implement a Security Governance Framework
Does your enterprise have a formal, comprehensive cybersecurity governance framework that defines roles, responsibilities, and decision-making processes across all levels?
Example: Adopt a formal cybersecurity governance model, such as the NIST Cybersecurity Framework or ISO 27001, to ensure roles, risk management practices, and security protocols are clearly defined across the organisation.
Measure 17.11: Conduct Regular Security Audits and Assessments
Does your enterprise conduct regular security audits and assessments to ensure compliance with internal policies and external regulations?
Example: Conduct annual internal and external security audits, vulnerability assessments, and penetration tests to ensure adherence to security policies, best practices, and legal requirements.
Measure 17.12: Ensure Policy Enforcement Through Monitoring and Reporting
Does your enterprise have monitoring tools in place to track compliance with security policies, and does it have a clear reporting structure for security incidents?
Example: Use security monitoring tools like a SIEM to track policy compliance, and ensure employees have clear instructions on reporting security incidents or breaches.
Measure 17.13: Integrate Security into Business Processes
Does your enterprise integrate cybersecurity policies and considerations into key business processes such as procurement, third-party vendor management, and employee onboarding?
Example: Incorporate security requirements into vendor contracts, employee hiring processes (including background checks), access controls, and system procurement (including security checks and risk assessments for software and hardware).
Measure 17.14: Maintain a Cybersecurity Risk Management Programme
Does your enterprise have an established risk management programme that regularly evaluates and mitigates cybersecurity risks across the organisation?
Example: Implement a formal risk management programme where risks are identified, evaluated, prioritised, and mitigated regularly by senior management.
———————————————————————————————————