PSSI (information systems security policy)

The PSSI (politique de sécurité des systèmes d'information, in English the information systems security policy or ISSP) is a strategic document that defines an organisation's security objectives for its information systems and the rules it adopts to reach them.

The Information Systems Security Policy (ISSP) is the reference document that sets out an organisation's strategic vision and objectives for the security of its information systems. It states the guiding principles, the security rules to be applied, and the action plan for reaching and then maintaining the target level of security. An ISSP is specific to each organisation: it is written to reflect that organisation's activity, risks, needs and constraints rather than copied from a generic template.

Example

An example of an ISSP could include the following elements:

  1. Introduction and scope of application
  2. Security objectives
  3. Roles and responsibilities
  4. Security rules (e.g. password management, use of equipment)
  5. Risk management
  6. Business continuity plan
  7. Incident management procedures
  8. User training and awareness

Figures

Although the exact figures vary by source and year, the following are illustrative and are quoted here without their original sources:

  • According to one survey, 60% of French companies had a formalised ISSP in 2020.
  • Organisations with a well-implemented ISSP were reported to reduce the average cost of a data breach from $3.58 million to $2.10 million.
  • 95% of cybersecurity breaches were attributed to human error, which is why user training and awareness form part of the ISSP.