The ISSP (Information Systems Security Policy) is a strategic document that defines the rules and objectives of an organisation in terms of the security of its information systems.
The Information Systems Security Policy (ISSP) is a reference document that reflects an organisation's strategic vision and objectives for the security of its information systems. It sets out the guiding principles, the security rules to be adopted, and the action plan for achieving and maintaining a certain level of security. The ISSP is tailored to each organisation, taking into account its specific characteristics, challenges, needs and constraints.
An ISSP is generally drawn up by several key players within an organisation:
- Information Systems Security Manager (ISSM), who is responsible for it
- CIO (Chief Information Officer) and, more generally, the management of the organisation
- DPO (Data Protection Officer)
- Business line managers
- User representatives
- IT security experts
Example of a PSSI
An example of an ISSP could include the following elements:
- Introduction and scope of application
- Safety objectives
- Roles and responsibilities
- Security rules (e.g. password management, use of equipment)
- Risk management
- Business continuity plan
- Incident management procedures
- User training and awareness
🔢 PSSI figures
- According to one study, 60% of French companies had a formalised ISSP in 2020.
- Organisations with a well-implemented IPSP can reduce the average cost of a data breach from $3.58 million to $2.10 million.
- 95% of cybersecurity breaches are due to human error, underlining the importance of awareness-raising included in the ISP.
- It is now compulsory for healthcare establishments in France to have an information security plan in place.
- Companies with a well-defined ISSP generally have a better response time to security incidents.
- It takes an average of 3 to 6 months to draw up an ISSP for a medium-sized organisation.
