Using standards to create cyber security policies

British Standards contain the combined knowledge of experienced UK subject experts often working together with their international colleagues in an open, consensus-based process.

You can read a description of these standards and some other relevant publications that are available from BSI or other organizations below:

Standard number/name Description/Benefits Published by
BS ISO/IEC 27002 Code of practice for information security controls

The starting point for developing your cyber security policy should be BS ISO/IEC 27002. This can help in two ways. It has many controls you can use as guidance when writing your own policy, while its contents list can also be used as a checklist to ensure that important controls aren’t left out.

With respect to legal obligations, BS ISO/IEC 27002 has a section on compliance controls too.

PAS 555 Cyber security risk. Governance and management. Specification PAS 555 can be used to identify desirable outcomes that should be reflected in your security policy. BSI
SP 800-53r4, Security and Privacy Controls for Federal Information Systems and Organizations If you are looking for further possible controls not given in ISO/IEC 27002, one source could be the US National Institute of Standards and Technology (NIST) Special Publication SP 800-53r4. But remember this document is intended for use by US government departments and agencies, and many of its controls may be overkill for the typical small UK firm. US National Institute of Standards and Technology
IT-Grundschutz (baseline protection) catalogue Another possibility is the IT-Grundschutz (baseline protection) catalogue published by the German Federal Office for Information Security (BSI). The most recent version is only available in German, however you can find an English translation of an older version (2005). This is a very comprehensive document, identifying more than 1,000 controls. German Federal Office for Information Security
Getting it right - A brief guide to data protection for small businesses For UK data protection advice, the best place to start is with the Information Commissioner’s small business guide.

ICO (Information Commissioner’s Office)