Security Policies, Processes, & Procedures
Policies, processes, and procedures are essential for setting expectations and developing strategies for achieving security. Knighthood assists customers in selecting the level that best fits their needs.
Enhanced
- As part of your continuous improvement programme for security, your people and relevant service providers actively contribute to optimising processes and procedures. You have tools in place to facilitate this.
- Issues and emerging risks relating to contracting and contract management processes are analysed, and mitigation strategies are put in place to improve existing and future contracts.
Managed
- You have security policies, processes, and procedures in place to protect people, information, and assets.
- Policies and procedures are easy to access and understand.
- You review security policies at least every two years, and periodically review processes and procedures to ensure they remain appropriate.
- Security management processes are embedded, consistently followed, and deliver the outcomes you expect.
- Your procurement contracts include standard terms and conditions relating to security.
- Your policies and procedures include aspects on working with external suppliers where relevant.
- People from across your organisation contribute to designing security management policies, processes, and procedures.
- You proactively scan your environment for relevant changes and emerging threats, amending security policies, processes, and procedures when appropriate.
- You set and apply evidence-based performance measures for your security management processes, and performance targets are consistently met.
- Your security management processes and procedures are supported by automation when that makes them more effective and efficient.
- You have documented and effective procedures in place to ensure that proposed changes to processes, or new processes, are assessed for their impact on security management requirements.
- You have elements of protective security policy in place, but they’re not yet sufficiently supported by documented processes and procedures.
- Where security management processes do exist, they usually perform as expected. However, process discipline may be lax.
- You occasionally review security policies, usually in response to an incident or prompt.
- When applicable, your procurement contracts identify requirements for protecting people, information, and assets.
- Levels of due diligence on the security policies and measures of external suppliers vary across your organisation.
- You have a limited or inconsistent process in place for considering how new processes, or changes to existing ones, will affect security management.
Informal
- You have no documented protective security management policies, processes, or procedures in place.
- Undocumented processes tend to change depending on the situation at the time or who is following them; and the purpose and value of these informal processes may be unclear.
- Protective security needs may be considered when business processes are developed or reviewed, but you can’t be confident this happens.
- You don’t ask external suppliers for information about their security policies and measures before you share sensitive information with them.
- Security is not considered in procurement decisions or factored into supply contracts for products or services.