Security Process
Security Planning
02 Security Policies, Processes, & Procedures

Security Policies, Processes, & Procedures

Policies, processes, and procedures are essential for setting expectations and developing strategies for achieving security. Knighthood assists customers in selecting the level that best fits their needs.

Enhanced

  • As part of your continuous improvement programme for security, your people and relevant service providers actively contribute to optimising processes and procedures. You have tools in place to facilitate this.
  • Issues and emerging risks relating to contracting and contract management processes are analysed and mitigations strategies are put in place to improve existing and future contracts.

Managed

  • You have security policies, processes, and procedures in place to protect people, information, and assets.
  • Policies and procedures are easy to access and understood.
  • You review security policies at least every two years, and periodically review processes and procedures to ensure they remain appropriate.
  • Security management processes are embedded, consistently followed, and deliver the outcomes you expect.
  • Your procurement contracts include standard terms and conditions relating to security.
  • Your policies and procedures include aspects on working with external suppliers where relevant.
  • People from across your organisation contribute to designing security management policies, processes, and procedures.
  • You proactively scan your environment for relevant changes and emerging threats, amending security policies, processes, and procedures when appropriate.
  • You set and apply evidence-based performance measures for your security management processes, and performance targets are consistently met.
  • Your security management processes and procedures are supported by automation when that makes them more effective and efficient.
  • You have documented and effective procedures in place to ensure that proposed changes to processes, or new processes, are assessed for their impact on security management requirements.

Basic

  • You have elements of protective security policy in place, but they’re not yet sufficiently supported by documented processes and procedures.
  • Where security management processes do exist, they usually perform as expected. However, process discipline may be lax.
  • You occasionally review security policies, usually in response to an incident or prompt.
  • When applicable, your procurement contracts identify requirements for protecting people, information, and assets.
  • Levels of due diligence on the security policies and measures of external suppliers vary across your organisation.
  • You have a limited or inconsistent process in place for considering how new processes, or changes to existing ones, will affect security management.

Informal

  • You have no documented protective security management policies, processes, or procedures in place.
  • Undocumented processes tend to change depending on the situation at the time or who is following them; and the purpose and value of these informal processes may be unclear.
  • Protective security needs may be considered when business processes are developed or reviewed, but you can’t be confident this happens.
  • You don’t ask external suppliers for information about their security policies and measures before you share sensitive information with them.
  • Security is not considered in procurement decisions or factored into supply contracts for products or services.