We have just completed and released a brand new information security policy template on professional services.
The policy is generic, pragmatic and yet succinct at just over 2 pages.
Professional services engagements, and hence the associated information risks, are so diverse that it made no sense to specify particular infosec controls beyond a few examples. Instead, the policy requires management to nominate Information Owners for each professional services engagement, and they, in turn, are required to identify, evaluate and treat the information risks.
This is another shining example of the value of the 'information ownership' concept. Although they are encouraged to delegate responsibilities to, or at least take advice from, relevant, competent experts (e.g. in Information Risk and Security, Legal/Compliance, HR, IT, Procurement), Information Owners are held personally accountable for the protection and legitimate exploitation of 'their' information.
If Information Owners neglect to ensure that the information risks are properly treated, leading to unacceptable incidents, they may be held to account and sanctioned in some way - a personal impact of an information risk. Hopefully Information Owners will bear this in mind when seeking the advice of those relevant, competent experts about professional services engagements, when deciding how to treat the risks, and when allocating resources to the risk management and control activities, technologies, procedures etc. At least, they should do so if the policy is properly implemented with appropriate governance, management oversight, compliance monitoring and assurance ... and that once again emphasises that corporate policies form a mesh. In almost any situation, several policies may be relevant, which is fine so long as they are consistent, well-written, understood and enforced.

I will pick up on that point shortly as we are about to release a couple of 'toolkits' - suites of policy templates and other materials. Watch this space!