Welcome to the SecAware blog

I spy with my beady eye ...

13 May 2022

Professional services infosec policy template


We have just completed and released a brand new information security policy template on professional services.

The policy is generic, pragmatic and yet succinct at just over 2 pages.

Professional services engagements, and hence the associated information risks, are so diverse that it made no sense to specify particular infosec controls, except a few examples. Instead, the policy requires management to nominate Information Owners for each professional services engagement, and they, in turn, are required to identify, evaluate and treat the information risks.

This is another shining example of the value of the 'information ownership' concept. Although they are encouraged to delegate responsibilities to, or at least take advice from, relevant, competent experts (e.g. in Information Risk and Security, Legal/Compliance, HR, IT, Procurement), Information Owners are held personally accountable for the protection and legitimate exploitation of 'their' information.

If Information Owners neglect to ensure that the information risks are properly treated, leading to unacceptable incidents, they may be held to account and sanctioned in some way - a personal impact of an information risk. Hopefully Information Owners will bear this in mind when seeking the advice of those relevant, competent experts about professional services engagements, when deciding how to treat the risks, and when allocating resources to the risk management and control activities, technologies, procedures etc. At least, they should do so if the policy is properly implemented with appropriate governance, management oversight, compliance monitoring and assurance ... and that once again emphasises that corporate policies form a mesh. In almost any situation, several policies may be relevant, which is fine so long as they are consistent, well-written, understood and enforced. I will pick up on that point shortly as we are about to release a couple of 'toolkits' - suites of policy templates and other materials. Watch this space!

The policy template is available here, along with the professional services security guideline and checklists.


  1. I'm not sure I buy this idea of "hold information owners personally responsible". I don't think that scales. Imagine if we held car owners "personally responsible" no matter who was driving the car. I think people would take a really different approach to locking and controlling their car. This "personal" approach only works at some really small companies that move nice and slowly. Large enterprises or businesses that move quickly will not be able to adopt such an approach. There's a lot more to determining whether this policy is suitable for a company than simply looking at whether they hire professional services or not.

    1. Fair point, Paco. It comes down to the way the concept is both understood and applied. The terms vary (e.g. information [asset] owner, [information] risk owner) but the underlying accountability principle is a powerful mechanism, along with the distinction between accountability (which is 'sticky' and personal/individual) and responsibility (which can be delegated and shared). For me, it's the sharp end of governance: regardless of the size, complexity or maturity of an organisation, workers need to be accountable for their own decisions and actions, otherwise ... well, isn't that anarchy?

      I fully agree with you about management determining whether the policy is applicable, and if so how best to implement/adopt it: that's the reason I'm proposing a guideline rather than a strict standard, mandatory specification or regulation. Flexibility wins!