Why an ISMS Only Works When Policy Comes to Life

When an ISO (Information Security Officer) delivers a set of policy documents, the same question inevitably comes up:

“Why are we doing all this? Why so many documents? Are we not just feeding a paper tiger to comply with NIS2?”

That question is understandable. Policy can be extensive and sometimes feel technical. Yet policy is not a bureaucratic side issue. It is the foundation that allows an organisation to operate in a controlled, defensible and resilient way.

And more importantly:

An ISMS only works when the agreements laid down in policy are applied in practice in a visible, demonstrable and repeatable manner.

Policy is the foundation, not the end product

An ISMS is about protecting information and safeguarding the continuity of core processes. It ensures that information remains available, reliable and properly protected, especially where personal or sensitive data is concerned.

Without clear policy, it is unclear which agreements apply and who within the organisation is responsible for complying with them. Policy provides direction and anchors accountability at board level. How those agreements are implemented in practice is set out in processes. This keeps policy clear and manageable, while allowing execution to remain practical and flexible.

Policy therefore acts as a route map. It determines how the organisation wants to deal with threats, incidents and recovery. The law requires it, but practice shows why it is needed. Organisations without policy do not know what to protect, how to protect it or who is responsible. But that is only the first step.

Policy only comes to life when it becomes visible in the way we work every day.

Why there are so many policy documents

Information security touches many areas: network management, incident management, change management, access control, encryption, physical security, suppliers, continuity, development and more. Each area carries different risks, requires different measures and affects different parts of the organisation.

That is why a single policy document is not realistic.

There are different ways to structure policy. Some organisations opt for one comprehensive document, but this quickly becomes unwieldy. In practice, it works better to split policy up: a general policy document setting out vision, roles and frameworks, supplemented by topic or domain specific policies. This keeps each document readable and clearly scoped, and makes it immediately clear which agreements apply to which area. This structure improves understanding and makes policy easier to maintain.

One principle remains essential:

Board members do not need to be IT experts to understand policy. Policy must be written in a way that allows them to assess it.

Approving policy without understanding it is not an option under NIS2. Board oversight requires clarity at board level.

Policy only gains value through execution

Policy without execution is worthless.

Policy without monitoring is blind.

Policy without improvement is stagnation.

Policy is necessary to provide direction, but by itself it changes nothing. It is the starting point: the agreements and responsibilities the organisation can rely on. To make those agreements effective, they must be connected to day-to-day operations. This is where the ISMS comes in.

The ISMS ensures that what is defined in policy actually happens. It translates board level choices into a working process in which risks are assessed, measures are implemented, controls are performed and incidents are investigated. Without this link, policy remains theory.

Operational planning is the engine of this process. It shows, in a visible and demonstrable way, when controls are carried out, who is responsible, how deviations are handled and how the board exercises oversight. Think of checks on certificates, access rights, offboarding, supplier arrangements and physical access controls.

Without such planning, policy remains a paper agreement.

With planning, policy becomes practical reality and the ISMS continues to operate as intended.

Everyone has a role, not just the ISO

One of the biggest misconceptions is that an Information Security Management System belongs to “the ISO”. The Information Security Officer is the director. He or she sets frameworks, safeguards coherence and makes adjustments where needed. The organisation executes. Information security is therefore a chain in which everyone forms a link.

A few examples, with responsibilities made explicit:

  • Reception staff decide who enters the building and prevent unaccompanied visitors from accessing work areas. The ISO ensures clear access procedures, instructions and awareness, and periodically verifies whether these agreements are followed in practice.

  • HR is responsible for screening employees, correct onboarding and, crucially, timely offboarding. A missed offboarding can result in accounts remaining active for months. The ISO embeds this process by defining policy, roles and responsibilities, and setting up controls around joining, internal moves and leaving.

  • IT monitors certificates, accounts, patches and configurations. These are direct measures that determine whether systems remain secure and available. The ISO translates risks and compliance requirements into concrete security requirements, prioritises measures and monitors whether they are performed consistently.

  • Managers and teams ensure that procedures are followed, incidents are reported and deviations do not disappear under the surface. The ISO facilitates this by setting up reporting processes, providing management information and organising follow-up on findings and incidents.

An ISMS only works when everyone takes responsibility and governance and execution are aligned. As soon as one link fails, space for risks and incidents emerges. The strength of a well-functioning ISMS lies precisely in that coherence.

What happens when the ISMS does not come to life

A practical example that almost every board member will recognise: an employee leaves the organisation. HR informs the manager, who assumes IT will handle the offboarding. IT never receives a notification, so the account remains active unnoticed. Months later it turns out that this old account still had access to mailboxes and files.

The inevitable question then arises: were there clear agreements in policy, and was the process in which the standard's required control measures were embedded actually followed? Without policy, it is unclear what the organisation agreed. Without execution of the process, it is unclear why things went wrong. And without operational planning, the periodic checks needed to detect non-compliance in time are missing.

In practice, this leads, for example, to ghost accounts: accounts of former employees that are still active because no one checked whether the offboarding process was fully followed. Without that verification, a deviation remains unnoticed and a small process error can grow into a serious incident. This marks the difference between a situation that can be handled professionally and an incident that results in reputational damage, board-level questions, legal risks and potentially regulatory scrutiny.
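A periodic control of the kind the planning section calls for, as an added example that is not part of the original article: it reconciles the HR leaver register with the account inventory exported from the directory and reports accounts that are still enabled after the departure date, separating dormant ghost accounts from ones that have actually been used since the person left. The sample records, user names and the one-day offboarding window are constructed assumptions.

```python
from datetime import date

# Constructed sample data (not from the article): the HR leaver register and
# the account inventory as exported from the directory service.
HR_LEAVERS = [
    {"user": "a.jansen", "left": date(2024, 3, 31)},
    {"user": "b.devries", "left": date(2024, 5, 15)},
    {"user": "c.bakker", "left": date(2024, 6, 30)},
]

ACCOUNTS = [
    {"user": "a.jansen", "enabled": False, "last_logon": date(2024, 3, 29)},  # offboarded correctly
    {"user": "b.devries", "enabled": True, "last_logon": date(2024, 8, 2)},   # ghost account, still in use
    {"user": "c.bakker", "enabled": True, "last_logon": date(2024, 6, 28)},   # ghost account, dormant
    {"user": "d.smit", "enabled": True, "last_logon": date(2024, 8, 9)},      # current employee
]

# Date on which the periodic check is run (constructed).
AS_OF = date(2024, 8, 31)


def find_ghost_accounts(leavers, accounts, as_of, grace_days=1):
    """Return leaver accounts that are still enabled after their departure.

    Each finding records whether the account was used after the leave date,
    which separates an unfollowed process (dormant account) from a possible
    misuse that needs incident follow-up. grace_days is the agreed offboarding
    window (an assumption here; take it from the organisation's own policy).
    """
    by_user = {a["user"]: a for a in accounts}
    findings = []
    for leaver in leavers:
        acct = by_user.get(leaver["user"])
        if acct is None or not acct["enabled"]:
            continue  # offboarding completed or account already removed
        days_open = (as_of - leaver["left"]).days
        if days_open < grace_days:
            continue  # still inside the agreed offboarding window
        findings.append({
            "user": leaver["user"],
            "days_open": days_open,
            "used_after_departure": acct["last_logon"] > leaver["left"],
        })
    # Used-after-departure findings first, then the longest-open accounts.
    return sorted(findings, key=lambda f: (not f["used_after_departure"], -f["days_open"]))


if __name__ == "__main__":
    for finding in find_ghost_accounts(HR_LEAVERS, ACCOUNTS, AS_OF):
        print(finding)
```

Run against real exports, the output is the evidence the operational planning asks for: each finding is either a closed offboarding ticket or a deviation with an owner and a follow-up date.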

Why board members should want this

Policy is the basis on which an organisation is governed. It defines which agreements apply and who is responsible for what. Without policy, direction is lacking, accountability cannot be demonstrated and information security becomes unpredictable. Clear policy agreements are essential to deliver continuity, privacy protection and board responsibility.

The ISMS then ensures that this policy does not remain on paper, but is actually implemented. Through processes and operational planning, agreements are translated into controls, actions and oversight. This creates demonstrable effectiveness rather than a paper construction.

The essence

Policy provides direction.

Execution provides substance.

Planning provides assurance.

Together, they form an organisation that manages risks and is demonstrably in control. That is not a paper tiger, but information security that genuinely works.

Good information security starts with clear and supported policy. We can support organisations in establishing this policy, aligned with legislation, risks and day-to-day practice. That policy only gains value when it is translated into workable processes and concrete measures that are actually implemented and periodically tested.

Many organisations recognise this importance, but lack the capacity or expertise to embed it structurally. With ISO as a Service, we offer a practical and continuously available security function. This helps make policy understandable and applicable, organise execution and ensure that the Information Security Management System operates in a demonstrable way.

Would you like to know what this could look like in your organisation? We are happy to think along with you in a practical way.
