WithPCI.com

12.1.1 An overall information security policy

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

12.1.1 An overall information security policy is:

  • Established.
  • Published.
  • Maintained.
  • Disseminated to all relevant personnel, as well as to relevant vendors and business partners.

Customized Approach Objective

The strategic objectives and principles of information security are defined, adopted, and known to all personnel.

Defined Approach Testing Procedures

12.1.1 Examine the information security policy and interview personnel to verify that the overall information security policy is managed in accordance with all elements specified in this requirement.

Purpose

An organization's overall information security policy ties to and governs all other policies and procedures that define protection of cardholder data.

The information security policy communicates management's intent and objectives regarding the protection of its most valuable assets, including cardholder data.

Without an information security policy, individuals will make their own value decisions on the controls that are required within the organization, which may result in the organization neither meeting its legal, regulatory, and contractual obligations, nor being able to adequately protect its assets in a consistent manner.

To ensure the policy is implemented, it is important that all relevant personnel within the organization, as well as relevant third parties, vendors, and business partners are aware of the organization's information security policy and their responsibilities for protecting information assets.

Good Practice

The security policy for the organization identifies the purpose, scope, accountability, and information that clearly defines the organization's position regarding information security.

The overall information security policy differs from individual security policies that address specific technology or security disciplines. This policy sets forth the directives for the entire organization whereas individual security policies align and support the overall security policy and communicate specific objectives for technology or security disciplines.

It is important that all relevant personnel within the organization, as well as relevant third parties, vendors, and business partners are aware of the organization's information security policy and their responsibilities for protecting information assets.

Definitions

"Relevant" for this requirement means that the information security policy is disseminated to those with roles applicable to some or all of the topics in the policy, either within the company or because of services/functions performed by a vendor or third party.

Purpose

Document and communicate information security policies and procedures.

Compliance Strategies

  • Central policy repository
  • Annual review and staff training

Typical Policies

  • Information Security Policy
  • Acceptable Use Policy

Common Pitfalls

  • Outdated documentation
  • Staff unaware of policies

Type

Documentation Control

Difficulty

Low

Key Risks

  • Inconsistent security practices

Recommendations

  • Use document management systems for version control

Eligible SAQ

  • SAQ-A-EP
  • SAQ-B
  • SAQ-B-IP
  • SAQ-C
  • SAQ-C-VT
  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
