abstract
- Information is considered to be the most critical asset in the business world and the management of the risks associated with information must become a pattern practice within the companies [1]. Therefore, the adoption of an Information Systems Security (ISS) policy for the protection of such an asset makes total sense. Organizations handle increasingly larger amounts of information in technological supports, which makes continuously stricter and broader security controls indispensable. The technological process may work as a catalyst for threats but is not alone enough to ensure the effective security of information. Just as if not more important than reaching the appropriate levels of information security within each organization is being able to maintain them. Having software and hardware which contributes to the security of information is not enough. Organizations must also have a security policy and a good security management so as to firmly anchor the efforts to protect the assets of the information system [2]. In order to better understand the concept of ISS policy, it is convenient to distinguish it from concepts such as norms, directives and procedures. Table 1 shows the differences between these concepts.