1. The intranet and hence the ISMS documentation will be readily available
throughout the organisation to anyone with access to the corporate LAN.
Other departments can not only read and refer to your materials but
hyperlink directly to them in their own policies, procedures etc. (and vice
versa of course!).
2. The content can be structured and presented neatly (e.g. short, easy-to-
read summary/intro pages hyperlinked to more detailed supporting pages
containing the nitty gritty; embedded graphics such as process flow
charts, mind maps ... oh and security awareness stuff).
3. It is easier to control the ISMS website than printed/hardcopy ISMS
documents, provided someone has control over what gets posted to the
intranet ISMS area (implying some sort of change management process to
review and publish stuff). Everyone should be clear that the ISMS
materials on the intranet are the current, live, versions. [You may like to
have a separate 'trial' or 'draft' area to expose proposed policy changes
for feedback, but make sure that area is easily identified as such e.g. with
a different colored page background and an explicit statement that these
are drafts, not the current, live, versions of your policies.]
There are two drawbacks though:
1. You need the skills and tools to design, prepare, publish and maintain the
website, or at least easy access to someone who has them.
2. Web pages (like this one!) don't usually print out very well, so for things
that people want to print and refer to, comment on, or whatever, you may
need to supply printable versions (e.g. PDFs) to download and print from
the same web pages.
That covers the format and type of communication. As to the writing style, that's
something you will have to develop. Parts of the ISMS are inevitably formalized
(e.g. policies), others can usefully be more user-friendly (e.g. guidelines). It’s
perfectly OK to have some fun too, using more creative security awareness
materials such as quizzes, crosswords, seminars/workshops and prize draws. The
idea is to draw people in and engage them, provide useful, readable content, not
scare them off forever with miles of impenetrable red tape.
Implementation tip: It definitely helps to have a consistent style/format for
each type of material, and even better, consistent elements on all of them to bind
them into a coherent, professional suite. Do you have an ISMS logo, perhaps,
with which to ‘brand’ the documentation and your other security awareness
materials? Do you employ professional authors? Do they use templates and
styles consistently?