Cyber Security Management

Executive leaders have many critical responsibilities, in particular evaluating risk and making business decisions. They must balance driving new business innovation against the corporate responsibility for security and adequate system controls. Business advantages, however, are rarely gained without some degree of risk. As executive leaders look to transform the business with new applications, expansions, and automation, they usually expose the business to some degree of new cyber security risk.

Information Systems Security Plans (ISSPs) are living documents that help the organization plan, implement, manage, and assess ongoing risk management in relation to its business goals and activities. When done well, an ISSP provides the organization with recommendations on how to align security and risk management with the needs and requirements of the business.

Here is a sample ISSP for a fictitious technology company, CyberSchlub Inc. There are some excellent resources available to help guide you in developing your own ISSP. These include:

NIST Special Publication 800-18 Revision 1 (2006). Guide for Developing Security Plans for Federal Information Systems.

Federal Information Processing Standards (FIPS), Special Publication 800-53 Revision 4 (2013). Security and Privacy Controls for Federal Information Systems and Organizations.

FDIC System Security Plan Template.

The SANS Institute (2016). Budgeting for the Critical Security Controls.