A common critique of Information Security Management Systems (ISMS) is that they often become "shelfware" only referred to when the auditors arrive or referred to when the security department wants to say no.
Here are some tips to help these documents become "living documents" referred to by staff in your organisation to guide their actions.
1. Get your standards endorsed. Producing an impact assessment that outlines the financial and operational impact of the standard in question may help you in the process of endorsement by management.
2. Have a feedback loop to improve the standards. Document an email address or a contact person for feedback on the standards. This may help you refine the standards to better meet needs
3. Insert "tips and hints" in standards on how to easily comply with the requirements in the standards. Where further guidance is required write processes, procedures or guidelines (e.g. asset handling). This guidance should be gathered from staff "in the field" and should capture organisational knowledge on security activities. This will encourage staff to refer to standards for ideas on how to do security related activities.
4. Put the standards on your intranet. Most content in security standards is not actually that sensitive. If there are processes which are sensitive just list their name on the intranet and refer the reader to someone they can ask about the process or standard.
5. Conduct security awareness activities related to issue or update of new standards and the issues that the updates are intended to address. Align them with key messages in your security awareness program. These messages can be deployed via a banner on the intranet home page, a screensaver, a message at logon or via a regular email bulletin or newsletter.
