top of page
  • Writer's pictureMatt Gehrisch

Do I need a Written Information Security Plan?

Updated: Jul 22, 2022

An image Xs, Os, and arrows showing a game plan on a soccer field.

Small businesses present a uniquely dynamic operating environment compared to larger organizations. Much of the structure that larger organizations implement to support operations at scale is unnecessary in a small business at best, and wildly inappropriate at worst. Structure for the sake of structure is a non-starter in a small organization. The focus must be on value-added activities that drive the business forward. A mindful strategy and a right-sized approach are the keys to success.

Once leadership has recognized a legitimate business driver for security, attention turns to how to best protect the organization and its assets. As we have discussed in a prior article, it is important to select an appropriate industry standard framework to build the Information Security program against. After a framework has been selected, implementation becomes the next hurdle.

The WISP, as a document, does not exist for its own sake. A Written Information Security Plan (WISP) functions as a strategic charter and forms the foundation of the Information Security program. It serves several purposes to ensure successful implementation and consistent operation of the Information Security Program.

Define and communicate strategy

A WISP contains a set of written Information Security policies. The security strategy is captured and communicated to the organization through those security policies. They articulate what the organization intends to do to protect its assets.

Define roles and responsibilities

To ensure accountability and prevent confusion, a WISP defines key roles and responsibilities related to the security of the organization.

Inform decisions

A WISP provides foundational strategic governance to support efficient decision making within the organization. Through clearly documented policies, decisions can be made at lower levels in the organization. Additionally, those decisions can easily be reviewed by leadership to ensure that the organization is continuing to operate in accordance with the strategic plan.

Support consistent training

The documented policies contained in the WISP allow for consistent training across the organization. Each team member knows what is expected of themselves, what to expect of each other, and how their individual roles impact the security of the organization day to day.

A Written Information Security Plan doesn’t need to be a large complex document. In fact, the best policies are those that are simple and easy to understand.

What questions do you have about creating a Written Information Security Plan for your organization? Use the buttons at the top right corner of the page to connect with us on social media and let us know. Better yet, join us as a caller on a future episode of The Mindful Business Security Show and ask your questions on our podcast!


Recent Posts

See All


bottom of page