Matt Gehrisch

What is an Information Security Program, anyway?

Updated: Mar 24




Before we can talk about building an Information Security Program in a small business environment, it is important that we define what that term means. Don’t worry, this isn’t going to get complicated. In its simplest form, an Information Security Program is a plan. It is an organization’s plan to protect their information.



Well, maybe it isn’t quite that simple, so stick with me here! Every organization, including the smallest of small businesses, has information to protect. Common examples include:

  • Business plans
  • Financial reports
  • Supplier lists
  • Customer lists
  • Price lists
  • Order books
  • Inventory status
  • Intellectual property and trade secrets
  • Bank and credit card information
  • Personal information about employees
  • Personal information about customers

This information can take different forms. For example, it can be physical – written or printed on paper, or it can be digital – entered into and saved on computers. Regardless of whether it is physical or digital, it is in the organization’s best interest to protect these types of information. Failing to do so can cause damage to the organization reputationally, operationally, and financially.


It is important to note that organizations do not typically achieve their business objectives by accident. If that were the case, there would be many more successful small businesses out there! Achieving a business objective such as protecting the organization’s information requires a plan. Like any other business plan, that plan should consist of both the strategy and the initiatives that the organization will take to achieve their objective.


The Information Security strategy takes the form of clearly defined policies and standards that provide guidance to support decision making. The initiatives take the form of projects, processes, activities, capabilities, and tools related to the protection of information.


To define an Information Security Program as simply a plan does it a disservice because protecting information within an organization is an active and ongoing pursuit. It is not a project with a finite end. Rather, an Information Security Program becomes woven into the organization’s day-to-day operations.



Now, back to our original question – What is an Information Security Program? When we talk about an Information Security Program, we are referring to a formalized collection of policies, standards, projects, processes, safeguards, activities, and tools. The components are designed to work together and are actively managed as a unit. It is the Information Security Program that provides the organization with the capabilities necessary to achieve the business objective of protecting their information.


We will dive into all of this in more detail in future articles, so stay tuned. Follow us on Twitter, LinkedIn, or Facebook to make sure you don’t miss out!


If you are ready to take the first steps towards building an Information Security Program in your organization, contact us today.
