Quiz Entry - updated: 2026.06.04
What is an Issue-Specific Security Policy (ISSP), and how does it differ from the EISP in change frequency?
An ISSP states the organization's position on one specific issue — and unlike the strategic EISP, it requires frequent updates.
Characteristics:
- Addresses a specific issue and contains a statement of the organization's position on it
- Typical topics: who has internet access, use of personal equipment on company networks, use of photocopy equipment, prohibitions against hacking or testing the organization's security controls
- Requires frequent updates — issues evolve with technology and usage (compare: the e-mail ISSP of 2010 vs. one covering today's collaboration tools)
The layering logic: the EISP says "company information must be protected" (stable, strategic); the ISSP says "here is our binding position on personal devices" (issue-level, revisited regularly); the SysSP says "configure the MDM server like this" (system-level, changes with the product).
Tip: ISSPs are where policy meets employee behavior — they're the documents staff actually read (or sign). Clarity beats legalese here.