What is the absolute minimum an Enterprise IS Policy (Leitlinie zur Informationssicherheit) must contain?
Four elements: Geltungsbereich, Sicherheitsziele, Organisationsstruktur, and Sicherheitsstrategie.
Even the smallest viable policy ("Leitlinie zur Informationssicherheit") must answer four questions:
- Geltungsbereich (scope) — for whom and what does this apply?
- Sicherheitsziele (security objectives) — what are we protecting, and to what level? (the CIA goals in business terms)
- Organisationsstruktur (organizational structure) — who is responsible? (CISO, roles, reporting lines)
- Sicherheitsstrategie (security strategy) — by what approach do we reach the objectives?
Why this minimal set: strip any one away and the document stops functioning — without scope nobody knows if it applies to them; without objectives there is nothing to verify against; without organization nobody owns it; without strategy it's a wish list.
Tip: Useful as a review checklist: when handed any organization's security policy, check these four first. Many real-world policies are pages of prose that still fail to answer one of them.
Go deeper:
Sicherheitsrichtlinie (Wikipedia DE) — Die Kernelemente (Geltungsbereich, Sicherheitsziele, Organisationsstruktur, Durchsetzung).