Information Security Policy


The Information Security Policy is supplemental to the B.C. government Core Policy and Procedures Manual. The policy provides the framework for government organizations to establish local policies and procedures necessary for the protection of information and technology assets for the Province of British Columbia.

The policy was originally developed and published in 2006 and is based on the international standard ISO/IEC 27002:2005 “Information technology - Security techniques - Code of practice for information security management”.

The Information Security Policy is structured into eleven main control areas based on a risk assessment approach. A case requiring security attention in the ministry may be governed by many control areas. For example, when using a portable storage device, we need to consider its various security aspects, which include protection of the information on the device, physical handling of the device, reassignment or disposal of the device, access control to the device, loss reporting and the Information Incident Management Process.

The Information Security Policy is reviewed regularly. The current version is 2.2, October 2012. The Information Security Policy Revision Summary provides a brief overview of main changes. The itemized change log can be requested from the Information Security Branch.

Where a business area is unable to comply with the Information Security Policy, it is necessary to apply for an exemption. The Government Chief Information Officer will review the risk and the risk-mitigation plan and decide whether to approve the exemption request.

To apply for a Standard, Architecture or an Information Security Policy exemption, please complete the Exemption Request Form. Upon completion and approval, please submit the form as indicated in the form instructions. NOTE: The Exemption Form is a Word template; please save it to your local drive and rename it.

For questions about the Information Security Policy, please see the ISP Frequently Asked Questions.

Policy Summaries

To make it easy to apply the Information Security Policy to specific cases, the Information Security Branch, Office of the Chief Information Officer (OCIO), has written Policy Summaries which offer guidance on how the ISP applies to a subject area with regard to government personnel and managers. Personnel include all employees as well as other individuals such as contractors, volunteers and third-party organizations. The full list of Policy Summaries is available here.