Here’s a story for you. This is disgusting, and happened to one of our clients.
This client is a two-person financial services firm.
Yes, even two-person firms need an Information Security policy.
They went to one of those online services — you know the type.
For $99, you get their template “customized” for you.
The end result?
This two-person company had a 200 page Information Security policy!
In many ways, this is worse than having no policy at all.
We read the policy, and it was very clear that the firm wasn’t doing 90% of the things that the policy said they were.
And believe me — an auditor or a breach investigator would see right through that. They hate it when they get policies that are long and useless.