This section of the guidelines provides a high-level reference point for the management of information security and privacy in social security institutions. The guidelines that follow form a starting point from which institutions can develop their own policies and plans, and will assist in addressing the challenges of information security through a consistent, standards-based approach. They are also intended to raise awareness of the security risks to information assets and to indicate how to deal with them.
The guidance is based on well-recognized principles and best practices related to planning, risk management and performance measurement. It has been drawn from several policy instruments, guidelines and reports from various jurisdictions, and from input by private industry, professionals in social security institutions and standards bodies such as the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST) and the Information Systems Audit and Control Association (ISACA).
These guidelines are oriented towards ICT staff, executives and managers responsible for the security of information assets, and staff responsible for initiating, implementing and/or monitoring risk management and information security within their organizations. They may also be useful for departmental corporate risk managers, strategic planners, coordinators and other specialists who play an important role in helping to integrate security into corporate risk management, planning and performance measurement.
These guidelines may be applied at any stage of an activity, function, project, product or asset involving information. While information security management is usually applied to complete information systems and facilities, it can also focus on individual system components or services where this is practicable and useful.