Creating an information security policy for your business

When your organization begins trying to achieve ISO 27001 certification, you will need to prove your compliance with the Standard with appropriate documentation. One of the documents you must create and maintain is an information security policy.

What is an information security policy?

An information security policy is one of the mandatory documents outlined in Clause 5.2 of ISO 27001 and sets out the requirements of your ISMS (information security management system).

The policy should be a short and simple document – approved by the board – that defines management direction for information security in accordance with business requirements and relevant laws and regulations.

Key elements of your information security policy

An information security policy needs to reflect your organization’s view on information security and must:

  • Provide information security direction for your organization
  • Include information security objectives
  • Include information on how you will meet business, contractual, legal, or regulatory requirements
  • Contain a commitment to continually improve your ISMS

The policy should help drive your approach to scoping the ISMS and implementation project.

An information security policy needs to include all employees in an organization, and may also consider customers, suppliers, shareholders, and other third parties. It’s important to consider how the policy will impact on these parties and the effect on your organization as a result.

You can find out more about an information security policy in our best-selling book Nine Steps to Success – An ISO 27001 Implementation Overview.

Help with creating an information security policy

The information security policy is one of the most important documents in your ISMS.

However, knowing where to start when compiling your information security policy can be difficult, especially in large or complex organizations where there may be many objectives and requirements to meet.

Below is an example of a customizable information security policy, available from IT Governance.

Information security policy template example

Example of the ISO 27001 Information Security Template, available to purchase from IT Governance

If you are looking for a complete set of ISO 27001 documentation templates to help with your implementation project, you may be interested in the ISO 27001 Cybersecurity Documentation Toolkit. The toolkit is designed and developed by expert ISO 27001 practitioners, and includes:

  • A complete set of easy-to-use, customizable, and fully ISO 27001-compliant documentation templates that will save you time and money
  • Easy-to-use dashboards and gap analysis tools to ensure complete coverage of the Standard
  • Direction and guidance from expert ISO 27001 practitioners

Take a free trial to see how the documents and project tools can help you with your ISO 27001 project >>

ISO 27001 trial banner