NCSAM How to: Develop your information security policy and document it thoroughly

Cyber crime is one of the most prevalent and pressing issues facing organizations in all sectors today. Companies need an effective information security policy in place – a formal statement of their commitment to protect the data they maintain.

The information security policy is the driving force and guiding foundation behind an organization’s information security management system (ISMS). This policy sets the parameters for the requirements, rules, and procedures that the organization uses to safeguard its information and ensure business continuity in the event of a data breach.

When preparing information security policy documentation, project leaders should be as clear, broad, and comprehensive as possible. The documentation should also accurately describe your organization’s operational realities and strategic objectives.

The information security policy requires an organization-wide effort

Senior management, staff, third-party contractors, and almost everyone in between should be considered when creating an information security policy. The policy must apply to everyone within the secure perimeter, so even cleaners and security staff should be taken into account when asking:

  • What impact will the information security policy have on employees, customers and other stakeholders?
  • How will the organization benefit from the policy?
  • What disadvantages will the organization have as a result of the policy?

The information security policy must meet certain obligations

Compiling your policy is not always straightforward, but your organization itself is your best source of information. Collect information from all applicable departments long before you launch your full-scale ISMS implementation. The organization’s policy sets the parameters for the risk assessment – its scope, oversight, etc. – and the information security objectives that the risk assessment works towards.

You can compile information by:

  • Interviewing key personnel
  • Hosting focus groups
  • Observing activities and processes
  • Analyzing data security records
  • Distributing surveys

The information security policy must accomplish certain things:

  • Reflect the vested interests and requirements of the entire organization, including its business, legal and regulatory obligations.
  • Establish the overall sense of direction for information security, and set objectives or a framework for determining those objectives.
  • Support the strategic context in which the ISMS will be established.
  • Commit the organization to ongoing and continual improvement of its information security.

The information security policy must answer the who, what, where, and why of its existence:

Who

The board and management need to be in full support of the ISMS, and that support must be clearly demonstrated. For example, the policy statement must be issued under their authority. Documented evidence such as meeting minutes will help to validate their participation.

Where

Each part of the organization included in the policy must be identified, whether by geographic location or by corporate, divisional, or management unit.

What

At the heart of the information security policy and ISMS is the ISO/IEC 27001:2013 requirement that the board and management are committed to preserving the “confidentiality, integrity and availability of information.”

Why

The policy is designed to protect private information from a wide range of threats. It must ensure business continuity, minimize business damage and maximize return on investment.

Establish your information security policy

If you don’t know where to start with your information security policy, we recommend reading October’s book of the month, Nine Steps to Success – An ISO 27001 Implementation Overview, North American edition. Written by Alan Calder, ISO 27001 expert, and founder and executive chairman of IT Governance Ltd, this handy guide tackles some of the most troubling obstacles you’ll face in implementing an ISO 27001-compliant ISMS. The book covers:

  • Overcoming documentation challenges
  • Structuring and resourcing your project
  • Getting management support and keeping them engaged
  • Conducting a five-step risk assessment
  • Completing an SoA and risk treatment plan


Save time and resources by using our ISO 27001 Cybersecurity Documentation Toolkit, which will provide a framework for ISO 27001-compliant ISMS documentation. The toolkit also aligns with the NYDFS Cybersecurity Requirements.

The toolkit includes dashboards and templates designed to help you meet your documentation requirements. View the complete list here.