Table of contents
- What is an Information Security Policy?
- How does it work?
- Should I write one large policy or break it down into many policies?
- Information Security Policy Template
- How to create and use the information security policy video
- How to write an information security policy
- Information Security Policy in 60 Seconds
- Information Security Policy FAQ
I am Stuart Barker the ISO 27001 Ninja and in this article I am going to show you the step by step guide on how to write an information security policy.
It is easier than you think.
So sit back, and let’s go.
What is an Information Security Policy?
An information security policy is a statement of what you do for information security, not how you do it. How you do it is covered in process documents. The information security policy is shared with employees, customers, third parties, auditors and more to show your approach to tackling information security. It includes some key elements such as management buy-in, security objectives, roles and responsibilities, monitoring, and legal and regulatory obligations. It is a straightforward document to write.
It is a fundamental building block of your ISO 27001 certification and your information security management system.
How does it work?
The information security policy informs the reader of what is expected for information security. You create the policy that sets out what you do, you review it and have it signed off by senior management, and then you communicate it to staff and interested parties. Usually staff sign an acknowledgement that they will adhere to the policy. If they do not adhere to it, there are various options available, including invoking the company disciplinary procedure.
The information security policy must be easy to read, communicated, acknowledged and readily available.
Should I write one large policy or break it down into many policies?
You can create one large document of all of your policy statements or break them out into logical documents that can be more readily shared with an appropriate audience and allocated ownership internally to maintain. It will depend on your own situation. I prefer to break it down into individual policies.
One Large Policy
Pro
- Easy to maintain
Cons
- Hard to assign ownership
- Hard to communicate to the relevant people
- Hard to satisfy client requests for specific policies
Individual Policies
Pros
- Easy to assign ownership
- Easy to communicate to the relevant people
- Easy to satisfy client requests for specific policies
Con
- Harder to maintain
Information Security Policy Template
I have prewritten and pre-populated the Information Security Policy Template to meet the requirements of ISO 27001 and other leading security frameworks to save you time and effort.


How to create and use the information security policy video
In this tutorial video I show you how to create an information security policy in around 5 minutes. This step-by-step tutorial walks you through policy document mark-up, what is included in an information security policy, how it is used, and a templated example of a good information security policy. It has been watched over 13,000 times.
How to write an information security policy
Time needed: 4 hours and 30 minutes
How to write an information security policy step-by-step guide
- Create your version control and document mark-up
ISO 27001 documents require version control recording the author, the change, the date and the version, as well as document mark-up such as the document classification.
- Write the document purpose
Write the purpose of the Information Security Policy, for example: the purpose of this policy is to protect against loss of data.
- Write the scope of the policy
Consider the scope of the information security policy. It should apply to all employees and third-party staff working for your company.
- Write the principle on which the policy is based
The principle of the Information Security Policy is the confidentiality, integrity and availability of data. It is about the security and protection of confidential data.
- Write a chief executive's statement of commitment
Write a statement from the most senior person in the organisation about the organisation's commitment to information security. Date the statement.
- Define information security
Provide a definition of information security and of the terms confidentiality, integrity and availability.
- Describe the policy framework
Provide a description of the policy framework and the policies that are part of it.
- Set out the roles and responsibilities
Create a definition of each of the roles for information security and what their responsibilities are.
- Describe how you will monitor the effectiveness of information security
Set out the measures and monitors that you will use to verify that information security is effective.
- Document your legal and regulatory obligations
Working with legal counsel, set out the laws and regulations that your organisation must follow.
- Define policy compliance
Set out how compliance with the policy will be achieved and checked.
Information Security Policy in 60 Seconds
Is it possible to have an information security policy that is ready to go in 60 seconds? Let’s find out. Start the clock.
Information Security Policy FAQ
What should an information security policy cover?
An information security policy should cover the purpose of the policy, the scope, the principles on which it is based, a chief executive's statement of commitment and an introduction. It should define information security in terms of confidentiality, integrity and availability. It should include the information security objectives. If it is part of a pack, it should include the full policy framework list of policies. Roles and responsibilities are included, as are the measures and monitors.
How often should an information security policy be reviewed?
It should be reviewed at least annually.
Can I write an information security policy myself?
Yes. It is easy and straightforward to do.
What should I write the information security policy in?
We find Microsoft Word is the easiest, but you can use any word processing application or even publish it as a web page in your content management system.
How long does it take to write an information security policy?
About 4 hours.
What do I need to know to write an information security policy?
You will need to know the required policies of ISO 27001 as covered in Annex A / ISO 27002, plus any company, client or customer specific policy requirements.
Where can I get an information security policy template?
You can download a copy of the ISO 27001 information security policy template here.
Should I have one policy or many?
This depends on your company size and your administrative needs. For a small company a single policy can make sense. Having separate policies in a modular pack has advantages in that they can be assigned to owners to be maintained, they can be communicated effectively to the people who need to understand them, and they can be shared as required with clients and auditors based on their requests without sharing everything.