
ISO 27001 Information Security Policy Explained + Template

Last updated Sep 25, 2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

ISO 27001 Information Security Policy

The information security policy is the cornerstone of any information security management system and a requirement of the ISO 27001 standard.

What is It?

An Information Security Policy is your company’s rulebook for keeping information safe. Think of it as your game plan. It tells everyone what to do and what not to do to protect sensitive data. It’s a formal document that shows your commitment to security.

Applicability to Small Businesses, Tech Startups, and AI Companies

This policy is useful for businesses of all sizes, including small businesses, tech startups, and AI companies.

  • Small Businesses: You need this policy to set clear expectations. It helps your team understand security without a full-time security expert. It can be simple and focus on your main risks, like protecting customer lists or financial data.
  • Tech Startups: Your policy proves to clients and investors that you take security seriously. It helps you manage risks related to new technology and rapid growth. It’s a way to build trust from day one.
  • AI Companies: For you, the policy must address risks specific to your work, such as the privacy of training data, the ethical use of that data, and the security of your AI models and the data they are built on. It records your commitment to responsible AI.

ISO 27001 Information Security Policy Template

The ISO 27001:2022 Information Security Policy Template is designed to fast track your implementation and give you an exclusive, industry best practice policy template that is pre written and ready to go. It is included in the ISO 27001 toolkit.


Why You Need It

You need an Information Security Policy because it’s a required document for ISO 27001 certification. It’s the central piece of your Information Security Management System (ISMS). Without it, your security efforts would be a jumble of random actions, not a clear, organised system. It also shows customers and partners that you’re a trustworthy business.

When You Need It

You need to write this policy early in your ISO 27001 journey, right after you’ve defined your Context of the Organisation. It sets the tone for all the security work that follows. You should also review and update it at least once a year, or whenever your business changes.

Who Needs It?

Everyone in your company needs to follow this policy. It’s a document written for and approved by top management, but it applies to all employees, contractors, and even temporary workers who handle your information.

Where You Need It

You need to have this policy documented and available to your team. It should be a formal document that’s stored and managed as part of your ISO 27001 documentation. You’ll also need to make sure everyone can easily find and read it.

How to Write It

  1. Start with the big picture: What are your company’s security goals?
  2. Make it easy to understand: Use simple language and avoid technical jargon.
  3. Define roles: Clearly state who is responsible for what. For example, “The IT team is responsible for managing firewalls.”
  4. Cover key areas: Include sections on things like access control, data handling, and incident management.
  5. Get it approved: Your top management must formally approve the policy.

Time needed: 1 hour and 30 minutes

How to write an information security policy

  1. Create your version control and document mark-up

    ISO 27001 documents require version control of the author, the change, the date and the version as well as document mark up such as document classification.

  2. Write the ISO 27001 Information Security Policy purpose

    Write the purpose of the document. The purpose of this policy is to set out the information security policies that apply to the organisation to protect the confidentiality, integrity, and availability of data.

  3. Write the ISO 27001 Information Security Policy scope

    Consider the scope of the information security policy. The scope of the policy is all employees and third party staff working for your company.

  4. Write the ISO 27001 Information Security Policy principle

    The principle of the policy is that information security is managed based on risk, legal and regulatory requirements, and business need.

  5. Write a chief executive's statement of commitment

    Write a statement from the most senior person in the organisation about the organisation's commitment to information security. Date and sign the statement. An example:

    “As a company, information processing is fundamental to our success and the protection, availability, and security of that information is a board level priority. Whether it is employee information or customer information we take our obligations under the law seriously. We have provided the resources to develop, implement and continually improve the information security management and business continuity management system appropriate to our business.” [Chief Executive Officer Name and Date and Signature]

  6. Write an introduction to the policy

    Set out what the policy covers and why you have it. An example:

    Information security protects the information that is entrusted to us. Getting information security wrong can have significant adverse impacts on our employees, our customers, our reputation, and our finances. By having an effective information security management system, we can:

    – Provide assurances for our legal, regulatory, and contractual obligations
    – Ensure the right people have the right access to the right data at the right time
    – Provide protection of personal data as defined by the GDPR
    – Be good data citizens and custodians

  7. Write your information security objectives

    Set the objectives for the information security management system. An example:

    To ensure the confidentiality, integrity and availability of organisation information, including all personal data as defined by the GDPR, based on good risk management; legal, regulatory and contractual obligations; and business need.

    To provide the resources required to develop, implement, and continually improve the information security management system.

    To effectively manage third party suppliers who process, store, or transmit information to reduce and manage information security risks.

    To implement a culture of information security and data protection through effective training and awareness.

  8. Define information security

    Provide a definition of information security and of the terms confidentiality, integrity and availability.

  9. Describe the policy framework

    Provide a description of the policy framework and the policies that are part of it. An example:

    The information security management system is built upon an information security policy framework. In conjunction with this policy, the following policies make up the policy framework:

    DP 01 Data protection Policy
    DP 02 Data Retention Policy
    IS 01 Information Security Policy (this policy)
    IS 02 Access Control Policy
    IS 03 Asset Management Policy
    IS 04 Risk Management Policy
    IS 05 Information Classification and Handling Policy
    IS 06 Information Security Awareness and Training Policy
    IS 07 Acceptable Use Policy
    IS 08 Clear Desk and Clear Screen Policy
    IS 09 Mobile and Teleworking Policy
    IS 10 Business Continuity Policy
    IS 11 Backup Policy
    IS 12 Malware and Antivirus Policy
    IS 13 Change Management Policy
    IS 14 Third Party Supplier Security Policy
    IS 15 Continual Improvement Policy
    IS 16 Logging and Monitoring Policy

  10. Set out the roles and responsibilities

    Create a definition of each of the roles for information security and what their responsibilities are. An example:

    Information security is everyone's responsibility: every person must understand and adhere to the policies, follow the processes, and report suspected or actual breaches. Specific roles and responsibilities for the running of the information security management system are defined and recorded in the document Information Security Roles Assigned and Responsibilities.

  11. Describe how you will monitor the effectiveness of information security

    Lay out the measures and monitoring that you will use to verify that information security is effective. An example:

    Compliance with the policies and procedures of the information security management system is monitored by the Management Review Team, together with independent reviews by both Internal and External Audit on a periodic basis.

  12. Document your legal and regulatory obligations

    Working with legal counsel, set out the laws and regulations that your organisation must follow. An example:

    The organisation takes its legal and regulatory obligations seriously and these requirements are recorded in the document Legal and Contractual Requirements Register.

  13. Set out your approach to training and awareness

    Define how you do training and awareness. An example:

    Policies are made readily and easily available to all employees and third-party users. A training and communication plan is in place to communicate the policies, process, and concepts of information security. Training needs are identified, and relevant training requirements are captured in the document Competency Matrix.

  14. Describe your approach to continual improvement

    Describe how you go about doing continual improvement. An example:

    The information security management system is continually improved. The continual improvement policy sets out the company approach to continual improvement, and there is a continual improvement process in place.

  15. Define policy compliance

    Set out how compliance with the policy will be achieved and measured, how exceptions are approved and recorded, and what happens in the event of non-compliance.

How to Implement It

You implement the policy by making sure your team follows it. This means:

  • Communicating it: Share the policy with everyone.
  • Training your team: Teach them what the policy means for their daily jobs.
  • Enforcing it: Hold people accountable for following the rules.

Examples of using it for small businesses

Your policy might state, “All customer data must be stored on approved, encrypted systems.” This is a clear, actionable rule that everyone can understand and follow.

Examples of using it for tech startups

Your policy might have a section on intellectual property, saying, “All code must be stored in secure, version-controlled repositories with restricted access.” This protects your most valuable asset.

Examples of using it for AI companies

Your policy might include, “All data used for AI training must be de-identified to protect privacy,” to address a key ethical and legal risk.

How the ISO 27001 Toolkit Can Help

An ISO 27001 toolkit is like a shortcut and it includes a pre-written template for the Information Security Policy. These templates are a great starting point, saving you time and ensuring you include all the required parts of the standard.


Information Security Standards That Need It

This policy is a key part of ISO 27001, which is the international standard for managing information security. Other standards, frameworks and regulations that expect a documented information security policy, or that are much easier to evidence when you have one, include:

  • GDPR (General Data Protection Regulation)
  • CCPA (California Consumer Privacy Act)
  • DORA (Digital Operational Resilience Act)
  • NIS2 (Network and Information Security Directive)
  • SOC 2 (Service Organisation Control 2)
  • NIST frameworks (National Institute of Standards and Technology)
  • HIPAA (Health Insurance Portability and Accountability Act)

List of Relevant ISO 27001:2022 Controls

The Information Security Policy is a core requirement of ISO 27001:2022 (Clause 5.2), and it is supported by specific Annex A controls, principally 5.1 Policies for information security, 5.4 Management responsibilities, 5.36 Compliance with policies, rules and standards for information security, 6.3 Information security awareness, education and training, and 6.4 Disciplinary process. The full mapping to both the 2022 and the 2013/2017 editions is given below.

ISO 27001 Information Security Policy Example

Below is an example ISO 27001 Information Security Policy extract of the contents page so you know what to include.

[Images: ISO 27001 Information Security Policy example pages 1, 3 and 4]

ISO 27001 Topic Specific Policies

You are going to have a pack of policies that are required by ISO 27001. This makes good, practical sense for a governance framework. It could all be in one document but there are practical benefits to having separate policies. By having separate policy documents, they are:

  • easy to communicate and to share with the people they are relevant to
  • easy to assign an owner who will keep it up to date and implement it
  • easy to review and sign off

ISO 27001 Information Security Policy Framework

The information security management system is built upon an information security policy framework. In conjunction with this policy, the topic-specific policies listed in step 9 above (data protection, access control, asset management, risk management, and so on) make up the policy framework.

Why is an information security policy important?

An information security policy is important because your organisation processes, stores and transmits valuable data and information. To understand the value of an information security policy, let’s break out the data we are protecting into three parts.

Customer Data: whatever your product or service, you are going to be handling customer data of some description. It could be customer personal information, order information or technical information. What is fundamental is that your customers care deeply about that information. They also care about how you are protecting it.

Employee Data: you have employees and you hold their most private and personal information. It is likely that you have names, addresses, bank details, social security and tax information, sickness information, performance data, pension information and more. Your employees care deeply about the protection of their most private information.

Company Data: you have financial data relating to your performance, you have customer databases and CRM, you potentially have intellectual property or secrets about the way you conduct business. Your owners care a lot about protecting this to protect their profits.

Information Security Policy Mapped to ISO 27001

Let’s map the information security policy template to each version of the ISO 27001 standard.

ISO 27001:2022

ISO 27001:2022 Clause 5 Leadership

ISO 27001:2022 Clause 5.1 Leadership and commitment

ISO 27001:2022 Clause 5.2 Policy

ISO 27001:2022 Clause 6.2 Information security objectives and planning to achieve them

ISO 27001:2022 Clause 7.3 Awareness

ISO 27002:2022

ISO 27002:2022 Clause 5 Organisational Controls

ISO 27002:2022 Clause 5.1 Policies for information security

ISO 27002:2022 Clause 5.4 Management Responsibilities

ISO 27002:2022 Clause 5.36 Compliance with policies, rules, and standards for information security

ISO 27002:2022 Clause 6 People Controls

ISO 27002:2022 Clause 6.3 Information security awareness, education, and training

ISO 27002:2022 Clause 6.4 Disciplinary process

ISO 27001:2013/17

ISO 27001:2013/2017 Clause 5 Leadership

ISO 27001:2013/2017 Clause 5.1 Leadership and commitment

ISO 27001:2013/2017 Clause 5.2 Policy

ISO 27001:2013/2017 Clause 6.2 Information security objectives and planning to achieve them

ISO 27001:2013/2017 Clause 7.3 Awareness

ISO 27002:2013/17

ISO 27002:2013/2017 Clause 5 Information security policies

ISO 27002:2013/2017 Clause 5.1 Management direction for information security

ISO 27002:2013/2017 Clause 5.1.1 Policies for information security

ISO 27002:2013/2017 Clause 5.1.2 Review of the policies for information security

ISO 27002:2013/2017 Clause 7 Human resource security

ISO 27002:2013/2017 Clause 7.2.1 Management Responsibilities

ISO 27002:2013/2017 Clause 7.2.2 Information security awareness, education, and training

ISO 27002:2013/2017 Clause 7.2.3 Disciplinary process

One large policy vs many policies?

You can create one large document of all of your policy statements or break them out into logical documents that can be more readily shared with an appropriate audience and allocated ownership internally to maintain. It will depend on your own situation. I prefer to break it down into individual policies.

One Large Policy

Pro:

  • Easy to maintain

Cons:

  • Hard to assign ownership
  • Hard to communicate to the relevant people
  • Hard to satisfy client requests for specific policies

Individual Policies

Pros:

  • Easy to assign ownership
  • Easy to communicate to the relevant people
  • Easy to satisfy client requests for specific policies

Con:

  • Harder to maintain

ISO 27001 Information Security Policy FAQ

What is the purpose of the ISO 27001 Information Security Policy?

The purpose of the policy is to set out the information security policies that apply to the company to protect the confidentiality, integrity and availability of data.

How often should an information security policy be reviewed?

It should be reviewed at least annually.

Can I create an information security policy myself?

Yes. It is easy and straightforward to do.

What tool should I create the policy in?

We find Microsoft Word is the easiest, but you can use any word processing application or even publish it as a page in your content management system.

How long does it take to write an information security policy?

About 4 hours.

What information will I need to write the information security policy?

You will need to know the required policies of ISO 27001 as covered in the Annex A / ISO 27002. In addition any company, client, customer specific policy requirements.

Should my policies all be in one document?

This depends on your company size and your administrative needs. For a small company this can make sense. Having separate policies in a modular pack has advantages in so far as they can be assigned to owners to be maintained, they can be communicated in an effective manner with the people that need to understand them, they can be shared as required with clients and auditors based on their requests without sharing everything.

What is the scope of the ISO 27001 Information Security Policy?

The scope of the policy is all employees and third-party users. This includes permanent staff, contractors, consultants and third party supplier employees working for your business.

What is the principle of the ISO 27001 Information Security Policy?

Information security is managed based on risk, legal and regulatory requirements and business need.

Does an ISO 27001 Information Security Policy Include Leadership Commitment?

Yes. Having a statement in the policy from the Chief Executive is a good way to record leadership commitment.

What is an Information Security Policy?

An information security policy sets out what you do for information security. It covers what you do, not how you do it. How you do it is covered in process, procedure and operating documents. The policy sets a clear direction for the organisation.

Does ISO 27001 require an Information Security Policy?

Yes. Clause 5.2 of ISO 27001 requires top management to establish an information security policy and make it available as documented information, and Annex A (ISO 27002) control 5.1 requires policies for information security to be defined, approved, published, communicated and reviewed.

Where can I get an ISO 27001 Information Security Policy template and best practice?

A copy of the information security policy template and best practice can be found here.

What is the definition of confidentiality?

Access to information is limited to those with appropriate authority.
The right people with the right access.

What is the definition of integrity?

Information is complete and accurate.
The right people with the right access to the right data.

What is the definition of availability?

Information is available when it is needed.
The right people with the right access to the right data at the right time.

What does CIA stand for?

CIA is the Confidentiality, Integrity and Availability of data.

Is the Information Security Policy required for ISO 27001 certification?

Yes, it is a required element of the ISO 27001 certification.

What does an Information Security Policy cover?
An information security policy covers the following as a minimum:

Document Version Control
Document Contents Page
Purpose
Scope
Information Security Policy
Principle
Chief Executives Statement of Commitment
Introduction
Information Security Defined
Information Security Objectives
Information Security Policy Framework
Information Security Roles and Responsibilities
Monitoring
Legal and Regulatory Obligations
Policy Compliance
Compliance Measurement
Exceptions
Non-Compliance
Continual Improvement
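The step-by-step procedure earlier on this page and the minimum contents list above describe what a finished policy must contain: version control and document mark-up, a fixed set of sections, management sign-off, and a review at least annually. The following is an added example, not code from this page or from the ISO 27001 toolkit, of a small linter that checks a policy kept as a Markdown file against those requirements. The file layout (a block of "Key: value" header lines followed by "## " section headings), the header field names (version, author, date, classification, approved_by, last_reviewed) and the sample documents are assumptions made for the example; ISO 27001 prescribes none of them.

```python
"""Added example: lint an ISO 27001 information security policy kept as Markdown.

Checks the document mark-up (version control fields and classification), the
minimum sections listed on the page, that top management has signed it off, and
that the last review is within a year. File layout and field names are assumed
for this example; ISO 27001 does not prescribe a file format."""
import re
from datetime import date, timedelta

# Sections the page lists as the minimum contents of the policy.
REQUIRED_SECTIONS = [
    "Purpose", "Scope", "Principle", "Chief Executive's Statement of Commitment",
    "Introduction", "Information Security Defined", "Information Security Objectives",
    "Information Security Policy Framework", "Information Security Roles and Responsibilities",
    "Monitoring", "Legal and Regulatory Obligations", "Policy Compliance",
    "Compliance Measurement", "Exceptions", "Non-Compliance", "Continual Improvement",
]
# Version control and mark-up fields expected in the header block (assumed names).
REQUIRED_FIELDS = ["version", "author", "date", "classification", "approved_by", "last_reviewed"]
REVIEW_INTERVAL = timedelta(days=365)   # the page says review at least annually
AS_OF = date(2025, 9, 25)               # reference date used by the samples below


def parse_policy(text):
    """Split a policy file into a header dict ('Key: value' lines before the first
    '## ' heading) and the ordered list of '## ' section titles that follow."""
    header, sections = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("## "):
            sections.append(line[3:].strip())
        elif ":" in line and not sections:       # only the header block carries fields
            key, _, value = line.partition(":")
            header[key.strip().lower()] = value.strip()
    return header, sections


def lint_policy(text, today):
    """Return a list of findings for the document; an empty list means it passes."""
    header, sections = parse_policy(text)
    findings = []
    for field in REQUIRED_FIELDS:
        if not header.get(field):
            findings.append(f"missing header field: {field}")
    # Version control needs a real version number (e.g. 1.0, 2.3), not a label.
    if header.get("version") and not re.fullmatch(r"\d+\.\d+", header["version"]):
        findings.append(f"version is not of the form N.N: {header['version']}")
    for section in REQUIRED_SECTIONS:
        if section not in sections:
            findings.append(f"missing section: {section}")
    # Review cadence: flag a document whose last review is more than a year old.
    if header.get("last_reviewed"):
        try:
            reviewed = date.fromisoformat(header["last_reviewed"])
            if today - reviewed > REVIEW_INTERVAL:
                findings.append(f"last review overdue: {reviewed.isoformat()}")
        except ValueError:
            findings.append(f"last_reviewed is not an ISO date: {header['last_reviewed']}")
    return findings


# Constructed sample documents (not real policies). GOOD_POLICY carries every
# header field and every required section; BAD_POLICY has a label instead of a
# version number, no approver, only two sections, and a review over a year old.
GOOD_POLICY = (
    "Version: 1.2\nAuthor: J. Smith\nDate: 2025-09-01\nClassification: Internal\n"
    "Approved_by: Chief Executive Officer\nLast_reviewed: 2025-09-01\n\n"
    + "".join(f"## {s}\nText of the {s} section.\n\n" for s in REQUIRED_SECTIONS)
)
BAD_POLICY = (
    "Version: draft\nAuthor: J. Smith\nDate: 2024-03-01\nClassification: Internal\n"
    "Last_reviewed: 2024-03-01\n\n## Purpose\nText.\n\n## Scope\nText.\n"
)

if __name__ == "__main__":
    for name, doc in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(f"{name}: {lint_policy(doc, AS_OF) or 'no findings'}")
```

Run it as a pre-commit or CI step on the repository that holds your ISMS documents and the same checks an auditor makes by hand (is it versioned, is it signed off, is it complete, has it been reviewed this year) fail the build before the document reaches the auditor.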

Is the policy the same as a procedure?

No, the policy says what you do, while a procedure says how you do it.

Do I need a separate policy for every department?

No, you need one main policy for the whole company, though you can have supporting policies for specific areas.

How long should it be? 

It should be concise. Don’t make it a novel.

Can I fail an audit for a bad policy? 

Yes, if it’s not approved by management, doesn’t meet the standard, or isn’t communicated to employees.

Who should write it? 

Someone with good writing skills who understands your business and its security needs. This is often the security manager or a consultant.

Does it have to be a physical document?

No, a digital file is fine, as long as it’s easily accessible.

What if my employees don’t read it?

It’s your job to make sure they know about it. Communication and training are key.

What if my company is small?

Your policy can be short and simple. Focus on what’s most important to your business.

Is it a secret document?

No, it’s meant to be shared with your entire team.

Does it need to be signed?

Yes, it should be approved by a member of top management.

What happens if someone violates the policy?

Your policy should mention that you have a process for handling violations, like disciplinary action.

What’s the most important part of the policy?

That it reflects your company’s real commitment to security and is put into action, not just left on a shelf.

About the author

Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business that he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is an active and a hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2 and his niche is start up and early stage business.