Introduction
In this ultimate guide I show you everything you need to know about the ISO 27001 Information Security Policy. Exposing the insider trade secrets, giving you the templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO 27001 certification.
I show you exactly what changed in the ISO 27001:2022 update.
I am Stuart Barker the ISO 27001 Ninja and this is the ISO 27001 Information Security Policy.
Table of contents
- Introduction
- What is an ISO 27001 Information Security Policy?
- ISO 27001 Information Security Policy Template
- What is the purpose of the ISO 27001 Information Security Policy?
- What is the ISO 27001 Information Security Policy Principle?
- Why is the ISO 27001 Information Security Policy Important?
- What should the ISO 27001 Information Security Policy Contain?
- ISO 27001 Information Security Policy Example
- How to write an ISO 27001:2022 Information Security Policy
- How to write an ISO 27001 Information Security Policy
- How to implement an information security policy?
- What are the benefits of ISO 27001 Information Security Policy?
- Who is responsible for the ISO 27001 Information Security Policy?
- How do you monitor the effectiveness of the ISO 27001 Information Security Policy?
- ISO 27001 Information Security Policy Framework
- ISO 27001 and the Information Security Policy
- ISO 27001 Information Security Policy FAQ
What is an ISO 27001 Information Security Policy?
The ISO 27001 Information Security Policy is the headline policy for information security. It sets out the organisation's approach to information security management and covers the confidentiality, integrity and availability of data.
In the ISO 27001:2022 update the standard changed to include the concept of topic-specific policies. These topic-specific policies, based on organisational need, sit under the main information security policy.
ISO 27001 Information Security Policy Template
The ISO 27001 Information Security Policy Template is pre-written and ready to go. It is an ISO 27001 mandatory document and one of the required ISO 27001 Policies.
What is the purpose of the ISO 27001 Information Security Policy?
The purpose of the ISO 27001 Information Security Policy is to set out the organisation's approach to information security to protect the confidentiality, integrity and availability of data.
What is the ISO 27001 Information Security Policy Principle?
Information security is managed based on risk, legal and regulatory requirements, and business need.
Why is the ISO 27001 Information Security Policy Important?
An information security policy is important because your organisation processes, stores and transmits valuable data and information that needs to be protected.
To understand the value of an information security policy, let’s break out the data we are protecting into three parts.
Customer Data: whatever your product or service, you are going to be handling customer data of some description. It could be customer personal information, order information or technical information. What is fundamental is that your customer cares deeply about that information. They also care about how you are looking after and protecting it.
Employee Data: you have employees and you have their most private and personal information. It is likely that you have names, addresses, bank details, social security and tax information, sickness information, performance data, pension information and more. Your employees care deeply about the protection of their most private information.
Company Data: you have financial data relating to your performance, you have customer databases and CRM, you potentially have intellectual property or secrets about the way you conduct business. Your owners care a lot about protecting this to protect their profits.
The ISO 27001 Information Security Policy is important as it sets out clearly the approach to information security management and what you expect to happen.
What should the ISO 27001 Information Security Policy Contain?
The ISO 27001 Information Security Policy is required to be presented in a certain way. What we mean by that is that the policy is expected to have certain document mark-up. Document mark-up is just a fancy term for having certain information on the policy. It will need version control, a version number, an owner and an information security classification. An example ISO 27001 Information Security Policy table of contents would look something like this:
- Document Version Control
- Document Contents Page
- Purpose
- Scope
- Information Security Policy
- Principle
- Chief Executive's Statement of Commitment
- Introduction
- Information Security Defined
- Information Security Objectives
- Information Security Policy Framework
- Information Security Roles and Responsibilities
- Monitoring
- Legal and Regulatory Obligations
- Policy Compliance
- Compliance Measurement
- Exceptions
- Non-Compliance
- Continual Improvement
ISO 27001 Information Security Policy Example
This is an example ISO 27001 Information Security Policy:
How to write an ISO 27001:2022 Information Security Policy
How to write an ISO 27001 Information Security Policy
Create your version control and document mark-up
ISO 27001 documents require version control of the author, the change, the date and the version, as well as document mark-up such as document classification.
Write the information security policy purpose
The purpose of the information security policy is to protect against loss of data.
Write the scope of the information security policy
Consider the scope of the information security policy. It should really apply to all employees and third-party staff working for your company.
Write the principle on which the information security policy is based
The principle of the policy is the confidentiality, integrity and availability of data. It is about the security and protection of confidential data.
Write a chief executive's statement of commitment
Write a statement from the most senior person in the organisation about the organisation's commitment to information security. Provide a date for the quote.
An example chief executive's statement of commitment:
“As a company, information processing is fundamental to our success and the protection, availability, and security of that information is a board level priority. Whether it is employee information or customer information we take our obligations under the law seriously. We have provided the resources to develop, implement and continually improve the information security management and business continuity management system appropriate to our business.”
[Chief Executive Officer Name and Date and Signature]
Define information security
Provide a definition for information security and for the terms confidentiality, integrity and availability.
An example would be:
Confidentiality: Access to information is to those with appropriate authority
Integrity: Information is complete and accurate
Availability: Information is available when it is needed
Describe the policy framework
Provide a description of the policy framework and list out the policies that are part of it.
Set out the roles and responsibilities
Create a definition of each of the roles for information security and what their responsibilities are.
Describe how you will monitor the effectiveness of information security
Lay out the measures and monitors that you will use to verify that information security is effective.
Document your legal and regulatory obligations
Working with legal counsel, set out the laws and regulations that your organisation follows.
Define policy compliance
Set out how compliance with the policy will be achieved.
How to implement an information security policy?
To implement an information security policy into your organisation you are going to:
- Write your information security policy following the steps above.
- Approve and sign off the information security policy
- Communicate the information security policy to relevant people
- Have them accept the policy
- Review the policy on an annual basis.
What are the benefits of ISO 27001 Information Security Policy?
Other than your ISO 27001 certification requiring it, the following are benefits of having the ISO 27001 Information Security Policy:
- Improved Security: Information security will be implemented and managed based on the risk to the organisation and business need, targeting appropriate protection where it is needed.
- Reduced Risk: A risk-based approach to information security will ensure your organisation is protected.
- Improved Compliance: Standards and regulations require an information security policy to be in place.
- Reputation Protection: In the event of a breach, having effective information security management will reduce the potential for fines and reduce the PR impact of an event.
Who is responsible for the ISO 27001 Information Security Policy?
Information security is the responsibility of the leadership team. The ISO 27001 Information Security Policy is also the responsibility of the senior leadership team, although they will delegate the management to the information security manager.
How do you monitor the effectiveness of the ISO 27001 Information Security Policy?
The approaches to monitoring the effectiveness of the information security policy include:
- Monthly management review meetings
- Internal audit of the ISMS
- External audit of the ISMS
- Review of operational processes for anomalies in operation
You can learn more by reading: How to implement ISO27001 Clause 5.2 Policy and Pass the Audit
ISO 27001 Information Security Policy Framework
The information security management system is built upon the ISO 27001 policies. These are mandatory ISO 27001 documents. In conjunction with the information security policy, the following policies make up the policy framework:
- Data Protection Policy
- Data Retention Policy
- ISO 27001 Information Security Policy (this policy)
- ISO 27001 Access Control Policy
- ISO 27001 Asset Management Policy
- ISO 27001 Risk Management Policy
- ISO 27001 Information Classification and Handling Policy
- ISO 27001 Information Security Awareness and Training Policy
- ISO 27001 Acceptable Use Policy
- ISO 27001 Clear Desk and Clear Screen Policy
- ISO 27001 Mobile and Teleworking Policy
- ISO 27001 Business Continuity Policy
- ISO 27001 Backup Policy
- ISO 27001 Malware and Antivirus Policy
- ISO 27001 Change Management Policy
- ISO 27001 Third Party Supplier Security Policy
- ISO 27001 Continual Improvement Policy
- ISO 27001 Logging and Monitoring Policy
- ISO 27001 Network Security Management Policy
- ISO 27001 Information Transfer Policy
- ISO 27001 Secure Development Policy
- ISO 27001 Physical and Environmental Security Policy
- ISO 27001 Cryptographic Key Management Policy
- ISO 27001 Cryptographic Control and Encryption Policy
- ISO 27001 Document and Record Policy
ISO 27001 and the Information Security Policy
The ISO 27001 Information Security Policy satisfies the following clauses in ISO 27001:2022:
ISO 27001:2022
ISO 27001:2022 Clause 5 Leadership
ISO 27001:2022 Clause 5.1 Leadership and commitment
ISO 27001:2022 Clause 5.2 Policy
ISO 27001:2022 Clause 6.2 Information security objectives and planning to achieve them
ISO 27001:2022 Clause 7.3 Awareness
ISO 27002:2022
ISO 27002:2022 Clause 5 Organisational Controls
ISO 27002:2022 Clause 5.1 Policies for information security
ISO 27002:2022 Clause 5.36 Compliance with policies, rules, and standards for information security
ISO 27002:2022 Clause 5.4 Management Responsibilities
ISO 27002:2022 Clause 6 People Controls
ISO 27002:2022 Clause 6.3 Information security awareness, education, and training
ISO 27002:2022 Clause 6.4 Disciplinary process
ISO 27001:2013/17
ISO 27001:2013/2017 Clause 5 Leadership
ISO 27001:2013/2017 Clause 5.1 Leadership and commitment
ISO 27001:2013/2017 Clause 5.2 Policy
ISO 27001:2013/2017 Clause 6.2 Information security objectives and planning to achieve them
ISO 27001:2013/2017 Clause 7.3 Awareness
ISO 27002:2013/17
ISO 27002:2013/2017 Clause 5 Information security policies
ISO 27002:2013/2017 Clause 5.1 Management direction for information security
ISO 27002:2013/2017 Clause 5.1.1 Policies for information security
ISO 27002:2013/2017 Clause 5.1.2 Review of the policies for information security
ISO 27002:2013/2017 Clause 7 Human resource security
ISO 27002:2013/2017 Clause 7.2.1 Management Responsibilities
ISO 27002:2013/2017 Clause 7.2.2 Information security awareness, education, and training
ISO 27002:2013/2017 Clause 7.2.3 Disciplinary process
ISO 27001 Information Security Policy FAQ
The scope of the information security policy is all employees and third-party users. This includes permanent staff, contractors, consultants and third-party supplier employees working for your business.
Yes. Having a statement in the policy from the Chief Executive is a good way to record leadership commitment.
An information security policy sets out what you do for information security. It covers what you do, not how you do it. How you do it is covered in process, procedure and operating documents. It sets a clear direction for the organisation.
Yes. An Information Security Policy is a key requirement of ISO 27001 forming part of ISO 27001 and ISO 27002 / Annex A.
A copy of the information security policy template and best practice can be found here: https://hightable.io/product/information-security-policy-template/
Confidentiality: Access to information is to those with appropriate authority. The right people with the right access.
Integrity: Information is complete and accurate. The right people with the right access to the right data.
Availability: Information is available when it is needed. The right people with the right access to the right data at the right time.
CIA is the Confidentiality, Integrity and Availability of data.
Yes, it is a required element of the ISO 27001 certification.