ISO27001 Information Security Policy: Beginner’s guide

In this article we lay bare the ISO27001 information security policy. Exposing the insider trade secrets, giving you the templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO27001 certification. We show you exactly what changed in the ISO27001:2022 update. I am Stuart Barker the ISO27001 Ninja and this is the ISO27001 information security policy

What is the ISO27001 Information Security Policy?

The information security policy is a high level policy that sets out what the management approach of the organisation is. It includes some key elements such as management and leadership buy in. As a stand alone document it can be shared with staff to explain what they should be doing and with customers and potential customers to assure them you are doing the right thing.

How does it work?

You are going to have a pack of policies that are required by ISO27001. This makes good, practical sense for a governance framework. It could all be in one document but there are practical benefits to having separate policies. By having separate policy documents, they are:

• easy to communicate and to share with the people they are relevant to
• easy to assign an owner who will keep it up to date and implement it
• easy to review and sign off

ISO27001 Information Security Policy Template

Designed to save hours of work and prewritten and prepopulated the ISO27001 Information Security Policy Template meets the requirements of ISO27001 and other leading frameworks.

ISO27001 Information Security Policy PDF Example

An extract as an ISO27001 Information Security Policy Example

Information Security Policy Mapped to ISO27001

Let’s map the information security policy template to each version of the ISO27001 standards.

Why is an information security policy important?

An information security policy is important because your organisation processes, stores and transmits valuable data and information. To understand the value of an information security policy, let’s break out the data we are protecting into three parts.

Customer Data: what ever your product or service, you are going to be handling customer data of some description. It could be customer personal information, order information, technical information. What is fundamental is that your customer cares deeply about that information. They also care about how you are taking care and protecting it. 

Employee Data: you have employees and you have their most private and personal information. It is likely that you have names, address, bank details, social security and tax information, sickness information, performance data, pension information and more. Your employees care deeply about the protection of their most private information. 

Company Data: you have financial data relating to your performance, you have customer databases and CRM, you potentially have intellectual property or secrets about the way you conduct business. Your owners care a lot about protecting this to protect their profits.

How to implement an information security policy?

An information security policy is a document that is created by the organisation. Usually created in Microsoft Word with the final version saved as a PDF. It will be based on best practice such as the ISO27001 the international standard for information security. It will have key common elements within it that are standard across every organisation. The information security policy will be approved by senior management and then shared with employees to let them know what is expected of them. It may form part of annual employee training. The policies will be reviewed, updated and reissued at least annually. As part of most customer tenders and bids you will be asked for a copy of your information security policy and it will be shared with them.

How can I create an information security policy?

The easiest way to create and information security policy is to download and information security policy template and tailor it your organisation. By downloading a trusted template most of the hard work has been done for you.

This video on How To Create An Information Security Policy has been viewed over 8,000 times. If you are doing it yourself watch and learn step by step how to create an information security policy in under 5 minutes.

Information Security Policy Framework

The information security management system is built upon an information security policy framework. In conjunction with this policy, the following policies make up the policy framework:

• Data Protection Policy
• Data Retention Policy
• ISO27001 Information Security Policy ( this policy )
• ISO27001 Access Control Policy
• ISO27001 Asset Management Policy
• ISO27001 Risk Management Policy
• ISO27001 Information Classification and Handling Policy
• ISO27001 Information Security Awareness and Training Policy
• ISO27001 Acceptable Use Policy
• ISO27001 Clear Desk and Clear Screen Policy
• ISO27001 Mobile and Teleworking Policy
• ISO27001 Business Continuity Policy
• ISO27001 Backup Policy
• ISO27001 Malware and Antivirus Policy
• ISO27001 Change Management Policy
• ISO27001 Third Party Supplier Security Policy
• ISO27001 Continual Improvement Policy
• ISO27001 Logging and Monitoring Policy
• ISO27001 Network Security Management Policy
• ISO27001 Information Transfer Policy
• ISO27001 Secure Development Policy
• ISO27001 Physical and Environmental Security Policy
• ISO27001 Cryptographic Key Management Policy
• ISO27001 Cryptographic Control and Encryption Policy
• ISO27001 Document and Record Policy

ISO27001 Information Security Policy FAQ

How to write an information security policy

Read Next

Eager to learn more? Check out these related articles.

• Guaranteed ISO27001 Certification up to 10x Faster and 30x Cheaper
• The Ultimate ISO27001 TOOLKIT so you can do it yourself 
• ISO27001 Exposed: The facts you must know (Not knowing these could cost you $10,000s!) 
• 25 Things You Must Know Before Going for ISO27001 Certification (Number 3 will blow your mind!)