ISO 27001 Information Security Policy
What an information security policy contains, how to write it and a downloadable template.
What is the ISO 27001 Information Security Policy?
The ISO 27001 information security policy is your main, high-level policy. It sets out the security principles, the management commitment, the framework of supporting policies, the information security objectives, the roles and responsibilities, and the legal and regulatory obligations that apply to the organisation.
This is the one policy you can share with everyone, including customers, suppliers and auditors: it is your window to the world.
How does it work?
To meet ISO 27001 you will end up with a suite, or pack, of policies. This makes good, practical sense for a governance framework. It could all sit in a single document, but there are practical benefits to keeping separate policy documents:
- Each one is easy to communicate and share with the people it is relevant to
- Each one is easy to assign to an owner who keeps it up to date and implements it
- Each one is easy to review and sign off
Information Security Policy Framework
The information security management system (ISMS) is built on an information security policy framework. Together with this policy, the following policies make up that framework:
- DP 01 Data protection Policy
- DP 02 Data Retention Policy
- IS 01 Information Security Policy (this policy)
- IS 02 Access Control Policy
- IS 03 Asset Management Policy
- IS 04 Risk Management Policy
- IS 05 Information Classification and Handling Policy
- IS 06 Information Security Awareness and Training Policy
- IS 07 Acceptable Use Policy
- IS 08 Clear Desk and Clear Screen Policy
- IS 09 Mobile and Teleworking Policy
- IS 10 Business Continuity Policy
- IS 11 Backup Policy
- IS 12 Malware and Antivirus Policy
- IS 13 Change Management Policy
- IS 14 Third Party Supplier Security Policy
- IS 15 Continual Improvement Policy
- IS 16 Logging and Monitoring Policy
- IS 17 Network Security Management Policy
- IS 18 Information Transfer Policy
- IS 19 Secure Development Policy
- IS 20 Physical and Environmental Security Policy
- IS 21 Cryptographic Key Management Policy
- IS 22 Cryptographic Control and Encryption Policy
- IS 23 Document and Record Policy
Information Security Policy FAQ
What is the purpose of the information security policy?
The purpose of the policy is to set out the information security policies that apply to the company in order to protect the confidentiality, integrity and availability of its data.
What is the scope of the information security policy?
The scope of the policy is all employees and third-party users. This includes permanent staff, contractors, consultants and third-party supplier employees working for your business.
How is information security managed?
Information security is managed on the basis of risk, legal and regulatory requirements and business need.
Should the policy include a statement from the Chief Executive?
Yes. A statement in the policy from the Chief Executive is a good way to record leadership commitment.
What does an information security policy contain?
An information security policy covers the following as a minimum:
- Document Version Control
- Document Contents Page
- Information Security Policy
- Chief Executive's Statement of Commitment
- Information Security Defined
- Information Security Objectives
- Information Security Policy Framework
- Information Security Roles and Responsibilities
- Legal and Regulatory Obligations
What is an information security policy?
An information security policy sets out what you do for information security. It covers what you do, not how you do it; the how is covered in process, procedure and operating documents. The policy sets a clear direction for the organisation.
Where can I find an information security policy template?
A copy of the information security policy template and best practice can be found here: https://hightable.io/product/information-security-policy-template/
What is confidentiality?
Access to information is limited to those with appropriate authority: the right people with the right access.
What is integrity?
Information is complete and accurate: the right people with the right access to the right data.
What is availability?
Information is available when it is needed: the right people with the right access to the right data at the right time.
What is CIA?
CIA stands for the Confidentiality, Integrity and Availability of data.
Is an information security policy required for ISO 27001?
Yes. Clause 5.2 of ISO 27001 requires top management to establish an information security policy, so it is a required element of certification and an auditor will expect to see it.