ISO27001 Information Security Policy Beginners Guide

ISO 27001 Information Security Policy: Beginner’s guide

In this article we lay bare the ISO 27001 information security policy. Exposing the insider trade secrets, giving you the templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO 27001 certification. We show you exactly what changed in the ISO 27001:2022 update. I am Stuart Barker the ISO 27001 Ninja and this is the ISO 27001 information security policy

What is the ISO 27001 Information Security Policy?

The information security policy is a high level policy that sets out what the management approach of the organisation is. It includes some key elements such as management and leadership buy in. As a stand alone document it can be shared with staff to explain what they should be doing and with customers and potential customers to assure them you are doing the right thing.

How does it work?

You are going to have a pack of policies that are required by ISO 27001. This makes good, practical sense for a governance framework. It could all be in one document but there are practical benefits to having separate policies. By having separate policy documents, they are:

  • easy to communicate and to share with the people they are relevant to
  • easy to assign an owner who will keep it up to date and implement it
  • easy to review and sign off

ISO 27001 Information Security Policy Template

Designed to save hours of work and prewritten and fully populated the ISO 27001 Information Security Policy Template meets the requirements of ISO 27001 and other leading frameworks.

ISO27001 Information Security Policy-Black

ISO 27001 Information Security Policy PDF Example

An extract as an ISO 27001 Information Security Policy Example

ISO27001 Information Security Policy Example

Information Security Policy Mapped to ISO 27001

Let’s map the information security policy template to each version of the ISO 27001 standards.

ISO 27001:2022

ISO 27001:2022 Clause 5 Leadership

ISO 27001:2022 Clause 5.1 Leadership and commitment

ISO 27001:2022 Clause 5.2 Policy

ISO 27001:2022 Clause 6.2 Information security objectives and planning to achieve them

ISO 27001:2022 Clause 7.3 Awareness

ISO 27002:2022

ISO 27002:2022 Clause 5 Organisational Controls

ISO 27002:2022 Clause 5.1 Policies for information security

ISO 27002:2022 Clause 5.36 Compliance with policies, rules, and standards for information security

ISO 27002:2022 Clause 5.4 Management Responsibilities

ISO 27002:2022 Clause 6 People Controls

ISO 27002:2022 Clause 6.3 Information security awareness, education, and training

ISO 27002:2022 Clause 6.4 Disciplinary process

ISO 27001:2013/17

ISO 27001:2013/2017 Clause 5 Leadership

ISO 27001:2013/2017 Clause 5.1 Leadership and commitment

ISO 27001:2013/2017 Clause 5.2 Policy

ISO 27001:2013/2017 Clause 6.2 Information security objectives and planning to achieve them

ISO 27001:2013/2017 Clause 7.3 Awareness

ISO 27002:2013/17

ISO 27002:2013/2017 Clause 5 Information security policies

ISO 27002:2013/2017 Clause 5.1 Management direction for information security

ISO 27002:2013/2017 Clause 5.1.1 Policies for information security

ISO 27002:2013/2017 Clause 5.1.2 Review of the policies for information security

ISO 27002:2013/2017 Clause 7 Human resource security

ISO 27002:2013/2017 Clause 7.2.1 Management Responsibilities

ISO 27002:2013/2017 Clause 7.2.2 Information security awareness, education, and training

ISO 27002:2013/2017 Clause 7.2.3 Disciplinary process

Why is an information security policy important?

An information security policy is important because your organisation processes, stores and transmits valuable data and information. To understand the value of an information security policy, let’s break out the data we are protecting into three parts.

Customer Data: what ever your product or service, you are going to be handling customer data of some description. It could be customer personal information, order information, technical information. What is fundamental is that your customer cares deeply about that information. They also care about how you are taking care and protecting it. 

Employee Data: you have employees and you have their most private and personal information. It is likely that you have names, address, bank details, social security and tax information, sickness information, performance data, pension information and more. Your employees care deeply about the protection of their most private information. 

Company Data: you have financial data relating to your performance, you have customer databases and CRM, you potentially have intellectual property or secrets about the way you conduct business. Your owners care a lot about protecting this to protect their profits.

How to implement an information security policy?

An information security policy is a document that is created by the organisation. Usually created in Microsoft Word with the final version saved as a PDF. It will be based on best practice such as the ISO 27001 the international standard for information security. It will have key common elements within it that are standard across every organisation. The information security policy will be approved by senior management and then shared with employees to let them know what is expected of them. It may form part of annual employee training. The policies will be reviewed, updated and reissued at least annually. As part of most customer tenders and bids you will be asked for a copy of your information security policy and it will be shared with them.

How can I create an information security policy?

The easiest way to create and information security policy is to download and information security policy template and tailor it your organisation. By downloading a trusted template most of the hard work has been done for you.

This video on How To Create An Information Security Policy has been viewed over 8,000 times. If you are doing it yourself watch and learn step by step how to create an information security policy in under 5 minutes.

Information Security Policy Framework

The information security management system is built upon an information security policy framework. In conjunction with this policy, the following policies make up the policy framework:

ISO 27001 Information Security Policy FAQ

What is the purpose of the Information Security Policy?

The purpose of the policy is to set out the information security policies that apply to the company to protect the confidentiality, integrity and availability of data.

What is the scope of the Information Security Policy?

The scope of the policy is all employees and third-party users. This includes permanent staff, contractors, consultants and third party supplier employees working for your business.

What is the principle of the Information Security Policy?

Information security is managed based on risk, legal and regulatory requirements and business need.

Does an Information Security Policy Include Leadership Commitment?

Yes. Having a statement in the policy from the Chief Executive is a good way to record leadership commitment.

What is an Information Security Policy?

An information security policy sets out what you do for information security. It covers the what you do not how you do it. How you do it is covered in process, procedure and operating documents. It sets a clear direction for the organisation.

Does ISO 27001 require an Information Security Policy?

Yes. An Information Security Policy is a key requirement of ISO 27001 forming part of ISO 27001 and ISO 27002 / Annex A.

Where can I get an Information Security Policy template and best practice?

A copy of the information security policy template and best practice can be found here:

What is the definition of confidentiality?

Access to information is to those with appropriate authority.
The right people with the right access.

What is the definition of integrity?

Information is complete and accurate
The right people with the right access to the right data.

What is the definition of availability?

Information is available when it is needed
The right people with the right access to the right data at the right time.

What does CIA stand for?

CIA is the Confidentiality, Integrity and Availability of data.

Is the Information Security Policy required for ISO 27001 certification?

Yes, it is a required element of the ISO 27001 certification.

What does an Information Security Policy cover?
An information security management policy covers the following as a minimum:

Document Version Control
Document Contents Page
Information Security Policy
Chief Executives Statement of Commitment
Information Security Defined
Information Security Objectives
Information Security Policy Framework
Information Security Roles and Responsibilities
Legal and Regulatory Obligations
Policy Compliance
Compliance Measurement
Continual Improvement

How to write an information security policy

Time needed: 4 hours and 30 minutes.

How to write an information security policy

  1. Create your version control and document mark-up

    ISO 27001 documents require version control of the author, the change, the date and the version as well as document mark up such as document classification.

  2. Write the document purpose

    Write the purpose of the document. The purpose of this policy is to protect against loss of data.

  3. Write the scope of the policy

    Consider the scope of the information security policy. It should really apply to all employees and third party staff working for your company.

  4. Write the principle on which the policy is based

    The principle of the policy is the confidentiality, integrity and availability of data. It is about the security and protection of of confidential data.

  5. Write a chief executives statement of commitment

    Write a statement from the most senior person in the organisation about the organisations commitment to information security. Provide a date for the quote.

  6. Define information security

    Provided a definition for information security and for the terms confidentiality, integrity and availbabilty.

  7. Describe the policy framework

    Provide a description of the policy framework and the policies that are part of it.

  8. Set out the roles and responsibilities

    Create a definition of each of the roles for information security and what their responsibilities are.

  9. Describe how you will monitor the effectiveness of information security

    Layout the measures and monitors that you will use to verify that the information security is effective.

  10. Document your legal and regulatory obligations

    Working with legal counsel set out the laws and regulations that your organisation follows

  11. Define policy compliance

    Provide for how compliance to the policy will be acheived.

ISO 27001 Policy Templates

Imagine having every information security policy that you need, already prewritten with best practice that you could quickly and easily implement into your own organisation.

The ISO 27001 Policy Pack is designed to do just that.

ISO27001 Policy Templates Pack Black

ISO 27001 Information Security Policy Template Overview

ISO 27001 Templates Toolkit Business Edition Black
ISO27001 Policy Templates Pack Green

FREE 30 minute ISO 27001 strategy session.

Claim your 100% FREE no-obligation 30 minute strategy session call (£1000 value). This is strictly for small businesses who are hungry to get ISO 27001 certified up to 10x faster and 30x cheaper.

ISO27001 Certification Stragey Call

Shopping Basket