ISO 27001 Information Security Policy
The information security policy is the cornerstone of any information security management system and a requirement of the ISO 27001 standard.
In this guide you will learn what an ISO 27001 information security policy is and how to write it yourself, and I give you a template you can download and use right away.
Table of contents
- ISO 27001 Information Security Policy
- What is an ISO 27001 Information Security Policy?
- How does it work?
- Why you need an ISO 27001 Information Security Policy
- How to write an ISO 27001 Information Security Policy
- ISO 27001 Information Security Policy Template
- ISO 27001 Information Security Policy Example
- Watch the ISO 27001 Information Security Policy Tutorial
- ISO 27001 Topic Specific Policies
- ISO 27001 Information Security Policy Framework
- Why is an information security policy important?
- Information Security Policy Mapped to ISO 27001
- One large policy vs many policies?
- Information Security Policy in 60 Seconds
- ISO 27001 Information Security Policy FAQ
What is an ISO 27001 Information Security Policy?
The ISO 27001 Information Security Policy is the main information security policy. It is a high level policy that sets out the management approach to information security. It includes some key elements such as management and leadership buy-in. As a stand-alone document it can be shared with staff to explain what they should be doing, and with customers and potential customers to assure them you are doing the right thing.
The information security policy will be approved by senior management and then shared with employees to let them know what is expected of them. It may form part of annual employee training. The policy will be reviewed, updated and reissued at least annually. As part of most customer tenders and bids you will be asked for a copy of your information security policy, and it will be shared with them.
The information security policy is supported by topic specific policies.
It is one of the ISO 27001 policies required by the ISO 27001 standard for ISO 27001 certification.
How does it work?
The information security policy informs the reader on what is expected for information security. You create the policy that sets out what you do, you review it and have it signed off by senior management and then you communicate it to staff and interested parties. Usually staff will sign an acknowledgement that they will adhere to the policy. If they do not then there are various options available including invoking the company disciplinary procedure.
The information security policy must be easy to read, communicated, acknowledged and readily available.
Why you need an ISO 27001 Information Security Policy
It is a requirement of the ISO 27001 standard and an ISO 27001 mandatory document. It clearly communicates the organisation's commitment and approach to information security.
How to write an ISO 27001 Information Security Policy
Time needed: 1 hour and 30 minutes
How to write an information security policy
- Create your version control and document mark-up
ISO 27001 documents require version control of the author, the change, the date and the version as well as document mark up such as document classification.
- Write the ISO 27001 Information Security Policy purpose
Write the purpose of the document. The purpose of this policy is to set out the information security policies that apply to the organisation to protect the confidentiality, integrity, and availability of data.
- Write the ISO 27001 Information Security Policy scope
Consider the scope of the information security policy. The scope of the policy is all employees and third party staff working for your company.
- Write the ISO 27001 Information Security Policy principle
The principle of the policy is information security is managed based on risk, legal and regulatory requirements, and business need.
- Write a chief executive's statement of commitment
Write a statement from the most senior person in the organisation about the organisation's commitment to information security. Provide a date for the quote. An example:
“As a company, information processing is fundamental to our success and the protection, availability, and security of that information is a board level priority. Whether it is employee information or customer information we take our obligations under the law seriously. We have provided the resources to develop, implement and continually improve the information security management and business continuity management system appropriate to our business.” [Chief Executive Officer Name and Date and Signature]
- Write an introduction to the policy
Set out what the policy covers and why you have it. An example:
Information security protects the information that is entrusted to us. Getting information security wrong can have significant adverse impacts on our employees, our customers, our reputation, and our finances. By having an effective information security management system, we can:
– Provide assurances for our legal, regulatory, and contractual obligations
– Ensure the right people have the right access to the right data at the right time
– Provide protection of personal data as defined by the GDPR
– Be good data citizens and custodians
- Write your information security objectives
Set the objectives for the information security management system. An example:
To ensure the confidentiality, integrity and availability of organisation information, including all personal data as defined by the GDPR, based on good risk management, legal, regulatory and contractual obligations, and business need.
To provide the resources required to develop, implement, and continually improve the information security management system.
To effectively manage third party suppliers who process, store, or transmit information to reduce and manage information security risks.
To implement a culture of information security and data protection through effective training and awareness.
- Define information security
Provide a definition for information security and for the terms confidentiality, integrity and availability.
- Describe the policy framework
Provide a description of the policy framework and the policies that are part of it. An example:
The information security management system is built upon an information security policy framework. In conjunction with this policy, the following policies make up the policy framework:
DP 01 Data Protection Policy
DP 02 Data Retention Policy
IS 01 Information Security Policy (this policy)
IS 02 Access Control Policy
IS 03 Asset Management Policy
IS 04 Risk Management Policy
IS 05 Information Classification and Handling Policy
IS 06 Information Security Awareness and Training Policy
IS 07 Acceptable Use Policy
IS 08 Clear Desk and Clear Screen Policy
IS 09 Mobile and Teleworking Policy
IS 10 Business Continuity Policy
IS 11 Backup Policy
IS 12 Malware and Antivirus Policy
IS 13 Change Management Policy
IS 14 Third Party Supplier Security Policy
IS 15 Continual Improvement Policy
IS 16 Logging and Monitoring Policy
- Set out the roles and responsibilities
Create a definition of each of the roles for information security and what their responsibilities are. An example:
Information security is the responsibility of everyone: to understand and adhere to the policies, follow process and report suspected or actual breaches. Specific roles and responsibilities for the running of the information security management system are defined and recorded in the document Information Security Roles Assigned and Responsibilities.
- Describe how you will monitor the effectiveness of information security
Lay out the measures and monitors that you will use to verify that information security is effective. An example:
Compliance with the policies and procedures of the information security management system is monitored via the Management Review Team, together with independent reviews by both Internal and External Audit on a periodic basis.
- Document your legal and regulatory obligations
Working with legal counsel, set out the laws and regulations that your organisation follows. An example:
The organisation takes its legal and regulatory obligations seriously and these requirements are recorded in the document Legal and Contractual Requirements Register.
- Set out your approach to training and awareness
Define how you do training and awareness. An example:
Policies are made readily and easily available to all employees and third-party users. A training and communication plan is in place to communicate the policies, processes, and concepts of information security. Training needs are identified, and relevant training requirements are captured in the document Competency Matrix.
- Describe your approach to continual improvement
Describe how you go about doing continual improvement. An example:
The information security management system is continually improved. The continual improvement policy sets out the company approach to continual improvement and there is a continual improvement process in place.
- Define policy compliance
Provide for how compliance with the policy will be achieved.
ISO 27001 Information Security Policy Template
Designed to save hours of work, the prewritten and fully populated ISO 27001 Information Security Policy Template meets the requirements of ISO 27001 and other leading frameworks.
ISO 27001 Information Security Policy Example
Below is an example ISO 27001 Information Security Policy extract of the contents page so you know what to include.
Watch the ISO 27001 Information Security Policy Tutorial
The ISO 27001 standard was updated in 2022 and this guide shows you how to build an Information Security Policy to meet the requirements of the updated standard. Watch how to create an ISO 27001:2022 information security policy.
ISO 27001 Topic Specific Policies
ISO 27001 Information Security Policy Framework
The information security management system is built upon an information security policy framework. In conjunction with this policy, the following policies make up the policy framework:
- Data Protection Policy
- Data Retention Policy
- ISO 27001 Information Security Policy (this policy)
- ISO 27001 Access Control Policy
- ISO 27001 Asset Management Policy
- ISO 27001 Risk Management Policy
- ISO 27001 Information Classification and Handling Policy
- ISO 27001 Information Security Awareness and Training Policy
- ISO 27001 Acceptable Use Policy
- ISO 27001 Clear Desk and Clear Screen Policy
- ISO 27001 Mobile and Teleworking Policy
- ISO 27001 Business Continuity Policy
- ISO 27001 Backup Policy
- ISO 27001 Malware and Antivirus Policy
- ISO 27001 Change Management Policy
- ISO 27001 Third Party Supplier Security Policy
- ISO 27001 Continual Improvement Policy
- ISO 27001 Logging and Monitoring Policy
- ISO 27001 Network Security Management Policy
- ISO 27001 Information Transfer Policy
- ISO 27001 Secure Development Policy
- ISO 27001 Physical and Environmental Security Policy
- ISO 27001 Cryptographic Key Management Policy
- ISO 27001 Cryptographic Control and Encryption Policy
- ISO 27001 Document and Record Policy
Why is an information security policy important?
An information security policy is important because your organisation processes, stores and transmits valuable data and information. To understand the value of an information security policy, let’s break out the data we are protecting into three parts.
Customer Data: whatever your product or service, you are going to be handling customer data of some description. It could be customer personal information, order information or technical information. What is fundamental is that your customer cares deeply about that information. They also care about how you are looking after and protecting it.
Employee Data: you have employees and you have their most private and personal information. It is likely that you have names, addresses, bank details, social security and tax information, sickness information, performance data, pension information and more. Your employees care deeply about the protection of their most private information.
Company Data: you have financial data relating to your performance, you have customer databases and CRM, you potentially have intellectual property or secrets about the way you conduct business. Your owners care a lot about protecting this to protect their profits.
Information Security Policy Mapped to ISO 27001
Let’s map the information security policy template to each version of the ISO 27001 standard.
ISO 27001:2022
ISO 27001:2022 Clause 5 Leadership
ISO 27001:2022 Clause 5.1 Leadership and commitment
ISO 27001:2022 Clause 5.2 Policy
ISO 27001:2022 Clause 6.2 Information security objectives and planning to achieve them
ISO 27001:2022 Clause 7.3 Awareness
ISO 27002:2022
ISO 27002:2022 Clause 5 Organisational Controls
ISO 27002:2022 Clause 5.1 Policies for information security
ISO 27002:2022 Clause 5.36 Compliance with policies, rules, and standards for information security
ISO 27002:2022 Clause 5.4 Management Responsibilities
ISO 27002:2022 Clause 6 People Controls
ISO 27002:2022 Clause 6.3 Information security awareness, education, and training
ISO 27002:2022 Clause 6.4 Disciplinary process
ISO 27001:2013/17
ISO 27001:2013/2017 Clause 5 Leadership
ISO 27001:2013/2017 Clause 5.1 Leadership and commitment
ISO 27001:2013/2017 Clause 5.2 Policy
ISO 27001:2013/2017 Clause 6.2 Information security objectives and planning to achieve them
ISO 27001:2013/2017 Clause 7.3 Awareness
ISO 27002:2013/17
ISO 27002:2013/2017 Clause 5 Information security policies
ISO 27002:2013/2017 Clause 5.1 Management direction for information security
ISO 27002:2013/2017 Clause 5.1.1 Policies for information security
ISO 27002:2013/2017 Clause 5.1.2 Review of the policies for information security
ISO 27002:2013/2017 Clause 7 Human resource security
ISO 27002:2013/2017 Clause 7.2.1 Management Responsibilities
ISO 27002:2013/2017 Clause 7.2.2 Information security awareness, education, and training
ISO 27002:2013/2017 Clause 7.2.3 Disciplinary process
One large policy vs many policies?
You can create one large document of all of your policy statements or break them out into logical documents that can be more readily shared with an appropriate audience and allocated ownership internally to maintain. It will depend on your own situation. I prefer to break it down into individual policies.
One Large Policy
Pro
Easy to maintain
Cons
Hard to assign ownership
Hard to communicate to the relevant people
Hard to satisfy client requests for specific policies
Individual Policies
Pros
Easy to assign ownership
Easy to communicate to the relevant people
Easy to satisfy client requests for specific policies
Con
Harder to maintain
Information Security Policy in 60 Seconds
Is it possible to have an information security policy that is ready to go in 60 seconds? Let’s find out. Start the clock.
ISO 27001 Information Security Policy FAQ
The purpose of the policy is to set out the information security policies that apply to the company to protect the confidentiality, integrity and availability of data.
It should be reviewed at least annually.
Yes. It is easy and straightforward to do.
We find Microsoft Word is the easiest, but you can use any word processing application or even publish it as a web page in your content management system.
About 4 hours.
You will need to know the required policies of ISO 27001 as covered in Annex A / ISO 27002, plus any company-, client- or customer-specific policy requirements.
This depends on your company size and your administrative needs. For a small company one large policy can make sense. Having separate policies in a modular pack has advantages insofar as they can be assigned to owners to be maintained, they can be communicated effectively to the people that need to understand them, and they can be shared as required with clients and auditors based on their requests without sharing everything.
The scope of the policy is all employees and third-party users. This includes permanent staff, contractors, consultants and third party supplier employees working for your business.
Information security is managed based on risk, legal and regulatory requirements and business need.
Yes. Having a statement in the policy from the Chief Executive is a good way to record leadership commitment.
An information security policy sets out what you do for information security. It covers what you do, not how you do it. How you do it is covered in process, procedure and operating documents. It sets a clear direction for the organisation.
Yes. An Information Security Policy is a key requirement of ISO 27001 forming part of ISO 27001 and ISO 27002 / Annex A.
A copy of the information security policy template and best practice can be found here.
Access to information is to those with appropriate authority.
The right people with the right access.
Information is complete and accurate.
The right people with the right access to the right data.
Information is available when it is needed.
The right people with the right access to the right data at the right time.
CIA is the Confidentiality, Integrity and Availability of data.
Yes, it is a required element of the ISO 27001 certification.
An information security management policy covers the following as a minimum:
Document Version Control
Document Contents Page
Purpose
Scope
Information Security Policy
Principle
Chief Executives Statement of Commitment
Introduction
Information Security Defined
Information Security Objectives
Information Security Policy Framework
Information Security Roles and Responsibilities
Monitoring
Legal and Regulatory Obligations
Policy Compliance
Compliance Measurement
Exceptions
Non-Compliance
Continual Improvement
An information security policy should cover the purpose of the policy, the scope, the principles on which it is based, a chief executive statement of commitment and an introduction. It should define information security in terms of confidentiality, integrity and availability. It should include the information security objectives. If part of a pack, it should include the full policy framework list of policies. Roles and responsibilities are included, as are the measures and monitors.