Information Security Policy - High Table

Information Security Policy: The Ultimate Guide (2021)

An Information Security Policy is required for ISO 27001 certification and is one of the key documents of an ISO 27001 information security management system. It sits at the top of the ISO 27001 policy framework. In this article we look at an ISO 27001 information security policy template that forms part of that framework, along with an ISO 27001 Information Security Policy PDF example and a template you can download and start using straight away.

Information Security Policy Overview

What is the ISO 27001 Information Security Policy?

The Information Security Policy is your main, high-level policy. It sets out the principles, management commitment, the framework of supporting policies, the information security objectives, roles and responsibilities, and legal and regulatory obligations.

This is the policy you can share with everyone; it is your window to the world.


How does it work?

ISO 27001 requires a set of policies, so in practice you will have a pack of them. They could all be in one document, but there are practical benefits to keeping them separate. Separate policy documents are:

  • easy to communicate and to share with the people they are relevant to
  • easy to assign an owner who will keep it up to date and implement it
  • easy to review and sign off

Information Security Policy Framework

The information security management system is built upon an information security policy framework. In conjunction with this policy, the following policies make up the policy framework:

ISO 27001 Information Security Policy PDF example


Information Security Policy FAQ

What is the purpose of the Information Security Policy?

The purpose of the policy is to set out the information security policies that apply to the company to protect the confidentiality, integrity and availability of data.

What is the scope of the Information Security Policy?

The scope of the policy is all employees and third-party users. This includes permanent staff, contractors, consultants and third party supplier employees working for your business.

What is the principle of the Information Security Policy?

Information security is managed based on risk, legal and regulatory requirements and business need.

Does an Information Security Policy Include Leadership Commitment?

Yes. Having a statement in the policy from the Chief Executive is a good way to record leadership commitment.

What does an Information Security Policy cover?

An information security policy covers the following as a minimum:

  • Document Version Control
  • Document Contents Page
  • Information Security Policy
  • Chief Executive's Statement of Commitment
  • Information Security Defined
  • Information Security Objectives
  • Information Security Policy Framework
  • Information Security Roles and Responsibilities
  • Legal and Regulatory Obligations
  • Policy Compliance
  • Compliance Measurement
  • Continual Improvement

What is an Information Security Policy?

An information security policy sets out what you do for information security. It covers what you do, not how you do it; the how is covered in process, procedure and operating documents. The policy sets a clear direction for the organisation.

Does ISO 27001 require an Information Security Policy?

Yes. An Information Security Policy is a key requirement of ISO 27001: clause 5.2 (Policy) requires top management to establish one, and Annex A control A.5.1.1 (Policies for information security), which ISO 27002 expands on, requires it to be approved, published and communicated.

Where can I get an Information Security Policy template and best practice?

A copy of the information security policy template and best practice can be found here:

What is the definition of confidentiality?

Access to information is restricted to those with appropriate authority.
The right people with the right access.

What is the definition of integrity?

Information is complete and accurate.
The right people with the right access to the right data.

What is the definition of availability?

Information is available when it is needed.
The right people with the right access to the right data at the right time.

What is CIA?

CIA stands for Confidentiality, Integrity and Availability, the three properties of data that information security protects.

Is the Information Security Policy required for ISO 27001 certification?

Yes, it is a required element of ISO 27001 certification.
