An information security policy is a set of statements that explains how your organisation protects the confidentiality, integrity and availability of the data it handles. It tells employees what is expected of them and explains to customers and potential customers your approach to information security.
Why is an information security policy important?
An information security policy is important because your organisation processes, stores and transmits valuable data and information. To understand the value of the policy, it helps to break the data being protected into three parts.
Customer Data: whatever your product or service, you will be handling customer data of some description. It could be personal information, order information or technical information. What matters is that your customers care deeply about that information, and about how you are protecting it.
Employee Data: you have employees, and you hold their most private and personal information. You are likely to have names, addresses, bank details, social security and tax information, sickness records, performance data, pension information and more. Your employees care deeply about the protection of that information.
Company Data: you have financial data relating to your performance, customer databases and CRM systems, and potentially intellectual property or trade secrets about the way you conduct business. Your owners care a great deal about protecting this, because it underpins the company's profits.
How does an information security policy work?
An information security policy is a document created by the organisation, usually written in Microsoft Word with the final version saved as a PDF. It is based on best practice such as ISO 27001, the international standard for information security management.
It contains key common elements that are standard across every organisation.
The information security policy will be approved by senior management and then shared with employees to let them know what is expected of them.
It may form part of annual employee training.
The policy will be reviewed, updated and reissued at least annually.
As part of most customer tenders and bids you will be asked for a copy of your information security policy, so it will be shared with customers as well.
How can I create an information security policy?
The easiest way to create an information security policy is to download an information security policy template and tailor it to your organisation. By downloading a trusted ISO 27001 template, most of the hard work has been done for you.