What is an information security policy?


An information security policy is a set of statements that explains how your organisation protects the confidentiality, integrity and availability of its data. It tells employees what is expected of them and explains to customers and prospective customers how you approach information security.

Information Security Policy Template

ISO 27001 templates can fast-track an implementation, and the Information Security Policy template is pre-populated with best practice.

Why is an information security policy important?

An information security policy is important because your organisation processes, stores and transmits valuable data and information. To understand the value of the policy, it helps to break the data you are protecting into three parts.

Customer Data: whatever your product or service, you will be handling customer data of some description. It could be personal information, order information or technical information. What matters is that your customers care deeply about that information, and about how you look after and protect it.

Employee Data: you have employees, and you hold their most private and personal information. You are likely to hold names, addresses, bank details, social security and tax information, sickness records, performance data, pension information and more. Your employees care deeply about the protection of that information.

Company Data: you have financial data about your performance, customer databases and CRM systems, and potentially intellectual property or trade secrets about the way you do business. Your owners care about protecting this because the profitability of the business depends on it.

How does an information security policy work?

An information security policy is a document created by the organisation, usually written in Microsoft Word with the final version issued as a PDF. It is based on recognised best practice such as ISO 27001, the international standard for information security management.

It contains a number of common elements that appear in most organisations' policies: scope, objectives, roles and responsibilities, and the rules employees are expected to follow.

The information security policy is approved by senior management and then shared with employees so they know what is expected of them.

It may form part of annual employee training.

The policy is reviewed, updated and reissued at least annually, and whenever a significant change (such as a new system, a reorganisation or a security incident) makes the current version inaccurate.

In most customer tenders and bids you will be asked for a copy of your information security policy, and you will share it with the customer.

How can I create an information security policy?

The easiest way to create an information security policy is to download an information security policy template and tailor it to your organisation. By starting from a trusted ISO 27001 template, most of the hard work has already been done for you.


About the Author

Stuart Barker

Stuart is an ISO 27001 consultant and author of the ISO 27001 Templates Toolkit. Over 20 years he has helped hundreds of organisations implement the ISO 27001 standard and achieve ISO 27001 certification, with a 100% success rate.
