How to document your information security policy

Information security policies play a vital role in organisational security. Getting your policy right will give you an excellent framework to build on, making sure that all your efforts follow a single goal. But if you get it wrong, you risk neglecting key issues and exposing yourself to data breaches.

To make sure you get off on the right track, we’ve taken some advice from Alan Calder and Steve Watkins’ IT Governance – An International Guide to Data Security and ISO27001/ISO27002 and Calder’s Nine Steps to Success: An ISO27001 Implementation Overview.

As renowned experts in ISO 27001, the international standard for information security, their guidance is invaluable for any organisation that’s serious about security.


Information security policy basics

An information security policy is a set of documents explaining what an organisation expects its employees to do in order to prevent security incidents. It doesn’t need to be lengthy, but it must capture senior staff’s ideals and objectives for the organisation.

The best way to keep the length down is to keep things as simple as possible. You should avoid anything overly prescriptive, as managers need enough freedom to adapt their policies in line with organisational changes. 


The key questions

When putting your information security policy together, there are four questions you must answer: 

  • Who is responsible for the policy? Senior staff must be completely behind the project, and that means they are ultimately accountable. Whoever puts the policy together must communicate with senior staff regularly, and they should have clear evidence (in the form of meeting minutes) showing that the policy was agreed upon. 
  • Where does the policy apply? The policy might apply to the whole organisation or only to certain parts (corporate, divisional, a specific office, etc.). This must be addressed and documented. 
  • What is the policy’s aim? ISO 27001 is specifically about preserving the confidentiality, integrity and availability of information. Your policy should focus on that and only that.
  • Why is the policy in place? There are many ways information can be compromised, and although you don’t need to go into specifics at this stage, you should have a clear understanding of the threats you are addressing. 


How to get started 

If you’re not sure what your policy should look like, or need help with any other parts of documenting your ISO 27001 compliance project, you’ll benefit from our ISO 27001 ISMS Documentation Toolkit.

Developed by ISO 27001 experts and used by more than 2,000 clients worldwide, the toolkit contains a complete set of templates to help you meet the Standard’s documentation requirements. You’ll save time and money while remaining confident that you’re doing everything necessary to achieve compliance. 


Take a free trial 

You can see how the toolkit works by taking a free trial. You’ll be able to view the quick-start guide and sample files, and even be able to customise some of our template documents.
