How to write an information security policy – with template example

Information security policies are one of an organisation’s most important defences, because employee error accounts for or exacerbates a substantial number of security incidents.

Whether they're making honest mistakes, ignoring instructions or acting maliciously, employees are always liable to compromise information.

Technological defences can help mitigate the damage, but these must be accompanied by effective information security policies and procedures.


What is an information security policy?

An information security policy establishes an organisation’s aims and objectives on various security concerns.

For example, a policy might outline rules for creating passwords or state that portable devices must be protected when out of the premises. 

Unlike processes and procedures, policies don’t include instructions on how to mitigate risks.

Instead, they acknowledge which risks the organisation intends to address and broadly explain the method that will be used.


What an information security policy should contain

Those looking to create an information security policy should review ISO 27001, the international standard for information security management.

Although the Standard doesn’t list specific issues that must be covered in an information security policy (it understands that every business has its own challenges and policy requirements), it provides a framework that you can build around. 

If you follow ISO 27001’s advice, your information security policy will: 

  • Provide information security direction for your organisation; 
  • Include information security objectives; 
  • Include information on how you will meet business, contractual, legal or regulatory requirements; and 
  • Contain a commitment to continually improve your ISMS (information security management system).

What policies should you include?

Your policies will depend on the needs of your organisation, so it’s impossible to say which ones are mandatory.

However, there are some risks that are so common that they’re practically universal. For example, you will almost certainly need policies on: 

  • Remote access 

If you give employees the opportunity to work from home or on the road – or if you give them the option of checking their work emails in their spare time – you will need a remote access policy.

This policy addresses the vulnerabilities that occur when employees aren’t protected by the organisation’s physical and network security provisions.

For example, an employee working on a crowded train might expose sensitive information to someone peering over their shoulder. 

Likewise, an opportunist criminal might steal the employee’s device if it’s left unattended.

There’s also the risk that a criminal hacker could access information by compromising the public Wi-Fi and conducting a man-in-the-middle attack. 

The policy will therefore need to set out the organisation’s position on accessing the network remotely. It might, for instance, say that remote access is forbidden, that it can only be done over VPN, or that only certain parts of the network should be accessible remotely. 

  • Password management 

Practically every organisation gives its employees user accounts that give them access to sensitive information. 

But unless employees secure these accounts with strong passwords, criminal hackers will be able to crack them in seconds. Organisations must mitigate this risk by creating strict rules on what constitutes an acceptable password. 

But it’s no good getting everyone in the organisation to create strong passwords if they use them for multiple accounts or leave them written down where someone might see them.

Your password policy should acknowledge the risks that come with poor credential habits and establish means of mitigating the risk of password breaches. 

  • Acceptable use 

Managers often worry about staff doing non-work-related activities during office hours, but they should be more concerned about what employees are doing than when – and how long – they’re doing it.

Organisations have generally come to accept that employees will occasionally check their personal email or Facebook feed.

But they should draw the line at activities that could affect the organisation’s security, like visiting dodgy websites, installing potentially insecure apps or sharing work information with people who don’t work at the organisation. 

You can prevent much of the risk by blocking certain websites, but this isn’t a foolproof system, so you should also include a policy prohibiting employees from visiting any site that you deem unsafe.

Information security policy template

Documenting your policies takes a lot of time and effort, and you might still overlook key policies or fail to address important issues. That’s why it’s a good idea to work with trusted information security experts like us.

Our ISO 27001 Information Security Policy Template gives you a head start on your documentation process.

Written according to the best practices outlined in ISO 27002, this template gives essential security guidance that you can customise to suit your organisation in minutes. 


A version of this blog was originally published on 5 September 2019.
