Documenting your information security policy

A version of this blog was originally published on 20 November 2018. 

An organisation’s ability to prevent data breaches centres on the strength of its information security policy. If you get that document wrong, you won’t recognise key issues when it comes to implementing defence measures. 

To make sure you get started on the right track, we’ve taken some advice from Alan Calder and Steve Watkins’ IT Governance – An International Guide to Data Security and ISO27001/ISO27002 and Calder’s Nine Steps to Success: An ISO 27001 Implementation Overview. 

Calder and Watkins are renowned experts in ISO 27001, the international standard for information security, and their guidance is invaluable for any organisation that’s serious about security. 

What is an information security policy? 

An information security policy is a set of documents outlining what an organisation requires its employees to do in order to prevent security incidents. It doesn’t need to be lengthy, but it has to capture senior staff’s ideals and objectives for the organisation. 

You can keep the length down by avoiding anything overly prescriptive. At this stage, it’s important to keep your documentation as simple as possible so that managers have enough freedom to adapt their policies in line with organisational changes. 

The key questions you must answer 

When putting your information security policy together, there are four questions you must answer: 

  • Who is responsible for the policy? Senior staff must be completely behind the project, and that means they are ultimately accountable. Whoever puts the policy together must communicate with senior staff regularly, and they should have clear evidence (in the form of meeting minutes) showing that the policy was agreed upon. 
  • Where does the policy apply? The policy might apply to the whole organisation or only to certain parts (corporate, divisional, a specific office, etc.). This must be addressed and documented. 
  • What is the policy’s aim? ISO 27001 is specifically about preserving the confidentiality, integrity and availability of information. Your policy should focus on that and only that. 
  • Why is the policy in place? There are many ways information can be compromised, and although you don’t need to go into specifics at this stage, you should have a clear understanding of the threats you are addressing. 

How to get started 

If you’re not sure what your policy should look like, or need help with any other parts of documenting your ISO 27001 compliance project, you’ll benefit from our ISO 27001 ISMS Documentation Toolkit. 

Developed by ISO 27001 experts and used by more than 2,000 clients worldwide, the toolkit contains a complete set of templates to help you meet the Standard’s documentation requirements. You’ll save time and money while remaining confident that you’re doing everything necessary to achieve compliance. 

Take a free trial 

You can see how the toolkit works by taking a free trial. You’ll be able to view the quick-start guide and sample files, and even customise some of our template documents. 

Download your ISO 27001 ISMS Documentation Toolkit trial >>