Information security policy: 4 things you must include

An information security policy is one of the required documents outlined in Clause 5.2 of ISO 27001.

Clients are often unsure what the policy needs to contain, so to help you get started we have outlined the four key elements that should shape this important piece of documentation.

What is an information security policy?

The information security policy sets out the high-level requirements of your ISMS (information security management system) and defines management direction and support for information security in accordance with business requirements and the laws and regulations that apply to the organisation.

Policies for companies in the GCC might, for example, acknowledge laws such as the DIFC Data Protection Law, Abu Dhabi Global Market’s Data Protection Regulations and Qatar’s Personal Data Privacy Protection Law.

It’s important to remember that a good information security policy should be a short and simple document: it states direction and commitments, not detailed controls or procedures. Clause 5.2 requires top management to establish it, so it should be approved at board or executive level.

How to structure your information security policy

A good information security policy will include four key elements:

  1. Information security direction for your organisation
  2. Information security objectives
  3. Commitment to meet business, contractual, legal or regulatory requirements
  4. Commitment to continually improve the ISMS

The policy gives the ISMS and the implementation project their direction and should be consistent with the ISMS scope you define under Clause 4.3 – it’s one of the most important documents you will create in your ISMS.

It’s important to consider all employees, customers, suppliers, shareholders and other interested parties, how this policy affects them and what that means for your organisation. Clause 5.2 also requires the policy to be available as documented information, communicated within the organisation and made available to interested parties as appropriate, so decide how it will be published and who needs to receive it.

Take a look at our international bestseller, Nine Steps to Success – An ISO 27001 Implementation Overview, for more information about information security policies and other elements of the ISO 27001 implementation process.

Information security policy example template

Knowing where to start when tackling the information security policy can be difficult, particularly in large or complex organisations where there may be many objectives and requirements to meet.

IT Governance offers a helping hand for GCC organisations with the customisable ISO 27001 Information Security Policy Template that can help you create one in minutes, enabling you to satisfy the requirements set out in Clause 5.2.

Below is an example of the template:

[Image: example of the ISO 27001 Information Security Policy Template available from IT Governance]

If you are searching for a comprehensive set of documentation templates to help with your ISO 27001 implementation project, you may be interested in the ISO 27001 ISMS Documentation Toolkit.

Used by more than 2,000 organisations across the world, this toolkit includes:

  • A complete set of easy-to-use, customisable and fully ISO 27001-compliant documentation templates that will save you time and money;
  • Easy-to-use dashboards and gap analysis tools to ensure complete coverage of the Standard; and
  • Direction and guidance from expert ISO 27001 practitioners.

Take a free trial to see how the documents and project tools can help you with your ISO 27001 project.