I am Stuart Barker the ISO 27001 Ninja and in this article I am going to show you the step-by-step guide on how
to write an information security policy.
An information security policy is a statement of what you do for information security, not how you do it. How you
do it is covered in process documents. The information security policy is shared with employees, customers,
third parties, auditors and more to show your approach to tackling information security. It includes some key
elements such as management buy-in, security objectives, roles and responsibilities, monitoring, and legal and
regulatory obligations. It is a straightforward document to write.
It is a fundamental building block of your ISO 27001 certification and your information security management
system.
The information security policy must be easy to read, communicated, acknowledged and readily available.
Should I write one large policy or break it down into many policies?
You can create one large document of all of your policy statements or break them out into logical documents
that can be more readily shared with an appropriate audience and allocated ownership internally to maintain. It
will depend on your own situation. I prefer to break it down into individual policies.
One Large Policy
Pro: Easy to maintain
Individual Policies
Con: Harder to maintain
ISO 27001 documents require version control that records the author, the change, the date and the version, as well
as document mark-up such as the document classification.
Consider the scope of the information security policy. It should really apply to all employees and third-party
staff working for your company.
The principle of the information security policy is the confidentiality, integrity and availability of data. It is
about the security and protection of confidential data.
Write a statement from the most senior person in the organisation about the organisation's commitment to
information security. Provide a date for the quote.
Provide a definition for information security and for the terms confidentiality, integrity and availability.
Provide a description of the policy framework and the policies that are part of it.
Create a definition of each of the roles for information security and what their responsibilities are.
Lay out the measures and monitors that you will use to verify that information security is effective.
Working with legal counsel, set out the laws and regulations that your organisation follows.
An information security policy should cover the purpose of the policy, the scope, the principles on which it is
based, a chief executive statement of commitment and an introduction. It should define information security in
terms of confidentiality, integrity and availability. It should include the information security objectives. If part of a
pack, it should include the full policy framework list of policies. Roles and responsibilities are included, as are the
measures and monitors.
We find Microsoft Word is the easiest, but you can use any word processing application or even have it as a web
page in your content management system.
About 4 hours.
This depends on your company size and your administrative needs. For a small company this can make sense.
Having separate policies in a modular pack has advantages insofar as they can be assigned to owners to be
maintained, they can be communicated in an effective manner to the people that need to understand them, and
they can be shared as required with clients and auditors based on their requests without sharing everything.