
hightable.io/how-to-create-an-information-security-policy/

How to write an information security policy


High Table ⋮ 7-9 minutes ⋮ 8/12/2022

I am Stuart Barker, the ISO 27001 Ninja, and in this article I am going to walk you through a step-by-step guide
to writing an information security policy.

It is easier than you think.

So sit back, and let’s go.


Table of contents
What is an Information Security Policy?
How does it work?
Should I write one large policy or break it down into many policies?
One Large Policy
Individual Policies
Information Security Policy in 60 Seconds
Information Security Policy Template
How to write an information security policy
How to create and use the information security policy video
Information Security Policy FAQ
Read Next

An information security policy is a statement of what you do for information security, not how you do it. How you
do it is covered in process documents. The information security policy is shared with employees, customers,
third parties, auditors and others to show your approach to tackling information security. It includes some key
elements such as management buy-in, security objectives, roles and responsibilities, monitoring, and legal and
regulatory obligations. It is a straightforward document to write.

It is a fundamental building block of your ISO 27001 certification and your information security management
system.

How does it work?


The information security policy tells the reader what is expected of them for information security. You create the
policy that sets out what you do, you review it and have it signed off by senior management, and then you
communicate it to staff and interested parties. Usually staff sign an acknowledgement that they will adhere
to the policy. If they then do not, there are various options available, including invoking the company disciplinary
procedure.

The information security policy must be easy to read, communicated, acknowledged and readily available.

Should I write one large policy or break it down into many policies?
You can create one large document of all of your policy statements or break them out into logical documents
that can be more readily shared with an appropriate audience and allocated ownership internally to maintain. It
will depend on your own situation. I prefer to break it down into individual policies.

One Large Policy

Pro

Easy to maintain
Cons

Hard to assign ownership

Hard to communicate to the relevant people

Hard to satisfy client requests for specific policies

Individual Policies

Pro

Easy to assign ownership

Easy to communicate to the relevant people

Easy to satisfy client requests for specific policies

Con

Harder to maintain

Information Security Policy in 60 Seconds


Is it possible to have an information security policy that is ready to go in 60 seconds? Let’s find out. Start the
clock.

Information Security Policy Template


How to write an information security policy
Time needed: 4 hours and 30 minutes.

1. Create your version control and document mark-up

ISO 27001 requires documents to be controlled: record the author, the change made, the date and the version
number, and mark the document up with information such as its classification.

2. Write the document purpose

Write the purpose of the Information Security Policy, for example: to protect the organisation's information
against loss, unauthorised disclosure and unauthorised modification.

3. Write the scope of the policy

Consider the scope of the information security policy. It should apply to all employees and to contractors and
third-party staff working for your company.

4. Write the principle on which the policy is based

The principle of the Information Security Policy is the confidentiality, integrity and availability of data. It is
about the security and protection of confidential data.

5. Write a chief executive's statement of commitment

Write a statement from the most senior person in the organisation about the organisation's commitment to
information security. Date the statement and attribute it by name and role.

6. Define information security

Provide a definition of information security and of the terms confidentiality, integrity and availability.

7. Describe the policy framework

Provide a description of the policy framework and the policies that are part of it.

8. Set out the roles and responsibilities

Define each of the roles for information security and what their responsibilities are.

9. Describe how you will monitor the effectiveness of information security

Lay out the measures and monitors that you will use to verify that information security is effective.

10. Document your legal and regulatory obligations

Working with legal counsel, set out the laws and regulations that your organisation must follow.

11. Define policy compliance

Set out how compliance with the policy will be achieved and verified, and what happens when the policy is not
followed.

How to create and use the information security policy video


In this tutorial video I show you how to create an information security policy in around 5 minutes. This step-by-
step tutorial walks you through policy document mark-up, what is included in an information security policy, how
it is used, and a templated example of a good information security policy.
Information Security Policy FAQ
What does an information security policy contain and cover?

An information security policy should cover the purpose of the policy, the scope, the principles on which it is
based, a chief executive's statement of commitment and an introduction. It should define information security in
terms of confidentiality, integrity and availability. It should include the information security objectives. If part of a
pack, it should include the full policy framework list of policies. Roles and responsibilities are included, as are the
measures and monitors.

How often should an information security policy be reviewed?

It should be reviewed at least annually, and sooner if there is a significant change to the organisation or its risks.

Can I create an information security policy myself?

Yes. It is easy and straightforward to do.

What should I create the policy in?

We find Microsoft Word is the easiest, but you can use any word processing application or even publish it as a web
page in your content management system.

How long does it take to write an information security policy?

About 4 hours.

What information will I need to write the information security policy?


You will need to know the policies that ISO 27001 requires, as covered in Annex A / ISO 27002, plus any
company-, client- or customer-specific policy requirements.

Should my policies all be in one document?

This depends on your company size and your administrative needs. For a small company a single document can make sense.
Having separate policies in a modular pack has advantages: they can be assigned to owners to be
maintained, they can be communicated effectively to the people who need to understand them, and
they can be shared with clients and auditors on request without sharing everything.

Read Next
Guaranteed ISO 27001 Certification up to 10x Faster and 30x Cheaper
The Ultimate ISO 27001 TOOLKIT so you can do it yourself 
ISO 27001 Exposed: The facts you must know (Not knowing these could cost you $10,000s!) 
25 Things You Must Know Before Going for ISO 27001 Certification (Number 3 will blow your mind!)
