ISO 27001 says that you must document an information security policy.
What is an information security policy?
An information security policy is one of the mandatory documents outlined in Clause 5.2 of ISO 27001 and sets out the requirements of your information security management system (ISMS).
The policy should be a short and simple document – approved by the board – that defines management direction for information security in accordance with business requirements and relevant laws and regulations.
Key elements of your information security policy
An information security policy needs to reflect your organisation’s view on information security and must:
- Provide information security direction for your organisation;
- Include information security objectives;
- Include information on how you will meet business, contractual, legal or regulatory requirements; and
- Contain a commitment to continually improve your ISMS.
The policy should help drive your approach to scoping the ISMS and implementation project.
An information security policy needs to include all employees in an organisation, and may also consider customers, suppliers, shareholders and other third parties. It’s important to consider how the policy will impact on these parties and the effect on your organisation as a result.
You can find out more about information security policies in our bestselling book Nine Steps to Success – An ISO 27001 Implementation Overview.
Help with creating an information security policy template
The information security policy is one of the most important documents in your ISMS.
Knowing where to start when compiling your information security policy can be difficult, especially in large or complex organisations where there may be many objectives and requirements to meet.
Developed by expert ISO 27001 practitioners, and enhanced by more than ten years of customer feedback and continual improvement, the ISO 27001 ISMS Documentation Toolkit contains a customisable information security policy template (see below) for you to easily apply to your organisation’s ISMS.
Using the toolkit can help speed up what can be a time-consuming task in your ISO 27001 project.
The ISO 27001 ISMS Documentation Toolkit includes:
- A complete set of easy-to-use, customisable and fully ISO 27001-compliant documentation templates that will save you time and money;
- Easy-to-use dashboards and gap analysis tools to ensure complete coverage of the Standard; and
- Direction and guidance from expert ISO 27001 practitioners.