How to document your information security policy

Organisations of all sizes must have policies in place to state and record their commitment to protecting the information that they handle.

Let’s take a look at exactly what documents you need to protect your organisation, and how you can simplify the process with an information security policy template.

What is an information security policy?

Your information security policy is the driving force for the requirements of your ISMS (information security management system): it sets out the board’s policy on, and requirements in respect of, information security.

It doesn’t need to be a long document (a couple of pages should do), but it has to capture the board’s requirements and the realities of your organisation. It also has to meet the requirements of ISO 27001 if you’re looking to achieve certification.

From a practical point of view, it is worth keeping the policy statement as simple, comprehensive and broad as possible, so that managers have adequate freedom to respond to changing business and security circumstances.

Consider your stakeholders

The policy statement will also require all employees in the organisation to participate, and might also require participation from customers, suppliers, shareholders and other third parties.

The board must consider how your policies will affect these stakeholders, and the benefits and disadvantages that the business will experience as a result.

It’s therefore a good idea to start thinking these issues through before you begin designing and deploying your ISMS.

Compiling your information security policy

Compiling your information security policy is not always as straightforward as it seems, especially in large or complex organisations, and the final policy may have to reflect the final risk assessment and the Statement of Applicability.

The policy must:

  • Set objectives or include a framework for setting its objectives, and establish the overall sense of direction;
  • Take into account all relevant business, legal, regulatory and contractual security requirements;
  • Establish the strategic context within which the ISMS will be established;
  • Establish the criteria for evaluating security risks and the structure of the risk assessment.

The policy statement must answer:

Who? – The board and management have to be completely behind and committed to the ISMS. The policy statement must therefore be issued under their authority, and there should be clear evidence (in the form of written minutes) that the policy was debated and agreed.

Where? – You must clearly identify the parts of the organisation to which the policy applies (corporate, divisional, management or geographic location).

What? – The overall goal of the policy – to protect the organisation from security breaches – and specific issues that you will address, such as remote access, password management and network security.

Why? – To protect sensitive information from a wide range of threats in order to ensure business continuity, minimise business damage and maximise return on investment.

Getting help with your information security policy

If you’re unsure what your policy should look like, or need help with any other parts of documenting your ISMS, then take a look at the ISO 27001 ISMS Documentation toolkit.

Developed by ISO 27001 experts, and used by thousands of organisations worldwide, this toolkit contains a complete set of security policy templates to meet your mandatory and supporting documentation requirements.

Proven to save you time and money, this toolkit will provide you with a framework for consistent, ISO 27001-compliant ISMS documentation that can be easily customised and tailored to your business’s needs and objectives.