What is an information security policy?

People are the weakest part of any organisation’s security defences. You can spend months designing flawless processes and investing in state-of-the-art technology, but both only work if the people using them know what they’re doing.

That’s why information security policies are among the most crucial elements of an organisation’s defence.

They contain a list of instructions for staff to follow in various scenarios and cover a range of topics, such as acceptable passwords and how often to back up data.

What do information security policies do?

Information security policies are usually the result of risk assessments, in which vulnerabilities are identified and safeguards are chosen.

Each policy will address a specific risk and define the steps that the organisation must take to mitigate it.
Where relevant, the policy will also explain how employees will be trained to become better equipped to deal with the risk.

For the threat of phishing, for example, the policy should explain what phishing is and instruct employees on whom to contact if they suspect they’ve received a phishing email.

It will also detail whether the organisation covers phishing as part of its staff awareness training and when those courses take place.

If the organisation has access to an e-learning staff awareness course, the policy should include a link to the relevant module.

What you should include in your information security policy

A policy can include anything that’s relevant to your organisation. But as a starting point, you should include the following sections:

1. Scope

Where do you store sensitive information – both physical and digital? How can people gain access to it?

Your information security policy should address any sensitive information, programs, systems, facilities or other infrastructure whose compromise would have a detrimental effect on your organisation.

The first requirement, therefore, is to document each of those so you know which parts of your organisation need to be protected.

2. Objectives

To determine whether your information security policy works as intended, you need to set objectives for success.

Where possible, these should be measurable, as individual judgement will potentially lead to inaccurate reporting and possibly even bias – either from those who want greater investment in information security or those who claim that the existing measures are effective.

But what exactly should you be measuring, and how do you measure it? ISMS.online recommends that organisations keep the three key principles of ISO 27001 in mind: confidentiality, integrity and availability.

It writes: “[A] key measure of success for us is the availability of our systems for customers to use. So we have an uptime objective of 99.5% (or SLA with customers) as one of the measures we track each month using our uptime monitoring systems.”

Other monthly objectives that it lists include having no failures in backups and no need to perform corrective actions.

The objectives you choose will vary depending on your industry and the maturity of your information security management system. They will probably also develop over time, which is why it’s important to keep track. If you are consistently meeting an objective, you should update it accordingly or focus on other areas.
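As an added illustration of a measurable objective (this is not code from the page or from ISMS.online), the block below computes monthly availability from outage intervals, clipping outages that straddle the month boundary, and checks the three monthly objectives mentioned above: uptime of at least 99.5%, no backup failures and no corrective actions. The outage data is constructed.

```python
from datetime import datetime

# Uptime objective quoted on the page; the other two objectives are "zero" counts.
UPTIME_OBJECTIVE_PCT = 99.5

def month_bounds(year, month):
    """Return [start, end) datetimes covering one calendar month."""
    start = datetime(year, month, 1)
    end = datetime(year + (month == 12), month % 12 + 1, 1)
    return start, end

def availability_pct(year, month, outages):
    """Availability for one month from (start, end) outage intervals.

    Outages that begin before or end after the month are clipped so that
    only downtime falling inside the month counts against it.
    """
    start, end = month_bounds(year, month)
    total = (end - start).total_seconds()
    down = 0.0
    for o_start, o_end in outages:
        clipped_start = max(o_start, start)
        clipped_end = min(o_end, end)
        if clipped_end > clipped_start:  # skip intervals wholly outside the month
            down += (clipped_end - clipped_start).total_seconds()
    return 100.0 * (total - down) / total

def evaluate_objectives(year, month, outages, backup_failures, corrective_actions):
    """Return a dict of objective name -> True if met for the given month."""
    uptime = availability_pct(year, month, outages)
    return {
        "uptime": uptime >= UPTIME_OBJECTIVE_PCT,
        "no_backup_failures": backup_failures == 0,
        "no_corrective_actions": corrective_actions == 0,
    }

# Constructed sample: January 2019 has 44640 minutes, so 0.5% is 223.2 minutes.
# 200 minutes of in-month downtime meets the objective; 240 would not.
SAMPLE_OUTAGES = [
    (datetime(2018, 12, 31, 23, 0), datetime(2019, 1, 1, 1, 0)),    # only 60 min count
    (datetime(2019, 1, 15, 10, 0), datetime(2019, 1, 15, 12, 20)),  # 140 min
]

if __name__ == "__main__":
    print(round(availability_pct(2019, 1, SAMPLE_OUTAGES), 3))
    print(evaluate_objectives(2019, 1, SAMPLE_OUTAGES, 0, 0))
```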

3. Access control policy

An information security policy is usually structured hierarchically. Senior employees have greater freedom and responsibilities regarding sensitive information, whereas lower-level employees have fewer responsibilities.

Organisations must therefore create access control policies to ensure that only approved users can view and amend certain records.

Access controls should be used to protect information wherever it is stored. This is most likely to cover digital records, which can be protected with passwords or other technical defences, but controls should also be implemented to protect physical records.

Further reading: How to write an ISO 27001 access control policy

4. Information classification

Information classification is the process of determining the level of protection that should be given to data.

Organisations usually classify information in terms of confidentiality, with a typical system containing four levels of confidentiality:

  • Confidential (only senior management have access)
  • Restricted (most employees have access)
  • Internal (all employees have access)
  • Public information (everyone has access)

Further reading: What is information classification and how is it relevant to ISO 27001?

5. Staff awareness training

Employees are always susceptible to mistakes. This might simply be carelessness, or they might be exploited by cyber criminals.

For example, attackers often target organisations using phishing emails. Doing so circumvents many of the measures that organisations adopt to protect themselves, relying instead on employees’ inability to spot a bogus message.

Your information security policy must include provisions for staff awareness training.

Further reading: ISO 27001 staff awareness training – meeting the requirements


In addition to these, you might also decide to include information regarding:

Need help creating your policies?

Documenting your policies takes a lot of time and effort, and you might still overlook key policies or fail to address critical issues.

However, you can avoid those problems with our bestselling Information Security Policy Template.

This customisable tool enables you to create an information security policy that aligns with the best practices outlined in ISO 27001.

Whether you want to make sure you have complete coverage of your information security concerns or simply want to speed up the documentation process, this template is an ideal resource.


A version of this blog was originally published on 11 January 2019.
