What is an information security policy?

People are the weakest part of any organisation’s security defences. You can spend months designing flawless processes and investing in state-of-the-art technology, but both only work if the people using them know what they’re doing.

That’s why information security policies are among the most crucial elements of an organisation’s defence.

They outline an organisation’s overall approach to information security, with individual policies addressing specific practices and areas of the business.

What do information security policies do?

The central information security policy provides a broad overview of the organisation’s requirements. It also dictates some of the parameters of the information security risk assessment, such as the organisation’s risk acceptance criteria.

Specific information security policies result from the risk assessments, in which vulnerabilities are identified and safeguards are chosen.

Each policy will address a risk, or group of related risks, and define the organisation’s approach to mitigating it.

For the threat of phishing, for example, the policy should explain what phishing is and instruct employees on whom to contact if they suspect they’ve received a phishing message.

It will also detail whether the organisation covers phishing as part of its staff awareness training and when those courses take place.

If the organisation has access to an e-learning staff awareness course, the policy should include a link to the relevant module.

What you should include in an information security policy

Policies should include relevant information about the organisation and its practices. As a starting point, you should include the following sections:

1. Scope

The scope of an information security policy should address – at a high level – where information is and who can access it.

It should emphasise that information can be stored in programs, systems, facilities or other infrastructure.

2. Policy statement

This is the part of the policy that explains the organisation’s approach to information security. It might explain the environment in which the organisation operates, the laws and regulations it is bound by, or even the types of information it handles. It should use this context to explain how seriously the organisation takes the security of its information and information systems.

3. Objectives

To determine whether your information security programme works as intended, you need to set objectives to ensure that it works effectively and in accordance with laws, regulations and contracts.

Where possible, these should be measurable, as individual judgement will potentially lead to inaccurate reporting and possibly even bias – either from those who want greater investment in information security or those who claim that the existing measures are effective.

Organisations should keep the three key principles of ISO 27001 in mind: confidentiality, integrity and availability.

The objectives you choose will vary depending on your industry and the maturity of your information security management system.

They will probably also develop over time, which is why it’s important to keep track. If you are consistently meeting an objective, you should update it accordingly or focus on other areas.

What about specific information security policies?

In addition to your overall information security policy, you should also include documentation on specific issues.

The topics you address will depend on the nature of your organisation and the risks that you have identified. However, most organisations should have a policy on the following:

1. Access control

Organisations must create access control policies to ensure that only approved users, applications and systems can view and amend specific information, or access resources.

Access controls should be used to protect information wherever it is stored, as well as the information systems that can access it.

This is most likely to cover digital records, which can be protected with passwords or other technical defences, but controls should also be implemented to protect physical records.

Further reading: How to write an ISO 27001 access control policy

2. Information classification

Information classification is the process of determining the level of protection that should be given to data.

Organisations usually classify information in terms of confidentiality, with a typical system containing four levels of confidentiality:

  • Confidential (only senior management have access)
  • Restricted (most employees have access)
  • Internal (all employees have access)
  • Public information (everyone has access)

Further reading: What is information classification and how is it relevant to ISO 27001?
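The access control section above says that only approved users, applications and systems may view or amend specific information, and the classification scheme just listed says who may see each level. The following is an added example, not code from the original post or its author, showing how the two fit together in a small enforcement check: each document carries one of the four classification levels, each role is given a maximum level it may reach, and every decision is logged so that denied requests can be reviewed. The role names, the clearance map, the rule that amending requires at least Internal clearance, and the sample documents are all constructed assumptions for this example; a real policy would define its own roles and levels.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional, Tuple


class Classification(IntEnum):
    """The four-level confidentiality scheme from the post, ordered low to high."""
    PUBLIC = 0        # everyone has access
    INTERNAL = 1      # all employees have access
    RESTRICTED = 2    # most employees have access
    CONFIDENTIAL = 3  # only senior management has access


# Constructed clearance map for this example. The role names are assumptions;
# a real policy would define its own roles and the level each may reach.
ROLE_CLEARANCE: Dict[str, Classification] = {
    "visitor": Classification.PUBLIC,
    "contractor": Classification.INTERNAL,
    "employee": Classification.RESTRICTED,
    "senior_management": Classification.CONFIDENTIAL,
}

# Log entry layout: (user, role, action, document[LEVEL], decision)
LogEntry = Tuple[str, str, str, str, str]


@dataclass(frozen=True)
class Document:
    name: str
    classification: Classification


@dataclass
class AccessLog:
    """In-memory record of every decision, so denials can be reviewed later."""
    entries: List[LogEntry] = field(default_factory=list)

    def denied(self) -> List[LogEntry]:
        return [e for e in self.entries if e[4] == "DENY"]


def clearance_for(role: str) -> Optional[Classification]:
    """Unknown roles get no clearance at all: the check fails closed, not open."""
    return ROLE_CLEARANCE.get(role)


def is_permitted(role: str, doc: Document, action: str) -> bool:
    """Reading needs clearance at or above the document's level. Amending
    additionally needs at least INTERNAL clearance (constructed rule: public
    or unknown actors may never change records)."""
    clearance = clearance_for(role)
    if clearance is None or action not in ("read", "amend"):
        return False
    if clearance < doc.classification:
        return False
    if action == "amend" and clearance < Classification.INTERNAL:
        return False
    return True


def request_access(user: str, role: str, doc: Document, action: str,
                   log: AccessLog) -> bool:
    """Evaluate one request and record the outcome, whether allowed or denied."""
    allowed = is_permitted(role, doc, action)
    log.entries.append((user, role, action,
                        f"{doc.name}[{doc.classification.name}]",
                        "ALLOW" if allowed else "DENY"))
    return allowed


def demo() -> AccessLog:
    """Constructed scenario: one document per level and a handful of requests."""
    docs = {level.name.lower(): Document(f"{level.name.lower()}.txt", level)
            for level in Classification}
    log = AccessLog()
    request_access("alice", "senior_management", docs["confidential"], "read", log)
    request_access("bob", "employee", docs["confidential"], "read", log)
    request_access("bob", "employee", docs["restricted"], "amend", log)
    request_access("carol", "contractor", docs["restricted"], "read", log)
    request_access("dave", "visitor", docs["public"], "amend", log)
    request_access("mallory", "unknown_role", docs["public"], "read", log)
    return log


if __name__ == "__main__":
    for entry in demo().entries:
        print(*entry)
```

Two design points matter here. The ordering of the levels is what makes the check a single comparison, so a role cleared for Restricted automatically covers Internal and Public. And a role that is not in the clearance map is denied everything, including Public documents, because an access decision that defaults to "allow" for anything unrecognised is exactly the gap an access control policy exists to close.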

3. Staff awareness training

Employees are always susceptible to mistakes. This might simply be carelessness, or they might be exploited by cyber criminals.

For example, attackers often target organisations using phishing emails. Doing so circumvents many of the technical measures that organisations adopt to protect themselves, instead relying on employees’ inability to spot a bogus message.

A training policy must include provisions for providing staff awareness training to employees.

Further reading: ISO 27001 staff awareness training – meeting the requirements


In addition to these, you might also decide to include information regarding:

Need help creating your policies?

Documenting your policies takes a lot of time and effort, and you might still overlook key policies or fail to address critical issues.

However, you can avoid those problems with our bestselling Information Security Policy Template.

This customisable tool enables you to create an information security template that aligns with the best practices outlined in ISO 27001.

Whether you want to make sure you have complete coverage of your information security concerns or simply want to speed up the documentation process, this template is an ideal resource.


A version of this blog was originally published on 11 January 2019.
