Developing an ISO 27001 Information Security Policy

The information security policy is a central component of the ISMS; it provides a high-level view of what your organisation does in respect of protecting its data and assets by documenting what is expected and who has responsibility for information security.  It is important to ensure the policy is appropriate for your organisation and the policy can, therefore, be tailored to your organisation’s needs.  For example, you may benefit from the policy focusing on specific areas, such as customer data, or may need it to extend across the entire organisation.  An information security policy can be developed to meet the needs of any size of organisation, operating in any sector, but what will you need need to include when looking to implement an effective policy that is appropriate for your organisation and meets the requirements of ISO 27001?

Clause 5.2 of the Standard provides a useful list of elements that a conformant information security policy should include.  One such element is a consideration of current and upcoming legislations and regulations that are relevant to information security and the organisation, such as the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018.

An effective and conformant information security policy should also satisfy the following key requirements:

The purpose of the information security policy is to set out why it is needed and what the priorities are.  The policy needs to be aligned with your organisation’s existing goals and strategy, for instance the policy could be aligned with a goal to protect customers’ data or aligned to a strategy to reduce information security risks and incidents.  

The information security policy should include your organisation’s information security objectives or provide a framework for setting these objectives.  The majority of organisations URM works with reference high-level objectives within their policies.  These high-level objectives are aligned to 3 key foundational principles of information security: Confidentiality, Integrity and Availability (to learn more about these principles, read our blog on What is the CIA Triad? Confidentiality, Integrity and Availability Explained).  Some organisations choose to include a complete list of their information security objectives, however many instead decide to just include the framework for setting their objectives.  Generally, this simply involves stating that objectives are reviewed and set annually during a management review or senior leadership meetings, and that the objectives are monitored regularly, e.g., monthly or quarterly.  Using the statement for setting objective helps with producing and delivering a concise yet effective information security policy.

Another requirement for the information security policy is a commitment to continual improvement of the ISMS, which is often included as a statement in the policy.  However, it’s important to keep in mind that continual improvement will be checked during internal and external audits, and should also be an agenda item for management review.  Some organisations may choose to add more detail here, and state how continual improvement is embedded in the ISMS.  Usually, this will be via regular internal audits, analysis and review of audit findings and recorded incidents, or employee consultation to identify areas to improve the ISMS and increase its effectiveness.

Generally, we would recommend creating a high-level information security policy that is no longer than a couple of pages, and, where appropriate, includes links to more detailed, topic-specific policies.  Your information security policy needs to be as accessible as possible and read by everyone in your organisation, and a lengthy, highly detailed policy will be at risk of not being read.  

The information security policy will also, generally, be reviewed and approved by top management (e.g., the CEO, the Board, or similar).  Meanwhile, topic-specific policies are typically owned, reviewed and approved by managers that sit at the departmental level (e.g., a cryptography policy would be owned and approved by an IT director or similar, an HR security policy by an HR director, and so on).  If the information security policy includes detail that would normally be in those supporting policies, then any time they are updated or changed, the information security policy will need to be reviewed and approved by the CEO.  CEOs may not understand the technical elements that are usually included in topic-specific policies, and, therefore, may not feel knowledgeable to perform such a review.  They are also unlikely to have the time to continuously review policy documents.  As such, the information security policy should be written in such a way that it does not need to be changed or updated very often.

The information security policy must be available as documented information.  Most of URM’s clients choose to have an electronic version of the policy located in the ISMS which is available to all employees.  Displaying the policy around the business on notice boards or in entrance lobbies/reception areas is becoming less common, however this is still an effective means of meeting this requirement.

The policy must also be communicated within your organisation, and an effective way to achieve this is to include the information security policy in all new employee induction/onboarding processes, and to also regularly (at least annually) re-communicate it to existing employees to ensure they remain aware and understand the importance of the policy.  

Finally, you will need to consider who the audience of the information security policy is, and whether it can it be made available to your organisation’s and ISMS’ interested parties.  Here, it’s important to understand who the policy applies to; it will, of course, apply to employees, but if your organisation works with other suppliers or third parties, such as a cloud provider or IT provider, then it is likely that certain processes and policies will need to be applied to them too. Some organisations create a ‘sanitised’ version of their information security policy that is provided to interested parties upon request, or available via its website as publicly available information. Alongside this externally facing version of the policy, there will also be a more organisation-specific policy for internal use only.  Both approaches are acceptable; your organisation will simply need to decide which is more appropriate for its specific needs and requirements.

Establishing, documenting and communicating an information security policy is a mandatory requirement for conformance or certification to ISO 27001.   However, beyond this, an effective policy will enable you to define and communicate your expectations for information security to all members of your organisation (and, where applicable, to relevant external parties), helping you to develop an information security conscious culture and avoid unauthorised disclosures of information.