How to create an information security policy for ISO 27001

Organisations that are serious about preventing data breaches must create an information security policy.

It contains a set of guidelines on how to handle the various incidents that might result in data breaches.

Ideally, your information security policy should be written in line with ISO 27001, the international standard for information security. The Standard provides comprehensive advice on the issues you must address.

In this blog, we take a look at how you can get started creating your information security policy.

What should your information security policy contain?

Every organisation is structured differently and has its own requirements. That said, there are some elements that all information security policies share.

For example, the policy must address the organisation’s information security objectives, including how they are proposed, approved and reviewed.

It should also include a framework for setting its objectives; consider all relevant business, legal, regulatory and contractual security requirements; improve the strategic context within which the ISMS will be established; and understand the criteria for the evaluation of risk and its structure.

Additionally, the policy must answer the ‘who’, ‘what’ and ‘where’ of information security. That is to say:

  • Who? The board and management must be united on the ISMS. The policy statement must be debated, agreed and published under their authority and in the form of written minutes.
  • Where? Identify clearly all the parties of your organisation where the policy is going to apply.
  • What? The statement that the board and management “are committed to preserving the confidentiality, integrity and availability of information”.

How to create an information security policy

Although information security policies must be unique to each organisation, there are certain things all organisations must do when getting started.

For example, your policies should be the result of risk assessments, DPIAs (data protection impact assessments) and a review of your regulatory requirements.

You can find out more about how these processes inform your information security policy, and how you can get started, with our CyberComply Tool.


A version of this blog was originally published on 15 May 2018.
