How to create an information security policy for ISO 27001

What is an information security policy for ISO 27001?

Your company’s information security policy is the driving force for the requirements of your information security management system (ISMS).

The policy needs to capture the board's requirements and organisational reality, and it must meet the requirements of the ISO 27001 standard if you are looking to achieve certification.

Keep the policy statement as simple as possible while still comprehensive, so that managers have adequate freedom to respond to changing business and security circumstances.

What information should your information security policy contain?

Every information security policy is different, so you cannot simply copy another company's document; it must be adapted to your organisation. The policy needs to define your information security objectives and, in particular:

  • How they are proposed,
  • How they are approved,
  • How they are reviewed.

The policy document must show top management's commitment to satisfying the applicable information security requirements of all interested parties and to continually improving the ISMS. You must communicate it within the company and, where relevant, to interested parties. You also need to review the policy regularly; to make this happen, assign an owner who is responsible for keeping it up to date.

How to create an information security policy

The information security policy must:

  • Include a framework for setting information security objectives;
  • Take into account all relevant business, legal, regulatory and contractual security requirements;
  • Align with the strategic risk management context within which the ISMS will be established and maintained; and
  • Establish the criteria against which risk will be evaluated, and the structure of the risk assessment.

The initial policy statement must answer these questions:

  • Who? The board and management must be united behind the ISMS. The policy statement must be debated and agreed under their authority, with that agreement recorded in written minutes, and published.
  • Where? Identify clearly all the parts of your organisation to which the policy is going to apply.
  • What? The statement that the board and management "are committed to preserving the confidentiality, integrity and availability of information".
  • Why? To protect information in order to ensure business continuity, minimise business damage and maximise return on investment.

