ISO 27001 Policies Guide

Introduction

ISO 27001 policies sit at the heart of your Information Security Management System (ISMS). These are the high-level, formal documents that set out how your organisation manages information security day-to-day, in line with Clause 5.2 and Annex A 5.1 of ISO 27001:2022. In practice, they define the rules everyone needs to follow, from how data is accessed and shared, to how incidents are reported and how systems are used, so that security becomes part of your culture rather than something bolted on as an afterthought.

Well-designed ISO 27001 policies do far more than meet a minimum standard. They help you demonstrate compliance with legal and regulatory requirements, reduce the likelihood and impact of data breaches, and build real confidence with customers, partners and regulators. For UK organisations, clear information security policies support your obligations under the UK GDPR and the Data Protection Act 2018, and contribute to meeting expectations around appropriate technical and organisational measures to protect personal data. In a landscape where data breaches can easily cost hundreds of thousands of pounds, including potential ICO penalties and remediation costs, robust and up-to-date policies are both a practical line of defence and a powerful assurance tool.

For smaller and growing businesses, using proven templates and guidance can make it much quicker and easier to put the right ISO 27001 policies in place, tailored to your specific risks and operations. Providers like Citation ISO Certification can help you move from generic, ad‑hoc documentation to a structured, audit-ready policy set that supports both certification and everyday security.

Policies at a glance

  • Standard: ISO/IEC 27001:2022
  • Key focus: Define rules for information security management
  • Number of policies: 20+ mandatory and topic-specific (based on your risks)
  • UK relevance: Supports UK GDPR Article 32, often required for tenders
  • Review frequency: Annual, or after changes
  • What helps: Templates and structured guidance for faster implementation

What are ISO 27001 policies?

ISO 27001 policies are the formal documents that set out what your organisation expects when it comes to information security. They define the rules, responsibilities and principles that everyone must follow, and they sit at the top of your information security management system. Underneath these ISO 27001 policy documents, you have directives and working instructions that explain how those rules are carried out in practice. Together, your ISO 27001 policies and procedures create a layered framework — from high-level intent right through to the specific steps your team follows day-to-day.

For most UK organisations, ISO 27001:2022 will include a main ISO 27001 information security policy, supported by a suite of topic‑specific “aspects” policies and directives that go deeper into key risk areas such as access control, data protection, suppliers and incident management. Together, they create a coherent, audit‑ready framework that links business objectives, legal duties (including UK GDPR and the Data Protection Act 2018) and day‑to‑day working practices.

With the 2022 update of ISO/IEC 27001, there’s a stronger emphasis on keeping your policies aligned with your current risks, technology and regulatory landscape. That means reviewing them regularly, making sure they reflect changes in your organisation and the threat environment, and ensuring they support legal duties and good‑practice expectations from customers, regulators and the ICO.

Policies vs directives

A simple way to distinguish them is:

  • Policies = the “what” and “why” (rules, principles, intent).
  • Directives = the “how” and “who” (steps, responsibilities, sequence).

Comparing the two aspect by aspect:

  • Purpose: policies set the rules, intent and direction for information security; directives describe the detailed steps to follow the policy.
  • Level: policies are high‑level and strategic; directives are operational and task‑level.
  • Audience: policies apply to all staff, management and interested parties; directives apply to the staff who perform specific tasks or processes.
  • Change frequency: policies are reviewed at least annually or on major change; directives can change more often as processes and tools evolve.
  • Examples: policies include the Information Security Policy and the Access Control Aspects Policy; directives include the user access provisioning directive and the incident handling directive.
  • Role in ISO 27001: policies demonstrate commitment and governance; directives demonstrate consistent, repeatable implementation.

Together, well‑structured policies and clear directives give UK organisations a defensible position: they show regulators, customers and auditors not only that security rules exist, but that they are translated into day‑to‑day action within an ISO 27001‑aligned ISMS.

List of ISO 27001 policies

Below is the focused set of ISO 27001:2022‑aligned policies you’ll need, grouped under the four Annex A control themes of the 2022 edition (organisational, people, physical and technological). These cover the core information security themes expected by auditors, customers and regulators, and can be tailored to your organisation’s specific risks and operations.

5. Organisational

Information Security Policy – The overarching document that sets your organisation’s commitment, objectives and guiding principles for information security, and links the ISMS to business and legal requirements.

Access Control Aspects Policy & Directive – Defines how access to systems, applications and data is granted, reviewed and revoked, based on least privilege and business need, including joiners, movers and leavers.

Threat Intelligence Aspects Policy & Directive – Explains how your organisation gathers, evaluates and uses threat intelligence (e.g. vendor alerts, CERT advisories) to anticipate and respond to emerging risks.

Asset Management & Disposal Aspects Policy & Directive – Sets rules for identifying, classifying, tracking and securely disposing of information assets, including end‑of‑life hardware and media.

Data Protection Aspects Policy & Directive – Describes how personal data is collected, processed, stored and shared in line with UK GDPR and the Data Protection Act 2018, including lawful bases and data subject rights.

Information Classification Aspects Policy & Directive – Establishes classification levels (e.g. public, internal, confidential) and handling rules to ensure information is protected appropriately throughout its lifecycle.

Information Transfer Aspects Directive – Governs how information is securely shared inside and outside the organisation (email, file transfer, messaging, physical media), including encryption and approval requirements.

Supplier Relationship Aspects Policy & Directive – Sets expectations and controls for suppliers and third parties, including due diligence, contracts, ongoing monitoring and exit arrangements.

Cloud Computing Aspects Policy & Directive – Defines security requirements for cloud services and platforms, covering data location, shared responsibility, configuration, access and monitoring.

Security Incident Management Aspects Policy & Directive – Describes how security incidents and data breaches are identified, reported, assessed and resolved, including escalation and communication, and links to ICO reporting obligations.

Business Continuity Aspects Policy & Directive – Outlines how critical activities, systems and data will be maintained or recovered during disruption, and how business continuity and disaster recovery are planned and tested.

6. People

Human Resources Aspects Policy & Directive – Covers pre‑employment checks, onboarding, role changes and exit processes to ensure people‑related risks are managed throughout the employment lifecycle.

Acceptable Use Aspects Policy & Directive – Sets clear rules for how staff and contractors may use company devices, email, internet, cloud services and removable media, including prohibited behaviours.

Remote Working (Teleworking) Aspects Policy & Directive – Defines security expectations for home and remote working, including device security, network connections, privacy and handling of physical documents.

7. Physical

Physical Security Aspects Policy & Directive – Establishes controls for securing offices, server rooms and other sensitive areas, including access control, visitor management and protection of equipment.

8. Technological

Secure Systems & Development Aspects Policy – Sets principles for secure design, development and maintenance of applications and systems, including coding practices, testing and change management.

Cryptography Aspects Policy & Directive – Defines when and how cryptographic controls (encryption, key management, certificates) are used to protect data at rest and in transit.

Malware & Vulnerability Aspects Policy & Directive – Describes how the organisation prevents, detects and responds to malware, and how vulnerabilities are identified, prioritised and remediated.

Backup & Recovery Aspects Policy & Directive – Specifies backup scope, frequency, storage, protection and testing, and sets expectations for restoring data and systems within agreed timeframes.

Network Security & Network Systems Monitoring Aspects Policy & Directive – Covers secure design, segmentation and protection of networks, as well as logging, monitoring and alerting to identify suspicious activity.

All of these policies and directives are included within Citation ISO Certification’s ISO 27001 consultancy product, giving you a complete, ready‑to‑customise framework that aligns with ISO/IEC 27001:2022 and UK data protection law. Instead of starting from a blank page, your team can adapt proven, auditor‑friendly documents to your business, speeding up ISO 27001 implementation, reducing internal effort and helping you move confidently toward certification.

How to develop and implement ISO 27001 policies

If you’re wondering how to write ISO 27001 policies, the good news is that it doesn’t need to be overwhelming, especially if you follow a clear, structured approach and make smart use of templates. For UK organisations, it’s also vital that your policies reflect ICO guidance and GDPR requirements as well as ISO/IEC 27001:2022.

1. Assess your risks and define your scope

  • Identify the information, systems, locations and services you need to protect.
  • Consider legal and regulatory drivers such as UK GDPR, the Data Protection Act 2018 and sector‑specific requirements.
  • Map out your main risks (e.g. data breaches, ransomware, supplier failures) so each policy has a clear purpose.

2. Draft policies using proven templates

  • Start from ISO 27001‑aligned templates rather than a blank page to save time and ensure coverage.
  • Tailor each policy and directive to your size, culture and technology – avoid copy‑and‑paste text that nobody will follow.
  • For UK data protection topics, involve your Data Protection Officer (DPO) or privacy lead to ensure alignment with ICO guidance.

3. Secure management approval and ownership

  • Present the draft policy set to top management, highlighting how it reduces risk and supports contracts, tenders and compliance.
  • Assign clear owners for each policy/directive (e.g. IT, HR, Operations) who are accountable for keeping them accurate and applied.
  • Formally approve and version‑control your policies so you can demonstrate governance to auditors and customers.

4. Communicate, train and embed in daily work

  • Launch policies through briefings, onboarding, e‑learning and team meetings – not just an email with an attachment.
  • Translate key requirements into simple “do and don’t” guidance for staff, with examples relevant to remote work and everyday tools.
  • Build key rules into processes and systems (e.g. access requests, joiner/leaver workflows, supplier onboarding) so compliance becomes second nature where possible.

5. Review, audit and improve regularly

  • Schedule at least annual reviews, plus updates when there are major changes in systems, structure, law or risk.
  • Use internal audits, incident reviews and user feedback to refine your policies and directives over time.
  • Track and evidence reviews, approvals and updates as part of your ISO 27001 management review cycle.

UK‑specific tips and common pitfalls

  • Involve your DPO or privacy lead early for any policy touching personal data, and cross‑check against current ICO guidance and enforcement trends.
  • Keep language clear and practical. Over‑complex, legalistic wording is a common pitfall and leads to poor adoption.
  • Don’t “set and forget”. Lack of regular review is one of the main reasons policies become impossible to follow or defend.

Policy implementation timeline

Assess

  • Define ISMS scope and key information assets
  • Identify risks, legal/regulatory drivers (UK GDPR, DPA 2018, ICO guidance)

Draft

  • Use ISO 27001-aligned templates for policies and directives
  • Tailor content to your business, involve DPO/privacy lead for data protection

Approve

  • Present to senior management for review and sign-off
  • Assign policy owners and put the documents under version control

Roll out

  • Carry out internal audits and management reviews
  • Update policies at least annually or after major changes/incidents
  • Train staff and embed the policies in day-to-day working

Reviewing and maintaining ISO 27001 policies

Keeping your ISO 27001 policies up to date is just as important as creating them. Regular reviews show auditors, customers and the ICO that information security is actively managed, not written once and forgotten.

How to keep policies current

1. Set a review schedule

  • Review all core policies and directives at least once a year.
  • Add extra reviews after major changes (new systems, mergers, outsourcing) or significant security incidents/data breaches.

2. Link reviews to audits and management reviews

  • Use findings from internal audits, external audits and penetration tests to identify where policies need tightening or clarifying.
  • Discuss policy performance and required changes in your ISO 27001 management review meetings.

3. Align with ICO and legal expectations

  • Check that policies still reflect current ICO guidance, UK GDPR and the Data Protection Act 2018 (especially for data protection, incident reporting and retention).
  • Involve your DPO/privacy lead in reviews of any policy that touches personal data.

4. Update, approve and communicate changes

  • Version‑control every update (who changed what, when, and why).
  • Get management sign-off for significant changes, then communicate updates to staff via briefings, emails or short training refreshers.

5. Evidence the review process

  • Keep a simple policy review log showing planned dates, actual review dates, reviewers, decisions, and follow-up actions.
  • This provides clear proof of continual improvement during ISO 27001 and ICO-related audits or investigations.

Benefits of ISO 27001 policies

A well-implemented ISO 27001 policy framework does more than keep auditors happy. For UK SMEs, it delivers real, measurable value across security, compliance and business development.

Stronger security posture — Clear policies reduce the risk of human error, unauthorised access and data breaches by giving everyone consistent rules to follow.

GDPR and Data Protection Act compliance — Documented policies demonstrate the "appropriate technical and organisational measures" required under UK GDPR, helping you satisfy ICO expectations and reduce the risk of enforcement action.

Competitive advantage in tenders — Many tenders and enterprise contracts require evidence of ISO 27001 certification. A robust policy framework is central to achieving and maintaining that certification.

Stakeholder and customer confidence — Customers, partners and investors are increasingly asking about information security. Certified policies give them the assurance they need.

Faster incident response — When roles, responsibilities and escalation routes are clearly documented, your team can respond to incidents quickly and consistently, reducing downtime and limiting damage.

Continual improvement built in — ISO 27001 requires regular review and improvement of your policy framework, meaning your security posture evolves alongside your business and the threat landscape.

ISO 27001 policy templates and tools

Getting your ISO 27001 policies in place is much quicker and easier when you have the right starting point. Rather than building documents from scratch, most UK organisations benefit from using pre-built, auditor-tested templates they can tailor to their own business.

How Citation ISO Certification can help

Citation ISO Certification includes a complete, ready-to-customise suite of ISO 27001:2022-aligned policies and directives as part of our consultancy product. These are documents our consultants use and refine, so they’re built to satisfy auditors and work in practice, not just on paper.

Rather than spending weeks drafting policies from scratch or adapting generic templates, your team can work from a proven framework that already reflects ISO/IEC 27001:2022 requirements and UK data protection law. Our consultants are on hand to guide you through the tailoring process, help you identify which policies are most critical for your risk profile, and support you all the way through to certification.

Certification also includes 24/7 access to Atlas, our specially developed digital management system platform. Atlas brings all your ISO compliance tools together in one place, making it straightforward to store, manage and review your policies, track actions and maintain your ISMS between audits — without the administrative headache.

Common Questions

About ISO 27001

How many policies does ISO 27001 require?

ISO 27001 doesn’t specify a fixed number of policies. Instead, it requires that you have sufficient documented information to support and control your ISMS, including an overarching Information Security Policy and policies that address the relevant Annex A controls within your scope.

In practice, most UK SMEs operate with a structured set of around 20–30 documents covering key areas such as access control, data protection, asset management, incident management, supplier security, business continuity, backup and recovery, network security and more. What matters is that:

  • Your policy and directive set reflects your actual risks, systems and ways of working.
  • You can clearly show auditors how each requirement is covered.
  • Your documentation supports UK legal obligations such as UK GDPR and the Data Protection Act 2018.

With Citation ISO Certification, this is simplified through a defined suite of ISO 27001:2022‑aligned “Aspects” policies and directives that collectively meet common SME needs.

What is the difference between policies, directives and procedures?

These three terms often get mixed up, but they each play a different role in an ISO 27001‑aligned ISMS:

  • Policies – High‑level documents that set out the organisation’s intent, rules and expectations. They answer the “what” and “why”: what must be protected, what the rules are, and why they exist (e.g. legal, contractual, risk‑based drivers).
  • Directives – More operational documents that translate policy into clearer requirements and responsibilities. They answer the “how” and “who” at a practical but still policy‑level degree of detail (e.g. which roles approve access, which controls must be in place, what minimum standards apply).
  • Procedures – Step‑by‑step instructions for carrying out specific tasks. They answer the detailed “how exactly” – the sequence of actions, screens, forms and checkpoints someone follows.

For example:

  • An Access Control Aspects Policy sets the overall rules (e.g. least privilege, regular reviews).
  • An Access Control Directive defines how those rules apply in practice (e.g. approvals required, review frequencies, evidence to keep).
  • A User Onboarding Procedure describes the exact steps HR and IT take to create accounts, apply permissions and record approvals.

Auditors will typically want to see all three layers working together: policy for direction, directives for structure and consistency, and procedures for repeatable execution.

Do you need ISO 27001 to comply with UK GDPR?

ISO 27001 certification itself is not a legal requirement for UK GDPR compliance. However, robust information security and data protection policies and directives are effectively essential if you want to demonstrate that you have “appropriate technical and organisational measures” in place, as required by UK GDPR and the Data Protection Act 2018.

An ISO 27001‑aligned policy framework helps you:

  • Clearly document how you manage access, retention, incident response, encryption, supplier risk and other GDPR‑relevant areas.
  • Show the ICO, customers and partners that data protection is managed systematically, not informally.
  • Reduce the likelihood and impact of personal data breaches, and support a defensible position if something does go wrong.

So while you don’t have to be ISO 27001 certified to comply with GDPR, ISO 27001‑style policies and directives are one of the strongest ways to support and evidence GDPR compliance in the UK.

How often should ISO 27001 policies be reviewed?

ISO 27001 requires your policies to remain appropriate to your organisation and its risks, which means they must be reviewed regularly rather than left unchanged for years. Good practice for UK organisations is to:

  • Review all key ISO 27001 policies, directives and related procedures at least annually.
  • Carry out ad‑hoc reviews after major changes – such as new systems, mergers, outsourcing, structural changes or serious security incidents/data breaches.
  • Integrate policy reviews into your internal audit programme and management review meetings so improvements are driven by evidence, not guesswork.
  • For any policy touching personal data, align review cycles with your DPO/privacy lead and keep an eye on updated ICO guidance and enforcement trends.

When you certify with Citation ISO Certification, your annual surveillance audits provide a natural, structured checkpoint to confirm that policies and directives are still accurate, effective and aligned with ISO 27001, UK GDPR and wider regulatory expectations – turning ongoing compliance and continual improvement into part of your normal rhythm rather than a one‑off project.