What should be included in an information security policy?


Every organisation has information it needs to protect, both physical and digital. This means that it is necessary to set out and define your security policies, which lay out what should be done to maintain information security.

An information security policy therefore forms a high-level view of what your organisation does with regards to protecting its data and assets, documenting what is expected and who has responsibility for what.

As a key foundation of your organisation’s defence strategy, it also forms one of the categories of controls included in ISO 27001, the international Standard for information security.


Why is an information security policy useful?

An information security policy is useful because it:

  • Sets out a minimum level of data protection and IT and physical security
  • Documents security measures
  • Lays out user access controls
  • Sets out how you intend to detect, respond to and minimise the impact of security risks or breaches
  • Helps to ensure compliance with the latest legislation and regulations

As such, it is a critical document for preventing security incidents.

Having an information security policy also means that you know what kind of information and assets your organisation holds and what level of protection they require. Its scope can also be expanded to cover third parties and suppliers, which come with their own unique risks.


What does an information security policy include?

Your information security policy should consider current and upcoming legislation and regulations, your business strategy and your current and potential level of threat.

In addition, you will need to address your facilities, data, programmes, users, infrastructure and third parties.

The following are other key elements of a strong information security policy.

The purpose

Your policy needs to set out why you need one and what your priorities are. This can be aligned with your business goals and strategy. For instance, are you creating it to protect your customers’ data? Or is it to pre-empt security breaches? Understanding the purpose of the policy will help you to define the processes you need to protect your organisation.


The key objectives of an information security policy are maintaining the confidentiality, integrity and availability of your information and systems, so think about these goals and how you plan to achieve them.


Scope

You then need to set out who your policy applies to. It could be focused on your organisation, but if you work with other suppliers or third parties (such as a cloud provider), it is very likely that they will need to have certain processes and policies applied to them too.


Access control

It is likely that you have information that shouldn’t be open for everyone to access, particularly if you are dealing with sensitive or personally identifiable information. Your policy therefore needs to consider access control and who will have the authority to manage that control. It should also consider access to networks and other systems, and what authentication is needed to gain it. This could be a strong password or an ID badge, for instance.


Classification

Not all information is equal – some will need stronger protection. Creating a system of classification is therefore an important role of your information security policy, something that is built upon in Annex 8.2 of ISO 27001. This classification will then dictate how this information is collected, handled, processed, stored and communicated.

Training

Your information security policy may also lay the foundations for any training required and how often it will take place. There may be awareness courses, for example, that would help your general staff to be able to identify risks.


Responsibilities

A key part of your policy is to establish who is responsible for what. You need owners of your policies and processes, such as access, network security and business continuity, to ensure that they are kept up to date and improvements made. This forms another aspect of Annex 5 of ISO 27001.


Communication

An information security policy lacks strength if the people working in your organisation do not know about it or understand it. Your policy should therefore also consider how you will tell workers about the processes it contains.


Review

Your information security policy needs to be reviewed and updated at planned intervals to ensure it remains fit for purpose, and these intervals can be laid out in the policy. You should also review it should there be a significant change within your organisation, such as a switch to remote working.


Further things to consider

Remember: an information security policy is unique to your business, so you may not want to stop here. You may also want to consider physical security, malware processes or remote access as part of your policy, or you can add them as controls in a wider information security management system (ISMS).

To find out more about an ISMS, take a look at our dedicated page on ISO 27001, the international Standard for information security management. You can also see its 114 controls, which are summarised in our article.


About the author

  • Name:

    Claire Price

  • Company:

    Content Marketing Executive

  • Bio:

    Claire worked for Citation ISO Certification between 2020 and 2022 writing creative and informative content on ISO certification and consultation to help businesses reach their potential.
