How to Write an ISO 27001 Information Security Policy + Free Template
Security policies may seem like a major snoozefest. A bunch of formal documents to stick in a file that nobody will ever actually use, except maybe your information security auditor or someone in HR once a year. They exist just to check off a box on a list of neverending compliance tasks.
But that couldn’t be further from the truth.
Policies are how you explain exactly what you do to keep data safe — to your employees, vendors, partners, customers, and auditors. They’re a critical part of your security program and the backbone of your information security management system (ISMS).
Good policies provide clarity and consistency for your business operations. They help your team understand their role in risk management and maintaining compliance. And they help ensure your methods for protecting sensitive information assets from threats are effective and efficient.
While ISO 27001 requires organizations to define a whole series of policies (over two dozen, in fact), one of the key policies for ISO 27001 is the information security policy.
Keep reading for more information and best practices for writing your ISO 27001 information security policy, plus get an ISO 27001 information security policy template with all the legwork done for you.
What is an ISMS information security policy?
Think of your information security policy as an overview of how your company approaches information security.
An ISO 27001 information security policy sets standards for the acceptable use of an organization’s information systems and technology, from networks and databases to software applications. And it defines rules and processes for protecting data confidentiality, integrity, and availability (often abbreviated as CIA).
Confidentiality: Protecting confidential information by limiting its access, storage, and use
Your information security policy should explain how you control access to information and how you prevent data breaches and leaks.
Integrity: Ensuring information is accurate and complete, and that systems and data are changed only through authorized, controlled means
When writing your information security policy, you should think about how you establish change control processes, keep unauthorized users from changing information, prevent human error, and ensure technology is configured properly to avoid errors.
Availability: Ensuring employees and clients can rely on your systems and data being accessible when they need them
Your information security policy needs to discuss how you ensure data availability, including how you account for natural disasters, hardware failure, and storage media degradation, how you maintain control of your domains and DNS, etc.
ISO 27001 requirements: Clause A.5.1
Annex A control A.5.1.1 (Policies for information security) states that an organization must have a set of information security policies that are defined, approved by management, published, and communicated to employees and relevant external parties. A.5.1.2 requires that these policies be reviewed at planned intervals and whenever significant changes occur.
Policies must be led by business needs and any applicable regulations or legislation affecting the organization, such as HIPAA and GDPR. Policies also form an important part of the employee education and awareness training described in Annex A.7.2.2 of the international standard.
All of these policies are summarized into a high-level master information security policy, which outlines the organization’s overall approach to information security. This top-level policy is also a main-body requirement of the standard (clause 5.2, Policy), not just an Annex A control. According to ISO 27001, this policy must:
- Be tailored to the organization
- Demonstrate management’s commitment to the ISMS
- Define how information security objectives are proposed, reviewed, and approved
- Be communicated to employees, stakeholders, and other interested parties, such as vendors and business partners
- Have a defined owner who is responsible for keeping the policy up to date
- Be reviewed on a regular basis (at least annually), or when significant changes occur such as changes to technologies, legislation, or business processes
What should be in an ISO 27001 information security policy?
Oftentimes, people think their information security policy needs to include every single thing about their organization’s cybersecurity. But that’s not the intention. The information security policy is intended to achieve three things:
- Force management to thoughtfully consider their goals for information security
- Formalize management’s commitment to continual improvement of the ISMS
- Provide a general overview of the ISMS so that management understands how it works without having to track the minute details of every risk assessment, access control, or internal audit. They know what the ISMS is designed to do, how it works, and who is responsible for it.
Here’s what’s covered in an ISO 27001 information security policy:
- Purpose: Define the organization’s information security objectives and the purpose of the ISMS
- Requirements: List any applicable legal, contractual, or regulatory requirements
- Roles & responsibilities: Specify who is responsible for implementing, maintaining, and monitoring performance of the ISMS
- Communication: Clarify who the policy needs to be shared with, internally or with contractors and third-party vendors (if applicable)
- Support: Define the resources and supplemental policies that will support information security
Tips for Writing an Information Security Policy from ISO 27001 Auditors
Assign an owner who’s responsible for keeping the information security policy up to date and ensuring it gets reviewed at least annually.
Changes should be recorded and approved by senior management.
Download: ISO 27001 Information Security Policy template
Still unsure of what to include in your information security policy? Use our template as a foundation to quickly create your own.
Quickly create ISO 27001 polices with Secureframe
The information security policy is just the tip of the iceberg for the ISO 27001 standard, which has 25 base policies. With Secureframe, you can save yourself a ton of time and effort with our policy library. Get 40+ policy templates written by compliance experts and vetted by dozens of auditors, ready for you to customize for your business.
Request a demo to learn more about how our compliance automation platform can streamline ISO 27001 certification.