How to Write an ISO 27001 Information Security Policy + Free Template
Emily Bonnie
Cavan Leung
Security policies may seem like a major snoozefest. A bunch of formal documents to stick in a file that nobody will ever actually use, except maybe your information security auditor or someone in HR once a year. They exist just to check off a box on a list of neverending compliance tasks and security requirements.
But that couldn’t be further from the truth.
Policies are how you explain exactly what you do to keep data safe — to your employees, vendors, partners, customers, and auditors. They’re a critical part of your security program and the backbone of your information security management system (ISMS).
Good policies provide clarity and consistency for your business operations. They help your team understand their role in information security risk management and maintaining compliance. And they help ensure your security measures for protecting sensitive information assets from vulnerabilities are effective and efficient.
ISO 27001 requires organizations to define a whole series of policies, including an ISMS scope statement, data retention policy, and over two dozen others. Of these dozens, one of the most important is the ISO 27001 information security policy.
Keep reading for more information and best practices for writing your ISO 27001 information security policy, plus get an ISO 27001 information security policy template with all the legwork done for you.
What is an ISMS information security policy?
Think of your information security policy as an overview of how your company approaches data security.
An ISO 27001 information security policy sets standards for the acceptable use of an organization’s information systems and technology, from networks and databases to software applications. And it defines rules and processes for protecting data confidentiality, integrity, and availability (often abbreviated as CIA).
Confidentiality: Protecting confidential information by limiting its access, storage, and use
Your information security policy should explain how you control access to information and how you prevent data breaches and leaks.
Integrity: Verifying that company systems operate as intended
When writing your information security policy, you should think about how you establish change control processes, keep unauthorized users from changing information, prevent human error, and ensure technology is configured properly to avoid errors.
Availability: Ensuring employees and clients can rely on your systems to do their work
Your information security policy needs to discuss how you ensure data availability, including how you account for natural disasters and storage erosion, how you protect domain integrity, etc.
ISO 27001 requirements: Clause A.5.1
Annex A Clause 5 states that an organization must have a set of information security policies that are approved by management and communicated to employees and third-party users.
Policies must be led by business needs and any applicable regulations or legal requirements affecting the organization, such as HIPAA and GDPR. Policies also form an important part of the employee education and security awareness training described in Annex A.7.2.2 of the information security standard.
All of these policies are summarized into a high-level master information security policy, which outlines the organization’s overall approach to information security and asset management. According to the ISO 27001 standard, this policy must:
- Be tailored to the organization
- Demonstrate management’s commitment to the ISO 27001 ISMS
- Define how information security objectives are proposed, reviewed, and approved
- Be communicated to employees, stakeholders, and other interested parties, such as vendors and business partners
- Have a defined owner who is responsible for keeping the policy up to date
- Be reviewed on a regular basis (at least annually), or when significant changes occur such as changes to information security controls, technologies, legislation, or business/management processes
ISO 27001 Information Security Policy template
To help you understand exactly what this policy might include, how it might be organized, and how long it may be, we've created this ISO 27001 Information Security Policy Template. This can help you if you're preparing for an audit or just determining if ISO 27001 compliance is the right choice for your organization.
Download Information Security Policy template
Use this auditor-approved template and then tailor it to your organization to meet the ISO 27001 5.2 requirement.
What should be in an ISO 27001 information security policy?
Oftentimes, people think their information security policy needs to include every single thing about their organization’s cybersecurity and data protection practices. But that’s not the case. The information security policy is intended to achieve three things:
- Force management to thoughtfully consider their goals for information and IT security
- Formalize management’s commitment to continual improvement of the ISMS
- Provide a general overview of the ISMS so that management understands how it works without having to track the minute details of every information security risk assessment, access control, or internal audit. They know what the ISMS is designed to do, how it works, and who is responsible for it.
Here’s what’s covered in an ISO 27001 information security policy:
- Purpose: Define the organization’s information security objectives and the purpose of the ISMS
- Requirements: List any applicable legal, contractual, or regulatory requirements
- Roles & Responsibilities: Specify who is responsible for implementing, maintaining, and monitoring performance of the ISMS
- Communication: Clarify who the policy needs to be shared with, internally or with contractors and third-party vendors (if applicable)
- Support: Define the resources and supplemental policies that will support information security
Tips for writing an Information Security Policy from ISO 27001 auditors
Our team of experienced auditors and compliance specialists shared their essential tips and best practices for writing an information security policy that meets ISO 27001 requirements.
- Assign an owner who’s responsible for keeping the information security policy up to date and ensuring it gets reviewed at least annually.
- Corrective changes and updates should be recorded and approved following senior management review.
The Ultimate Guide to ISO 27001
Creating and maintaining an InfoSec policy is just one ISO 27001 requirement. If you’re looking to meet all the requirements to build and maintain a compliant ISMS and achieve ISO 27001 certification, this guide has all the details you need to get started.
Quickly create ISO 27001 policies with Secureframe
The information security policy is just the tip of the iceberg for the ISO 27001 standard, which has 25 base policies. With Secureframe, you can save yourself a ton of time and effort with our policy library. Get 40+ policy templates written by compliance experts and vetted by dozens of auditors, ready for you to customize for your business.
Request a demo to learn more about how our compliance automation platform can streamline ISO 27001 certification.
Use trust to accelerate growth
FAQs
What are the 3 key elements of information security in ISO 27001?
ISO/IEC 27001:2022 (formerly ISO/IEC 27001:2013) is an international standard that covers 3 elements of information security:
- Confidentiality: Data can only be accessed by authorized users
- Integrity: Data can only be modified or deleted by authorized users
- Availability: Data must be accessible to authorized users when needed
What is ISO 27001 5.1: Policies for Information Security?
ISO 27001 Annex A Clause 5 states that organizations must have a set of information security policies in place. These policies must be led by business needs and address any applicable regulations or legal requirements affecting the organization, such as HIPAA and GDPR. Policies also form an important part of the employee education and security awareness training described in ISO 27001/ISO 27002 Annex A.7.2.2 of the information security standard. All of these policies are summarized into a high-level master information security policy.
What policies are required for ISO 27001?
ISO 27001 compliance requires the following policies:
- Clause 5.1.1: Information security policy
- Clause 6.2.1: Mobile device, BYOD, and remote work policies
- Clause 7.5: Document control process and controls for managing records
- Clause 8.2.1: Information classification policy
- Clauses 8.3 and 11.2: Data retention and disposal policy
- Clauses 9.2, 9.3, 9.4: Password policy
- Clause 9.1.1: Access control policy
- Clause 11.1.5: Procedures for working in secure areas
- Clause 11.2: Clear desk and clear screen policies
- Clauses 12.1 and 14.2: Change management policy
- Clause 12.3: Data backup policy
- Clause 13.2: Data transfer policy
- Clause 14.2.5: Secure software development/engineering principles
- Clause 15.1.1: Supplier security policy
- Clause 16.1.5: Information security incident management procedure
- Clause 17.1: Business continuity procedures
- Clause 18.1.1: Statutory, regulatory, and contractual requirements
Which clause of ISO 27001 includes requirements related to information security policy?
According to ISO 27001 Annex A Clause 5.1, organizations must have a set of information security policies. The information security policy must:
- Be tailored to the organization, approved by management, and communicated to employees and third-party users
- Demonstrate management’s commitment to the ISO 27001 ISMS
- Define how information security objectives are proposed, reviewed, and approved
- Have a defined owner who is responsible for keeping the policy up to date
- Be reviewed on a regular basis (at least annually), or when significant changes occur such as changes to information security controls, information technologies, supplier relationships, legislation, or business/management processes