Information Security Policy

The information security policy is the top-level document that establishes management's vision and commitment to information security within the organisation. It is a mandatory requirement in ISO 27001 (Clause 5.2) and serves as the highest governing document in the ISMS.

    What is the information security policy?

    The information security policy is a concise, high-level document that articulates the organisation's stance on and ambitions for information security. It must be approved and issued by top management, underscoring that information security is a management responsibility.

    The policy is not a detailed technical instruction but a strategic statement that sets the framework for all underlying policies, procedures and controls in the ISMS.

    Content requirements

    ISO 27001 Clause 5.2 requires that the information security policy:

    • Is appropriate to the purpose and context of the organisation
    • Includes information security objectives or provides a framework for setting them
    • Includes a commitment to satisfy applicable requirements
    • Includes a commitment to continual improvement of the ISMS
    Keep it concise:
    An effective information security policy is typically 1-2 pages long. It should communicate clearly to employees and stakeholders, not delve into technical details. Technical requirements belong in specific policies and procedures.

    Communication and availability

    ISO 27001 requires that the information security policy:

    • Is available as documented information
    • Is communicated to all relevant parties within the organisation
    • Is made available, in the relevant parts, to interested parties such as customers and partners

    In practice, this means that all employees should have access to and awareness of the policy, and it is typically available on the intranet and in onboarding materials.

    Maintenance and review

    The policy must be reviewed at regular intervals, at least once per year, or when significant changes occur in the organisation's context, risk environment or legislation. The review should be discussed as part of the management review.

    Frequently Asked Questions about Information Security Policy

    What is an information security policy?

    An information security policy is the top-level document that establishes management's vision and commitment to information security. It is a mandatory requirement in ISO 27001 (Clause 5.2) and serves as the highest governing document in the ISMS.

    What must an information security policy contain?

    According to ISO 27001 Clause 5.2, the policy must be appropriate to the organisation's purpose, include information security objectives or a framework for setting them, contain a commitment to satisfying applicable requirements, and include a commitment to continual improvement of the ISMS.

    Who should approve the information security policy?

    The information security policy must be approved and issued by top management. This demonstrates that information security is a leadership responsibility and ensures organisational commitment at the highest level.

    How often should the information security policy be reviewed?

    The policy should be reviewed at least once per year, or whenever significant changes occur in the organisation's context, risk environment or applicable legislation. Reviews are typically discussed during the management review.

    How long should an information security policy be?

    An effective information security policy is typically 1-2 pages long. It should be a concise, strategic document that communicates clearly to all stakeholders. Detailed technical requirements belong in supporting policies and procedures.
