How to create an ISO 27001-compliant information security policy – with example template

Our previous blog post, The documents you need for ISO 27001 compliance, listed the documents you need to produce to comply with ISO 27001.

One of these documents is an information security policy.

What is an information security policy?

Clause 5.2 of the Standard specifies the requirements for organisations to produce an information security policy that sets out the requirements of your ISMS (information security management system).

The information security policy should be a short, simple document – approved by the board – that defines management direction for information security in accordance with business requirements and relevant laws and regulations.

What to include in your information security policy

The policy needs to reflect your organisation’s view on information security, and must:

  • Provide information security direction;
  • Include information security objectives;
  • Include information on meeting business, contractual, legal or regulatory requirements; and
  • Contain a commitment for continual improvement of the ISMS.

The policy needs to include all of your organisation’s employees, and may also consider other third parties such as customers or suppliers.

You can find out more about ISO 27001 and information security policies in July’s book of the month, The ISO 27001 Expertise Bundle.

Creating an information security policy – with example template

Knowing where to start when creating your information security policy can be challenging, particularly in larger, complex organisations where there may be many objectives and requirements to meet.

If you are unsure what your information security policy should include or where to start, the ISO 27001 Information Security Policy Template (example below) can help you create one in minutes.

Example of the ISO 27001 Information Security Template, available to purchase from IT Governance

Example of the ISO 27001 Information Security Template, available to purchase from IT Governance

Created by ISO 27001 practitioners, this customisable template will help you fulfil the requirements set out in Clause 5.2.

ISO 27001 documentation templates

If you are looking for a complete set of ISO 27001 documentation templates to help with your implementation project, you may be interested in the ISO 27001 ISMS Documentation Toolkit. The toolkit is designed and developed by expert ISO 27001 practitioners, and has been used by more than 2,000 clients worldwide. It includes:

  • A complete set of easy-to-use, customisable and fully ISO 27001-compliant documentation templates that will save you time and money;
  • Easy-to-use dashboards and gap analysis tools to ensure complete coverage of the Standard; and
  • Direction and guidance from expert ISO 27001 practitioners.

Take a free trial to see how the documents and project tools can help you with your ISO 27001 project >>