{"id":9308,"date":"2016-05-30T21:25:51","date_gmt":"2016-05-30T21:25:51","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/?p=9308"},"modified":"2025-04-11T08:46:57","modified_gmt":"2025-04-11T08:46:57","slug":"what-should-you-write-in-your-information-security-policy-according-to-iso-27001","status":"publish","type":"post","link":"https:\/\/staging.advisera.com\/27001academy\/blog\/2016\/05\/30\/what-should-you-write-in-your-information-security-policy-according-to-iso-27001\/","title":{"rendered":"What is the ISO 27001 Information Security Policy, and how can you write it yourself?"},"content":{"rendered":"<p><em>Update 2022-04-08.<\/em><\/p>\n<p>The content of an <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=management-system&amp;doc=information-security-policy\" target=\"_blank\" rel=\"noopener\">Information Security Policy<\/a> is certainly one of the biggest myths related to <a href=\"https:\/\/staging.advisera.com\/27001academy\/what-is-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001<\/a> \u2013 very often, the purpose of this document is misunderstood, and in many cases, people tend to think they need to write everything about their security in this document.<\/p>\n<p>Well, this is not what ISO 27001 requires. So, let\u2019s see what this is all about. 
(See also: <a href=\"https:\/\/staging.advisera.com\/27001academy\/blog\/2011\/01\/24\/5-greatest-myths-about-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">5 greatest myths about ISO 27001<\/a>)<\/p>\n<div class=\"post-featured\">\n<div class=\"post-featured--title\">Content of a top-level ISO 27001 <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=management-system&amp;doc=information-security-policy\" target=\"_blank\" rel=\"noopener\">Information Security Policy<\/a><\/div>\n<div class=\"post-featured--content\">\n<ul>\n<li>objectives: the general and specific objectives to be achieved by information security<\/li>\n<li>requirements section: reference to legal, statutory, and contractual requirements that must be fulfilled<\/li>\n<li>risk management: reference to the process to select the information security controls<\/li>\n<li>responsibilities: responsibilities for implementation, maintenance, and reporting of ISMS performance<\/li>\n<li>communication: to whom this policy needs to be communicated<\/li>\n<li>support: commitment of resources to implement and improve information security<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<h2>What is the Information Security Policy according to ISO 27001?<\/h2>\n<p>The ISO 27001 <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=management-system&amp;doc=information-security-policy\" target=\"_blank\" rel=\"noopener\">Information Security Policy<\/a> is a mandatory document used to define the leadership and commitment of an organization\u2019s top management to the Information Security Management System (ISMS).<\/p>\n<h2>The purpose of the Information Security Policy<\/h2>\n<p>In many cases, executives have no idea how information security can help their organization, so the main purpose of the policy is for top management to define what it wants to achieve with information security.<\/p>\n<p>The second purpose is to 
create a document that the executives will find easy to understand, and with which they will be able to control everything that is happening within the ISMS \u2013 they don\u2019t need to know the details of, say, risk assessment, access control management, or backup copies, but they do need to know who is responsible for the ISMS, and what to expect from it.<\/p>\n<h2>What are the requirements for an ISO 27001 Information Security Policy?<\/h2>\n<p>ISO 27001 doesn\u2019t say much about the policy, but it does say the following:<\/p>\n<ul>\n<li>The policy needs to be adapted to the organization \u2013 this means you cannot simply copy the policy from a large manufacturing company and use it in a small IT company.<\/li>\n<li>It needs to define the framework for setting information security objectives \u2013 basically, the policy needs to define how the objectives are proposed, how they are approved, and how they are reviewed. 
See also: <a href=\"https:\/\/staging.advisera.com\/27001academy\/blog\/2012\/04\/10\/iso-27001-control-objectives-why-are-they-important\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001 control objectives \u2013 Why are they important?<\/a><\/li>\n<li>The policy must show the commitment of top management to fulfill the requirements of all interested parties, and to continually improve the ISMS \u2013 this is normally done through a statement within the policy.<\/li>\n<li>The policy must be communicated within the company, but also \u2013 where appropriate \u2013 to interested parties (e.g., customers and suppliers); best practice is to define who is responsible for such communication, and then that person is responsible for doing it continuously.<\/li>\n<li>The policy must be regularly reviewed (e.g., annually) \u2013 the owner of the policy should be defined, and this person is responsible for keeping the policy up to date.<\/li>\n<\/ul>\n<p><img decoding=\"async\" class=\"alignleft size-full wp-image-21549\" src=\"\/wp-content\/uploads\/\/sites\/5\/2016\/05\/is-policy-iso-27001.jpg\" alt=\"ISO 27001 Information Security Policy \u2013 How to write it yourself\" width=\"1000\" height=\"628\" srcset=\"\/wp-content\/uploads\/sites\/5\/2016\/05\/is-policy-iso-27001.jpg 1000w, \/wp-content\/uploads\/sites\/5\/2016\/05\/is-policy-iso-27001-300x188.jpg 300w, \/wp-content\/uploads\/sites\/5\/2016\/05\/is-policy-iso-27001-768x482.jpg 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/p>\n<h2>ISO 27001 information security framework to use in the policy<\/h2>\n<p>You can go a step beyond the ISO 27001 requirements and define the basic ISO 27001 information security framework in your top-level Information Security Policy. 
The framework can include the following elements:<\/p>\n<ul>\n<li>objectives: the general and specific objectives to be achieved by information security<\/li>\n<li>requirements section: reference to legal, statutory, and contractual requirements that must be fulfilled<\/li>\n<li>risk management: reference to the process to select the information security controls<\/li>\n<li>responsibilities: responsibilities for implementation, maintenance, and reporting of ISMS performance<\/li>\n<li>communication: to whom this policy needs to be communicated<\/li>\n<li>support: commitment of resources to implement and improve information security<\/li>\n<\/ul>\n<p>Although it is not mandatory, if you are a smaller company, you may also include the following (for larger companies, these issues are usually documented separately):<\/p>\n<ul>\n<li><strong>The scope<\/strong><strong> of the ISMS<\/strong> \u2013 this way the\u00a0scope\u00a0doesn\u2019t have to exist as a separate document.<\/li>\n<li><strong>Measurement<\/strong> \u2013 who will measure whether the information security objectives have been achieved, to whom the results need to be reported, how often, etc. (See also: <a href=\"https:\/\/staging.advisera.com\/27001academy\/blog\/2015\/06\/08\/how-to-perform-monitoring-and-measurement-in-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">How to perform monitoring and measurement in ISO 27001<\/a>)<\/li>\n<\/ul>\n<p>In some larger companies I\u2019ve seen the Information Security Policy merged with the Enterprise Risk Management Policy. 
Although this is not wrong, I think it is better to keep these policies as separate documents \u2013 the focus remains much clearer.<\/p>\n<p>In the example below, see what filling out the Information Security Policy in your company could look like when guided by the <a href=\"https:\/\/staging.advisera.com\/conformio\/\" target=\"_blank\" rel=\"noopener\">Conformio<\/a> document wizard, the leading ISO 27001 compliance software.<\/p>\n<p><img decoding=\"async\" class=\"alignleft size-full wp-image-78464\" src=\"\/wp-content\/uploads\/\/sites\/5\/2016\/05\/conformio-wizard.png\" alt=\"-\" width=\"1199\" height=\"897\" srcset=\"\/wp-content\/uploads\/sites\/5\/2016\/05\/conformio-wizard.png 1199w, \/wp-content\/uploads\/sites\/5\/2016\/05\/conformio-wizard-300x224.png 300w, \/wp-content\/uploads\/sites\/5\/2016\/05\/conformio-wizard-768x575.png 768w, \/wp-content\/uploads\/sites\/5\/2016\/05\/conformio-wizard-1024x766.png 1024w\" sizes=\"(max-width: 1199px) 100vw, 1199px\" \/><\/p>\n<h2>Inputs that are needed<\/h2>\n<p>There are a couple of inputs you have to take into account when writing the policy:<\/p>\n<ul>\n<li>Top management\u2019s intentions with information security \u2013 the best thing would be to schedule an interview with your CEO and go through all the elements of the policy; you might send him an email a couple of days before the meeting, so that he has time to think about it.<\/li>\n<li>Legislation and contractual requirements \u2013 your policy should reflect those.<\/li>\n<li>Existing system for setting objectives \u2013 if such a system exists, you should refer to it.<\/li>\n<\/ul>\n<h2>What is the role of security policies in ISO 27001?<\/h2>\n<p>As you saw in this article, the ISO 27001 Information Security Policy doesn\u2019t have to be a very lengthy document. And no, you don\u2019t have to include all the information security rules in this document. 
This will only make the document unnecessarily long and too complex to use and manage.<\/p>\n<p>To cover all other information security rules that will guide and help your company protect information, you should develop detailed policies like <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=information-security-controls&amp;doc=access-control-policy\" target=\"_blank\" rel=\"noopener\">Access Control Policy<\/a>, Classification Policy, Acceptable Use Policy, etc. See also the article <a href=\"https:\/\/staging.advisera.com\/27001academy\/blog\/2014\/11\/03\/how-to-structure-the-documents-for-iso-27001-annex-a-controls\/\" target=\"_blank\" rel=\"noopener\">How to structure the documents for ISO 27001 Annex A controls<\/a>.<\/p>\n<h2>Start looking at this policy in a different way<\/h2>\n<p>So the point is \u2013 the Information Security Policy should actually serve as the main link between your top management and your information security activities, especially because ISO 27001 requires management to ensure that the ISMS and its objectives are compatible with the strategic direction of the company (clause 5.2 of ISO 27001). Such a top-level policy is probably the best way to do this.<\/p>\n<p>So, you should keep this policy short and understandable for your top management. And please do not write lengthy documents of 80 pages trying to explain all the information security rules \u2013 this is the best way to create a document that no one will ever read.<\/p>\n<p><em>To get the templates for all mandatory documents and the most common non-mandatory documents, along with the wizard that helps you fill out those templates,\u00a0<\/em><a href=\"https:\/\/staging.advisera.com\/conformio\/\" target=\"_blank\" rel=\"noopener noreferrer\">sign up for a 14-day free trial<\/a><em> of Conformio, the leading ISO 27001 compliance software.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Update 2022-04-08. 
The content of an Information Security Policy is certainly one of the biggest myths related to ISO 27001 \u2013 very often, the purpose of this document is misunderstood, and in many cases, people tend to think they need to write everything about their security in this document. Well, this is not what ISO &#8230;<\/p>\n","protected":false},"author":26,"featured_media":21549,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[381,1902],"class_list":["post-9308","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-iso-27001","tag-information-security-policy-iso-27001"],"acf":[],"_links":{"self":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/9308","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/26"}],"replies":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=9308"}],"version-history":[{"count":2,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/9308\/revisions"}],"predecessor-version":[{"id":103877,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/9308\/revisions\/103877"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media\/21549"}],"wp:attachment":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=9308"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=9308"},{"taxonomy":"post_tag","embeddable":tru
e,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=9308"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}