
How Long Should Your Information Security Policy Be?

Andrew Robinson Aug 05, 2022

An Information Security Policy sits at the centre of an organization's information security program. It is also a mandatory requirement for ISO 27001 certification (clause 5.2 of the standard).

Some companies spend a great deal of time packing every detail about information security into this one document, from high-level strategy down to granular best practices for individual users. Others treat the document as a box to tick: they take a ready-made template, fill in the blanks, and consider the job done.

Both approaches are wrong, and neither adds any real value to the company's information security program.

Why are these approaches wrong?

The purpose of an information security policy is to give top management an effective instrument for directing and controlling the company's Information Security Management System (ISMS). It should help them enforce information security internally and communicate the company's security commitments to clients, auditors, and partners.

Some companies make the policy exhaustive, covering a wide range of potential issues and use cases. Such a policy is impractical to implement, and a document that runs to 50 or more pages will not be consulted for day-to-day operational decisions.

Similarly, a policy created purely as a formality will not capture the organization's strategic view of information security. It ends up as one more document produced for the audit file and serves no other purpose.

How Long Should an Information Security Policy be?

For policy documents to be both informative and practical, ISO 27001 works with two levels of documents: the top-level policy required by clause 5.2, and the topic-specific policies beneath it that the Annex A controls expect.

  1. High-level documents such as the Information Security Policy should contain the below information in brief:
  • Principles of information security
  • Strategic intentions
  • Management commitment
  • Objectives of information security
  • Roles & responsibilities of stakeholders
  • Legal responsibilities
  • Framework of supporting policies

This high-level policy should ideally be between 2 to 5 pages.

  2. Detailed documents, each focused on a selected security area, should contain information such as:
  • Acceptable use of assets, including clear desk and clear screen rules
  • Access control, defining the levels of user access to confidential and sensitive information
  • Backup
  • Classification of all information that is stored or exchanged
  • Passwords
  • Mobile and remote access to information, etc.

Note that the content of the detailed policies depends on the risk assessment and the resulting risk treatment plan, which determine which controls need to be implemented (and are summarized in the Statement of Applicability). Each detailed policy is longer than the high-level policy and should be around 10 pages. If it grows much beyond that, it runs into the same problem of being too long to be usable.

Writing an effective Information Security Policy

Is it really worth spending significant time on the Information Security Policy? Yes.

As noted above, a policy document created only for the audit will not be useful, whereas a well-written one makes the company's ISMS far easier to control.

Here are the important elements of an Information Security Policy.

  1. Scope: Define the data, processes, networks, systems, users, etc. that the policy covers.
  2. Management objectives: State the objectives management commits to, including legal, contractual, and regulatory obligations.
  3. Context of other documents: Keep the policy consistent with the other directives and supplementary documents it sits alongside, and state how they relate.
  4. Classification of information: Require that all information be classified according to its level of confidentiality and sensitivity.
  5. Mandates: Document the security requirements for accessing information, for authentication, and so on.
  6. Consequences of non-compliance: State unambiguously what happens when the policy is not followed.

Below are the tips to write an effective Information Security Policy.

  • Write the policy with the intention of mitigating identified risks
  • Cover the end-to-end processes that information security relies on
  • Review and update the policy in line with changes in the business and in the threat landscape
  • Keep the policy enforceable and practical so that compliance is achievable
  • Keep the business goals in mind while writing the policy
  • Include, or reference, a security incident response plan

A well-drafted, regularly updated Information Security Policy is a valuable document for any company. Even if you cannot immediately quantify the benefits, you will in time see a reduction in security risk and a well-managed ISMS. You can read more about ISO 27001 certification in The Complete Guide to ISO 27001. If you are preparing for your first audit, read through the 9 Steps to Prepare for Your First ISO 27001 Audit.
