The Information Security policy is an important and mandatory document for ISO 27001 implementation. Several organisations struggle with creating a useful information security policy. The process is often deemed way too complicated than it actually is. The key is to understand the purpose and requirement of the document as per ISO 27001.
Why is the information security policy needed?
The information security policy is a document that demonstrates the commitment of the top management to information security. It serves the important purpose of clearly defining the organisational goals with respect to information security. The policy needs to be useful in terms of defining the actions needed to manage the ISMS effectively and the responsibilities of the stakeholders in ISMS.
Perhaps the best way to sum up the purpose of the policy is to say that it needs to be a policy working in practice. Your customers and clients might want to see the information security policy and also verify whether it is backed by evidence of organisational practices in line with the policy. Hence, this document needs to be actionable and a useful reference to everyone in the company.
Do note that even though the policy is a mandatory requirement of ISO 27001, treating it as just a box to check is not recommended. Doing this will not solve any purpose and will be detrimental to the overall success of ISO 27001 implementation.
What does ISO 27001 expect from the information security policy?
As per Clause 5.2, ISO 27001 requires that an information security policy is established by the top management of an organisation. Below are the high-level requirements for the policy.
- The policy should be set according to the specific objectives and requirements of your organisation.
- The policy should have a statement that demonstrates the commitment of the top management to information security and its continuous improvement.
- The policy must define the persons responsible for communicating the contents of the policy to the relevant stakeholders.
- It needs to outline how the information security objectives are set, approved, and reviewed.
- The information security policy should have an assigned owner whose job is to review the policy and update it as required so that it remains a working document.
Further information to be included in the policy
You can include the following information in the policy.
- The information security objectives of the organisation as well as the relevant overall objectives
- Information about risk management in brief, specifically about the controls that are used
- Responsible persons for implementation, maintenance, review, and reporting of the safeguards being used
- How information security would be supported by making essential resources available
- References to legal and contractual requirements that are relevant to ISMS
The scope of the ISMS is not required to be included in the information security policy. However, for small businesses, it might make sense to include the scope in the information security policy. This also removes the need to maintain a separate document for the ISMS scope. Read more about defining the scope in The Best Way to Define the Scope in ISO 27001. The policy can also define who will be responsible for monitoring the performance of ISMS and the persons with whom the monitoring reports should be shared.
What to keep in mind while writing the policy?
Since the policy needs to demonstrate the commitment of the top management to effective ISMS, it is important that they are involved in setting the policy. A good way to get their insights for the police is to schedule interviews with members of the top management. You will also need to include legislative and contractual requirements for which you might need inputs from the senior executives and the legal department. If you have a system in place to define security objectives, it must be mentioned in the policy.
Final thoughts on the information security policy
While it is important to make the information security policy a useful document, it should not be very lengthy. A document that is too long will not be useful as a reference and a working document. It should be short and easy to understand. While writing the policy, you always need to keep in mind that the policy needs to connect the top management with the information security activities being carried out at the ground level.
Take a tour of the 6clicks platform and know more about how automation can make ISO27001 implementation easier.
Related useful resources
10 benefits of choosing ISO 27001 for information security
Statement of applicability in ISO 27001 – What is it and why does it matter?
How long should your Information Security policy be?