The Information Security policy is an important and mandatory document for ISO 27001 implementation. Several organisations struggle with creating a useful information security policy. The process is often considered far more complicated than it actually is. The key is to understand the purpose and requirements of the document as set out in ISO 27001.
The information security policy is a document that demonstrates the commitment of the top management to information security. It serves the important purpose of clearly defining the organisational goals with respect to information security. The policy needs to be useful in terms of defining the actions needed to manage the ISMS effectively and the responsibilities of the stakeholders in ISMS.
Perhaps the best way to sum up the purpose of the policy is to say that it needs to be a policy working in practice. Your customers and clients might want to see the information security policy and also verify whether it is backed by evidence of organisational practices in line with the policy. Hence, this document needs to be actionable and a useful reference to everyone in the company.
Do note that even though the policy is a mandatory requirement of ISO 27001, treating it as just a box to check is not recommended. Doing this serves no purpose and will be detrimental to the overall success of the ISO 27001 implementation.
As per Clause 5.2, ISO 27001 requires that an information security policy is established by the top management of an organisation. Below are the high-level requirements for the policy.
You can include the following information in the policy.
The scope of the ISMS is not required to be included in the information security policy. However, for small businesses, it might make sense to include the scope in the information security policy. This also removes the need to maintain a separate document for the ISMS scope. Read more about defining the scope in The Best Way to Define the Scope in ISO 27001. The policy can also define who will be responsible for monitoring the performance of ISMS and the persons with whom the monitoring reports should be shared.
Since the policy needs to demonstrate the commitment of the top management to an effective ISMS, it is important that they are involved in setting the policy. A good way to get their insights for the policy is to schedule interviews with members of the top management. You will also need to include legislative and contractual requirements, for which you might need input from the senior executives and the legal department. If you have a system in place to define security objectives, it must be mentioned in the policy.
While it is important to make the information security policy a useful document, it should not be lengthy. A document that is too long will not be useful as a reference and working document. It should be short and easy to understand. While writing the policy, you always need to keep in mind that the policy needs to connect the top management with the information security activities being carried out at the ground level.