What is an Information Security Policy in ISO 27001?
Overview
An Information Security Policy is a high-level documented statement that defines your organization's commitment to information security and provides strategic direction for the ISMS. Required by ISO 27001:2022 Clause 5.2, it is approved by top management and serves as the foundation for all security policies, procedures, and controls.
This policy demonstrates leadership commitment and sets the tone for your organization's security culture.
Information Security Policy in Practice
ISO 27001:2022 Clause 5.2 requires top management to establish an information security policy that:
Is appropriate to the purpose of the organization
Includes information security objectives or provides the framework for setting them
Includes a commitment to satisfy applicable information security requirements
Includes a commitment to continual improvement of the ISMS
The policy must be documented, communicated within the organization, and made available to interested parties as appropriate.
The Information Security Policy is a strategic document, not a detailed procedure. It sets direction; specific controls and processes are defined in supporting policies and procedures.
Required Elements
1. Organizational Context and Purpose
The policy should reflect your organization's business objectives, industry, and risk environment.
Example: "As a healthcare provider handling sensitive patient data, [Organization] is committed to protecting the confidentiality, integrity, and availability of health information in compliance with HIPAA and industry best practices."
2. Information Security Objectives Framework
Either state specific objectives or provide the framework for defining them.
Example: "We will maintain ISO 27001 certification, achieve 99.9% system availability, and respond to security incidents within 4 hours."
3. Commitment to Applicable Requirements
Reference legal, regulatory, and contractual obligations you must meet.
Example: "We commit to compliance with GDPR, SOC 2 Type II requirements, and customer contractual security obligations."
4. Commitment to Continual Improvement
State your dedication to ongoing enhancement of the ISMS.
Example: "We will continuously improve our information security practices through regular risk assessments, internal audits, and management reviews."
The policy must be approved and signed by top management (CEO, Managing Director, or equivalent). Delegation to lower levels results in a non-conformity.
Structure and Content
While ISO 27001:2022 doesn't mandate a specific format, effective policies typically include:
Header Section
Document title and version
Approval authority and signature
Effective date and review cycle
Purpose and Scope
Why the policy exists
What it covers (aligned with ISMS scope from Clause 4.3)
Who it applies to (employees, contractors, partners)
Policy Statements
Core information security principles
Roles and responsibilities at a high level
Framework for objectives
Commitments to requirements and improvement
Related Documents
References to supporting policies (e.g., Acceptable Use, Access Control, Incident Response)
Link to risk assessment and treatment processes
Keep the Information Security Policy concise (typically 2-4 pages). Detailed rules belong in supporting policies and procedures, not the top-level policy.
Communication Requirements
Clause 5.2 requires the policy to be:
Documented: Maintained as controlled information
Communicated: Made available to all personnel, for example through training, the intranet, or employee handbooks
Available to interested parties: Shared with customers, auditors, and regulators as needed (this may be a public version or a confidential one)
Example communication methods:
Include in employee onboarding training
Publish on company intranet
Reference in employment contracts
Provide to customers during security questionnaires
Review and Maintenance
The policy should be reviewed and updated:
At planned intervals (annually is common practice)
When significant changes occur (mergers, new regulations, major incidents)
As part of management review (Clause 9.3)
Following internal or external audit findings
Use ISMS Copilot to generate a draft Information Security Policy tailored to your industry, organizational context, and compliance requirements. The tool can suggest appropriate objectives and commitment language.
Supporting Policies vs. Information Security Policy
The Information Security Policy is the top-level strategic document. Supporting policies provide detailed requirements for specific areas:
Information Security Policy (Clause 5.2): High-level commitment and direction
Access Control Policy: Details authentication, authorization, privilege management
Acceptable Use Policy: Defines permitted use of IT resources
Incident Response Policy: Specifies incident handling procedures
Business Continuity Policy: Addresses availability and recovery
Common Mistakes to Avoid
Making the policy too technical or detailed (should be strategic)
Not obtaining top management approval and signature
Failing to communicate the policy to all employees
Setting objectives that aren't measurable or achievable
Not reviewing the policy regularly
Copying generic templates without customizing to your organization
Example Policy Statement
"[Organization Name] is committed to protecting the confidentiality, integrity, and availability of information assets critical to our business operations and customer trust. This Information Security Policy establishes our framework for identifying, assessing, and managing information security risks in accordance with ISO 27001:2022 and applicable regulatory requirements including GDPR and SOC 2. We are committed to continual improvement of our ISMS through regular risk assessments, internal audits, management reviews, and corrective actions."
Related Terms
ISMS – Governed by the Information Security Policy
Interested Parties – Policy made available to relevant stakeholders
CIA Triad – Core principles typically referenced in policy
Management Review – Reviews policy effectiveness and updates