What should you write in your Information Security Policy according to ISO 27001?
The content of an Information Security Policy is certainly one of the biggest myths related to ISO 27001 – very often the purpose of this document is misunderstood, and in many cases people tend to think they need to write everything about their security in this document.
Well, this is not what ISO 27001 requires. So, let’s see what this is all about. (See also: 5 greatest myths about ISO 27001)
The purpose of the Information Security Policy
In many cases, the executives have no idea how information security can help their organization, so the main purpose of the policy is for top management to define what it wants to achieve with information security.
The second purpose is to create a document that the executives will find easy to understand, and with which they will be able to control everything that is happening within the ISMS – they don’t need to know the details of, say, risk assessment, but they do need to know who is responsible for the ISMS, and what to expect from it.
What should the Information Security Policy contain?
ISO 27001 doesn’t say too much about the policy, but it does say the following:
- The policy needs to be adapted to the organization – this means you cannot simply copy the policy from a large manufacturing company and use it in a small IT company.
- It needs to define the framework for setting information security objectives – basically, the policy needs to define how the objectives are proposed, how they are approved, and how they are reviewed. See also: ISO 27001 control objectives – Why are they important?
- The policy must show the commitment of top management to fulfill the requirements of all interested parties, and to continually improve the ISMS – this is normally done through a short statement within the policy.
- The policy must be communicated within the company, but also – where appropriate – to interested parties; best practice is to define who is responsible for such communication, and then that person is responsible for doing it continuously.
- The policy must be regularly reviewed – an owner of a policy should be defined, and this person is responsible for keeping the policy up to date.
So, as you can see, the policy doesn’t have to be a very lengthy document. And no, you don’t have to include all the information security rules in this document – for that purpose you’ll write detailed policies like Access Control Policy, Classification Policy, Acceptable Use Policy, etc. See also: How to structure the documents for ISO 27001 Annex A controls.
What you can also include
Although it is not mandatory, if you are a smaller company you may also include the following (for larger companies, these issues are usually documented separately):
- The scope of the ISMS – this way the scope doesn’t have to exist as a separate document.
- Responsibilities for key parts of the ISMS – e.g., who is responsible for the day-to-day operations and coordination, who is responsible on the executive level, who is responsible for risk assessment, for incidents, for internal audits, etc.
- Measurement – who will measure whether the information security objectives have been achieved, to whom the results need to be reported, how often, etc. (See also: How to perform monitoring and measurement in ISO 27001)
In some larger companies I’ve seen the Information Security Policy merge with the Enterprise Risk Management Policy. Although this is not wrong, I think it is better to keep these policies as separate documents – the focus remains much clearer.
Inputs that are needed
There are a couple of inputs you have to take into account when writing the policy:
- Top management’s intentions with information security – the best thing would be to schedule an interview with your CEO and go through all the elements of the policy; you might send him an email a couple of days before the meeting, so that he has time to think about it.
- Legislation and contractual requirements – your policy should reflect those.
- Existing system for setting objectives – if such a system exists, you should refer to it.
Start looking at this policy in a different way
So the point is – the Information Security Policy should actually serve as the main link between your top management and your information security activities, especially because ISO 27001 requires the management to ensure that the ISMS and its objectives are compatible with the strategic direction of the company (clause 5.2 of ISO 27001). The policy is probably the best way to do this.
So, you should keep this policy short and understandable for your top management. And please do not write lengthy documents of 80 pages trying to explain all the information security rules – this is the best way to create a document that no one will ever read.