What Should an ISO 27001 Information Security Policy Include?

ISO 27001 is the information security management standard used worldwide by businesses and organisations of every size and type. First published in 2005, it was developed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), which is why its full title is ISO/IEC 27001. The standard's main purpose is to help organisations keep their information assets secure, and a key part of its framework is the information security policy: Clause 5.2 of the standard requires the top management of any organisation implementing ISO 27001 to establish one.

What to consider when developing your information security policy

There are several elements to consider when creating a security policy for your organisation.

Build the policy around what you do

Firstly, recognise that the policy must be written for your business and your business alone. This may sound obvious, but if you're unsure where to begin, it is very tempting to borrow a policy written for a company of an entirely different size and type. A borrowed policy describes someone else's scope, assets and risks rather than your own, so it will not reflect what your management system actually has to protect.

Decide on your objectives

Next, think about what you want your information security management system (ISMS) to achieve. What makes sense for your business? What is currently lacking? Do not restrict this to computer, phone and internet requirements; information held on paper and in other forms must also be secured. Once you have set out your goals for the system, you can state them in the policy, or at least use the policy to set the framework within which more specific information security objectives will be defined.

Identify who will be responsible for the system

The policy should also show a clear commitment to its aims and to the elements included within it. For instance, it should identify the people whose job it is to make sure the aims of the information security management system are met. In a small business this could be you; in a larger organisation it could be several people on the management board. Either way, naming these roles in the document makes ownership clear and keeps everything in order.

Review what you do and look for improvements

Plan ongoing reviews of the security policy from the outset. Decide how often you want to review it, and be prepared to adjust the interval if that helps. For example, a small business may find that reviewing it once a month is too much, while a large multinational may find the same interval is not often enough. Whatever interval you choose, review the policy at planned intervals and also whenever a significant change occurs, such as a new line of business, a reorganisation or a security incident.

Keep the policy strategic

Finally, make sure the document isn't too wordy. ISO 27001 allows other, topic-specific documents to go into greater detail on particular subjects, such as acceptable use of information. Think of the policy as an overview of your information security management system: how it should work, the goals you want to achieve, and the need to monitor results and take ownership of it. Bear in mind that the policy has to be communicated within the organisation and made available to interested parties where appropriate, so it needs to be short enough that people actually read it.

Don’t procrastinate… it’s important to make a start and then keep on track

Creating an information security policy can be challenging at first, but if it is done properly it becomes far easier to stay on track with the implementation of the rest of the system.

World-class ISO 27001 information security frameworks

Quality Management Systems deliver a comprehensive range of world-class management systems including the development and implementation of ISO 27001 based information security frameworks, auditing, training and software solutions to organisations wishing to improve their data security protocols, build resilience, safeguard business-critical information, and achieve ISO 27001 certification quickly and efficiently.

If you would like to learn more about our information security management systems, and how we can help you develop world-class information security processes, please get in touch today.
