The implementation of an ISO 27001-conformant information security management system (ISMS) can seem somewhat daunting, and, particularly in light of all the mandatory clauses and controls, it can be difficult to know where to start and what to prioritise. For many organisations, the creation of an information security policy is one of the most effective ways to begin this process.
Having an information security policy in place is a mandatory requirement of the Standard, with Clause 5.2 of ISO 27001:2022 stating that ‘Top management shall establish an information security policy’, and Annex A Control 5.1 (Policies for information security) stating ‘Information security policy and topic specific policies shall be defined’. As such, it is made clear by the Standard that creating and implementing security policies, especially an information security policy, is extremely important.
What is an ISO 27001 Information Security Policy?
The information security policy is a central component of the ISMS; it provides a high-level view of what your organisation does in respect of protecting its data and assets by documenting what is expected and who has responsibility for information security. It is important to ensure the policy is appropriate for your organisation and the policy can, therefore, be tailored to your organisation’s needs. For example, you may benefit from the policy focusing on specific areas, such as customer data, or may need it to extend across the entire organisation. An information security policy can be developed to meet the needs of any size of organisation, operating in any sector, but what will you need need to include when looking to implement an effective policy that is appropriate for your organisation and meets the requirements of ISO 27001?
What to Include in Your ISO 27001 Information Security Policy
Clause 5.2 of the Standard provides a useful list of elements that a conformant information security policy should include. One such element is a consideration of current and upcoming legislations and regulations that are relevant to information security and the organisation, such as the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018.
An effective and conformant information security policy should also satisfy the following key requirements:
The purpose of the information security policy is to set out why it is needed and what the priorities are. The policy needs to be aligned with your organisation’s existing goals and strategy, for instance the policy could be aligned with a goal to protect customers’ data or aligned to a strategy to reduce information security risks and incidents.
The information security policy should include your organisation’s information security objectives or provide a framework for setting these objectives. The majority of organisations URM works with reference high-level objectives within their policies. These high-level objectives are aligned to 3 key foundational principles of information security: Confidentiality, Integrity and Availability (to learn more about these principles, read our blog on What is the CIA Triad? Confidentiality, Integrity and Availability Explained). Some organisations choose to include a complete list of their information security objectives, however many instead decide to just include the framework for setting their objectives. Generally, this simply involves stating that objectives are reviewed and set annually during a management review or senior leadership meetings, and that the objectives are monitored regularly, e.g., monthly or quarterly. Using the statement for setting objective helps with producing and delivering a concise yet effective information security policy.
Another requirement for the information security policy is a commitment to continual improvement of the ISMS, which is often included as a statement in the policy. However, it’s important to keep in mind that continual improvement will be checked during internal and external audits, and should also be an agenda item for management review. Some organisations may choose to add more detail here, and state how continual improvement is embedded in the ISMS. Usually, this will be via regular internal audits, analysis and review of audit findings and recorded incidents, or employee consultation to identify areas to improve the ISMS and increase its effectiveness.
How Long Should an ISO 27001 Information Security Policy Be?
Generally, we would recommend creating a high-level information security policy that is no longer than a couple of pages, and, where appropriate, includes links to more detailed, topic-specific policies. Your information security policy needs to be as accessible as possible and read by everyone in your organisation, and a lengthy, highly detailed policy will be at risk of not being read.
The information security policy will also, generally, be reviewed and approved by top management (e.g., the CEO, the Board, or similar). Meanwhile, topic-specific policies are typically owned, reviewed and approved by managers that sit at the departmental level (e.g., a cryptography policy would be owned and approved by an IT director or similar, an HR security policy by an HR director, and so on). If the information security policy includes detail that would normally be in those supporting policies, then any time they are updated or changed, the information security policy will need to be reviewed and approved by the CEO. CEOs may not understand the technical elements that are usually included in topic-specific policies, and, therefore, may not feel knowledgeable to perform such a review. They are also unlikely to have the time to continuously review policy documents. As such, the information security policy should be written in such a way that it does not need to be changed or updated very often.
Documenting and Communicating an ISO 27001 Information Security Policy
The information security policy must be available as documented information. Most of URM’s clients choose to have an electronic version of the policy located in the ISMS which is available to all employees. Displaying the policy around the business on notice boards or in entrance lobbies/reception areas is becoming less common, however this is still an effective means of meeting this requirement.
The policy must also be communicated within your organisation, and an effective way to achieve this is to include the information security policy in all new employee induction/onboarding processes, and to also regularly (at least annually) re-communicate it to existing employees to ensure they remain aware and understand the importance of the policy.
Finally, you will need to consider who the audience of the information security policy is, and whether it can it be made available to your organisation’s and ISMS’ interested parties. Here, it’s important to understand who the policy applies to; it will, of course, apply to employees, but if your organisation works with other suppliers or third parties, such as a cloud provider or IT provider, then it is likely that certain processes and policies will need to be applied to them too. Some organisations create a ‘sanitised’ version of their information security policy that is provided to interested parties upon request, or available via its website as publicly available information. Alongside this externally facing version of the policy, there will also be a more organisation-specific policy for internal use only. Both approaches are acceptable; your organisation will simply need to decide which is more appropriate for its specific needs and requirements.
Closing Thoughts
Establishing, documenting and communicating an information security policy is a mandatory requirement for conformance or certification to ISO 27001. However, beyond this, an effective policy will enable you to define and communicate your expectations for information security to all members of your organisation (and, where applicable, to relevant external parties), helping you to develop an information security conscious culture and avoid unauthorised disclosures of information.
How URM can Help?
Having supported over 400 organisations to achieve and maintain ISO 27001 certification over the course of nearly 2 decades, URM is ideally positioned to assist you in the development, implementation, and maintenance of a robust ISMS. Our ISO 27001 consultants are experts in the information security field and can support you through each stage of establishing the ISMS, including with the development of an information security policy that meets the requirements of the Standard. Meanwhile, at the beginning of the ISO 27001 implementation process, we can conduct a gap analysis of your current security practices against the requirements for conformance to determine both where you are already aligned with the Standard and any areas for improvement. Using our proven risk assessment tool, Abriska 27001, we can also help you conduct your risk assessment, identifying potential threats to your information assets as well as the likelihood of them occurring. Following the risk assessment, we will work with you to develop and implement policies, processes and ISMS infrastructure which will not only enable you to achieve conformance, but that are also appropriate for your organisation’s unique style, culture, and needs.
Once your ISMS has been implemented, our consultants can conduct an ISO 27001 internal audit on your behalf to ensure it is functioning effectively ahead of any certification assessments. URM can also offer your organisation a range of outsourced audit services, from planning and implementing a full 3-year ISO 27001 audit programme, to conducting more specific audits against any aspect of the ISMS or particular controls as required.
If your organisation has received a request for a SOC 2 report and is looking to meet all the necessary requirements, URM can offer you informed guidance and practical support.
URM can help you achieve ISO 27001 certification
URM can provide a range of ISO 27002:2022 transition services including conducting a gap analysis, supporting you with risk assessment and treatment activities as well as delivering a 2-day transition training course.
Following the publication of ISO/IEC 27001:2022 on 25 October 2022, this blog will provide you with our high-level analysis of the key changes.
If your organisation is looking to transition to ISO 27001:2022, URM’s blog provides practical and invaluable guidance on meeting the new requirements.
URM’s blog discusses how to develop and implement an information security policy that fully conforms to both your organisation’s and ISO 27001 requirements.