Organisations that are serious about preventing data breaches must create an information security policy.
Such policies contain a list of guidelines on how to handle the various incidents that might result in data breaches.
Ideally, your information security policy should be written in line with ISO 27001, the international standard for information security. The Standard provides comprehensive advice on the issues you must address.
In this blog, we take a look at how you can get started creating your information security policy.
What should your information security policy contain?
Every organisation is structured differently and has its own requirements. That said, there will be some similarities across all information security policies.
For example, the policy must address the information security objectives, including how they are proposed, approved and reviewed.
It should also include a framework for setting its objectives; consider all relevant business, legal, regulatory and contractual security requirements; improve the strategic context within which the ISMS will be established; and understand the criteria for the evaluation of risk and its structure.
Additionally, the policy must answer the ‘who’, ‘what’ and ‘where’ of information security. That is to say:
- Who? The board and management must be united on the ISMS. The policy statement must be debated, agreed and published under their authority and in the form of written minutes.
- Where? Identify clearly all the parts of your organisation where the policy is going to apply.
- What? The statement that the board and management “are committed to preserving the confidentiality, integrity and availability of information”.
How to create an information security policy
Although information security policies must be unique to each organisation, the similarity with which they can be structured means that it’s possible to develop yours with the help of a policy document.
That’s where our ISO 27001 Toolkit comes in handy. Created by expert practitioners, this framework contains everything you need to develop an information security policy in line with the requirements of ISO 27001, the international standard for information security management.
It comprises a comprehensive set of documentation templates containing every ISO 27001-compliant policy, procedure, work instruction and record you need.
Using this will not only ensure that your policy covers everything you need, but will also save you months of work.
A version of this blog was originally published on 15 May 2018.
*** This is a Security Bloggers Network syndicated blog from Vigilant Software – Compliance Software Blog authored by Ingrid Then-Guiraut. Read the original post at: https://www.vigilantsoftware.co.uk/blog/how-to-create-an-information-security-policy-for-iso-27001