Information security policy template and tips

Ask the Expert

Information security policy template and tips

I've been assigned to write an enterprise security standard. Where do I start, what is the procedure, and what are some common mistakes?

Continue Reading This Article

Enjoy this article as well as all of our content, including E-Guides, news, tips and more.
  • By submitting your personal information, you agree to receive emails regarding relevant products and special offers from TechTarget and its partners. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

  • Safe Harbor

I assume that you mean how to write a security policy. One of the key controls in ISO 27001, a technology-neutral information security standard, is having an organisational security policy endorsed by senior management. In my experience, if you want to get senior management to sign something that the whole organisation can see, it's best to keep it short! It should cover the organisation's commitment to security, including who is responsible for infosec tasks. The security policy should also provide a pointer to more detailed documentation and guidance, and cover the key security requirements that the organisation is going to meet, like the Data Protection Act, for example.

Beyond that, policy documentation is very specific to the organisation. I do not believe that one set of documentation fits all organisations, but the security policies and procedures need to fit the organisation's culture if they are going to have any effect.

However you decide to frame the security policy template, here are key questions that you need to consider:


  • What are your security objectives, and how do you measure them?
  • What types of information do you handle, and how do the different types of information need to be protected?
  • How do you assess risks and select security controls?
  • How do you manage and report incidents, and learn from them?
  • Who is responsible for security?
  • What is acceptable employee use for Internet, email and other communication channels?

More tips and information security policy templates

This was first published in October 2009


COMMENTS powered by Disqus  //  Commenting policy