Information security policy template and tips

Information governance expert Neil O'Connor reviews the key considerations that must be made before framing an information security policy.

I've been assigned to write an enterprise security standard. Where do I start, what is the procedure, and what are some common mistakes?

I assume that you mean how to write a security policy. One of the key controls in ISO 27001, a technology-neutral information security standard, is having an organisational security policy endorsed by senior management. In my experience, if you want to get senior management to sign something that the whole organisation can see, it's best to keep it short! It should cover the organisation's commitment to security, including who is responsible for infosec tasks. The security policy should also provide a pointer to more detailed documentation and guidance, and cover the key security requirements that the organisation is going to meet, like the Data Protection Act, for example.

Beyond that, policy documentation is very specific to the organisation. I do not believe that one set of documentation fits all organisations, but the security policies and procedures need to fit the organisation's culture if they are going to have any effect.

However you decide to frame the security policy template, here are key questions that you need to consider:


  • What are your security objectives, and how do you measure them?
  • What types of information do you handle, and how do the different types of information need to be protected?
  • How do you assess risks and select security controls?
  • How do you manage and report incidents, and learn from them?
  • Who is responsible for security?
  • What is acceptable employee use for Internet, email and other communication channels?

More tips and information security policy templates

  • Gathering and documenting your Windows desktop security policies
  • How to refine an enterprise database security policy

Read more on Security policy and user awareness