What is an information security policy?

An information security policy – also known as an IT policy – is a fundamental component of an organisation’s information security efforts. Here's what it involves, and how to create one.

Publication date:
9/7/24
Gry Josefine Løvgren
Content Specialist

Gry Josefine Løvgren is a content specialist at Wired Relations, where she shares knowledge about GRC, data protection and cybersecurity on our blog and social media. With a journalism degree from Roskilde Universitet and solid experience, she makes complex topics both engaging and easy to understand.


An information security policy serves as the foundation for managing information security within the organisation.

The purpose of the policy is to establish a shared understanding of what information security entails, and to define objectives and responsibilities in relation to this work. In short, it outlines how the organisation protects sensitive information and data assets from security threats.

Ideally, the policy should align with ISO 27001, the international management system standard for information security. The policy requirement is set out in Clause 5.2, which states that “Top management shall establish an information security policy” that:

  • Is appropriate to the purpose of the organisation

  • Includes information security objectives, or a framework for setting them

  • Includes a commitment to satisfy applicable requirements and to continually improve the management system

  • Is available as documented information (in practice: written down and approved by top management)

  • Is communicated within the organisation and made available to interested parties as appropriate

In addition, Annex A control 5.1 expects the policy to be reviewed at planned intervals and whenever significant changes occur, so build a review cycle into the document from the start.

What should an information security policy cover?

An information security policy – or IT policy – should cover several key areas such as objectives and responsibilities. Below are elements that are sensible to include:

Purpose
Set out a simple and concise aim, such as establishing the framework for the organisation’s information security work.

Definitions
Clarify the key terms used in the policy – for example, what is meant by "information security" and "data".

Target audience
The target audience will typically be all employees within the organisation.

Objectives
This section is crucial, as it outlines the organisation’s goals. Objectives might include achieving specific certifications, fostering a strong culture of information security in the workplace, or adopting a risk-based approach.

Objectives are usually grounded in the core principles of information security: confidentiality, integrity, and availability.

What matters most is to define objectives that are both clear and realistic for the organisation to achieve.

Responsibilities
To ensure compliance with the policy, responsibilities must be assigned across the organisation.

Management holds overall responsibility for ensuring that the company meets the objectives set out in the policy, while day-to-day management of information security typically lies with the organisation’s internal compliance team in collaboration with the IT department.

There may also be designated system owners who assist the compliance team in matters related to specific systems.

Each employee is responsible for following the guidelines set out in the policy and must also report any breaches – or suspected breaches – of information security to management.

Follow-up
Specify how often the contents of the policy and the overall security level are to be reviewed, and by whom.

Breaches
Define the consequences of any breaches of the policy.

Exceptions
Exceptions may be granted by management, but deviations from the policy should be avoided wherever possible. Where an exception is unavoidable, record it: who approved it, the risk it introduces, any compensating measures, and an expiry date after which it must be re-evaluated. Undocumented, open-ended exceptions quietly become the real policy.

Supporting guidelines, policies, and procedures
State which additional documents are derived from the policy.

Documentation
Mention that the organisation documents its information security efforts and compliance with data protection regulations.

Contact
Specify who within the organisation should be contacted with questions about information security.
