
ISO27001 & The Information Security Policy

Clause 5.2 of ISO27001:2013 is all about your Information Security Management Policy, and it is pretty insistent that you have one; in fact, it's mandatory. That is a pretty good thing, since everything else in your entire Information Security Management System happens because of this policy, which makes sense if you think about it.

Policies sit at the top of your Management Systems. It doesn't matter whether it's 9001 for quality, 14001 for environmental, 27001 for information security or 45001 for Occupational Health & Safety: the policy is the top-level document that sets the tone and direction for every other part of your Management System. Flowing out from the policy you set will be objectives for you to meet; in order to meet these you need to set up procedures on how to do things, which then drives what other things you need, like forms, SOPs, training and of course records. Throughout all of these lower levels you should be able to trace the impact that the policy has on them. The reason for that is simple: the policy sets direction and needs to give a really clear vision of what you are trying to achieve with your Information Security Management System.

Elements of your ISMS Policy 

The clause itself has 7 points that you need to tick off and your auditor is going to be looking for them when they come to visit you.

a) Is appropriate to the purpose of the organisation

There is no point bringing in the policy you had at the last company, or creating a policy that an international organisation of 5000 people would be proud of, if you are a 50-person company. The policy has to be yours; it should mean something to your company, and it should be developed by you and a team. Typically, you would include the senior managers of your organisation, since they are going to be the people working with it. Remember, you want to implement your ISMS, not inflict it.

b) Includes information security objectives or provides the framework for setting information security Objectives.

I'm a fan of setting a framework rather than objectives; that way your policy needs less updating. That said, you do need to keep reviewing your policy to ensure that it is still valid. By creating a framework, however, you provide a great structure for objectives at every level of your organisation.

c) Includes a commitment to satisfy applicable requirements related to information security

This one seems rather obvious, doesn't it? Yet you would be surprised at the number of companies who forget that they need to think about what the applicable requirements are (these may be legal, corporate, industry and so forth).

d) Includes a commitment to continual improvement of the information security management system

The theme of continuous improvement runs through all ISO Management Systems. Remembering that this policy sets the tone of your entire ISMS, creating an expectation of continuous improvement in the top-level policy is important. Setting up ongoing reviews, and changing things as you need to when you find a better way of working, just makes sense.

e) Be available as Documented Information

This means you do have to write it down, which again seems like an obvious and smart thing to do, yet many try not to. The standard makes it explicit that you need to make it available as documented information. That means it needs to be written down, but it also means that it has to be accessible by those who need to know about it, so you can't hide it away in a dusty folder on the top shelf in a dark room in the basement, only to be brought out for the auditor.

f) Be communicated within the Organisation

Much in line with what we just said, you cannot hide it away. What is the point of having a policy and then not telling anyone about it? How do you expect it to be followed and implemented if it is a secret? The standard expects you to roll it out properly, which means you need to train people on what the policy means. If you cast your eye back up a bit, we mentioned that you needed to involve your senior management in the development; this is where it comes in handy, as they also get to ensure that it is communicated to the organisation. That's made a lot easier if they have had input to the policy and have bought into it.

g) Be available to Interested Parties, as appropriate

Again, this means you must be able to provide the policy to interested parties, e.g. auditors, customers, suppliers, employees, banks, or investors. The qualifier, however, is 'as appropriate', which means there will be some people to whom you should not make your policy available; that is for you to decide.

Policy Mistakes 

There are a range of things that can go wrong when creating your policy. When you have a policy that just doesn't work for the organisation, it's going to have some pretty big impacts further down the system. Typical examples are when you create a policy that just isn't right for your company, or you create a policy without gaining any input from the users, and the result is an ISMS policy that actually cripples your organisation rather than helps it.

Another mistake is creating a process instead of a policy, i.e. a document that tells you how to do things. That's not the point of the policy; remember, it's a top-level vision, not a detailed step-by-step document.

Then of course you have the obvious things: not communicating it to the employees, making it way too complex by stuffing it with clauses and buzzwords, and the typical one where top management are really not committed to it, or believe that it is applicable to the rest of the organisation but not to them.


Creating your policy is a critical part of your Information Security Management Policy; it's going to set the tone for everything else, so if you get it wrong there will be problems. Ensure that you involve management in developing it, so that they can get behind it and help roll it out to the rest of the organisation. Once you have it finalised, ensure everyone is aware of it and that it is available to those who need to know about it (hint: all of your employees are in this group!). Keep it clear and avoid buzzwords, remembering that you are trying to communicate a structure and a framework that can be used to develop the ISMS objectives. Finally, remember that all-important continuous improvement requirement by continuously looking at your policy and asking, "how can we make it better?"

© Many Caps Consulting Ltd | All Rights Reserved
Wednesday, 30 September 2020