Cyber security policies 101 – information security policy

Information security policy

Cybersecurity and data protection can seem overwhelming. There’s a glut of advice on the internet, but it’s difficult to know where to start. At CyberSmart, we believe cybersecurity should be accessible and easy for everyone. So we’ve compiled a series of useful policies and procedures to help you find your way through the cyber-compliance jungle. This time, we’re looking at how to set up an information security policy.

We know policies aren’t exciting and few people enjoy reading or writing them. However, they are crucial for building a strong information security management system (ISMS). At CyberSmart we see them as guidelines that tell us what we can, should or shouldn’t do.

A few key points before we look at the information security policy:

1. Policies don’t have to be long or wordy.
2. You don’t need to have hundreds of policies; some can be combined, and others omitted.
3. Policies should say what you do, and then you should do what you say – in other words, policies should reflect the actual state of the ISMS.
4. Policies should be as unique as your business. Don’t just download a template and change the name. Think about every paragraph and how it applies to your business.
5. Policies should reflect your company culture, and someone should have clear ownership of them.

Information Security Policy

Purpose: To lay the foundation for the information security management system (ISMS). It should cover people, process and technology at a high level. It can sometimes be seen as a collection or summary of all the other policies a company has rolled out.

General: The information security policy might look something like the outline below. Its purpose is to define the management, personnel and technology structure of the ISMS.

A crucial part of this policy is to answer questions around responsibility: “Who is the single point of contact responsible for information security?” Is it the CEO or the IT manager, or do you need to appoint someone? It is also important to define the scope of the policy, i.e. whether it applies to the entire HQ in London or just a few departments at another office.

A. Purpose & Policy Aims

B. Scope

C. Information Security Responsibilities

D. Legislation

E. Policy Framework

  • Personnel Security
  • Asset Management
  • Access Management
  • Cyber Essentials

Once you have created your first draft – or downloaded our free version here (for companies who are already Cyber Essentials certified) – remember that the policy is never complete. It should be reviewed on a regular basis and updated to reflect any changes in the IT systems or the business.

If you have any questions around policies or Cyber Security in general or just want to have a chat, drop us a line at

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.
