Free preview: Information Security Policy
These are the genuine opening sections of one document from the ISO 27001 Complete Toolkit (24 documents total). The bracketed [placeholders], highlighted in amber on the site, are what you customize; everything else is ready to use.
Information Security Policy
Purpose. This policy establishes the top-level mandate for protecting the confidentiality, integrity, and availability of information at [Company Name]. It records leadership's commitment to the information security management system (ISMS), defines the security principles and measurable objectives that direct every subordinate policy and procedure, and explains how exceptions are requested, approved, and reviewed. It exists so that staff, customers, and auditors can see what [Company Name] promises to do about information security and how that promise is enforced.
Leadership Commitment and Mandate
Executive management of [Company Name] directs that an information security management system be established, operated, and continually improved in line with ISO/IEC 27001:2022. The [Role, e.g. Chief Executive Officer] is the executive sponsor of the ISMS and approves this policy. The [Role, e.g. Information Security Lead] is appointed to operate the ISMS day to day and reports to the executive sponsor on ISMS performance at least quarterly.
Management must ensure that information security requirements are integrated into business processes, that the resources needed to operate the ISMS are budgeted and provided, and that security responsibilities are assigned and communicated as described in the Information Security Roles and Responsibilities policy. Management must require all personnel to apply information security in accordance with this policy and the topic-specific policies listed in this document, and must hold personnel accountable when they do not. Specifically, management must:
- Approve this policy and each topic-specific policy before publication, and re-approve after every material change.
- Review ISMS performance, objectives, risks, and audit results at least annually through the Management Review Procedure.
- Fund and resource the security objectives in this policy, including training, tooling, and external assessments.
- Communicate visibly and consistently that security is a condition of doing business at [Company Name].
Information Security Principles
All security decisions at [Company Name] must be guided by the following principles. Where a topic-specific policy is silent on an issue, personnel must apply these principles and consult the [Role, e.g. Information Security Lead] before acting.
- Risk-based: controls are selected and prioritized based on the Risk Assessment and Treatment Procedure, not on habit or vendor marketing.
- Confidentiality, integrity, and availability: information must be protected against unauthorized disclosure, unauthorized or accidental modification, and loss of access, in proportion to its classification under the Asset Management and Information Classification Policy.
- Least privilege: every person, account, and system receives only the access required for its documented purpose, as governed by the Access Control Policy.
- Defense in depth: no single control is relied on alone; preventive, detective, and corrective controls are layered.
- Secure by default: new systems, services, and suppliers must meet security requirements before go-live, per the Change Management Procedure and the Supplier and Cloud Services Security Policy.
- Accountability: actions on company systems must be attributable to an identified individual, supported by the Logging and Monitoring Policy.
Information Security Objectives
The following measurable objectives give effect to this policy. The [Role, e.g. Information Security Lead] must measure each objective at the stated frequency, record results in the [ISMS metrics workbook or tool name], and report them at management review. Objectives and targets must be re-evaluated at least annually and updated when business priorities or risks change.
Policy Framework Overview
This policy is the parent document of the [Company Name] ISMS. Detailed requirements are set out in topic-specific policies, procedures, and plans, each owned by the [Role, e.g. Information Security Lead] unless otherwise stated and approved by the executive sponsor. Where documents conflict, this policy prevails, and the conflict must be reported to the [Role, e.g. Information Security Lead] for correction within 30 days.
Preview ends. The full document continues beyond this point, and the toolkit includes 23 more documents.
More free previews
See real opening sections from our other compliance toolkits before you buy:
- AI Governance Policy Pack — free preview
- ISO 27001 + SOC 2 Dual Toolkit — free preview
- GDPR Compliance Pack for Small Business — free preview
- HIPAA Compliance Toolkit — Dental Practices — free preview
- HIPAA Compliance Toolkit — Medical Practices — free preview
- HIPAA Compliance Toolkit — Mental Health Practices — free preview
- ISO 27001 Policy Pack — Core — free preview
- ISO 27001 Toolkit for E-commerce — free preview
- ISO 27001 Toolkit for Law Firms — free preview
- ISO 27001 Toolkit for MSPs — free preview
- ISO 27001 Toolkit for SaaS Companies — free preview
- ISO 42001 AI Management System Toolkit — free preview
- NIST CSF 2.0 Complete Toolkit — free preview
- SOC 2 Policy Pack — Core — free preview
- SOC 2 Complete Toolkit — free preview
- Startup Trust Pack — SOC 2 + AI Governance — free preview
- WISP Toolkit for Tax Professionals — free preview
