policy
Information Security Policy Template
A top-level information security policy template aligned to ISO/IEC 27001:2022 clause 5.2, covering objectives, roles, key controls and continual improvement.
Related service: ISO 27001
This template provides a top-level information security policy suitable for organisations building an Information Security Management System (ISMS), including those working towards ISO/IEC 27001:2022 (which requires a documented policy under clause 5.2). It sets direction; detailed rules sit in supporting policies and procedures. Replace every [bracketed] field, tailor the content to your organisation, and have it approved at management level. For background, see our guide on what an ISMS is.
1. Purpose
[Organisation name] relies on information to deliver its services. This policy sets out our commitment to protecting the confidentiality, integrity and availability of the information we hold, whether it belongs to us, our staff, our service users or our partners.
2. Scope
This policy applies to all staff, contractors, volunteers and third parties who access [Organisation name]‘s information or systems. It covers all information assets within the scope of our ISMS, in any format and location. [State the ISMS scope or reference the scope document.]
3. Policy statement
[Organisation name] is committed to:
- Protecting information against unauthorised access, loss, damage and disclosure
- Meeting our legal, regulatory and contractual obligations, including the UK GDPR and the Data Protection Act 2018
- Managing information security risks through a structured, ongoing process
- Providing staff with the training and guidance they need to work securely
- Reporting, investigating and learning from information security incidents
- Continually improving our ISMS
4. Information security objectives
We set and review measurable information security objectives, which may include [examples: reducing the number of incidents, achieving and maintaining certification, completing staff training, meeting patching targets]. Objectives are reviewed at management review.
5. Roles and responsibilities
- Senior management owns this policy, provides resources and reviews performance
- [Information security lead / ISMS manager] maintains the ISMS and reports on risks and incidents
- [Data Protection Officer, if appointed] advises on data protection compliance
- All staff must follow this policy and supporting procedures, and report incidents promptly
6. Key control areas
Detailed requirements are set out in supporting policies, which typically cover:
- Access control and user account management
- Acceptable use of systems and devices
- Secure configuration and patching
- Malware protection
- Encryption and key management
- Physical and environmental security
- Backup, logging and monitoring
- Supplier and third-party security
- Incident management, including breach notification to the ICO within 72 hours where required
- Business continuity
7. Risk management
We identify, assess and treat information security risks using a documented process, and record decisions in a risk treatment plan and Statement of Applicability where we operate an ISO 27001-aligned ISMS.
8. Compliance and consequences
Failure to comply with this policy may result in disciplinary action and, for third parties, action under the relevant contract. Suspected breaches of law will be handled accordingly.
9. Review
This policy is reviewed at least annually and after any significant change or major incident.
- Version: [x.x]
- Approved by: [name / role]
- Date approved: [date]
- Next review due: [date]
Need a full set of aligned policies ready for a certification audit? We can produce and tailor them as part of a fixed-fee engagement — see our ISO 27001 support service. Our Annex A controls guide explains how the controls behind this policy fit together.