This template is designed to help you create an information security policy for an ISMS that
aligns with ISO/IEC 27001. It includes placeholders and guidance to customize the policy to
meet your organization’s specific requirements.
How to use this template
1. Review Each Section: Assess each policy statement to determine its relevance to your
organization. Remove or modify any sections that do not apply, replacing them with
requirements that better align with your business objectives.
2. Customize Placeholders: Replace all text in brackets ([ ] or < >) and highlighted in yellow
with your organization’s specific information. Text highlighted in grey provides
supplementary details and can be deleted once reviewed.
3. Adapt Language: Adjust the policy language to accurately reflect your organization’s
culture, ensuring acceptance and support.
4. Proofread and Finalize: Check for spelling and grammar errors, confirm that all
placeholders have been replaced, and verify that the policy content aligns with your
organization’s practices.
5. Brand and Format: Add your company’s letterhead, logo, and any other necessary
branding or formatting elements.
6. Remove Instructions: Delete this instruction page before submitting the document for
approval.
More Questions?
If you’re unsure about certain sections, the ISO/IEC 27001 Lead Implementer course or our
blog at grclab.com provide excellent resources for quick support. If you still have questions,
consider consulting an expert for further clarification.
This template was developed in close collaboration with Kertos, the all-in-one compliance
solution for GDPR, ISO27001, SOC2, NIS2, TISAX®, ISO27701, AI Act or ISO42001.
Copyright © 2024, Aron Lange (GRC Lab). All rights reserved.
Document ID: POL-001
Owner: <OWNER>
Document Type: Policy
Language: EN
Version: <VERSION>
Title:
INFORMATION SECURITY POLICY
Status | Name | Function | Date | Signature
Created | <NAME> | <FUNCTION> | <DATE> | <SIGNATURE>
Reviewed | <NAME> | <FUNCTION> | <DATE> | <SIGNATURE>
Approved | <NAME> | <FUNCTION> | <DATE> | <SIGNATURE>
REVISION HISTORY
VERSION | DATE | CREATED BY | DESCRIPTION OF CHANGES
<V> | <DATE> | <NAME> | <COMMENT>
Table of Contents
1 PURPOSE (page 3)
2 SCOPE (page 3)
3 TERMS AND DEFINITIONS (page 3)
4 RELATED DOCUMENTS (page 3)
5 ROLES & RESPONSIBILITIES (page 3)
5.1 Top Management (page 3)
5.2 Chief Information Security Officer (page 4)
5.3 Information Security Officer (page 5)
5.4 Additional Roles (page 5)
6 POLICY (page 6)
6.1 Commitment (page 6)
6.2 Information security objectives (page 7)
6.3 Communication (page 8)
7 COMPLIANCE (page 9)
7.1 Measurement (page 9)
7.2 Exceptions (page 9)
7.3 Violations (page 9)
[Classification] Page 2 of 9
INFORMATION SECURITY POL-001
POLICY <VERSION>
1 PURPOSE
The purpose of this Information Security Policy is to establish rules for protecting the
confidentiality, integrity, and availability of the organization’s information assets. This policy
provides the highest level of authority in guiding the establishment, implementation,
maintenance, and continuous improvement of the Information Security Management System
(ISMS).
2 SCOPE
This policy applies to all members of the organization as defined in the scope of the ISMS.
If applicable, add external entities, such as suppliers, service providers, etc.
3 TERMS AND DEFINITIONS
Information Security
The preservation of confidentiality, integrity, and availability of information.
Confidentiality
The property that information is not made available or disclosed to unauthorized individuals,
entities, or processes.
Integrity
The property of accuracy and completeness.
Availability
The property of being accessible and usable upon demand by an authorized entity.
ISMS
Information security management system
CISO
Chief Information Security Officer
4 RELATED DOCUMENTS
The following documents support the purpose of this policy:
• Scope of the ISMS
• Statement of Applicability (SoA)
5 ROLES & RESPONSIBILITIES
5.1 Top Management
[Top Management] is committed to ensuring the protection of all information assets in the scope
of the ISMS from unauthorized disclosure, alteration and loss of availability. For that reason,
the provisioning of sufficient resources to support these efforts is guaranteed.
[Top Management] is aware of the ever-evolving threat landscape and recognizes the need to
constantly adapt to arising challenges to keep information assets secure. This circumstance
requires the continual improvement of all activities within the scope of the ISMS.
5.2 Chief Information Security Officer
Describe the responsibilities and authorities of the role that has the overall responsibility for
your ISMS. Please update the name accordingly in case your organization does not call this
person CISO.
The [Chief Information Security Officer (CISO)] is responsible for overseeing and ensuring that the
organization’s information security management system delivers its intended results.
The [CISO’s] primary duties include:
• Strategic Leadership: Develop and maintain the organization’s information security
strategy, aligning it with business goals and regulatory requirements.
• Policy Development: Establish, review, and enforce information security policies and
procedures to protect the organization's information assets and ensure compliance
with relevant laws and regulations.
• Risk Management: Identify, assess, and mitigate information security risks across the
organization. This includes performing regular risk assessments and maintaining a risk
management framework.
• Incident Response: Lead the development and implementation of incident response
plans. Oversee investigations into security breaches and ensure proper response and
recovery procedures are followed.
• Compliance Oversight: Ensure adherence to relevant legal, regulatory, and industry
standards. Facilitate audits and assessments to demonstrate compliance with internal
and external requirements.
• Security Awareness: Promote information security awareness and training programs to
ensure all employees understand their role in protecting the organization’s information
assets.
• Stakeholder Communication: Serve as the primary point of contact for information
security matters. Communicate security issues and status to the executive team, board
of directors, and other stakeholders as appropriate.
• Resource Management: Allocate resources effectively to support the information
security program. Manage the information security team and collaborate with other
departments to integrate security practices throughout the organization.
The [CISO] has the authority to:
• Access Information: Obtain access to all necessary information and resources required
to perform information security functions.
• Enforce Policies: Implement and enforce information security policies and procedures
across the organization.
• Allocate Resources: Make recommendations for the allocation of budget and resources
necessary for the information security program.
• Engage Third Parties: Engage with third-party vendors, consultants, and other external
entities as needed to support information security initiatives.
5.3 Information Security Officer
Describe the responsibilities and authorities of the role that supports the CISO of your
organization. Please update the name accordingly in case your organization does not call this
person ISO. In smaller organizations there might be no ISOs at all; in this case feel free to
remove this section and update the responsibilities of the CISO accordingly.
The [Information Security Officer (ISO)] supports the [Chief Information Security Officer
(CISO)] in fulfilling their duties.
Key responsibilities include:
Please pick the appropriate responsibilities and authorities of the Information Security Officer.
• Policy Implementation: Assist in the development and enforcement of information
security policies and procedures.
• Risk Assessments: Conduct regular risk assessments to identify and mitigate security
vulnerabilities.
• Incident Response: Coordinate and support the response to security incidents and
breaches.
• Compliance: Ensure adherence to relevant security standards and regulations.
• Awareness Training: Promote information security awareness and training programs
across the organization.
• Collaboration: Work with various departments to integrate security practices into
organizational processes.
The [ISO] is granted the authority to:
• Access Information: Obtain access to all necessary information and resources required
to perform security functions.
• Enforce Security Measures: Implement and enforce information security controls and
measures.
• Engage with External Entities: Collaborate with third-party vendors, consultants, and
external entities to support the information security program.
• Recommend Resources: Make recommendations for the allocation of resources and
budget necessary to maintain the security program.
5.4 Additional Roles
Please add additional roles related to information security and describe their responsibilities
and authorities.
Common examples include:
• Information Security Manager
• Data Protection Officer (DPO)
• Compliance Officer
6 POLICY
6.1 Commitment
Our organization is committed to maintaining the highest standards of information security by
complying with all applicable legal, regulatory, and contractual requirements related to the
protection of information assets. We pledge to continuously monitor and review our security
practices to ensure they meet or exceed the requirements set forth by relevant standards and
regulations. This commitment extends to all employees, partners, and stakeholders, who are
expected to adhere to our information security policies and procedures, ensuring the
confidentiality, integrity, and availability of our information assets are always protected.
Our organization is committed to supporting and continuously improving our Information
Security Management System (ISMS). In support of these commitments, our organization will:
• Establish and Maintain a Comprehensive Information Security Policy: We will develop,
implement, and continually update a set of policies that aligns with industry standards,
regulatory requirements, and the organization’s strategic objectives.
• Define and Communicate Security Objectives: Measurable security objectives will be
set to support our strategic goals, with clear communication to all relevant stakeholders
to ensure alignment and understanding.
• Allocate Necessary Resources: We will provide the financial, technological, and human
resources required to effectively implement and sustain our Information Security
Management System (ISMS).
• Enhance Employee Awareness and Training: All employees will receive ongoing
support and training to understand their information security responsibilities and to
contribute to a secure working environment.
• Foster a Culture of Security: A proactive security culture will be promoted throughout
the organization, encouraging all individuals to prioritize and actively participate in the
protection of information assets.
• Commit to Continuous Improvement: We will regularly review and refine our
information security policies, procedures, and controls to ensure their effectiveness and
relevance, staying responsive to emerging threats and changes in the regulatory
landscape.
• Implement Robust Risk Management: A comprehensive risk management framework
will be employed to identify, assess, and mitigate information security risks.
Appropriate controls will be applied based on regular risk assessments.
• Ensure Effective Communication: Open and effective communication channels will be
maintained to keep all stakeholders informed about our information security policies,
procedures, and any updates or changes.
• Support Information Security Management Roles: We will empower relevant
management roles by providing the necessary authority, resources, and guidance to
ensure they can effectively fulfil their responsibilities in maintaining the security of our
information assets.
6.2 Information security objectives
The organization must establish information security objectives at relevant functions and levels
in accordance with the following framework:
Setting Objectives
Top management is responsible for defining high-level information security objectives on an
annual basis. These objectives provide strategic direction for the organization’s information
security efforts and must align with:
• Business vision and objectives to ensure that information security supports overall
corporate goals and strategic priorities.
• Stakeholder requirements, including regulatory bodies, customers, partners, and internal
expectations, to maintain compliance and trust.
• Risk appetite, ensuring that security objectives reflect the organization’s tolerance for risk
and support effective risk management.
• ISMS performance, incorporating insights from previous assessments, audits, incidents, and
continual improvement initiatives to enhance security effectiveness.
Second-level management, such as department heads and security leads, must translate these
high-level objectives into specific, actionable objectives that are relevant to their areas of
responsibility. These objectives should be:
• Tailored to departmental functions, ensuring relevance to specific operational needs.
• Aligned with security priorities, addressing identified risks and compliance obligations.
• Defined using the SMART criteria, making them measurable and achievable within a
specified timeframe.
All objectives must be communicated to all relevant functions and integrated into operational
processes.
Each objective is assigned an owner responsible for implementation and monitoring.
Criteria for Information Security Objectives
All information security objectives must be established using the SMART criteria to ensure they
are well-defined, effective, and achievable:
• Specific – Objectives must be clearly defined and unambiguous, addressing a distinct aspect
of information security, such as improving access controls, reducing security incidents, or
enhancing awareness training.
• Measurable – Each objective must have quantifiable criteria to track progress and
determine success. This could include metrics such as a percentage reduction in security
incidents, the number of employees trained, or compliance audit scores.
• Achievable – Objectives must be realistic given the organization’s resources, capabilities,
and constraints. They should be challenging yet attainable to ensure continuous
improvement without setting unrealistic expectations.
• Relevant – Objectives must align with the organization’s overall business goals, risk
management priorities, and legal or regulatory requirements to ensure they contribute
meaningfully to the ISMS.
• Time-bound – Each objective must have a clearly defined timeline for completion or
periodic review to ensure accountability and progress tracking.
Planning for Implementation
Each information security objective is assigned an owner, typically a designated individual or
team responsible for:
• Implementation, ensuring necessary actions are taken to achieve the objective.
• Monitoring and reporting, tracking progress using metrics and indicators.
• Review and continuous improvement, evaluating outcomes and adjusting objectives based
on changes in risk, business needs, or ISMS performance.
6.3 Communication
The information security policy shall be communicated to all persons within the scope of the
ISMS by [describe when and how to communicate or reference to a communications plan].
This policy [select from: (may, may not) be shared] and communicated with external interested
parties.
7 COMPLIANCE
7.1 Measurement
The organization will ensure compliance with this policy through various methods, including
management reviews, internal and external audits, and feedback from employees and
stakeholders.
7.2 Exceptions
Any exception to this policy must be approved by [organization defined role] in advance. The
process for requesting an exception involves submitting a detailed justification, including the
reasons for the exception, the potential risks, and the proposed mitigation measures. The
[organization defined role] will thoroughly evaluate the request to ensure that it does not
compromise the overall security posture of the organization. Only upon receiving explicit
approval from [organization defined role] will the exception be considered valid and
enforceable.
7.3 Violations
Members of the organization found to have violated this policy may be subject to disciplinary
action. Depending on the severity of the violation, consequences may include mandatory
retraining on information security policies, formal reprimands, or suspension. The organization
will thoroughly investigate any suspected policy violations to ensure fairness and accuracy in
the disciplinary process.