How to Write an Information Security Policy (With ISO 27001 in Mind)

An information security policy is the top-level document that sets out your organisation's approach to protecting information. It is a requirement under ISO 27001 (Clause 5.2), referenced in NIS2 governance obligations, and expected as a foundational control under GDPR.

Most SMEs either don't have one or have a generic template they downloaded years ago that bears no relation to how the business actually operates. This guide explains what an information security policy must contain, how to write one that works in practice, and the mistakes that make most policies ineffective.

What an Information Security Policy Is — and Is Not

An information security policy is a short, strategic document — typically two to four pages — that states management's commitment to information security, defines what the policy covers, assigns high-level responsibilities, and establishes the principles that govern more detailed policies beneath it.

It is not a technical manual. It does not list every security control, configuration standard, or procedure. Those belong in supporting policies (acceptable use, access control, incident response, etc.). The information security policy is the document that authorises and frames everything else.

What ISO 27001 Requires

ISO 27001 Clause 5.2 specifies that the information security policy must:

  • Be appropriate to the purpose of the organisation
  • Include information security objectives or provide a framework for setting them
  • Include a commitment to satisfy applicable requirements (legal, contractual, regulatory)
  • Include a commitment to continual improvement of the ISMS
  • Be available as documented information
  • Be communicated within the organisation
  • Be available to interested parties as appropriate

These are the minimum requirements. A policy that ticks these boxes but says nothing meaningful about how your organisation actually treats information security has limited practical value.

Structure: What to Include

1. Purpose and scope. What the policy exists to achieve and what it covers — systems, data, people, physical locations. Be specific about scope boundaries.

2. Management commitment. A clear statement that senior management supports the information security programme, authorises the resources needed to implement it, and holds leadership accountable for it. This should be signed by a named director or equivalent.

3. Information security objectives. High-level security objectives the organisation is working toward — for example: maintain the confidentiality, integrity and availability of information assets; achieve and maintain ISO 27001 certification; meet obligations under NIS2 and GDPR.

4. Roles and responsibilities. Who is responsible for information security at the strategic, operational, and user level. This does not need to be exhaustive; a summary with a reference to the full RACI held elsewhere is sufficient.

5. Risk management approach. A statement that the organisation takes a risk-based approach to information security, assesses risk regularly, and treats risk in accordance with its risk appetite.

6. Compliance obligations. Reference to applicable legal and regulatory requirements: GDPR, NIS2, DORA (where applicable), ISO 27001, and contractual obligations to customers or partners.

7. Consequences of non-compliance. A clear statement that breaches of information security policy may result in disciplinary action, up to and including termination or legal proceedings.

8. Review and maintenance. How frequently the policy is reviewed (at minimum annually, and following significant changes to the business or threat environment) and who owns the review.

Common Mistakes That Undermine Policies

Too long. A policy that runs to 20 pages will not be read. Keep the top-level policy concise and push detail into supporting documents.

No management signature. A policy that is not visibly authorised by leadership has no organisational weight. Someone with authority needs to sign it.

Generic language. Phrases like "the organisation will take all reasonable steps to protect information" communicate nothing. State your actual commitments and how you will meet them.

Never reviewed. A policy that references a GDPR compliance obligation and was last updated in 2019 has become a liability rather than an asset. Set a formal review date and keep to it.

No acknowledgement process. If employees are not required to read and acknowledge the policy, you cannot demonstrate that your workforce is aware of its obligations. Acknowledgement should be recorded.

How ShieldIQ Supports Policy Management

ShieldIQ's AI Policy Drafter generates a starting information security policy tailored to your organisation — built from your assessment results and the frameworks you are working against. Policies are version-controlled, linked to your controls, and employees can acknowledge them directly in the platform. You review and approve everything before it becomes official.

Run a free ISO 27001 assessment and get your starting policy suite →