Information Security Policy Template


Information Security Policy
Purpose
The purpose of this document is to clearly define the boundaries of the Information Security Management System (ISMS) in {{company_name}}.
Scope
This document applies to all documentation and activities within the ISMS.
Users
Users of this document are members of the firm's management and members of the project team implementing the ISMS.
Reference documents
  • ISO/IEC 27001 standard
  • List of legal, regulatory, contractual and other requirements
Information security policy statement
As a leading firm, {{company_name}} and our clients demand that information systems meet high standards of confidentiality, availability and integrity. These standards can only be achieved by ensuring that we have a practical and proactive system for managing our information security. The purpose of the information security policy is to protect {{company_name}}, its employees and clients from all information security threats, whether internal or external, deliberate or accidental.
The information security policy is characterised here as the preservation of:
  • Confidentiality: ensuring that information is accessible only to those authorised to have access
  • Integrity: safeguarding the accuracy and completeness of information and processing methods
  • Availability: ensuring that authorised users have access to information and associated assets when required
  • Regulatory: ensuring that {{company_name}} meets its regulatory and legislative requirements

{{company_name}} has nominated a Chief Information Security Officer (CISO) to introduce and maintain policy and to provide advice and guidance in its implementation.

{{company_name}} requires that all breaches of information security, actual or suspected, will be reported in accordance with the Notification and Reporting Policy.

{{company_name}} undertakes to provide appropriate information security training for all employees through our online learning platform, available at https://______________.

Third party suppliers providing services to {{company_name}} are required to ensure that the confidentiality, integrity, availability, and regulatory requirements of all business systems are met.

It is the responsibility of all users to adhere to the policy.
Information Security Commitments & Objectives
  • Communicate to our employees, suppliers and other stakeholders the critical importance of information security to {{company_name}} and our clients.
  • Protect our information assets, clients and employees from existing and emerging threats and vulnerabilities relating to the confidentiality, integrity and availability of our information and the information assets.
  • Support business objectives by ensuring information exchange is facilitated effectively and securely and without undue disruption to business operations.
  • Protect the firm’s technological and intellectual capital.
  • Ensure access to our information assets is maintained on a ‘need to know’ basis.
  • Ensure that information is only kept for the absolute minimal duration of time required.
  • Ensure {{company_name}} fulfils statutory, contractual, regulatory and best practice requirements relating to information security including maintaining compliance with the international ISO27001 (Information Security Management Systems) standard.
  • Make sure appropriate information security controls and resources are planned, implemented and embedded in the most efficient and timely way, including ensuring that our employees, contractors and third parties understand and apply these controls correctly.
  • Ensure that information security controls are being applied and adhered to using appropriate monitoring and auditing.
  • Ensure that Information Security Requirements are captured in all projects; and
  • Continually develop and improve the Information Security program within {{company_name}}.
About our policies
Our policies apply to all employees, partners, contractors, consultants, students, temporary staff, visitors and all other people that make use of the firm’s assets. You MUST:
  • read, understand and comply with all relevant information security policies, procedures and standards;
  • ensure all our information assets are handled according to their level of classification;
  • behave professionally and responsibly when dealing with our IT systems and with our clients; and
  • report all security concerns or incidents in line with the Notification and Reporting Policy to the management team.
Our core policies are:
  • Acceptable Use Policy
  • Applicable Legislation and Regulation Policy
  • Clear Desk and Screen Policy
  • Client Data Handling Policy
  • Data Classification Policy
  • Data Protection Policy
  • Data Transmission Policy
  • Digital Access Control Policy
  • Encryption Policy
  • Information Retention Policy
  • Information Backup Policy
  • Incident Reporting Policy
  • IT Patching Policy
  • Notification and Reporting Policy
  • Physical Access Control Policy
  • Remote Working Policy
  • Security Audit Policy
  • Third Party Security Policy
COMPLIANCE
Compliance Measurement
{{company_name}} will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.
Exceptions
Any exceptions to the policy must be approved by the CEO in advance.
Non-Compliance
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
RELATED STANDARDS, POLICIES AND PROCESSES
  • All