[Insert classification]
Implementation guidance
The header page and this section, up to and including Disclaimer, must be removed from
the final version of the document. For more details on replacing the logo, yellow highlighted
text and certain generic terms, see the Completion Instructions document.
The Information Security Policy is a required document which commits the organization to
ensuring adequate information security.
• 5 Leadership
o 5.1 Leadership and commitment
o 5.2 Policy
• A.5 Organizational controls
o A.5.1 Policies for information security
General guidance
The information security policy must be approved by Top Management (normally defined as
the "person or group of people who direct and control the organization at the highest
level") as evidence of their commitment.
Section 5.2 of the standard sets out some of what the policy must contain, and these areas
are covered by the template document. We would therefore recommend that no section
headings are removed.
Prior to the certification audit you must ensure that this policy, and any relevant supporting
policies have been communicated to relevant staff, that they have understood their
contents and that these facts are evidenced for example via meeting minutes. The inviting
and answering of questions during such a meeting is likely to show evidence of
understanding.
We would also recommend that the document is made available via the intranet if you have
one or via any other appropriate means.
Review frequency
We would recommend that this document is reviewed as part of an annual exercise which
also covers key documents such as the risk assessment and training plan. This exercise
should include significant business involvement to ensure that changed requirements are
captured and customer feedback obtained.
Document fields
This document may contain fields which need to be updated with your own information,
including a field for Organization Name that is linked to the custom document property
"Organization Name".
To update this field (and any others that may exist in this document):
1. Update the custom document property "Organization Name" by clicking File> Info>
Properties> Advanced Properties> Custom > Organization Name.
2. Press Ctrl A on the keyboard to select all text in the document (or use Select,
Select All via the Editing header on the Home tab).
3. Press F9 on the keyboard to update all fields.
4. When prompted, choose the option to just update TOC page numbers.
If you wish to permanently convert the fields in this document to text, for instance so that
they are no longer updateable, you will need to click into each occurrence of the field and
press Ctrl Shift F9.
If you would like to make all fields in the document visible, go to File> Options> Advanced>
Show document content> Field shading and set this to "Always". This can be useful to check
you have updated all fields correctly.
Further detail on the above procedure can be found in the toolkit Completion Instructions.
This document also contains guidance on working with the toolkit documents with an Apple
Mac, and in Google Docs/Sheets.
Copyright notice
Except for any specifically identified third-party works included, this document has been
authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company
registered in England and Wales with company number 6432088.
Licence terms
This document is licensed on and subject to the standard licence terms of CertiKit, available
on request, or by download from our website. All other rights are reserved. Unless you have
purchased this product you only have an evaluation licence.
If this product was purchased, a full licence is granted to the person identified as the
licensee in the relevant purchase order. The standard licence terms include special terms
relating to any third-party copyright included in this document.
Disclaimer
Please Note: Your use of and reliance on this document template is at your sole risk.
Document templates are intended to be used as a starting point only from which you will
create your own document and to which you will apply all reasonable quality checks before
use.
Therefore, please note that it is your responsibility to ensure that the content of any
document you create that is based on our templates is correct and appropriate for your
needs and complies with relevant laws in your country.
You should take all reasonable and proper legal and other professional advice before using
this document.
Revision history
Distribution
NAME TITLE
Approval
Contents
1 Introduction
2 Information security policy
2.1 Information security requirements
Tables
1 Introduction
This document defines the information security policy of [Organization Name].
The operation of the ISMS has many benefits for the business, including:
[Organization Name] has decided to maintain full certification to ISO/IEC 27001 in order that
the effective adoption of information security best practice may be validated by an
independent third party, a Registered Certification Body (RCB).
This policy applies to all systems, people and processes that constitute the organization's
information systems, including board members, directors, employees, suppliers and other
third parties who have access to [Organization Name] systems.
The following supporting documents are relevant to this information security policy and
provide additional information about how it is applied:
• Software Policy
• Technical Vulnerability Management Policy
• Network Security Policy
• Electronic Messaging Policy
• Online Collaboration Policy
• Secure Development Policy
• Information Security Policy for Supplier Relationships
• Availability Management Policy
• IP and Copyright Compliance Policy
• Records Retention and Protection Policy
• Privacy and Personal Data Protection Policy
• Clear Desk and Clear Screen Policy
• Social Media Policy
• HR Security Policy
• Threat Intelligence Policy
• Asset Management Policy
• Acceptable Use Policy
• CCTV Policy
• Configuration Management Policy
• Information Deletion Policy
• Data Masking Policy
• Data Leakage Prevention Policy
• Monitoring Policy
• Web Filtering Policy
• Secure Coding Policy
• Information Security Whistleblowing Policy
Details of the latest version number of each of these documents are available from the ISMS
Documentation Log.
Information security objectives will be documented for an agreed time period, together with
details of how they will be achieved. These will be evaluated and monitored as part of
management reviews to ensure that they remain valid. If amendments are required, these
will be managed through the change management process.
In accordance with ISO/IEC 27001, the reference controls detailed in Annex A of the standard
will be adopted where appropriate by [Organization Name]. These will be reviewed on a
regular basis in the light of the outcome from risk assessments and in line with information
security risk treatment plans. For details of which Annex A controls have been implemented
and which have been excluded please see the Statement of Applicability.
In addition, enhanced and additional controls from the following codes of practice will be
adopted and implemented where appropriate:
The adoption of these codes of practice will provide additional assurance to our customers
and help further with our compliance with international data protection legislation.
Ideas for improvements may be obtained from any source including employees, customers,
suppliers, IT staff, risk assessments and service reports. Once identified they will be
recorded and evaluated as part of management reviews.
Each of these policies is defined and agreed by one or more people with competence in the
relevant area and, once formally approved, is communicated to an appropriate audience,
both within and external to the organization.
Table 1 below shows the individual policies within the documentation set and summarises
each policy's content and the target audience of interested parties.

Table 1: Supporting information security policies

Policy | Content | Target audience
Internet Access Policy | Business use of the Internet, personal use of the Internet, Internet account management, security and monitoring and prohibited uses of the Internet service. | Users of the Internet service
Cloud Computing Policy | Due diligence, signup, setup, management and removal of cloud computing services. | Employees involved in the procurement and management of cloud services
Mobile Device Policy | Care and security of mobile devices such as laptops, tablets and smartphones, where provided by the organization for business use. | Users of company-provided mobile devices
BYOD Policy | Bring Your Own Device (BYOD) considerations where personnel wish to make use of their own mobile devices to access corporate information. | Users of personal devices for restricted business use
Teleworking Policy | Information security considerations in establishing and running a teleworking site and arrangement, e.g. physical security, insurance and equipment. | Management and employees involved in setting up and maintaining a teleworking site
Dynamic Access Control Policy | Applicability and use of dynamic access controls available in specific environments. | Asset owners and ICT team
Cryptographic Policy | Risk assessment, technique selection, deployment, testing and review of cryptography, and key management. | Employees involved in setting up and managing the use of cryptographic technology and techniques
Physical Security Policy | Secure areas, paper and equipment security and equipment lifecycle management. | All employees
Anti-Malware Policy | Firewalls, anti-virus, spam filtering, software installation and scanning, vulnerability management, user awareness training, threat monitoring and alerts, technical reviews and malware incident management. | Employees responsible for protecting the organization's infrastructure from malware
Backup Policy | Backup cycles, cloud backups, off-site storage, documentation, recovery testing and protection of storage media. | Employees responsible for designing and implementing backup regimes
Logging and Monitoring Policy | Settings for event collection, protection and review. | Employees responsible for protecting the organization's infrastructure from attacks
Software Policy | Purchasing software, software registration, installation and removal, in-house software development and use of software in the cloud. | All employees
Network Security Policy | Network security design, including network segregation, perimeter security, wireless networks and remote access; network security management, including roles and responsibilities, logging and monitoring and changes. | Employees responsible for designing, implementing and managing networks
Electronic Messaging Policy | Sending and receiving electronic messages, monitoring of electronic messaging facilities and use of email. | Users of electronic messaging facilities
Online Collaboration Policy | Use of collaboration tools for communication, sharing and video conferencing. | Users of online collaboration tools
Secure Development Policy | Business requirements specification, system design, development and testing and outsourced software development. | Employees responsible for designing, managing and writing code for bespoke software developments
Information Security Policy for Supplier Relationships | Due diligence, supplier agreements, monitoring and review of services, changes, disputes and end of contract. | Employees involved in setting up and managing supplier relationships
Availability Management Policy | Availability requirements and design, monitoring and reporting, non-availability, testing availability plans and managing changes. | Employees responsible for designing systems and managing service delivery
IP and Copyright Compliance Policy | Protection of intellectual property, the law, penalties and software license compliance. | All employees
Records Retention and Protection Policy | Retention period for specific record types, use of cryptography, media selection, record retrieval, destruction and review. | Employees responsible for creation and management of records
Privacy and Personal Data Protection Policy | Applicable data protection legislation, definitions and requirements. | Employees responsible for designing and managing systems using personal data
Clear Desk and Clear Screen Policy | Security of information shown on screens, printed out and held on removable media. | All employees
Social Media Policy | Guidelines for how social media should be used when representing the organization and when discussing issues relevant to the organization. | All employees
Asset Management Policy | Rules for how assets must be managed from an information security perspective. | All employees
CCTV Policy | The use of CCTV in physical security, including siting and data protection issues and considerations. | Employees responsible for CCTV
Data Leakage Prevention Policy | The configuration of relevant software tools to detect and prevent leakage of data. | Employees responsible for designing systems and managing service delivery
Monitoring Policy | The monitoring of the ICT environment to detect anomalous activity. | Employees responsible for designing systems and managing service delivery
Web Filtering Policy | Restricting access to Internet sites that are deemed inappropriate. | Employees responsible for designing systems and managing service delivery
Secure Coding Policy | The principles that will be used when developing secure code. | Employees responsible for designing, managing and writing code for bespoke software developments
Threat Intelligence Policy | The collection and use of threat intelligence at the strategic, tactical and operational levels. | Employees responsible for protecting the organization's infrastructure from attacks
Information Security Whistleblowing Policy | The raising of issues about information security within the organization. | All employees and other interested parties
The policy statements made in this document and in the set of supporting policies listed in
Table 1 have been reviewed and approved by the top management of [Organization Name]
and must be complied with. Failure by an employee to comply with these policies may result
in disciplinary action being taken in accordance with the organization's Employee
Disciplinary Process.
Questions regarding any [Organization Name] policy should be addressed in the first
instance to the employee's immediate line manager.