Information Security Policy

[Insert classification]

Implementation guidance
The header page and this section, up to and including Disclaimer, must be removed from
the final version of the document. For more details on replacing the logo, yellow highlighted
text and certain generic terms, see the Completion Instructions document.

Purpose of this document

The Information Security Policy is a required document which commits the organization to
ensuring adequate information security.

Areas of the standard addressed

The following areas of the ISO/IEC 27001 standard are addressed by this document:

• 5 Leadership
o 5.1 Leadership and commitment
o 5.2 Policy
• A.5 Organizational controls
o A.5.1 Policies for information security

General guidance
The information security policy must be approved by Top Management (normally defined as
the "person or group of people who direct and control the organization at the highest
level") as evidence of their commitment.

Section 5.2 of the standard sets out some of what the policy must contain, and these areas
are covered by the template document. We would therefore recommend that no section
headings are removed.

Prior to the certification audit you must ensure that this policy, and any relevant supporting
policies, have been communicated to relevant staff, that they have understood their
contents, and that these facts are evidenced, for example via meeting minutes. The inviting
and answering of questions during such a meeting is likely to show evidence of
understanding.

We would also recommend that the document is made available via the intranet if you have
one or via any other appropriate means.

Version 1 Page 2 of 14 [Insert date]

Review frequency

We would recommend that this document is reviewed as part of an annual exercise which
also covers key documents such as the risk assessment and training plan. This exercise
should include significant business involvement to ensure that changed requirements are
captured and customer feedback obtained.

Document fields

This document may contain fields which need to be updated with your own information,
including a field for Organization Name that is linked to the custom document property
"Organization Name".

To update this field (and any others that may exist in this document):

1. Update the custom document property "Organization Name" by clicking File > Info >
Properties > Advanced Properties > Custom > Organization Name.
2. Press Ctrl A on the keyboard to select all text in the document (or use Select,
Select All via the Editing header on the Home tab).
3. Press F9 on the keyboard to update all fields.
4. When prompted, choose the option to just update TOC page numbers.

If you wish to permanently convert the fields in this document to text, for instance so that
they are no longer updateable, you will need to click into each occurrence of the field and
press Ctrl Shift F9.

If you would like to make all fields in the document visible, go to File > Options > Advanced >
Show document content > Field shading and set this to "Always". This can be useful to check
that you have updated all fields correctly.

Further detail on the above procedure can be found in the toolkit Completion Instructions.
This document also contains guidance on working with the toolkit documents with an Apple
Mac, and in Google Docs/Sheets.

Copyright notice

Except for any specifically identified third-party works included, this document has been
authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company
registered in England and Wales with company number 6432088.

Licence terms
This document is licensed on and subject to the standard licence terms of CertiKit, available
on request, or by download from our website. All other rights are reserved. Unless you have
purchased this product you only have an evaluation licence.

If this product was purchased, a full licence is granted to the person identified as the
licensee in the relevant purchase order. The standard licence terms include special terms
relating to any third-party copyright included in this document.

Disclaimer
Please Note: Your use of and reliance on this document template is at your sole risk.
Document templates are intended to be used as a starting point only from which you will
create your own document and to which you will apply all reasonable quality checks before
use.

Therefore, please note that it is your responsibility to ensure that the content of any
document you create that is based on our templates is correct and appropriate for your
needs and complies with relevant laws in your country.

You should take all reasonable and proper legal and other professional advice before using
this document.

CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or
adequacy of our document templates; assumes no duty of care to any person with respect
to its document templates or their contents; and expressly excludes and disclaims liability for
any cost, expense, loss or damage suffered or incurred in reliance on our document
templates, or in expectation of our document templates meeting your needs, including
(without limitation) as a result of misstatements, errors and omissions in their contents.

YOUR LOGO HERE

Information Security Policy

DOCUMENT CLASSIFICATION [Insert classification]
DOCUMENT REF ISMS-DOC-05-4
VERSION 1
DATED [Insert date]
DOCUMENT AUTHOR [Insert name]
DOCUMENT OWNER [Insert name/role]

Revision history

VERSION | DATE | REVISION AUTHOR | SUMMARY OF CHANGES

Distribution

NAME | TITLE

Approval

NAME | POSITION | SIGNATURE | DATE

Contents

1 Introduction .......... 8
2 Information security policy .......... 10
2.1 Information security requirements .......... 10
2.2 Framework for setting objectives .......... 10
2.3 Continual improvement of the ISMS .......... 11
2.4 Information security policy areas .......... 11
2.5 Application of information security policy .......... 14

Tables

Table 1: Set of policy documents .......... 14

1 Introduction
This document defines the information security policy of [Organization Name].

As a modern, forward-looking business, [Organization Name] recognises at senior levels
the need to ensure that its business operates smoothly and without interruption for the
benefit of its customers, shareholders and other stakeholders.

In order to provide such a level of continuous operation, [Organization Name] has
implemented an Information Security Management System (ISMS) in line with the
International Standard for Information Security, ISO/IEC 27001. This standard defines the
requirements for an ISMS based on internationally recognised best practice.

The operation of the ISMS has many benefits for the business, including:

• Protection of revenue streams and company profitability
• Ensuring the supply of goods and services to customers
• Maintenance and enhancement of shareholder value
• Compliance with legal and regulatory requirements

[Organization Name] has decided to maintain full certification to ISO/IEC 27001 in order that
the effective adoption of information security best practice may be validated by an
independent third party, a Registered Certification Body (RCB).

This policy applies to all systems, people and processes that constitute the organization's
information systems, including board members, directors, employees, suppliers and other
third parties who have access to [Organization Name] systems.

The following supporting documents are relevant to this information security policy and
provide additional information about how it is applied:

• Risk Assessment and Treatment Process
• Statement of Applicability
• Supplier Information Security Evaluation Process
• Internet Access Policy
• Cloud Services Policy
• Mobile Device Policy
• BYOD Policy
• Remote Working Policy
• Access Control Policy
• Dynamic Access Control Policy
• User Access Management Process
• Cryptographic Policy
• Physical Security Policy
• Anti-Malware Policy
• Backup Policy
• Logging and Monitoring Policy

• Software Policy
• Technical Vulnerability Management Policy
• Network Security Policy
• Electronic Messaging Policy
• Online Collaboration Policy
• Secure Development Policy
• Information Security Policy for Supplier Relationships
• Availability Management Policy
• IP and Copyright Compliance Policy
• Records Retention and Protection Policy
• Privacy and Personal Data Protection Policy
• Clear Desk and Clear Screen Policy
• Social Media Policy
• HR Security Policy
• Threat Intelligence Policy
• Asset Management Policy
• Acceptable Use Policy
• CCTV Policy
• Configuration Management Policy
• Information Deletion Policy
• Data Masking Policy
• Data Leakage Prevention Policy
• Monitoring Policy
• Web Filtering Policy
• Secure Coding Policy
• Information Security Whistleblowing Policy

Details of the latest version number of each of these documents are available from the ISMS
Documentation Log.

2 Information security policy

2.1 Information security requirements


A clear definition of the requirements for information security within [Organization Name]
will be agreed and maintained with the internal business so that all ISMS activity is focussed
on the fulfilment of those requirements. Statutory, regulatory and contractual requirements
will also be documented and input to the planning process. Specific requirements about the
security of new or changed systems or services will be captured as part of the design stage
of each project.

It is a fundamental principle of the [Organization Name] Information Security Management
System that the controls implemented are driven by business needs, and this will be
regularly communicated to all staff through team meetings and briefing documents.

2.2 Framework for setting objectives

A regular cycle will be used for the setting of objectives for information security, to coincide
with the budget planning cycle. This will ensure that adequate funding is obtained for the
improvement activities identified. These objectives will be based upon a clear understanding
of the business requirements, informed by the management review process during which
the views of relevant interested parties may be obtained.

Information security objectives will be documented for an agreed time period, together with
details of how they will be achieved. These will be evaluated and monitored as part of
management reviews to ensure that they remain valid. If amendments are required, these
will be managed through the change management process.

In accordance with ISO/IEC 27001 the reference controls detailed in Annex A of the standard
will be adopted where appropriate by [Organization Name]. These will be reviewed on a
regular basis in the light of the outcome from risk assessments and in line with information
security risk treatment plans. For details of which Annex A controls have been implemented
and which have been excluded please see the Statement of Applicability.

In addition, enhanced and additional controls from the following codes of practice will be
adopted and implemented where appropriate:

• ISO/IEC 27002 - Code of practice for information security controls
• ISO/IEC 27017 - Code of practice for information security controls based on ISO/IEC
27002 for cloud services
• ISO/IEC 27018 - Code of practice for protection of personally identifiable
information (PII) in public clouds acting as PII processors

The adoption of these codes of practice will provide additional assurance to our customers
and help further with our compliance with international data protection legislation.

2.3 Continual improvement of the ISMS

[Organization Name] policy regarding continual improvement is to:

• Continually improve the effectiveness of the ISMS
• Enhance current processes to bring them into line with good practice as defined
within ISO/IEC 27001 and related standards
• Achieve ISO/IEC 27001 certification and maintain it on an on-going basis
• Increase the level of proactivity (and the stakeholder perception of proactivity) with
regard to information security
• Make information security processes and controls more measurable in order to
provide a sound basis for informed decisions
• Review relevant metrics on an annual basis to assess whether it is appropriate
to change them, based on collected historical data
• Obtain ideas for improvement via regular meetings and other forms of
communication with interested parties
• Review ideas for improvement at regular management meetings in order to
prioritise and assess timescales and benefits

Ideas for improvements may be obtained from any source including employees, customers,
suppliers, IT staff, risk assessments and service reports. Once identified they will be
recorded and evaluated as part of management reviews.

2.4 Information security policy areas

[Organization Name] defines policy in a wide variety of information security-related areas
which are described in detail in a comprehensive set of policy documentation that
accompanies this overarching information security policy.

Each of these policies is defined and agreed by one or more people with competence in the
relevant area and, once formally approved, is communicated to an appropriate audience,
both within and external to the organization.

The table below shows the individual policies within the documentation set and summarises
each policy's content and the target audience of interested parties.

POLICY TITLE | AREAS ADDRESSED | TARGET AUDIENCE
Internet Access Policy | Business use of the Internet, personal use of the Internet, Internet account management, security and monitoring and prohibited uses of the Internet service. | Users of the Internet service
Cloud Computing Policy | Due diligence, signup, setup, management and removal of cloud computing services. | Employees involved in the procurement and management of cloud services
Mobile Device Policy | Care and security of mobile devices such as laptops, tablets and smartphones, whether provided by the organization for business use. | Users of company-provided mobile devices
BYOD Policy | Bring Your Own Device (BYOD) considerations where personnel wish to make use of their own mobile devices to access corporate information. | Users of personal devices for restricted business use
Teleworking Policy | Information security considerations in establishing and running a teleworking site and arrangement, e.g. physical security, insurance and equipment. | Management and employees involved in setting up and maintaining a teleworking site
Access Control Policy | User registration and deregistration, provision of access rights, external access, access reviews, password policy, user responsibilities and system and application access control. | Employees involved in setting up and managing access control
Dynamic Access Control Policy | Applicability and use of dynamic access controls available in specific environments. | Asset owners and ICT team
Cryptographic Policy | Risk assessment, technique selection, deployment, testing and review of cryptography, and key management. | Employees involved in setting up and managing the use of cryptographic technology and techniques
Physical Security Policy | Secure areas, paper and equipment security and equipment lifecycle management. | All employees
Anti-Malware Policy | Firewalls, anti-virus, spam filtering, software installation and scanning, vulnerability management, user awareness training, threat monitoring and alerts, technical reviews and malware incident management. | Employees responsible for protecting the organization's infrastructure from malware
Backup Policy | Backup cycles, cloud backups, off-site storage, documentation, recovery testing and protection of storage media. | Employees responsible for designing and implementing backup regimes
Logging and Monitoring Policy | Settings for event collection, protection and review. | Employees responsible for protecting the organization's infrastructure from attacks
Software Policy | Purchasing software, software registration, installation and removal, in-house software development and use of software in the cloud. | All employees
Technical Vulnerability Management Policy | Vulnerability definition, sources of information, patches and updates, vulnerability assessment, hardening, awareness training and vulnerability disclosure. | Employees responsible for protecting the organization's infrastructure from malware
Network Security Policy | Network security design, including network segregation, perimeter security, wireless networks and remote access; network security management, including roles and responsibilities, logging and monitoring and changes. | Employees responsible for designing, implementing and managing networks
Electronic Messaging Policy | Sending and receiving electronic messages, monitoring of electronic messaging facilities and use of email. | Users of electronic messaging facilities
Online Collaboration Policy | Use of collaboration tools for communication, sharing and video conferencing. | Users of online collaboration tools
Secure Development Policy | Business requirements specification, system design, development and testing and outsourced software development. | Employees responsible for designing, managing and writing code for bespoke software developments
Information Security Policy for Supplier Relationships | Due diligence, supplier agreements, monitoring and review of services, changes, disputes and end of contract. | Employees involved in setting up and managing supplier relationships
Availability Management Policy | Availability requirements and design, monitoring and reporting, non-availability, testing availability plans and managing changes. | Employees responsible for designing systems and managing service delivery
IP and Copyright Compliance Policy | Protection of intellectual property, the law, penalties and software license compliance. | All employees
Records Retention and Protection Policy | Retention period for specific record types, use of cryptography, media selection, record retrieval, destruction and review. | Employees responsible for creation and management of records
Privacy and Personal Data Protection Policy | Applicable data protection legislation, definitions and requirements. | Employees responsible for designing and managing systems using personal data
Clear Desk and Clear Screen Policy | Security of information shown on screens, printed out and held on removable media. | All employees
Social Media Policy | Guidelines for how social media should be used when representing the organization and when discussing issues relevant to the organization. | All employees
HR Security Policy | Recruitment, employment contracts, policy compliance, disciplinary process, termination. | All employees
Acceptable Use Policy | Employee commitment to organizational information security policies. | All employees
Asset Management Policy | This document sets out the rules for how assets must be managed from an information security perspective. | All employees
CCTV Policy | The use of CCTV in physical security, including siting and data protection issues and considerations. | Employees responsible for CCTV
Configuration Management Policy | The secure configuration of hardware, software, services and networks. | Employees responsible for designing systems and managing service delivery
Information Deletion Policy | The deletion of information stored in information systems, devices or in any other storage media, when no longer required. | Employees responsible for designing and managing systems using personal data
Data Masking Policy | The use of data masking techniques such as anonymization and pseudonymization to protect personally identifiable information (PII). | Employees responsible for designing and managing systems using personal data
Data Leakage Prevention Policy | The configuration of relevant software tools to detect and prevent leakage of data. | Employees responsible for designing systems and managing service delivery
Monitoring Policy | The monitoring of the ICT environment to detect anomalous activity. | Employees responsible for designing systems and managing service delivery
Web Filtering Policy | Restricting access to Internet sites that are deemed inappropriate. | Employees responsible for designing systems and managing service delivery
Secure Coding Policy | The principles that will be used when developing secure code. | Employees responsible for designing, managing and writing code for bespoke software developments
Threat Intelligence Policy | The collection and use of threat intelligence at the strategic, tactical and operational levels. | Employees responsible for protecting the organization's infrastructure from attacks
Information Security Whistleblowing Policy | The raising of issues about information security within the organization. | All employees and other interested parties

Table 1: Set of policy documents

2.5 Application of information security policy

The policy statements made in this document and in the set of supporting policies listed in
Table 1 have been reviewed and approved by the top management of [Organization Name]
and must be complied with. Failure by an employee to comply with these policies may result
in disciplinary action being taken in accordance with the organization's Employee
Disciplinary Process.

Questions regarding any [Organization Name] policy should be addressed in the first
instance to the employee's immediate line manager.
