Information Security Policy Template

Purpose, scope and users

The purpose of this document is to define the scope of information security in the firm: what it covers, what it aims to achieve, and who is responsible for it.

Users of this document are members of the firm's management and members of the project team implementing the policies.

Reference documents

  • ISO/IEC 27001 standard, (clause 4.2.1 a)
  • List of legal, regulatory, contractual and other requirements

Introduction

Statement from our CEO

“Information security is very important to us and we want to ensure that confidential information is accessible only by those who are entitled to it. We are also finding that clients are expecting us to be able to demonstrate our policies more than ever before.

As part of our commitment to information security we have an Information Security Board which helps ensure our continued accreditation to the International Standard for Information Security Management (ISO 27001:2013).

This document provides our policy statement (which has been published on our website) and our objectives. It also gives an overview of the policies with some background information on the key concepts.”

xxxx

CEO


Information security policy statement

As a leading firm, {company_name} and our clients demand that our information systems meet high standards of confidentiality, integrity and availability. These standards can only be achieved by ensuring that we have a practical and proactive system for managing our information security. The purpose of the information security policy is to protect {company_name}, its employees and its clients from all information security threats, whether internal or external, deliberate or accidental.

The information security policy is characterised here as the preservation of:

Key | Description
--- | ---
Confidentiality | ensuring that information is accessible only to those authorised to have access
Integrity | safeguarding the accuracy and completeness of information and processing methods
Availability | ensuring that authorised users have access to information and associated assets when required
Regulatory | ensuring that {company_name} meets its regulatory and legislative requirements

We have nominated a Chief Information Security Officer (CISO) to introduce and maintain the policy and to provide advice and guidance on its implementation.

We require that all breaches of information security, actual or suspected, are reported in accordance with the Notification and Reporting Policy.

We undertake to provide appropriate information security training for all employees through our online learning platform.

Third party suppliers providing services to {company_name} are required to ensure that the confidentiality, integrity, availability and regulatory requirements of all business systems are met.

It is the responsibility of all users to adhere to the policy.

Information Security Commitments & Objectives

  • Communicate to our employees, suppliers and other stakeholders the critical importance of information security to {company_name} and our clients.
  • Protect our information assets, clients and employees from existing and emerging threats and vulnerabilities relating to the confidentiality, integrity and availability of our information and information assets.
  • Support business objectives by ensuring information exchange is facilitated effectively and securely and without undue disruption to business operations.
  • Protect the firm’s technological and intellectual capital.
  • Ensure access to our information assets is maintained on a ‘need to know’ basis.
  • Ensure that information is only kept for the minimum duration required.
  • Ensure {company_name} fulfils statutory, contractual, regulatory and best practice requirements relating to information security, including maintaining compliance with the international ISO 27001 (Information Security Management Systems) standard.
  • Make sure appropriate information security controls and resources are planned, implemented and embedded in the most efficient and timely way, including ensuring that our employees, contractors and third parties understand and apply these controls correctly.
  • Ensure that information security controls are being applied and adhered to, using appropriate monitoring and auditing.
  • Ensure that information security requirements are captured in all projects; and
  • Continually develop and improve the information security programme within {company_name}.

About our policies

Our policies apply to all employees, partners, contractors, consultants, students, temporary staff, visitors and all other people that make use of the firm’s assets. You MUST:

  • read, understand and comply with all relevant information security policies, procedures and standards;
  • ensure all our information assets are handled according to their level of classification;
  • behave professionally and responsibly when dealing with our IT systems and with our clients; and
  • report all security concerns or incidents in line with the notification and reporting policy to the management team.

Our core policies are:

  • Acceptable Use Policy
  • Data Classification
  • Clear Desk and Screen Policy
  • Data Protection Policy
  • Physical Access Control Policy
  • Remote Working Policy
  • Incident Reporting Policy
  • Information Backup Policy
  • Security Audit Policy
  • Cryptography Policy
  • Applicable Legislation and Regulation Policy
  • Digital Access Control Policy
  • Information Retention Policy
  • Data Transmission Policy
  • Client Data Handling Policy
  • Third Party Security Policy
  • IT Patching Policy

COMPLIANCE

Compliance Measurement

The {company_name} Team will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.

Exceptions

Any exceptions to the policy must be approved by the CEO in advance.

Non-Compliance

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. 
