ISO 27001 Information Security Policy Template

Download a free ISO 27001-compliant Information Security Policy template. Fully aligned with the 2022 standard. Ideal for SMEs and enterprise use.

[Your Organisation Name]
Version: 1.0
Approved by: [Name/Title]
Review Date: [DD/MM/YYYY]


1. Purpose

This Information Security Policy outlines the principles and requirements that guide [Your Organisation Name] in protecting the confidentiality, integrity, and availability of its information assets.


2. Scope

This policy applies to all employees, contractors, partners, and third parties who access or use [Your Organisation Name] information systems, data, or infrastructure. It covers all locations, systems, and devices within the scope of our Information Security Management System (ISMS).


3. Objectives

  • Ensure appropriate protection of business-critical and personal data
  • Comply with applicable legal, regulatory, and contractual obligations
  • Prevent unauthorised access, disclosure, modification, or loss of information
  • Support the organisation’s strategic and operational goals through secure operations
  • Continually improve our ISMS in line with ISO/IEC 27001:2022

4. Leadership Commitment

Top management supports the ISMS and will:

  • Ensure resources are available to maintain and improve information security
  • Communicate the importance of security responsibilities
  • Set clear, measurable objectives
  • Promote a risk-aware culture across the organisation

5. Security Principles

We are committed to the following:

  • Protecting all information assets against unauthorised access
  • Ensuring business continuity and minimising damage from incidents
  • Maintaining compliance with all applicable laws and regulations
  • Providing training and awareness to staff
  • Regularly reviewing, testing, and updating controls and policies

6. Risk Management

Risks are identified, assessed, and treated in accordance with our Risk Assessment & Treatment Methodology. Controls are selected and justified in the Statement of Applicability (SoA).


7. Responsibilities

All employees and relevant third parties are expected to:

  • Follow all security policies and procedures
  • Report suspected security incidents immediately
  • Participate in awareness and training programmes

Managers and system owners are additionally responsible for ensuring the correct implementation of controls and for maintaining documentation.


8. Compliance

Violations of this policy may result in disciplinary action. The policy will be reviewed at least annually or following significant changes to the organisation or risk landscape.


Signed:
[Name]
[Role, e.g. Managing Director / CEO]
[Date]
