Sample preview. Placeholders in [brackets] are replaced automatically with your answers from the post-purchase customisation form.

ISO 27001 Essentials

Information Security Policy

Document 1 of [number of documents in suite] · One-time £20 for the full suite

1. Purpose

This Information Security Policy is the top-level policy of the [Company Name] Information Security Management System (ISMS), established in accordance with ISO/IEC 27001:2022.

2. Scope

The ISMS covers [ISMS Scope Statement — e.g. all information assets supporting the delivery of [Company Name]'s services from its [Location] office and supporting cloud environments].

3. Information security objectives

[Company Name] pursues the following objectives, reviewed annually:

  • Maintain the confidentiality, integrity and availability of information assets.
  • Comply with all applicable legal, regulatory and contractual requirements.
  • Continually improve the ISMS.
  • Reduce information security incidents year on year.

4. Leadership commitment

Top management at [Company Name], represented by [Company Owner], commits to:

  • Providing resources for the ISMS.
  • Establishing security objectives compatible with the strategic direction.
  • Promoting continual improvement.
  • Holding the ISMS Manager ([ISMS Manager]) accountable for ISMS performance.

5. Risk approach

Information security risk is managed under the [Company Name] Risk Assessment & Treatment Procedure, using a 5×5 impact–likelihood matrix. The Risk Treatment Plan and Statement of Applicability (covering all 93 Annex A:2022 controls) are maintained by the ISMS Manager.

6. Roles

  • ISMS Manager: [ISMS Manager].
  • Information Asset Owners: named in the asset register.
  • All workers: comply with this policy and report incidents promptly.

7. Supporting policies

This policy is supported by:

  • Access Control Policy.
  • Acceptable Use Policy.
  • Supplier Security Policy.
  • Cryptographic Controls Policy.
  • Information Classification & Handling Standard.
  • Incident Management Policy.
  • Business Continuity Policy.

8. Compliance and audit

The ISMS is subject to internal audit and management review, each at least annually. Non-conformities are recorded and tracked to closure.

9. Communication and training

All workers receive information security training on induction and annually thereafter. This policy is communicated to all workers and made available to interested parties on request.

10. Review

This policy is reviewed at least annually by [Company Owner] and the ISMS Manager.


Approved by: [Company Owner]
Effective date: [Effective Date]
Next review: [Review Date]

Like what you see?

Get the full ISO 27001 Essentials bundle, tailored to your business, for £20.