How to write a Policy for ISMS ISO 27001

Information security policy ISO 27001

ISO 27001:2013 Clause 5.3 says: “Top management must establish an information security policy that is appropriate to the purpose of the organization and must include information security objectives or provide the framework for setting information security objectives. It must also include a commitment to satisfy applicable requirements related to information security and a commitment to continual improvement of the information security management system. The information security policy should be available as documented information. It must be communicated within the organization and be available to interested parties, as appropriate.”

To be certified to ISO 27001, an organization must develop an information security policy that complies with clause 5.2, and the policy should conform to the standard's requirements. Here is an example of an ideal policy.

We strive to achieve total information security by…

  • Following good practices to protect the organization’s information assets from internal or external / deliberate or accidental information security threats
  • Aligning information security management with the organization’s strategic risk management context
  • Setting information security objectives, and, establishing a direction and principles for action
  • Establishing criteria for risk evaluation and risk acceptance
  • Controlling access to information assets (including networks) based on business and security requirements
  • Protecting information and physical media in transit
  • Protecting information associated with the interconnection of business information systems
  • Putting safeguards on information sharing
  • Observing clear desk policy for papers and removable storage media
  • Observing clear screen policy for information processing facilities
  • Implementing appropriate security measures in mobile computing and communications
  • Using appropriate cryptographic controls for protection of information
  • Ensuring proper use, protection and lifetime of cryptographic keys through their lifecycle
  • Establishing rules for the development of software and systems and applying these rules to developments within the organization
  • Ensuring protection of the organization’s assets that are accessible by suppliers
  • Prohibiting the use of unauthorized software and complying with laws on intellectual property rights
  • Protecting organizational data and safeguarding privacy
  • Taking back-up copies of information, software, and system images and testing them regularly
  • Retaining records for a sufficient period before disposing of them carefully
  • Taking disciplinary action and discouraging misuse of information services by personnel
  • Complying with applicable requirements related to information security, including the requirements spelt out in the ISO/IEC 27001:2013 standard
  • Reviewing the effectiveness of ISMS at regular intervals, and
  • Continually improving our ISMS.

Information Security Management System Objectives

  1. To ensure that our business continues operations with minimal disruptions.
  2. To ensure absolute integrity for all information disbursed or produced by our organization.
  3. To manage all the relevant information with appropriate confidentiality.
  4. To impart information security training to all new employees within 15 days of joining.
  5. To minimize information security incidents to three or less per year.

For more information, see:

  • ISO/IEC 27001:2013 Standard: Clause 5.2 Policy
  • A.5 Information security policies