When to use this
Practical use
Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.
Use this to draft or review the organization’s high-level information security policy under A.5.1 Policies for Information Security.
Document Title: Information Security PolicyDocument Owner: [CISO / ISMS Manager / Security Officer]Approved By: [CEO / CIO / Executive Committee]Version: [x.x]Effective Date: [date]Next Review Date: [date]Classification: [Internal / Public / Confidential]
1. PurposeThis policy establishes the organization's commitment to protecting information assets and maintaining an effective Information Security Management System.
2. ScopeThis policy applies to [employees, contractors, third parties, systems, locations, business units, and processes] within the ISMS scope.
3. Policy StatementThe organization is committed to protecting the confidentiality, integrity, and availability of information through risk-based controls, compliance with applicable requirements, and continual improvement of the ISMS.
4. ObjectivesThe objectives of information security are to:- protect information assets from unauthorized access, disclosure, modification, loss, or disruption;- support business objectives and legal, regulatory, and contractual obligations;- manage information security risks to acceptable levels;- ensure security responsibilities are understood and fulfilled.
5. Management CommitmentSenior management supports the ISMS and provides direction, resources, and oversight for information security.
6. ResponsibilitiesAll personnel are responsible for complying with information security policies.Managers are responsible for ensuring policy implementation within their areas.The policy owner is responsible for maintaining and reviewing this policy.
7. Risk ManagementInformation security controls shall be selected and maintained based on risk assessment, risk treatment decisions, legal and regulatory requirements, and business needs.
8. Supporting PoliciesThis policy is supported by topic-specific policies, standards, and procedures, including:- Access Control Policy- Acceptable Use Policy- Information Classification Policy- Incident Management Policy- Supplier Security Policy- Backup Policy- Logging and Monitoring Policy
9. Exceptions and Non-ComplianceExceptions must be formally requested, risk-assessed, approved, documented, and reviewed. Non-compliance may result in corrective, disciplinary, contractual, or legal action.
10. Review and MaintenanceThis policy shall be reviewed at planned intervals and when significant changes occur, including changes to risks, threats, technology, legal requirements, business operations, or the ISMS.
11. ApprovalApproved by: [name/title]Signature/Approval Record: [reference]Date: [date]- Template
- Policy
- A5 1
- Iso27001
Note Metadata
Aliases: Top-Level Information Security Policy
Source: 90 Templates/Top-Level Information Security Policy.md