Information Security Policy for ISO 27001

ISO 27001 Clause 5.2

This sub-clause requires top management to establish a documented information security policy and communicate it within the organisation and to interested parties as appropriate.

ISO 27001 Clause 5.2 - Information Security Policy

The information security policy is the central document of the ISMS. It is the statement of intent from top management - what the organisation believes about information security and what commitments it is willing to make. Clause 5.2 sets out what the policy has to contain, how it has to be made available and to whom.

What ISO 27001 Clause 5.2 Requires

Top management must establish an information security policy that is appropriate to the purpose of the organisation, includes information security objectives or provides a framework for setting them, includes a commitment to satisfy applicable requirements related to information security, and includes a commitment to continual improvement of the ISMS.

The policy must be available as documented information, communicated within the organisation and available to interested parties as appropriate. The clause does not specify the format, the length or the level of detail. What matters is that the four content requirements are met and that the communication and availability requirements are met.

What a Good Information Security Policy Looks Like

A good policy is short, readable and aligned to the way the organisation actually operates. It usually fits on one or two pages. It states the commitments required by the standard in plain language, and it points to the supporting policies and procedures where the detail lives. Top management approves it and the date and version are visible.

The policy is not the place for detailed control descriptions. Those belong in the supporting policies - acceptable use, access control, incident response and so on - and in the procedures that sit beneath them. Mixing strategic policy with operational detail makes the policy harder to maintain and harder for staff to absorb.

Communicating the Policy

The policy has to be communicated within the organisation. Putting it on a shared drive that nobody reads is not communication. Most organisations include the policy as part of induction, refresh awareness through training or campaigns, and make it visible on the intranet. The communication needs to be effective enough that people inside the scope of the ISMS know there is a policy, what it commits the organisation to, and where to find it.

Making the policy available to interested parties usually means publishing a version on the website or providing it on request. Customers will often ask for it as part of due diligence. The policy provided to interested parties is the same one used internally, not a marketing-edited summary.

The four content requirements in Clause 5.2 are simple, but I see policies that miss them all the time. The most commonly missed is the framework for objectives - the policy needs to either include the objectives directly or commit to setting them. Just talking about commitment to security is not enough.

I check the policy for the four content requirements first. I then look at how recently it was approved and whether the version on the website matches the version on the intranet. After that I ask a few staff if they know there is a policy and what it says about their responsibilities. Communication is part of the clause, not just availability.

Practical Compliance Guidance

The information security policy is approved by top management and reviewed at planned intervals - usually annually as part of the management review. Updates are version-controlled and communicated.

The documents below provide a ready-made information security policy that meets the four content requirements of Clause 5.2.

alphaZ document - How to use it
ISO 27001 Toolkit - Complete documentation set for ISO 27001:2022 including the information security policy and all supporting policies.
P-20 Information Security Policy - Information security policy template covering the four content requirements of Clause 5.2, ready for top management to review, customise and approve.
F-Q11 Company Objectives - Companion to the policy where the information security objectives referenced in the policy are recorded and tracked.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Does the policy have to be signed?
The standard requires the policy to be approved by top management, not signed. A signature is one way of demonstrating approval. A documented sign-off in a management meeting, an emailed approval or a version-controlled approval workflow are also acceptable.

How long should the policy be?
One to two pages is the usual length. The policy is a strategic statement, not an operational manual. Detail belongs in the supporting policies. Long policies tend to be ignored.

How often should the policy be reviewed?
At least annually, usually as part of the management review, and whenever there is a significant change to the organisation, the operating environment or the management system. The review cycle is recorded so it can be evidenced at audit.

UK Legislation

The following UK legislation creates obligations that the information security policy typically commits the organisation to satisfying.
