What is an information security policy (ISO27001)?

According to ISO27001, an information security policy is a specification document that companies use to regulate their information security. An information security policy defines the organization's overall approach to information security and commits the organization to it. It identifies the organization's assets, since only assets that have been identified can be protected. The ISO27001:2022 standard addresses the information security policy in clause 5.2.

The policy applies to all employees within the scope. The core document in the ISMS defines which company areas must adhere to the guidelines contained therein. If the scope only lists the parent company and certain subsidiaries, then the ISMS does not apply to the companies in the overall organization that are missing from the list. A structural analysis helps to identify whether certain companies also absolutely need to introduce the ISMS so that the organizational units to be certified can operate in compliance with the standards.

What should be specified in the information security policy?

The following should be specified in the information security policy:

  • The scope is specified.
  • The importance that information security has for an institution is highlighted, for example by pointing out that a failure of information technology or violations of the confidentiality and integrity of information endanger the existence of the institution.
  • The responsibility of management is emphasized, both in terms of initiating the security process and its continuous improvement.
  • Relevant laws and regulatory requirements are pointed out and employees are obliged to comply with them.
  • Business processes that are particularly important for information security are mentioned, such as production processes, research procedures or personnel processes, and strict adherence to the security rules is pointed out.
  • The organizational structure for information security and the tasks of the various security officers are presented.
  • It also makes sense to refer to information security training and awareness-raising measures.

Information security requires guidelines so that people know the right path

Information security guidelines are a basis for greater security

The Information Security Guideline (ISLL) is the formal basis for introducing an ISMS. It is specified by management and sets the security goals. It names the expectations and requirements of those involved, and it should clearly explain how possible risks are handled and who is responsible for them.

The information security policy should be created taking into account the other two pillars of the security process (organization and security concept). It is part of the security process, is subject to a life cycle, and should be reviewed and updated regularly. An information security guideline should address the content specified by ISO and BSI as concisely and clearly as possible, i.e. the individual points should be covered in the following form.

Importance of information security and objects to be protected

Organizations base their operational processes primarily on internal and external IT systems. The information that the organization collects and processes is increasingly processed and stored on IT systems. This information is the essential object of protection in the modern management of an organization.

Relation of information security to the organization's business goals or tasks

The information security guidelines show how information security and company-specific organizational goals influence each other.

Security goals

In this section, security objectives can be listed that go beyond the general objectives (e.g. confidentiality, integrity, availability) and make them more specific. The general goal is to achieve an appropriate level of information security. Since this is an information security guideline, too much detail should be avoided. It may also be sufficient to show how and under what conditions the organization wants to derive its own goals.

Core elements of the security strategy

This describes how the organization wants to achieve the goals. This should be done at a high level of abstraction. For example: the organization introduces security management with an ISMS and issues corresponding security guidelines.

Obligation to implement the information security policy

Management should clearly state that it supports the security goals and provides the necessary resources.


The information security policy should provide the framework for how the topic of information security is anchored in the organization. Overall responsibility for information security lies with management. It can be helpful to delegate responsibility for information security; the IS management team and/or the IT security officer are candidates for this. The design of the IS organization depends on the size and complexity of the organization. Under this point, the responsibility of managers and all employees for achieving the security goals can also be referred to explicitly. Disciplinary consequences can also be listed.

Commitment to continuous improvement

A clearly formulated statement on the further development of the information security strategy should be documented.


This section explains how the information security guidelines are put into effect.