How long should your Information Security policy be?

An Information Security Policy is at the centre of the information security program at an organization. It is also an important requirement for ISO 20071 certification.

Sometimes, companies spend a lot of time including all the details about information security right from the high-level strategy to granular information on best practices to be adopted by the users. On the other hand, some companies treat this document just as a mandatory requirement they need to fulfil and use readymade templates to fill in the information and be done with it.

Both these approaches are wrong and will not add any value to the company’s information security program.

Why are these approaches wrong?

The purpose of an information security policy is to serve as an aid for the top management to control the company’s Information Security Management System (ISMS) effectively. It should help them to enforce information security and also share the security measures with clients, auditors, and partners.

Some companies make the policy too exhaustive including a wide range of potential issues and use cases. Such a policy will be too impractical to actually implement. Also, a very detailed policy that runs into 50 or more pages will not be useful to refer to for operational purposes.

Similarly, a policy created just as a formality will not capture the strategic view of information security. It will end up just being another document created for the sake of audit and will not really be of any use.

How long should an Information Security Policy be?

In order for policy documents to be informational as well as practical, ISO 27001 defines two levels of documents.

1. High-level documents such as the Information Security Policy should contain the below information in brief:

• Principles of information security
• Strategic intentions
• Management commitment
• Objectives of information security
• Roles & responsibilities of stakeholders
• Legal responsibilities
• Framework of supporting policies

This high-level policy should ideally be between 2 to 5 pages.

2. Detailed documents which focus on a selected security area should contain information such as:

• Policy on acceptable use of assets including clear desk and clear screen policies,
• Access control policies to define various levels of user access to confidential and sensitive information,
• Backup policy,
• Classification policy for classifying all information that is stored or exchanged,
• Password policy,
• Policy for mobile users to access information, etc.

Please note that the information in the detailed policy will depend on the Risk Assessment Report which will determine which controls need to be implemented. The detailed policy is longer than the high-level policy and should be around 10 pages long. If it is much longer, it might again pose the same problem of being unusable on account of being too lengthy.

Writing an effective Information Security Policy

Is it really worth it to spend a lot of time creating the Information Security Policy? The answer is yes.

As mentioned above, a policy document created just for the sake of audit will not be useful. But creating a well-written document will make it easy for you to control the company’s ISMS.

Here are the important elements of an Information Security Policy.

1. Scope: The scope of the Information Security Policy should define the data, processes, networks, systems, users, etc. that will be covered in the policy.
2. Management objectives: These could be legal and contractual obligations and regulatory objectives.
3. Context of other documents: The policy should be in line with other directives and supplementary documents.
4. Classification of information: All information must be classified based on its level of confidentiality and sensitivity.
5. Mandates: Security mandates to access information, authentication, etc. should be documented.
6. Consequences of non-compliance: The consequences of non-compliance with the policy should be unambiguously mentioned.

Below are the tips to write an effective Information Security Policy.

• Write the policy with the intention of mitigating potential risks
• Include end-to-end processes for information security
• Review and update the policy in line with changes in business and the threat landscape
• Keep the policy enforceable and practical in order to ensure compliance
• Keep the business goals in mind while writing the policy
• Include a security incident response plan

A well-drafted and updated Information Security Policy will certainly be a valuable document for any company. Even if you are not able to immediately quantify the benefits, you will certainly see a drop in security risks and a well-managed ISMS in due time. You can read more about the ISO 20071 certification in the ISO 27001 guide. If you are preparing for your first audit, read through the 9 Steps to Prepare for Your First ISO 27001 Audit.

To see how an integrated content library and automation simplifies ISO 27001 implementation, get in touch with our team and take a free tour of the 6clicks platform.

Related useful resources

• Setting the information security policy for ISO 27001

• Statement of applicability in ISO 27001 – What is it and why does it matter?

• The beginner's guide to ISO 27001 compliance