
Information Security Policy Template

Purpose and Use

This Information Security Policy explains how the organisation protects its information and systems from unauthorised access, loss, damage, or misuse. Information is a critical business asset, whether it relates to customers, staff, suppliers, or internal operations, and this policy sets out the high-level principles and expectations for keeping that information secure.

The policy is commonly required by frameworks and obligations such as Cyber Essentials, Cyber Essentials Plus, ISO/IEC 27001, and UK data protection law, and is often requested during customer, supplier, or insurer due-diligence. It demonstrates that information security is actively managed, that responsibilities are understood, and that security decisions are made in a consistent and considered way rather than informally or reactively.

This policy applies to all employees, contractors, and third parties who handle information or use systems on behalf of the organisation, including remote and home working arrangements. It provides a foundation for more detailed security procedures and should be approved by management, communicated to relevant staff, and reviewed regularly to ensure it remains accurate and effective.

Who This Template Is For

This template is intended for UK organisations seeking a clear, proportionate Information Security Policy to support Cyber Essentials, ISO/IEC 27001, or customer due-diligence requirements.

Alternative names you may see

Organisations and frameworks do not always use the same terminology. This document may be referred to by different names depending on the business, industry, or compliance framework being followed.

Common alternative names for an Information Security Policy

  • Information Security Policy
  • Information Security Management Policy
  • Information Security & Data Protection Policy
  • IT Security Policy
  • Cyber Security Policy
  • Information Assurance Policy
  • Security Policy (high-level)
  • ISMS Policy (common in ISO/IEC 27001 contexts)

Information Security Policy

Organisation: [Organisation Name]
Document Owner: [Role – e.g. Head of IT / Information Security Manager]
Version: [X.Y]
Classification: [Public / Internal / Confidential]
Effective Date: [DD/MM/YYYY]
Next Review Date: [DD/MM/YYYY]

1. Document Management

1.1 Ownership

This policy is owned by [Role / Function], who is responsible for its maintenance, review, and enforcement.

1.2 Review and Approval

This policy shall be reviewed at least annually, or sooner if there are significant changes to:

  • Business operations
  • Legal or regulatory requirements
  • Information security risks

Approval authority: [Role / Governance Body]

1.3 Change History
Version | Date         | Author      | Description
1.0     | [DD/MM/YYYY] | [Name/Role] | Initial issue

2. Purpose

The purpose of this policy is to define the organisation’s commitment, principles, and minimum requirements for protecting information assets against unauthorised access, disclosure, alteration, or loss.

This policy supports the preservation of:

  • Confidentiality
  • Integrity
  • Availability

of information processed, stored, or transmitted by the organisation.

3. Scope

This policy applies to:

  • All employees, contractors, agency staff, and third parties
  • All information assets, systems, networks, applications, and data
  • All locations where organisational information is processed (on-site, remote, cloud)

4. Information Security Principles

The organisation commits to:

  • Protecting information in line with business, legal, and contractual requirements
  • Applying a risk-based approach to information security
  • Ensuring security is proportionate to risk and business impact
  • Embedding security awareness across the organisation
  • Continual improvement of information security controls

5. Legal and Regulatory Compliance

Information security controls shall ensure compliance with:

  • Applicable data protection legislation (e.g. UK GDPR)
  • Industry and contractual obligations
  • Relevant regulatory requirements

A register or documented record of applicable legal and contractual information security requirements shall be maintained.

6. Roles and Responsibilities

6.1 Senior Management

Senior management is responsible for:

  • Endorsing this policy
  • Providing adequate resources for information security
  • Promoting a security-aware culture

6.2 Information Security Function

[Role / Team] is responsible for:

  • Operating and maintaining the organisation’s information security controls (and ISMS where applicable)
  • Monitoring compliance with this policy
  • Reporting security performance and incidents to management

6.3 Asset Owners

Asset owners are responsible for:

  • Classifying information assets
  • Ensuring appropriate security controls are applied
  • Reviewing access rights regularly

6.4 All Users

All users must:

  • Comply with this policy and supporting policies
  • Protect credentials and access rights
  • Report actual or suspected security incidents promptly

7. Information Security Controls

Security controls shall be selected and implemented based on:

  • Risk assessments
  • Business requirements
  • Legal and contractual obligations

Controls may include (but are not limited to):

  • Access control
  • Asset management
  • Secure configuration
  • Malware protection
  • Backup and recovery
  • Incident management
  • Supplier security assurance

Detailed controls are defined in supporting policies and procedures.

8. Information Security Objectives

Measurable information security objectives shall be defined, monitored, and reviewed at least annually.
Objectives must align with organisational strategy and risk appetite.

9. Incident Management

All actual or suspected information security incidents must be reported immediately to [Incident Contact / Team].
Incidents shall be:

  • Logged
  • Investigated
  • Managed according to the incident response process
  • Reviewed for lessons learned

10. Awareness and Training

Appropriate information security awareness and training shall be provided to:

  • New starters
  • Existing staff on a regular basis
  • Users with elevated or specialist access

11. Policy Compliance

Failure to comply with this policy may result in:

  • Disciplinary action
  • Contractual action
  • Legal consequences

Compliance with this policy is mandatory.

12. Exceptions

Any exception to this policy must be:

  • Documented
  • Risk-assessed
  • Approved by [Approving Authority]
  • Time-limited and reviewed regularly

13. Policy Communication

This policy shall be:

  • Communicated to all relevant users
  • Made available via [Intranet / Policy Portal]
  • Provided to third parties where appropriate

14. Supporting Policies and Documents

This policy is supported by (where applicable):

  • Acceptable Use Policy
  • Access Control Policy
  • Incident Response Policy
  • Data Protection Policy
  • Risk Assessment Methodology
  • Supplier Security Policy

Policy Addons

This policy provides a general information security baseline. Some frameworks and obligations require additional, more specific policy statements. The add-on sections below identify where supplementary content may be needed so that the policy can be adapted without being rewritten entirely. Include these add-on sections where they apply to the organisation.

PCI DSS – Payment Card Data (Add-On)

Where the organisation stores, processes, or transmits payment card data, additional controls shall be implemented to protect cardholder data and payment environments in line with applicable PCI DSS requirements.

These controls shall include appropriate access restrictions, network segmentation, monitoring and logging of access to payment systems, and secure handling and transmission of cardholder data.

Payment card data environments shall be clearly defined, documented, and protected from unauthorised access. This policy supports PCI DSS requirements but does not replace the need for PCI-specific procedures, standards, and technical controls.
