This article provides an overview of, and the rationale for, an organisation developing an information security policy as part of ISO 27002 compliance (ISO 27002 is the code of practice that supports the certifiable ISO 27001 standard; an information security policy is one of its core controls).

The objective of the information security policy is to provide management with clear direction and support for managing information security in accordance with the organisation's strategic objectives and its relevant legal and regulatory obligations.

The information security policy is defined and approved at the highest level of the organisation and communicated by the senior leadership team to internal and external stakeholders. It sets out the organisation's information security objectives, approach and framework. These are set in the context of the business strategy, legal and regulatory requirements, and known internal and external information security threats.

The information security policy is supported by a set of lower-level, topic-specific policies, each covering a different information security area with specific controls that address the organisation's needs. Examples of these policies include:

  1. Access Management.
  2. Information Classification.
  3. Physical and Environmental Security.
  4. End user related policies:
    Acceptable Use of Assets.
    Clear Desk.
    Information Transfer.
    Mobile Devices and Teleworking.
    Software Installation and Usage.
  5. Backup and Recovery.
  6. Secured Data Transfer.
  7. Malware Protection.
  8. Vulnerability Management.
  9. Cryptography and Encryption.
  10. Communications Security.
  11. Privacy and Protection of Personally Identifiable Information.
  12. Supplier Relationships.

For more information, please contact Morland-Austin at