📋 Template ISO 27001:2022 · Clause 5.2 · 4 pages · ISMS-POL-001

Information Security Policy

Top-level management commitment to information security with objectives, guiding principles, and responsibility assignments across all roles.


Document ID: ISMS-POL-001 | Version: 1.0 | Date: March 2026 | Classification: Internal | Owner: Chief Information Security Officer

Purpose

This policy establishes [Organisation Name]'s commitment to protecting the confidentiality, integrity, and availability of information assets. It provides the framework for setting information security objectives and directs all employees, contractors, and third parties who access organisational information or systems. This policy is issued under the authority of Top Management in accordance with ISO/IEC 27001:2022 Clause 5.2.


1. Policy Statement

[Organisation Name] is committed to protecting information assets from all threats — internal or external, deliberate or accidental — to ensure the continuous delivery of services and maintain the trust of our clients. Information security is a business imperative, not merely a technical function.


2. Objectives

The organisation’s information security objectives are to:

  1. Protect client data — Ensure client information is handled with the highest standard of confidentiality and is never disclosed without authorisation.
  2. Maintain service availability — Ensure critical services operate at agreed service levels with recovery capabilities that meet client contractual obligations.
  3. Ensure regulatory compliance — Meet all applicable legal, regulatory, and contractual obligations, including the Privacy Act, GDPR, and ISO/IEC 27001:2022.
  4. Manage risk within appetite — Identify and treat information security risks to keep residual risk within the Board-approved risk appetite.
  5. Build a security culture — Ensure all personnel understand their security responsibilities and report incidents without fear of blame.

Objectives are reviewed annually at the Management Review and translated into measurable targets in the ISMS Objectives Register.


3. Scope

This policy applies to:

  • All information in any form (digital, paper, verbal) created, received, stored, or transmitted by the organisation
  • All employees, contractors, consultants, and third parties with access to organisational systems or data
  • All locations and working arrangements (office, remote, client site)

4. Principles

Principle | Meaning
Confidentiality | Information is accessible only to those authorised to have access
Integrity | Information is accurate, complete, and protected from unauthorised modification
Availability | Authorised users have access to information and systems when required
Accountability | All access to information systems is logged and attributable to an individual
Least Privilege | Users are granted the minimum access required to perform their role
Risk-Based | Security controls are proportionate to the risk; not one-size-fits-all

5. Roles and Responsibilities

Role | Responsibility
Board / Top Management | Approve this policy; allocate adequate resources; set risk appetite
CISO | Own the ISMS; report to Top Management; ensure compliance
Information Security Manager | Implement controls; manage risk register; conduct training
System Owners | Ensure systems under their ownership comply with this policy
All Staff | Read and comply with this policy; report security incidents immediately
HR | Include security obligations in employment contracts; manage joiners/leavers

6. Supporting Policies

This top-level policy is supported by the following detailed policies, all of which must be read in conjunction with this document:

  • Asset Management Policy
  • Access Control Policy
  • Cryptography Policy
  • Physical and Environmental Security Policy
  • Incident Response Policy
  • Business Continuity and DR Policy
  • Supplier Security Policy
  • Acceptable Use Policy

7. Consequences of Non-Compliance

Failure to comply with this policy may result in disciplinary action up to and including termination of employment or contract, and in serious cases, referral to law enforcement. The organisation reserves the right to monitor system usage to detect policy violations.


8. Review

This policy is reviewed annually or following a significant security incident or change to the organisation’s risk profile. The CISO is responsible for initiating the review. All updates require Top Management approval before re-issue.

Version | Date | Author | Changes
1.0 | March 2026 | [CISO Name] | Initial issue
