Information Security Policy Template

Posted by Peter Bassill on 05/01/2021

Purpose, scope and users
The purpose of this document is to clearly define the boundaries of information security in the firm.
Users of this document are members of the firm's management and members of the project team implementing the policies.

Reference documents

ISO/IEC 27001 standard (clause 4.2.1 a)
List of legal, regulatory, contractual and other requirements

Statement from our CEO

“Information security is very important to us and we want to ensure that confidential information is accessible only by those who are entitled to it. We are also finding that clients are expecting us to be able to demonstrate our policies more than ever before.
As part of our commitment to information security we have an Information Security Board which helps ensure our continued accreditation to the International Standard for Information Security Management (ISO 27001:2013).
This document provides our policy statement (which has been published on our website) and our objectives. It also gives an overview of the policies with some background information on the key concepts.”

Information security policy statement
As a leading firm, {company_name} and our clients demand that information systems meet high standards of confidentiality, availability and integrity. These standards can only be achieved by ensuring that we have a practical and pro-active system for managing our information security. The purpose of the information security policy is to protect {company_name}, its employees and clients from all information security threats, whether internal or external, deliberate or accidental.
Information security is characterised here as the preservation of:

Confidentiality: ensuring that information is accessible only to those authorised to have access
Integrity: safeguarding the accuracy and completeness of information and processing methods
Availability: ensuring that authorised users have access to information and associated assets when required
Compliance: ensuring that {company_name} meets its regulatory and legislative requirements

We have nominated a Chief Information Security Officer (CISO) to introduce and maintain policy and to provide advice and guidance in its implementation.
We require that all breaches of information security, actual or suspected, be reported in accordance with the Notification and Reporting Policy.
We undertake to provide appropriate information security training for all employees through our online learning platform.
Third party suppliers providing services to {company_name} are required to ensure that the confidentiality, integrity, availability, and regulatory requirements of all business systems are met.
It is the responsibility of all users to adhere to the policy.
Information Security Commitments & Objectives

Communicate to our employees, suppliers and other stakeholders the critical importance of information security to {company_name} and our clients.
Protect our information assets, clients and employees from existing and emerging threats and vulnerabilities relating to the confidentiality, integrity and availability of our information and the information assets.
Support business objectives by ensuring information exchange is facilitated effectively and securely and without undue disruption to business operations.
Protect the firm’s technological and intellectual capital.
Ensure access to our information assets is maintained on a ‘need to know’ basis.
Ensure that information is only kept for the absolute minimal duration of time required.
Ensure {company_name} fulfils statutory, contractual, regulatory and best practice requirements relating to information security, including maintaining compliance with the international ISO 27001 (Information Security Management Systems) standard.
Make sure appropriate information security controls and resources are planned, implemented and embedded in the most efficient and timely way, including ensuring that our employees, contractors and third parties understand and apply these controls correctly.
Ensure that information security controls are being applied and adhered to using appropriate monitoring and auditing.
Ensure that Information Security Requirements are captured in all projects; and
Continually develop and improve the Information Security program within {company_name}.

About our policies
Our policies apply to all employees, partners, contractors, consultants, students, temporary staff, visitors and all other people that make use of the firm’s assets. You MUST:

read, understand and comply with all relevant information security policies, procedures and standards;
ensure all our information assets are handled according to their level of classification;
behave professionally and responsibly when dealing with our IT systems and with our clients; and
report all security concerns or incidents in line with the notification and reporting policy to the management team.

Our core policies are:

Acceptable Use Policy
Data Classification
Clear Desk and Screen Policy
Data Protection Policy
Physical Access Control Policy
Remote Working Policy
Incident Reporting Policy
Information Backup Policy
Security Audit Policy
Cryptography Policy
Applicable Legislation and Regulation Policy
Digital Access Control Policy
Information Retention Policy
Data Transmission Policy
Client Data Handling Policy
Third Party Security Policy
IT Patching Policy

Compliance Measurement
The {company_name} Team will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.
Any exceptions to the policy must be approved by the CEO in advance.
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. 
