How to Document Your Information Security Policy

by Robert Best on July 15, 2020

Covid-19 and the recent lockdown have dramatically changed the way we work. Most businesses will have had their staff working remotely or will have had to furlough them. It's likely your business looks remarkably different than it did at the start of 2020.

What is often overlooked is the effect this will have had on your security. Your IT security will not have been designed with the current working conditions in mind. So how can you make sure your business is still secure?

An information security policy is a great place to start.

What is an information security policy?

An information security policy documents the steps and measures you are taking to protect your IT infrastructure and keep it secure.

This by no means has to be a long document, for many businesses a couple of pages will do. The important part of the policy is to capture the requirements of the business and the realities of your IT day-to-day.

Although it is a document about your IT security, it doesn't have to be highly technical. Keep the policy statement as simple as possible but do make sure it is comprehensive by ensuring it covers all of your business technology.

Information security policies and security certifications

To gain certification in the Government-backed Cyber Essentials scheme, your policy should include:

  • The requirements for handling and processing personal data of customers, employees, and third-parties.
  • A password policy that describes the minimum requirements for passwords (such as length and complexity).
  • A set of guidelines that define what users can and cannot do, including access controls and internet usage.

Meanwhile, it also has to meet the requirements of ISO 27001 if you’re looking to achieve that certification.

How to create your information security policy

Consider your business

The policy statement will also require all employees within the business to participate. For some, it might require participation from customers, suppliers, and other third parties.

You will need to consider how your policies will affect your employees and your customers and the benefits and disadvantages that the business will experience as a result.

Gathering your information

Gathering the information for your policy is not always as straightforward as it seems, especially in a large or complex business. The final policy may have to reflect the final risk assessment and the Statement of Applicability.

Whatever information you decide to include, try to make sure that the policy:

  • Sets objectives, or includes a process for setting its objectives, and establishes the overall sense of direction;
  • Takes into account all relevant business, legal, regulatory and contractual security requirements;
  • Sets out the criteria for the evaluation of security risks and the structure of the risk assessment.

The policy statement must answer:

  • Who? – Management has to be completely behind and committed to the IT infrastructure. The policy statement must, therefore, be issued under their authority. However, there should be clear evidence that the policy was debated and agreed by all decision-makers involved in the process.
  • Where? – You must identify the parts of your business where the policy applies (departments and locations for example).
  • What? – The overall goal of the policy – to protect your business from security breaches – and specific issues that you will address, such as remote access, password management and network security.
  • Why? – To protect sensitive information from a wide range of threats to ensure business continuity, minimise business damage and maximise return on investment.

Getting help with creating an information security policy

If you are unsure of what your policy looks like or the best way to secure your technology then ask for help. At Infotech we can help you draft the document and make sure it can be implemented and followed within your business.


Your business has been through a lot in recent months but don't compound that by ignoring your IT security. By updating or creating a brand new information security policy you can start making sure your business is secure in this new way of working.

If you need help with creating your information security policy or if you have any IT security concerns please contact us. You can reach us here, by email, or by calling 01634 52 52 52.
