Information Security Policy
To use this template, simply replace the text in dark grey with information customized to your organization. When
complete, delete all introductory or example text and convert all remaining text to black prior to distribution.
Policy Owner
Name the person/group responsible for this policy’s management.
Policy Approver(s)
Name the person/group responsible for implementation approval of this policy.
Related Policies
Name other related enterprise policies both within or external to this manual.
Related Procedures
Name other related enterprise procedures both within or external to this manual.
Storage Location
Describe physical or digital location of copies of this policy.
Effective Date
List the date that this policy went into effect.
Next Review Date
List the date that this policy must undergo review and update.
Purpose
Describe the factors or circumstances that mandate the existence of the policy. Also state the policy’s basic
objectives and what the policy is meant to achieve.
The purpose of the Information Security policy is to protect the reputation of [Company Name], to ensure that
workforce members, including management, who use [Company Name]’s information systems meet IT security and
data protection requirements, and to safeguard the Confidentiality, Integrity, and Availability of [Company
Name]’s information systems and components.
Scope
Define to whom and to what systems this policy applies. List the employees required to comply, or simply indicate
“all” if all must comply. Also indicate any exclusions or exceptions, i.e. those people, elements, or situations that
are not covered by this policy or where special consideration may be made.
This policy applies to all users of all information systems that are the property of [Company Name]. Specifically, it
includes:
• All employees, whether employed on a full-time or part-time basis by [Company Name].
• All contractors and third parties that work on behalf of and are paid directly by [Company Name].
• All contractors and third parties that work on behalf of [Company Name] but are paid directly by an alternate
employer.
• All employees of partners and clients of [Company Name] that access [Company Name]’s non-public
information systems.
Definitions
Define any key terms, acronyms, or concepts that will be used in the policy or accompanying procedures. A
standard glossary approach is sufficient.
Governing Laws & Regulations
If applicable, list any laws or regulations that govern the policy or with which the policy must comply. Confirm with
the legal department that the list is complete and accurate. If there are no pertinent governing laws or regulations,
delete this section.
Info-Tech Research Group
Policy Statements
Describe the rules that comprise the policy. This typically takes the form of a series of short prescriptive and
proscriptive statements. Sub-dividing this section into sub-sections may be required depending on the length or
complexity of the policy. Mapped regulations can be edited based on policy requirements.
1. [Company Name] will develop a process for the creation, review, and approval of information security policies.
   Mapped Regulations/Standards: NIST CSF ID.GV-1; SOC2SEC CC5.3; ISO 27001 5.2, 5.1.1; PCI (v3.2.1) 12.1;
   HIPAA §164.308(a)(1)(i)

2. Dedicated policies will be developed for needed areas of information security.
   Mapped Regulations/Standards: NIST CSF ID.GV-1, PR.IP-12; NIST 800-53 AC-1, AU-1, CA-1, IA-1, IR-1, MA-1,
   MP-1, PE-1, RA-1, SA-1, SC-1, SI-1; SOC2SEC CC5.3, CC5.2; ISO 27001 5.1.1; PCI (v3.2.1) 1.5, 2.5, 3.7, 4.3,
   5.4, 6.7, 7.3, 8.8, 9.10, 10.9, 11.6; HIPAA §164.308(a)(1)(i), §164.308(a)(3)(i), §164.308(a)(4)(i),
   §164.308(a)(6)(i), §164.310(a)(1), §164.310(b), §164.310(d)(1), §164.312(a)(1), §164.312(c)(1)

3. Security policies will be distributed to all necessary employees and communicated effectively.
   Mapped Regulations/Standards: NIST CSF ID.GV-1; NIST 800-53 AC-1, AU-1, CA-1, IA-1, IR-1, MA-1, MP-1, PE-1,
   RA-1, SA-1, SC-1, SI-1; SOC2SEC CC2.2, CC5.3; ISO 27001 5.1.1; HIPAA §164.316(b)(1)

4. Security policy exceptions will be documented and approved.
   Mapped Regulations/Standards: NIST CSF ID.GV-1; SOC2SEC CC5.3; ISO 27001 5.1.1

5. Security policies will be enforced and implemented across the enterprise, with embedded violation handling
   protocols.
   Mapped Regulations/Standards: NIST CSF ID.GV-1; NIST 800-53 PS-8; SOC2SEC CC1.5, CC5.3; ISO 27001 5.1.1,
   7.2.1, 7.2.3, 18.2.2; HIPAA §164.308(a)(1)(i), §164.308(a)(1)(ii)(C), §164.316(a)

6. Security policies will be regularly reviewed, evaluated, and updated.
   Mapped Regulations/Standards: NIST CSF ID.GV-1; NIST 800-53 AC-1, AU-1, CA-1, IA-1, IR-1, MA-1, MP-1, PE-1,
   RA-1, SA-1, SC-1, SI-1; SOC2SEC CC5.3; ISO 27001 5.1.2; PCI (v3.2.1) 12.1.1; HIPAA §164.308(a)(8),
   §164.316(b)(1)(i), §164.316(b)(2)(i), §164.316(b)(1)
Information Security Program

7. A target state for information security will be defined and will reflect the expectations and requirements of
   key stakeholders.
   Mapped Regulations/Standards: NIST CSF ID.BE-3; NIST 800-53 PL-2; ISO 27001 4.1

8. The scope of information security programs will be fully defined.
   Mapped Regulations/Standards: NIST CSF ID.BE-4; NIST 800-53 PL-2; SOC2SEC CC5.1, CC5.2; ISO 27001 4.3

9. The target state for information security will reflect the security risks to the organization, including
   specific industry sector and geographic risks.
   Mapped Regulations/Standards: NIST CSF ID.BE-1, ID.BE-2; NIST 800-53 PL-2; SOC2SEC CC3.1, CC3.4, CC5.1;
   ISO 27001 4.1, 6.1.2; HIPAA §164.306(b)(2), §164.308(a)(1)(ii)(A)
10. The governance structure for information security will be defined.
    Mapped Regulations/Standards: NIST CSF ID.GV-2, ID.GV-4; NIST 800-53 PL-2(3); SOC2SEC CC1.3

11. [Company Name] will develop an information security strategy and roadmap for achieving the security target
    state.
    Mapped Regulations/Standards: NIST CSF ID.BE-3; NIST 800-53 PL-1, PL-2, PL-2(3), PL-8; SOC2SEC CC5.1, CC5.2;
    ISO 27001 4.4, 6.1.1, 6.1.3, 6.2, 7.5.1, 7.5.2, 7.5.3, 8.1; HIPAA §164.308(a)(1)(ii)(B)

12. [Company Name] will ensure the information security program has adequate funding and support to meet its
    defined goals.
    Mapped Regulations/Standards: ISO 27001 5.1

13. [Company Name] will document the services provided by the information security program, for instance, in a
    security services catalog.
    Mapped Regulations/Standards: none listed
Security Metrics

14. Metrics will be defined to measure the effectiveness of the security program.
    Mapped Regulations/Standards: NIST CSF PR.IP-7, PR.IP-8; NIST 800-171 3.12.3; NIST 800-53 CA-7;
    CMMC CA.L2-3.12.3; SOC2SEC CC2.1; ISO 27001 9.1

15. Security metrics will be communicated to relevant stakeholders.
    Mapped Regulations/Standards: NIST CSF PR.IP-8; NIST 800-53 CA-7; SOC2SEC CC2.1; ISO 27001 9.1, 9.3

16. Metrics provided to senior management will be actionable and will support decision making.
    Mapped Regulations/Standards: SOC2SEC CC2.1; ISO 27001 9.1

17. [Company Name] will develop a process to continuously improve the security program based on collected
    metrics.
    Mapped Regulations/Standards: NIST CSF PR.IP-7; NIST 800-171 3.12.3; NIST 800-53 CA-7; CMMC CA.L2-3.12.3;
    SOC2SEC CC2.1; ISO 27001 9.1, 10.2
Relevant Procedures
Consider creating formal procedure documents that reinforce and support the policy statements above. Note that it
is a best practice to house policies and procedures in separate documents, to keep the content focused and to
reduce the number of times the policy must be reapproved by senior management.
Non-Compliance
Clearly describe consequences (legal and/or disciplinary) for employee non-compliance with the policy. It may be
pertinent to describe the escalation process for repeated non-compliance.
Violations of this policy will be treated like other allegations of wrongdoing at [Company Name]. Allegations of
misconduct will be adjudicated according to established procedures. Sanctions for non-compliance may include,
but are not limited to, one or more of the following:
1. Disciplinary action according to applicable [Company Name] policies.
2. Termination of employment.
3. Legal action according to applicable laws and contractual agreements.
Agreement
Include a section that confirms understanding and agreement to comply with the policy. Both signatures and
dates are required. A sample statement is provided below.
I have read and understand the [name of policy]. I understand that if I violate the rules explained herein, I may
face legal or disciplinary action according to applicable laws or company policy.
___________________________________________
Employee Name
___________________________________________
Employee Signature
___________________________________________
Date

Revision History
Version ID | Date of Change | Author | Rationale
_____________________________________________________
For acceptable use of this template, refer to Info-Tech's Terms of Use. These documents are intended to supply
general information only, not specific professional or personal advice, and are not intended to be used as a
substitute for any kind of professional advice. Use this document either in whole or in part as a basis and guide for
document creation. To customize this document with corporate marks and titles, simply replace the Info-Tech
information in the Header and Footer fields of this document.