Information Security Policy Template: Free ISO 27001 & NIS2 Aligned (2026)
March 28, 2026
18 min read
Cybersecurity
An information security policy template is a pre-structured document that organisations customise to define their rules, responsibilities, and controls for protecting information assets, aligned with ISO 27001:2022 (Clause 5.2), NIS2 Directive (Article 21), GDPR (Article 32), and DORA (Article 9) requirements.
Every auditor, supervisory authority, and certification body asks the same first question: "Show me your information security policy." It is the top-level document that sets the direction for your entire security programme. Without it, individual controls lack authority, employee obligations are unclear, and regulatory compliance claims have no foundation.
The template below is designed to be copied, customised, and adopted as your organisation's official information security policy. Every section includes fill-in-the-blank fields, checkbox action items, and regulatory references. Replace [ORGANISATION] with your company name, adapt the classification levels to your data landscape, and add any sector-specific requirements.
For a comprehensive explanation of policy hierarchies, writing guidelines, and a prioritised implementation roadmap for your full policy library, see the Information Security Policy Guide. This article is the template itself.
| Quick Reference | Details |
| --- | --- |
| What is this? | A ready-to-use information security policy template with eleven sections |
| Standards alignment | ISO 27001:2022 (Clause 5.2, Annex A), NIS2 (Art. 21), GDPR (Art. 32), DORA (Art. 9) |
| Who needs this? | CISOs, IT managers, DPOs, compliance officers, any organisation pursuing ISO 27001 certification or operating under NIS2 obligations |
| What is included? | Policy statement and scope, security objectives, roles and responsibilities, data classification, access control, acceptable use, incident management, physical security, third-party security, training, and compliance enforcement |
| How to use it | Copy each section, replace all [PLACEHOLDER] fields with your organisation's details, review with security and legal teams, obtain management sign-off |
| Estimated customisation time | 3-5 hours for initial customisation; 1-2 hours for legal and management review |
Key Takeaways
This template provides a complete, copy-ready information security policy covering all core areas required by ISO 27001:2022 and NIS2 Article 21
Built-in data classification scheme with four tiers (Public, Internal, Confidential, Restricted) and handling rules for storage, sharing, and disposal
Access control policy statements covering least privilege, MFA, password requirements, privileged access management, and termination procedures
Roles and responsibilities table defining obligations for CISO, IT, department managers, all employees, and third parties
Acceptable use policies for email, internet, devices, remote work, and personal devices in a single structured format
ISO 27001 Annex A mapping table showing which controls each template section addresses, ready for your Statement of Applicability
An information security policy is a mandatory requirement under ISO 27001 Clause 5.2, and organisations without one cannot achieve certification or demonstrate NIS2 compliance
An information security policy is a formal, management-approved document that defines an organisation's commitment to protecting the confidentiality, integrity, and availability of information assets. It establishes the rules, responsibilities, and controls that all employees, contractors, and third parties must follow when accessing, processing, storing, or transmitting organisational data.
The information security policy sits at the top of the policy hierarchy. It provides the overarching direction from which all supporting policies (access control, acceptable use, data classification, incident response) derive their authority. ISO 27001:2022 Clause 5.2 explicitly requires top management to establish an information security policy that is appropriate to the organisation's purpose, includes a commitment to continual improvement, and provides a framework for setting security objectives.
For a detailed explanation of how information security policies fit within your broader policy library, including writing guidelines, approval workflows, and a tiered implementation roadmap, see the Information Security Policy Guide.
Regulatory Requirements
Before customising the template, understand which frameworks require an information security policy and what each expects. The table below summarises the policy-specific requirements of the four most common EU frameworks.
| Framework | Requirement | What It Expects | Reference |
| --- | --- | --- | --- |
| ISO 27001:2022 | Mandatory | Top management must establish an information security policy that is appropriate, includes commitments to satisfy requirements and continual improvement, is communicated, and is available as documented information | Clause 5.2, Annex A.5.1 |
| NIS2 Directive | Mandatory | Essential and important entities must adopt cybersecurity risk-management measures including policies on risk analysis and information system security, and basic cyber hygiene practices and cybersecurity training | Article 21(2)(a), 21(2)(g) |
| GDPR | Implied | Controllers and processors must implement appropriate technical and organisational measures to ensure security appropriate to the risk; a documented security policy is the primary evidence of compliance | Article 32(1), Article 24(2) |
| DORA | Mandatory | Financial entities must maintain a documented ICT risk management framework that includes an information security policy defining rules to protect the availability, authenticity, integrity and confidentiality of data, information assets and ICT assets | Article 6(1), Article 9(4)(a) |
If your organisation falls under multiple frameworks (common for NIS2 essential entities processing personal data, or financial institutions subject to both GDPR and DORA), your information security policy should address the most comprehensive requirements. This template is structured to satisfy all four frameworks simultaneously.
Template Section 1: Policy Statement and Scope
Copy the text below and replace all bracketed placeholders with your organisation's details.
INFORMATION SECURITY POLICY
Document Owner: [CISO NAME / SECURITY MANAGER NAME]
Approved By: [CEO / MANAGING DIRECTOR NAME]
Version: [1.0]
Effective Date: [DATE]
Next Review Date: [DATE + 12 MONTHS]
Classification: Internal
1.1 Policy Statement
[ORGANISATION] is committed to protecting the confidentiality, integrity, and availability of all information assets owned, controlled, or processed by the organisation. This commitment extends to:
Information in all forms (digital, physical, verbal)
All systems and infrastructure used to process, store, or transmit information
All personnel who access, handle, or manage information on behalf of [ORGANISATION]
All third parties who access [ORGANISATION] information or systems
This policy establishes the principles and requirements that govern how [ORGANISATION] manages information security risks, protects information assets, meets regulatory and contractual obligations, and continually improves its security posture.
1.2 Purpose
The purpose of this policy is to:
Define [ORGANISATION]'s approach to managing information security
Establish clear roles, responsibilities, and accountabilities for information security
Provide a framework for setting and reviewing information security objectives
Ensure compliance with applicable laws, regulations, and contractual requirements including [ISO 27001:2022 / NIS2 / GDPR / DORA / OTHER]
Promote a culture of security awareness across the organisation
1.3 Scope
This policy applies to:
All information assets owned, leased, or managed by [ORGANISATION]
All information systems, applications, networks, and cloud services
All employees (permanent, temporary, part-time) of [ORGANISATION]
All contractors, consultants, and third-party personnel with access to [ORGANISATION] systems or data
All physical locations: [LIST: head office, branch offices, data centres, co-working spaces]
All cloud environments: [LIST: AWS, Azure, Google Cloud, SaaS platforms]
All processing activities performed by third-party processors on behalf of [ORGANISATION]
1.4 Exclusions
The following are excluded from the scope of this policy:
[LIST ANY EXCLUSIONS, OR STATE: "No exclusions. This policy applies to all information assets and personnel."]
1.5 Document Control
| Version | Date | Author | Approved By | Changes |
| --- | --- | --- | --- | --- |
| 1.0 | [DATE] | [AUTHOR] | [APPROVER] | Initial version |
Review schedule: This policy must be reviewed and updated at minimum annually, after any significant security incident, after material changes to the organisation's risk profile, regulatory environment, or business operations, and after ISO 27001 internal or external audits.
Template Section 2: Information Security Objectives
[ORGANISATION] establishes the following information security objectives, which are measured and reviewed annually as part of the management review process (ISO 27001 Clause 9.3).
2.1 Objectives
| Objective | Description | Measurement | Target | Review Frequency |
| --- | --- | --- | --- | --- |
| Confidentiality | Ensure information is accessible only to those authorised to access it | Number of unauthorised access incidents; data breach count | Zero data breaches; fewer than [N] unauthorised access events per year | Quarterly |
| Integrity | Safeguard the accuracy and completeness of information and processing methods | Number of data integrity incidents; change management compliance rate | 100% of changes follow change management process; zero undetected data modifications | Quarterly |
| Availability | Ensure authorised users have access to information and systems when needed | System uptime percentage; mean time to recovery (MTTR) | [99.9%] uptime for critical systems; MTTR fewer than [4] hours for P1 incidents | Monthly |
| Regulatory Compliance | Meet all applicable legal, regulatory, and contractual requirements | Audit findings; compliance gap count; regulatory notification timeliness | Zero critical audit findings; 100% of notifications submitted within mandated timelines | Annually |
| Continuous Improvement | Improve the effectiveness of the information security management system over time | Number of corrective actions closed; risk treatment plan progress; training completion rate | [90%] of corrective actions closed within target timelines; [95%] training completion rate | Annually |
2.2 Objective Review
Information security objectives are reviewed:
During the annual management review (ISO 27001 Clause 9.3)
After significant security incidents
When the risk assessment identifies new or changed risks
When business strategy or regulatory requirements change materially
Template Section 3: Roles and Responsibilities
Information security is the responsibility of every individual who accesses [ORGANISATION] information or systems. The following table defines specific responsibilities by role.
3.1 Responsibility Matrix
| Role | Responsibilities |
| --- | --- |
| Senior Management (CEO / Board) | Approve the information security policy and allocate adequate resources; demonstrate leadership commitment (ISO 27001 Clause 5.1); set the risk appetite; receive and act on security reports during management reviews; ensure security is integrated into business strategy |
| CISO / Security Manager | Develop, implement, and maintain the ISMS; conduct risk assessments and manage the risk treatment plan; report to senior management on ISMS performance; manage the internal audit programme; coordinate with external auditors, regulators, and certification bodies; oversee incident response |
| IT Department | Implement and operate technical security controls; manage identity and access management systems; monitor systems for security events; maintain infrastructure security (patching, configuration, hardening); manage backups and disaster recovery; support incident response and forensic activities |
| Data Protection Officer (DPO) | Advise on GDPR and data protection obligations; monitor compliance with data protection policies; conduct data protection impact assessments (DPIAs); serve as the contact point for the supervisory authority; review data processing activities and third-party agreements |
| Department Managers | Ensure their teams comply with the information security policy and supporting policies; identify and classify information assets within their department; approve access requests for their team members; report security incidents and policy violations; participate in risk assessments for their area |
| All Employees | Comply with this policy and all supporting security policies; complete mandatory security awareness training; protect credentials and access tokens; report security incidents, vulnerabilities, and policy violations promptly; handle information according to its classification level; lock workstations when unattended |
| Third Parties (Contractors, Vendors) | Comply with [ORGANISATION]'s security requirements as defined in their contract; process information only as authorised; report security incidents affecting [ORGANISATION] data; participate in security assessments and audits when requested; return or destroy all [ORGANISATION] data upon contract termination |
3.2 ISMS Governance Structure
| Governance Body | Composition | Meeting Frequency | Responsibilities |
| --- | --- | --- | --- |
| Information Security Committee | CISO (Chair), IT Manager, DPO, Legal, HR, Department Representatives | Quarterly | Review ISMS performance, risk treatment progress, audit findings, and policy changes; escalate significant issues to senior management |
| Management Review | CEO/Managing Director, CISO, CFO, Department Heads | Annually (minimum) | Review ISMS suitability, adequacy, and effectiveness per ISO 27001 Clause 9.3; approve resources, objectives, and improvement actions |
Template Section 4: Data Classification
All information assets owned, processed, or stored by [ORGANISATION] must be classified according to the following scheme. Classification determines the handling, storage, sharing, and disposal requirements for each asset.
4.1 Classification Levels
| Level | Definition | Examples | Handling Rules |
| --- | --- | --- | --- |
| Public | Information intended for public disclosure; no adverse impact if released | Marketing materials, published financial reports, public website content, press releases | No special handling required; may be freely shared externally |
| Internal | Information intended for internal use; minor impact if disclosed to unauthorised parties | | Share within the organisation freely; do not publish externally; no special encryption required for internal transmission |
| Confidential | Sensitive business or personal information; significant impact if disclosed | Employee personal data, customer databases, financial records, contracts, business strategies, unpublished intellectual property, security audit reports | Encrypt at rest and in transit; access restricted to authorised personnel on a need-to-know basis; store in access-controlled systems; label as "Confidential"; do not share externally without authorisation and appropriate safeguards (NDA, DPA) |
| Restricted | Highly sensitive information; severe impact if disclosed, including regulatory penalties, significant financial loss, or harm to individuals | Passwords and access credentials, encryption keys, trade secrets, health records, special category personal data (Article 9 GDPR), incident response details during active incidents | Encrypt with strong encryption (AES-256 or equivalent) at rest and in transit; access restricted to specifically named individuals; multi-factor authentication required for access; store in dedicated secure systems with audit logging; never transmit via email without end-to-end encryption; physical copies stored in locked containers; destruction via certified secure destruction |
4.2 Classification Responsibilities
Asset owners (typically department managers) are responsible for classifying information assets within their area
All personnel are responsible for handling information according to its classification
The CISO / Security Manager maintains the asset register and reviews classifications annually
Information must be classified at the point of creation or receipt
When information from different classification levels is combined, the combined asset takes the highest applicable classification
Classification must be reviewed when information is shared with new parties or when its sensitivity changes
4.3 Disposal Requirements
| Classification | Digital Disposal | Physical Disposal |
| --- | --- | --- |
| Public | Standard deletion | Standard recycling |
| Internal | Standard deletion | Cross-cut shredding |
| Confidential | Secure deletion (overwrite or cryptographic erasure); certificate of destruction for decommissioned media | Cross-cut shredding; certificate of destruction |
| Restricted | Certified secure deletion (NIST SP 800-88 Rev. 1 compliant); physical destruction of storage media; certificate of destruction required | Cross-cut shredding by certified vendor; certificate of destruction required; witnessed destruction for highest-risk materials |
Template Section 5: Access Control
[ORGANISATION] implements access controls to ensure that only authorised individuals can access information and systems, and only to the extent required for their role. The following policy statements align with ISO 27001 Annex A.5.15-5.18 (access control, identity management, authentication information, access rights) and A.8.2-8.5 (privileged access rights, information access restriction, access to source code, secure authentication), and with NIS2 Article 21(2)(i) (access control policies) and 21(2)(j) (multi-factor authentication).
5.1 Access Control Principles
Least privilege: Users are granted the minimum level of access necessary to perform their job functions
Need-to-know: Access to information is restricted to individuals who require it for a specific, authorised purpose
Segregation of duties: Critical functions are divided among multiple individuals to prevent fraud and error
Default deny: Access is denied unless explicitly granted through an approved process
5.2 Authentication Requirements
| Requirement | Policy Statement |
| --- | --- |
| Multi-factor authentication (MFA) | MFA is mandatory for: all remote access, all cloud service access, all privileged/administrative accounts, all access to Confidential or Restricted information, email access from outside the corporate network |
| Password requirements | Minimum 12 characters; complexity requirements per [ORGANISATION]'s password standard; no reuse of the last [12] passwords; maximum age of [90] days only for accounts that cannot be protected by MFA (note that NIST SP 800-63B advises against routine expiry, recommending instead that new passwords are screened against known-breached lists and changed on suspected compromise); risk-based or passwordless authentication where MFA is enforced |
| Account lockout | Accounts are locked after [5] consecutive failed login attempts; lockout duration of [30] minutes or manual unlock by IT |
| Session management | Automatic session timeout after [15] minutes of inactivity for systems containing Confidential or Restricted data; [30] minutes for Internal systems |
5.3 Access Lifecycle
| Stage | Requirements |
| --- | --- |
| Provisioning (joiners) | Access requests submitted by the employee's manager; approved by the system owner; provisioned by IT; documented in the access management system; role-based access control (RBAC) used where possible |
| Changes (movers) | When an employee changes role, the previous manager must revoke access no longer required and the new manager must request new access; completed within [5] business days of the role change |
| De-provisioning (leavers) | All access revoked on or before the employee's last working day; remote access revoked immediately upon notification of termination; IT to disable accounts within [24] hours; all company devices and access tokens returned; confirmation of access removal documented |
5.4 Privileged Access Management
Privileged accounts (administrators, root, service accounts) are inventoried and assigned to named individuals
Privileged access is granted through a separate, documented approval process
Privileged accounts are not used for day-to-day activities; administrators use standard accounts for email, browsing, and routine work
All privileged account activity is logged and reviewed [weekly / monthly]
Privileged access is reviewed quarterly by the CISO / Security Manager
Service accounts use unique credentials, are documented in the asset register, and are reviewed [quarterly]
5.5 Access Reviews
Access rights are reviewed at minimum every [6 / 12] months by system owners and department managers
Privileged access is reviewed quarterly
Access reviews are documented and any discrepancies remediated within [10] business days
Access review results are reported to the Information Security Committee
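The checks in Sections 5.3 to 5.5 are the kind an auditor expects to see automated rather than performed by hand. The following Python script is an added illustration, not part of the template or of any product: it reconciles a constructed identity-provider account export against a constructed HR roster and reports the conditions an access review exists to catch, namely a leaver whose account is still enabled past the [24] hour window, a privileged or service account with no named owner, an account whose owner is not on the roster, and an enabled account whose last review is older than the quarterly (privileged) or [6 / 12] month (standard) cadence. The field names, review windows, and sample accounts are assumptions made for the example.

```python
"""Access review reconciliation for Sections 5.3 to 5.5 (added illustration).

Assumed inputs: an account export from the identity provider and an HR roster
with leave dates. Field names, review windows and the sample data are
assumptions made for this example, not part of the template.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Person:
    name: str
    left_on: Optional[date] = None  # None while still employed


@dataclass(frozen=True)
class Account:
    username: str
    owner: Optional[str]             # named individual accountable for the account
    privileged: bool                 # admin, root or service account (Section 5.4)
    enabled: bool
    last_reviewed: Optional[date]    # None = never reviewed


def review_findings(
    accounts: List[Account],
    people: List[Person],
    today: date,
    *,
    privileged_review_days: int = 90,    # quarterly (5.4, 5.5)
    standard_review_days: int = 180,     # the [6 / 12] month cadence in 5.5
    leaver_grace_days: int = 1,          # "disable within [24] hours" (5.3)
) -> List[Tuple[str, str]]:
    """Return sorted (username, finding) pairs for accounts that breach the policy."""
    roster = {p.name: p for p in people}
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        owner = roster.get(acct.owner) if acct.owner else None
        if acct.owner is None:
            # 5.4 requires privileged and service accounts to be assigned to a named
            # individual; an unowned standard account is equally unaccountable.
            clause = "5.4" if acct.privileged else "5.3"
            findings.append((acct.username, f"no named owner ({clause})"))
        elif owner is None:
            findings.append((acct.username, "owner not on HR roster: orphaned account (5.3)"))
        elif (
            owner.left_on is not None
            and acct.enabled
            and today > owner.left_on + timedelta(days=leaver_grace_days)
        ):
            findings.append((acct.username, "leaver's account still enabled (5.3)"))
        # 5.5 review cadence: only enabled accounts are in scope; a disabled account
        # is evidence of de-provisioning, not an access right to be reviewed.
        window = privileged_review_days if acct.privileged else standard_review_days
        if acct.enabled and (
            acct.last_reviewed is None or (today - acct.last_reviewed).days > window
        ):
            findings.append((acct.username, f"access review overdue (>{window} days) (5.5)"))
    return sorted(findings)


# Constructed sample data for the example; not real people or accounts.
SAMPLE_PEOPLE = [
    Person("alice"),
    Person("bob", left_on=date(2026, 3, 1)),
    Person("carol"),
]
SAMPLE_ACCOUNTS = [
    Account("alice", "alice", privileged=False, enabled=True, last_reviewed=date(2025, 12, 1)),
    Account("adm-alice", "alice", privileged=True, enabled=True, last_reviewed=date(2025, 11, 15)),
    Account("bob", "bob", privileged=False, enabled=True, last_reviewed=date(2026, 1, 10)),
    Account("bob-old", "bob", privileged=True, enabled=False, last_reviewed=date(2025, 1, 1)),
    Account("svc-backup", None, privileged=True, enabled=True, last_reviewed=date(2026, 2, 1)),
    Account("dave", "dave", privileged=False, enabled=True, last_reviewed=date(2026, 3, 1)),
    Account("carol", "carol", privileged=False, enabled=True, last_reviewed=None),
]


def run_sample() -> List[Tuple[str, str]]:
    """Run the reconciliation as at a fixed date so the result is reproducible."""
    return review_findings(SAMPLE_ACCOUNTS, SAMPLE_PEOPLE, today=date(2026, 3, 28))


if __name__ == "__main__":
    for username, finding in run_sample():
        print(f"{username:12} {finding}")
```

Run against the sample data, the script flags adm-alice (privileged review older than 90 days), bob (still enabled 27 days after leaving), carol (never reviewed), dave (owner unknown to HR) and svc-backup (unowned service account), while the disabled bob-old account produces no finding. In practice the two inputs would come from the identity provider's API and the HR system, and the output would be attached to the quarterly report to the Information Security Committee required by Section 5.5.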
Template Section 6: Acceptable Use
All personnel with access to [ORGANISATION] information systems must comply with the following acceptable use requirements. Violations may result in disciplinary action, up to and including termination and legal proceedings.
6.1 Acceptable Use Matrix
| Area | Permitted | Prohibited |
| --- | --- | --- |
| Email | Business communications; limited personal use that does not interfere with work; sending Internal-classified information to other employees | Sending Confidential or Restricted information to external recipients without encryption and authorisation; opening suspicious attachments or links without verifying legitimacy; auto-forwarding corporate email to personal accounts; using corporate email for political campaigning, harassment, or illegal activities |
| Internet and Web | Business-related browsing; limited personal browsing during breaks; accessing cloud services authorised by IT | Downloading unauthorised software; accessing illegal, offensive, or malicious websites; using corporate internet for cryptocurrency mining; circumventing web filtering, proxy, or firewall controls; streaming personal media that degrades network performance |
| Company Devices | Business use; approved software installation via the IT catalogue; limited personal use that does not compromise security | Installing unapproved software; disabling endpoint protection (antivirus, EDR, firewall); connecting to unsecured wireless networks without VPN; lending devices to non-employees; storing Confidential or Restricted data on removable media without encryption |
| Remote Work | Working from approved locations (home office, co-working spaces with secure access); using VPN for all corporate access; locking devices when unattended | Working from public, unsecured locations without VPN and privacy screen; allowing household members to use corporate devices; using public Wi-Fi without VPN; printing Confidential or Restricted documents at unsecured locations |
| Personal Devices (BYOD) | Accessing corporate email and approved cloud services from personal devices enrolled in [ORGANISATION]'s MDM solution; subject to BYOD policy requirements | Accessing corporate systems from personal devices not enrolled in MDM; storing Confidential or Restricted data on personal devices without encryption and remote-wipe capability; using jailbroken or rooted devices for corporate access |
6.2 Social Media
Employees must not disclose Confidential or Restricted information on social media platforms
Official company social media accounts are managed only by authorised personnel
Employees who identify themselves as [ORGANISATION] employees on personal social media accounts must include a disclaimer that views are their own
Security incidents, vulnerabilities, or audit findings must never be discussed on social media
Template Section 7: Incident Management
[ORGANISATION] maintains a documented incident response capability to detect, classify, contain, eradicate, and recover from information security incidents in compliance with GDPR Article 33, NIS2 Article 23, and ISO 27001 Annex A.5.24-5.28.
7.1 Policy Statements
All personnel must report suspected or confirmed security incidents to [CISO NAME / SECURITY TEAM EMAIL / INCIDENT REPORTING TOOL] immediately upon discovery
Incidents must be classified according to the severity matrix defined in the Incident Response Plan
The Incident Response Team is activated for all P1 and P2 incidents
Regulatory notification obligations must be assessed for every incident involving personal data or affecting essential/important services
GDPR: Personal data breaches must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to individuals (Article 33); breaches likely to result in a high risk must also be communicated to the affected data subjects (Article 34)
NIS2: Significant incidents must be reported to the competent authority or CSIRT with an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month (Article 23)
Post-incident reviews must be conducted for all P1 and P2 incidents, and findings must be fed back into the risk assessment and control improvement cycle
7.2 Incident Response Plan
The detailed procedures for incident response, including classification matrices, roles and responsibilities (RACI), response phases, notification timelines, and communication templates, are documented in the Incident Response Plan, a separate document that supports this policy.
For a complete incident response plan template covering the NIST SP 800-61 incident response lifecycle (preparation; detection and analysis; containment, eradication and recovery; post-incident activity), notification workflows, and pre-drafted communication templates, see the Incident Response Plan Template.
7.3 Reporting Obligations
All employees must understand:
What to report: Any event that may compromise the confidentiality, integrity, or availability of information, including lost or stolen devices, suspected phishing, unauthorised access, malware detection, physical security breaches, and social engineering attempts
How to report: Contact [SECURITY TEAM EMAIL], call [SECURITY HOTLINE], or submit via [INCIDENT REPORTING TOOL]
When to report: Immediately upon detection or suspicion; do not attempt to investigate or remediate independently
No-blame culture: [ORGANISATION] operates a no-blame reporting culture; employees will not be penalised for reporting incidents in good faith, even if the incident resulted from their own error
Template Section 8: Physical Security
[ORGANISATION] implements physical security controls to prevent unauthorised access, damage, and interference to the organisation's premises, information, and processing facilities (ISO 27001 Annex A.7.1-7.14).
8.1 Secure Areas
Office premises secured with access control systems (badge, key card, or biometric)
Server rooms and network closets designated as Restricted areas with multi-factor access control and environmental monitoring (temperature, humidity, water detection)
Access logs retained for a minimum of [12] months
Security perimeters clearly defined and documented
Alarm systems installed and monitored [24/7 / during non-business hours]
CCTV in operation at entry points, server rooms, and other sensitive areas with recordings retained for [30 / 90] days
8.2 Visitor Management
All visitors must sign in at reception and be issued a visitor badge
Visitors must be escorted at all times in Restricted areas
Visitor access logged with name, organisation, purpose, arrival/departure time, and host name
Visitor logs retained for a minimum of [12] months
Visitors must not access IT systems or connect personal devices to the corporate network
8.3 Clean Desk and Clear Screen
Confidential and Restricted documents must not be left on desks when unattended; store in locked drawers or cabinets
Workstations must be locked (Win+L on Windows, Ctrl+Cmd+Q on macOS) when leaving the desk, even briefly
Printers must be checked; printed documents (especially Confidential or Restricted) collected immediately
Whiteboards containing sensitive information must be erased after meetings
At end of day: all Confidential and Restricted materials secured; workstations locked or shut down
8.4 Equipment Disposal
All IT equipment must be processed through the IT department before disposal or reuse
Storage media containing Confidential or Restricted data must be securely wiped or physically destroyed per the disposal requirements in Section 4.3
Certificates of destruction obtained and retained for all secure disposal activities
Asset register updated to reflect disposed equipment
Template Section 9: Third-Party Security
[ORGANISATION] ensures that third parties who access, process, or store organisational information maintain security standards consistent with this policy and applicable regulations (ISO 27001 Annex A.5.19-5.23, NIS2 Article 21(2)(d)).
9.1 Vendor Security Requirements
Before granting any third party access to [ORGANISATION] information or systems:
Conduct a security risk assessment proportionate to the nature of the access and data involved
Verify the third party's security posture through questionnaires, certifications (ISO 27001, SOC 2), or on-site audits
Include information security requirements in all contracts, including: data processing agreements (DPAs) where personal data is involved, confidentiality obligations, incident notification requirements with timelines short enough for [ORGANISATION] to meet its own GDPR 72-hour and NIS2 24-hour obligations (GDPR Article 33(2) already requires a processor to notify the controller without undue delay), security control requirements, and termination and data return/destruction provisions
9.2 Data Processing Agreements
Where a third party processes personal data on behalf of [ORGANISATION] (as a data processor under GDPR):
A GDPR-compliant Data Processing Agreement (Article 28) must be executed before processing begins
The DPA must specify: subject matter and duration of processing, nature and purpose, types of personal data, categories of data subjects, and the obligations and rights of the controller
Sub-processor arrangements must be disclosed and approved by [ORGANISATION]
International data transfers must be covered by appropriate safeguards (Standard Contractual Clauses, adequacy decisions, or Binding Corporate Rules)
9.3 Right to Audit
All contracts with third parties processing Confidential or Restricted data must include a right-to-audit clause
[ORGANISATION] reserves the right to conduct security assessments or commission independent audits of third-party security controls
Audit frequency: annually for high-risk third parties; upon material change for others
Third parties must cooperate with audits, provide requested evidence, and remediate identified findings within agreed timelines
9.4 Third-Party Monitoring
Maintain a register of all third parties with access to [ORGANISATION] systems or data, including their classification level, contract status, and last assessment date
Review third-party access rights quarterly; revoke access for terminated relationships within [24] hours
Monitor third-party compliance with security requirements through regular reporting and periodic assessments
Template Section 10: Training and Awareness
[ORGANISATION] establishes and maintains a security awareness programme to ensure all personnel understand their security responsibilities and can recognise and respond to threats (ISO 27001 Annex A.6.3, NIS2 Article 21(2)(g)).
10.1 Training Requirements
| Training Type | Audience | Frequency | Content | Completion Target |
| --- | --- | --- | --- | --- |
| New joiner induction | All new employees and contractors | Within first [5] working days | This information security policy; data classification and handling; incident reporting procedures; acceptable use rules; password and MFA requirements | 100% within first week |
| Annual refresher | All employees | Annually | Policy updates; emerging threats; incident trends; regulatory changes; case studies from recent incidents (anonymised) | [95%] completion within 30 days of launch |
| Role-based training | IT staff, administrators, developers, DPO, CISO | As defined per role; minimum annually | Secure coding practices; cloud security; incident response procedures; forensics; privacy impact assessments; framework-specific training (ISO 27001, NIS2, GDPR) | 100% for designated personnel |
| Phishing simulations | All employees | [Quarterly / Monthly] | Simulated phishing campaigns with escalating difficulty; immediate training for employees who click; results tracked and reported to management | Fewer than [5%] click rate; 100% completion of remedial training |
All training completion records are maintained in [HR SYSTEM / LMS NAME]
Training records retained for a minimum of [3] years
Non-completion escalated to the employee's line manager after [10] business days; escalated to the Information Security Committee if unresolved after [20] business days
Training effectiveness measured through: assessment scores, phishing simulation results, incident reporting rates, and audit findings related to human error
Template Section 11: Policy Compliance and Enforcement
11.1 Compliance Monitoring
Compliance with this policy is monitored through internal audits (ISO 27001 Clause 9.2), automated control checks, access reviews, and management observation
Internal audits of the ISMS are conducted at least annually, following the ISO 27001 internal audit programme
Non-conformities identified during audits are documented, root-cause analysed, and addressed through corrective actions with defined owners and deadlines
11.2 Disciplinary Process
Non-compliance with this policy may result in disciplinary action, proportionate to the severity of the violation:
| Severity | Example | Consequence |
|---|---|---|
| Minor | Failing to lock workstation; minor clean desk violation; overdue training completion | Verbal warning and additional training |
| Moderate | Sharing Internal information externally without authorisation; failing to report a security incident; disabling endpoint protection | Written warning; mandatory security training; access review |
| Serious | Deliberate disclosure of Confidential or Restricted data; circumventing security controls; accessing systems without authorisation; repeated moderate violations | Final written warning; suspension; access revocation pending investigation |
| Gross | Deliberate data theft; intentional sabotage; facilitating external attack; criminal activity | Immediate suspension; termination of employment; referral to law enforcement; civil legal action |
Disciplinary proceedings follow [ORGANISATION]'s HR disciplinary procedure. All actions are documented and retained in accordance with employment law requirements.
11.3 Exception Handling
Where business requirements necessitate a temporary deviation from this policy:
The requestor submits a written exception request to the CISO / Security Manager
The exception request must include: the specific policy requirement to be waived, the business justification, the proposed compensating controls, the requested duration (maximum [12] months), and the risk assessment
Exceptions are approved by the CISO and, for high-risk exceptions, by [SENIOR MANAGEMENT / INFORMATION SECURITY COMMITTEE]
All approved exceptions are documented in the exception register, reviewed quarterly, and expire automatically if not renewed
No exception eliminates the requirement to protect Restricted data
11.4 Audit Schedule
| Audit Type | Scope | Frequency | Performed By |
|---|---|---|---|
| Internal ISMS audit | Full ISMS scope per ISO 27001 Clause 9.2 | Annually | Internal audit function or qualified external auditor |
| Access review | User access rights, privileged accounts, third-party access | | |
| Penetration testing | External perimeter, internal network, web applications | Annually; after significant infrastructure changes | Qualified external penetration testing firm |
| Third-party security assessments | High-risk third parties | Annually | CISO / Security Manager or external assessor |
ISO 27001 Annex A Mapping
The following table maps each template section to the relevant ISO 27001:2022 Annex A controls. Use this mapping to support your Statement of Applicability (SoA) and demonstrate how your information security policy addresses the required controls.
| Template Section | ISO 27001 Annex A Controls |
|---|---|
| Section 1: Policy Statement and Scope | A.5.1 (Policies for information security), A.5.2 (Information security roles and responsibilities) |
| Section 2: Information Security Objectives | A.5.1 (Policies for information security); supports Clause 6.2 (Information security objectives) |
| Section 3: Roles and Responsibilities | A.5.2 (Information security roles and responsibilities), A.5.3 (Segregation of duties), A.5.4 (Management responsibilities) |
| Section 4: Data Classification | A.5.10 (Acceptable use of information), A.5.12 (Classification of information), A.5.13 (Labelling of information), A.5.14 (Information transfer), A.7.10 (Storage media), A.7.14 (Secure disposal or re-use of equipment) |
| Section 6: Acceptable Use | A.5.10 (Acceptable use of information and other associated assets), A.8.1 (User endpoint devices) |
| Section 7: Incident Management | A.5.24 (Information security incident management planning and preparation), A.5.25 (Assessment and decision on information security events), A.5.26 (Response to information security incidents), A.5.27 (Learning from information security incidents), A.6.8 (Information security event reporting) |
| Section 8: Physical Security | A.7.1 (Physical security perimeters), A.7.2 (Physical entry), A.7.3 (Securing offices, rooms, and facilities), A.7.4 (Physical security monitoring), A.7.7 (Clear desk and clear screen), A.7.10 (Storage media), A.7.14 (Secure disposal or re-use of equipment) |
| Section 9: Third-Party Security | A.5.19 (Information security in supplier relationships), A.5.20 (Addressing information security within supplier agreements), A.5.21 (Managing information security in the ICT supply chain), A.5.22 (Monitoring, review, and change management of supplier services), A.5.23 (Information security for use of cloud services) |
| Section 10: Training and Awareness | A.6.3 (Information security awareness, education, and training) |
| Section 11: Compliance and Enforcement | A.5.31 (Legal, statutory, regulatory, and contractual requirements), A.5.35 (Independent review of information security), A.5.36 (Compliance with policies, rules, and standards for information security) |
How to Customise This Template
This template is designed for organisations of any size. A 20-person startup and a 500-person enterprise use the same structure; the level of detail scales with complexity.
Step 1: Replace all placeholders
Search the document for every instance of [BRACKETED TEXT] and replace with your organisation's specific information. Key placeholders:
[ORGANISATION], your legal entity name
[CISO NAME / SECURITY MANAGER NAME], your document owner
All system and tool references (MDM, LMS, SIEM, EDR)
Cloud environments and physical locations
Step 2: Adjust to your regulatory scope
Not every section applies equally to every organisation:
If you are not subject to NIS2, remove NIS2-specific references but keep the underlying security requirements
If you are subject to DORA (financial services), add ICT risk management framework references (Articles 6-9)
If you process special category data (Article 9 GDPR), strengthen the Restricted classification handling rules
If you handle payment card data (PCI DSS), add cardholder data environment scope and requirements
Step 3: Align with existing policies
If your organisation already has standalone policies (e.g., a separate Acceptable Use Policy, Access Control Policy, or Data Classification Policy), this template serves as the overarching information security policy that references them:
Replace detailed sections with cross-references to your existing standalone policies
Ensure no conflicts between this policy and subordinate policies
Maintain this as the "parent" document that subordinate policies derive authority from
Step 4: Review and approve
Security team review of all technical requirements
Legal review, especially Sections 9 (Third-Party Security) and 7 (Incident Management)
DPO review of data protection requirements
Senior management review and formal approval (required by ISO 27001 Clause 5.2)
Document management sign-off in Section 1.5
Step 5: Communicate and implement
Distribute the approved policy to all employees and relevant third parties
Publish on the company intranet or document management system
Include in new joiner induction materials
Brief the Information Security Committee
Require written acknowledgement of receipt and understanding from all employees
Set a calendar reminder for the next annual review
For organisations that need help building their ISMS, customising this template, or preparing for ISO 27001 certification, Vision Compliance provides cybersecurity advisory services and NIS2 compliance support tailored to EU regulatory requirements.
Frequently Asked Questions
Is this template sufficient for ISO 27001 certification?
This template addresses the top-level information security policy required by ISO 27001 Clause 5.2 and covers the key Annex A control areas. However, ISO 27001 certification requires a complete ISMS including risk assessment methodology, risk treatment plan, Statement of Applicability, internal audit programme, management review records, and additional supporting policies and procedures. This template is the foundational document; it is not the entire ISMS. For a step-by-step implementation guide, see the ISO 27001 Implementation Guide.
How does this template relate to NIS2 compliance?
NIS2 Article 21(2) requires essential and important entities to adopt cybersecurity risk-management measures covering policies on information system security, risk analysis, incident handling, supply chain security, and basic cyber hygiene. This template directly addresses the policy requirement. Combined with the Incident Response Plan Template for incident handling and your risk assessment methodology, it forms a significant portion of NIS2 compliance documentation. For a complete NIS2 compliance roadmap, see the NIS2 vs ISO 27001 Guide.
Can a small company use this template?
Yes. The template scales to any organisation size. A small company will have fewer named roles (one person may serve as both CISO and DPO), simpler access control structures, and fewer third parties. The core policy requirements remain the same regardless of size. ISO 27001 and NIS2 both apply a proportionality principle: your controls should be appropriate to your risk, but the policy framework must still exist.
How often should we review the information security policy?
At minimum, review the policy annually as part of the ISO 27001 management review (Clause 9.3). Additionally, review and update it after significant security incidents, after changes to the regulatory environment (e.g., new NIS2 implementing acts), after material changes to your business operations, technology, or risk profile, and when internal or external audit findings indicate policy gaps.
What is the difference between this template and the information security policy guide?
The Information Security Policy Guide is an educational resource that explains policy hierarchies, covers all the policies you need for a complete library (15 to 30 documents), provides writing guidelines, and offers a tiered implementation roadmap. This article is a single template: the top-level information security policy document. Use the guide to understand the broader policy landscape; use this template to create your foundational policy.
Do we need a separate policy for each Annex A control area?
Not necessarily. ISO 27001 requires policies "for information security" (Annex A.5.1) but does not prescribe how many documents your policy library must contain. Many organisations start with a comprehensive information security policy (this template) that covers the core areas, then develop standalone policies for complex topics (e.g., a detailed access control standard, a separate incident response plan, a dedicated data classification procedure) as their ISMS matures. The key is that all required topics are documented, approved, communicated, and reviewed.
Need help building your ISMS or customising this policy for your organisation? Vision Compliance helps organisations across the EU develop information security management systems, achieve ISO 27001 certification, and meet NIS2 requirements. Schedule a consultation to discuss your security programme.
Sources: ISO/IEC 27001:2022, ISO/IEC 27002:2022, NIS2 Directive (EU 2022/2555) Article 21, GDPR (Regulation 2016/679) Articles 24 and 32, DORA (EU 2022/2554) Articles 6 and 9, NIST Cybersecurity Framework 2.0, ENISA NIS2 Good Practices for Security Measures (2024)
Ivana Ludiga, mag. iur., is an Associate at Vision Compliance focused on data protection, GDPR implementation, and regulatory advisory. She supports compliance projects for organizations across healthcare, financial services, and technology sectors.