Knowledge Hub
for Growth

Creating an information security policy: business guide

Ensuring information security is included across relevant policies in your business is probably one of the most vital components that makes up an organisation’s safeguard. 

An information security policy should contain guidelines for staff to comply with, to ensure that they meet at least, the minimum criteria for security at your organisation. It also provides helpful information to staff of what they need to know in the event of a security risk. 

Putting appropriate safeguarding measures in place to protect the data held within your business can be a challenge, especially for new or smaller firms. In this guide we share a framework so you can take the first step towards implementing an information security policy. 

What’s an information security policy? 

An effective Information Security (IS) policy should be considered a framework to define policies, controls, and procedures to identify and mitigate vulnerability or risk.  It is based on the three core principles of information security; confidentiality, integrity and availability.  

Confidentiality this is where only authorised users should be able to access or modify data. 

Integrity data should be maintained so that it’s impossible to modify; whether purposely or by accident. 

Availability authorised users should be able to access data easily when and where required. 

Your IS policy should provide an overview as to how your organisation considers company information to be an asset and that it must be protected from unauthorised access, modification, disclosure, or destruction. It should clearly define responsibilities of those that are authorised to deal with information security at the organisation, and where staff can direct questions. Your policy may also link to other related policies or controls that may sit under a different function, but equally important and relevant to information security, such as the data breach procedure, which would usually be owned by the privacy or legal compliance function.  

Your IS policy should be a living document, this should be regularly reviewed and updated, so that it can reflect any new or changing risk. It would be beneficial to inspect the living cyber security risk assessment in tandem, as this would conform any changes or reviews to the IS policy.  

By alluding to the above points, your organisation would demonstrate from the outset, that it takes information security seriously

How does an IS policy fit into your organisation?  

As it’s one of the most critical policies for your organisation, it requires input from higher level management in different functions, and not just the information security team. The policy would not be created in isolation, you would need to coordinate the drafting of the policy into the whole Information Security framework.  

You would first, need to conduct an analysis of your organisation’s cyber security risk (cyber security risk assessment) which can identify risk and help provide preventative and mitigating controls in accordance with each risk. The outcomes of the risk assessment would allow the information security team to ensure appropriate security controls are implemented to prevent or mitigate risk in line with your organisations’ risk appetite.  

Such controls may consist of a set of tools and procedures that the information security team can use to identify and recover from any security risk. This document is commonly referred to as the incident response plan. A good incident response plan would ensure staff are able to respond to risk in a swift, but calm and collective manner. It may indicate the steps an organisation needs to take in light of a potential or actual breach and whether any communications need to be made either internally or to external parties. 

A cyber risk assessment and an incident response plan is the minimum requirement within an Information Security framework (the list is not exhaustive). How much detail is required in your Information Security framework would be dependent on your organisation’s business model, what kind and how much data it holds, as well in which jurisdiction’s the organisation operates. 

Once you have the information required, you would then begin to draft your IS policy.  This policy would then conform other polices required in your organisation’s information security program, which should provide clarification and guidance for your staff. 

Other policies that derive from the IS policy, may include (not an exhaustive list): 

  • Acceptable Use Policy 
  • Clean Desk Policy 
  • Data Breach Response Policy (this could also be part of the organisations’ data protection framework) 
  • Data Backup Policy 
  • Incident Response Policy 
  • Remote Access Policy 

What key elements could you include in the policy?  

The policy would be bespoke based on your organisation’s business model, for example, the size, nature and scope of the business. Essentially, an IS policy can be as broad or as narrow as you want it to be.  

Purpose – state the purpose of the IS policy, which may be to understand your organisation’s approach to information security and be able to identify or prevent security breaches. 

Objectives – it’s important to insert your organisations mission statement and the strategy it takes in maintaining the confidentiality, integrity and availability (CIA) of the company’s assets. The objectives must be set from higher level in order for it to have full impact. By setting these objectives at lower level, may allow staff to feel inclined to not take the IS policy (and its stance) that seriously. 

Scope – You should consider to whom your policy applies. Consider internal and external stakeholders, third parties and suppliers.  Best practice would suggest all staff to adhere to the IS policy. 

Access - A company with global operations would wish to define the level of authority higher level management would have over certain information assets and systems.  

Your IS policy should define how access is controlled to company data as well as your network systems, and whether multi-factor authentication is required to access the work network or servers. You should even consider physical access to the workplace, i.e., whether you have a visitors attendance log, whether there’s any CCTV, or an ID badge to access the building or offices.   

Training - you should inform employees of your security procedures, including general security awareness consisting of everyday situations which, in turn, ensures staff remain alert when dealing with information security risk. it should also stipulate how often training is to be provided and whether this is customised depending on staff roles or responsibilities, and whether this is provided at onboarding and or where risk has been identified.  

If you require assistance in developing and delivering a training programme suitable for your business, our solicitors can help you. Learn more about our tailor-made GDPR training service.  

Responsibility – you should establish who owns the IS policy and others that conform, such as the access control, and the data backup policy. This may be the Chief Information Security Officer (for cooperate or global companies) or the Head of Information Security for smaller companies. This person would have ultimate responsibility to ensure it’s kept up to date and in line with the organisation’s risk assessment and the business continuity plan (BCP). 

Communication you should explain how your staff will be informed about this policy and whether any cyber security awareness is endorsed at the organisation, and how.  

Reporting breaches – staff should be informed how to report actual or potential security breaches and be taken to the data breach reporting procedure. 

Our lawyers will work with you in developing and drafting a customised IS policy, suited to your business needs and requirements.  Let us, meet your compliance goals and help you develop standards that fit around your business model and risk appetite.  

Do you need a separate IS policy?  

This is really a matter for your organisation and where your other compliance policies are kept. Many organisations require all policies to appear within the company’s code of conduct under relevant sub sections. This can ensure staff have one point of reference for policies for easier access. However, the downside is, that usually benefits policies mainly get looked at, as these would concern the employee more than, an IS policy.  

In this day and age, where many organisations’ use Microsoft Office 365, you may feel compliance policies such as the IS or Data Protection policy should sit within the company’s intranet, where they are readily accessible, rather than scrolling through the whole code of conduct.  

Your compliance policies are those that are put into place in order to comply with laws, and regulations and to sustain the organisation’s reputation. It would be understandable to have these at the forefront for not only accessibility but also for the sake of raising awareness.  

Who is responsible for creating an IS policy? 

Functions such as Risk Management, Compliance, Legal, Information Security, Facilities and or the Data Privacy departments, to name a few, would likely be required to assist in drafting an IS policy. Each function has their part to play when determining risk and how to prevent or mitigate it. The functions would consist of management that have a say in the decision-making process in the operational side of the business as well as, any those that have any impact. The person that has ultimate responsibility would likely be the highest level of management within the information security function. 

How do you implement and enforce the policy? 

This comes down to creating awareness and educating staff. A good message is always delivered from the top, we can agree that communication from management is linked to business strategy. However, the delivery of the message must be effective in order for it to have maximum impact.  You should ensure the policy is accessible at all times by publishing it onto your company intranet and or provide hard copies, as well as have a system where staff are informed whenever there are updates. Lastly, for accountability, you should ask staff to confirm they have read and understood the IS policy. 

How often should you review your policy? 

The IS policy should be kept under continuous review. Whilst many other compliance policies are usually reviewed at least every 12 months, an IS policy should reflect any updates to the organisation’s cyber risk, which can occur at any time. If you need assistance with this or any other issues discussed in setting up an IS policy, our data protection solicitors can assist with clear and pragmatic advice to suit your situation.

What next?

Please leave us your details and we’ll contact you to discuss your situation and legal requirements. There’s no charge for your initial consultation, and no-obligation to instruct us. We aim to respond to all messages received within 24 hours.

Your data will only be used by Harper James Solicitors. We will never sell your data and promise to keep it secure. You can find further information in our Privacy Policy.

Our offices

A national law firm

A national law firm

Our commercial lawyers are based in or close to major cities across the UK, providing expert legal advice to clients both locally and nationally.

We mainly work remotely, so we can work with you wherever you are. But we can arrange face-to-face meeting at our offices or a location of your choosing.

Head Office

Floor 5, Cavendish House, 39-41 Waterloo Street, Birmingham, B2 5PP
Regional Spaces

Stirling House, Cambridge Innovation Park, Denny End Road, Waterbeach, Cambridge, CB25 9QE
13th Floor, Piccadilly Plaza, Manchester, M1 4BT
10 Fitzroy Square, London, W1T 5HP
Harwell Innovation Centre, 173 Curie Avenue, Harwell, Oxfordshire, OX11 0QG
1st Floor, Dearing House, 1 Young St, Sheffield, S1 4UP
White Building Studios, 1-4 Cumberland Place, Southampton, SO15 2NP
A national law firm

Like what you’re reading?

Get new articles delivered to your inbox

Join 8,153 entrepreneurs reading our latest news, guides and insights.


To access legal support from just £145 per hour arrange your no-obligation initial consultation to discuss your business requirements.

Make an enquiry