Your information security policy is one of the first documents an ISO 27001 auditor will ask to see. It's also one of the documents most businesses get wrong — either because it's too vague to be useful, or because it reads like it was copied from a template and never touched again.

This guide explains what your ISO 27001 information security policy needs to cover, what auditors are actually looking for, and how to write something that reflects your real business rather than a generic framework. There are example structures included throughout.

What is an information security policy?

An information security policy is a high-level statement from your organisation's leadership about your commitment to protecting information. It sets out why information security matters to your business, the principles you're committing to, and who is responsible for making it happen.

It's not a technical document. It shouldn't list every control you have in place or detail exactly how your firewall is configured. That level of detail belongs in your procedures and technical documentation. The policy sits above all of that — it's the foundation everything else is built on.

Think of your information security policy as the "why and what we stand for" document. Your procedures are the "how we do it" documents. They're different things, and auditors expect them to be treated differently.

What ISO 27001 requires

ISO 27001:2022 requires an information security policy under clause 5.2. The standard is fairly prescriptive about what it must contain. Specifically, your policy must:

  • Be appropriate to the purpose of your organisation
  • Include information security objectives, or provide a framework for setting them
  • Include a commitment to satisfying applicable requirements related to information security
  • Include a commitment to continual improvement of the information security management system (ISMS)
  • Be available as documented information
  • Be communicated within the organisation
  • Be available to interested parties as appropriate

That last point trips up a lot of businesses. "Available to interested parties" doesn't mean you have to publish your full policy publicly — but you may want a summarised version available to clients or partners who ask for evidence of your security posture. Many larger UK businesses and public sector organisations now request this as part of supplier due diligence.

💡 2022 update note

If you're working from older templates or guidance written against ISO 27001:2013, check your policy against the 2022 edition. Clause 5.2 itself is essentially unchanged, and the main clauses 4 to 10 were only lightly revised (a planning-of-changes requirement was added at 6.3, and some subclauses were split), but Annex A was restructured from 14 domains and 114 controls into four themes and 93 controls, so any control references in your policy or its supporting documents will need updating.

What to include in your policy

Here's what a well-written ISO 27001 information security policy should cover, in plain terms:

1. Purpose and scope

Start by explaining why you have this policy and what it applies to. Be specific about scope — does it cover all systems, all staff, all locations? If your ISMS has a defined scope (which it must under clause 4.3), your policy should align with it.

2. Your commitment to information security

This is the leadership commitment section. It should read as a direct statement from senior management in its own voice, not as an abstract description of what the organisation does. Something like: "The board of [Company] is committed to protecting the confidentiality, integrity, and availability of all information we hold on behalf of our clients, staff, and stakeholders."

3. Information security objectives

You don't need to list every objective here, but you need to either state them or explain that they are set formally and reviewed on a defined schedule. This links to clause 6.2 of the standard, which requires objectives to be consistent with the policy, measurable where practicable, monitored, communicated, and updated as needed.

4. Roles and responsibilities

Who owns information security in your organisation? Even in a small business, someone needs to be named: clause 5.3 requires top management to assign and communicate the responsibilities and authorities for the ISMS. This is often a director, an IT manager, or in larger organisations, a dedicated Information Security Manager or CISO.

5. Consequences of non-compliance

The policy should make clear that breaches of information security requirements may result in disciplinary action. This doesn't need to be heavy-handed, but it needs to be there. Annex A control 6.4 (disciplinary process) expects a formal, communicated process for handling violations; the policy only needs to state that one exists and point to it.

6. Review and approval

State who approved the policy, when it was last reviewed and updated, and how often it will be reviewed. The standard does not mandate a frequency: it requires review at planned intervals and whenever a significant change occurs (Annex A control 5.1), and annual review is the common choice. An undated or unsigned policy is a red flag for auditors because it gives them no evidence that either requirement is being met.

Common mistakes to avoid

⚠️ These are the most common reasons an information security policy fails an audit

Auditors see the same problems repeatedly. Avoid these and you'll be in a much stronger position on the day.

  • It's too generic. If your policy could belong to any company in any industry, it's not doing its job. Reference your actual business, the type of information you handle, and the risks relevant to your sector.
  • It's never been communicated. Clause 5.2 requires the policy to be communicated within the organisation, and Annex A control 5.1 goes further and expects relevant personnel to acknowledge it. That means evidence: induction records, email confirmations, or a sign-off process. "We told everyone verbally" won't satisfy an auditor.
  • It hasn't been reviewed. A policy dated three years ago with no evidence of review suggests your ISMS isn't being actively maintained. The standard expects review at planned intervals and after significant changes; in practice, auditors will look for at least an annual review with a recorded outcome, even if that outcome is "no change required".
  • It conflates policy with procedure. Your policy shouldn't describe how to respond to a data breach step by step. That belongs in your incident response procedure. Keep the policy high-level.
  • Senior management haven't signed it. ISO 27001 places significant emphasis on leadership commitment (clause 5). A policy signed by a mid-level manager rather than a director or equivalent will raise questions.

Example policy structure

Here's a structure you can use as a starting point. Adapt the language to reflect your organisation — don't just swap in your company name and leave everything else unchanged.

  1. Introduction — What the policy is for and who it applies to
  2. Scope — The systems, people, and locations covered by the ISMS
  3. Policy statement — Your organisation's commitment to protecting information (signed by leadership)
  4. Information security objectives — High-level goals or reference to where detailed objectives are documented
  5. Roles and responsibilities — Who is accountable for information security
  6. Compliance requirements — References to relevant legal, regulatory, and contractual obligations (UK GDPR and the Data Protection Act 2018, the UK NIS Regulations or EU NIS2 where they apply to you, sector-specific requirements, and any client contracts that impose security obligations)
  7. Consequences of non-compliance — Brief statement on disciplinary implications
  8. Related documents — List of supporting policies and procedures (acceptable use, access control, incident response, etc.)
  9. Review schedule — Frequency, owner, and date of last review
  10. Approval — Signature, name, title, and date

A typical information security policy for an SME should sit between one and three pages. Longer isn't better — clarity and specificity are what matter.

Getting your policy signed off

ISO 27001 makes leadership involvement a requirement, not a nice-to-have. If your senior leadership team views the information security policy as a box-ticking exercise rather than a genuine commitment, that attitude tends to show up elsewhere in your ISMS — and auditors notice.

When you present the policy for sign-off, it helps to frame it in business terms. What are the reputational risks of a breach? What contracts or clients depend on your ability to demonstrate security credentials? What are your obligations under UK GDPR? Connecting information security to business risk tends to get more genuine engagement than presenting it as a compliance requirement.

Once signed, make sure you have a clear process for communicating the policy to all staff. For most UK SMEs, this means including it in onboarding documentation, storing it somewhere accessible (your intranet, document management system, or shared drive), and getting staff to acknowledge they've read it. That acknowledgement — even just an email reply or a checkbox in your HR system — is the evidence your auditor will want to see.

💡 Keep a version history

Every time you update your policy, keep the previous version with a clear version number, date, and a note of what changed and who approved it. Clause 7.5.3 requires you to control changes to documented information, and auditors often ask to see how documents have evolved over time as evidence of continual improvement, one of ISO 27001's core principles.

Check your ISO 27001 readiness

Getting your information security policy right is an important step — but it's just one part of building a compliant ISMS. Before you engage a certification body or start pulling together your full documentation set, it's worth taking stock of where your organisation actually stands.

ISOKnow's free ISO readiness assessment helps UK businesses understand how prepared they are for certification, where the gaps are, and what to prioritise next. It takes about five minutes and gives you a clear picture of your starting point — no sales calls, no obligation.

Take the free ISO 27001 readiness assessment at isoknow.co.uk and find out how close you really are to certification.