Free Template: IT Security Policy – A Step-by-Step Guide

By: Anders Bryde Thornild, Cyber Security | 29 November

In this blog post, I will take you through our template for an effective IT security policy. With it, you will be able to write a policy for your own organisation and thereby strengthen its IT security. The IT security policy is an important tool for achieving and maintaining a healthy IT security culture in your organisation.

What is the difference between an IT Security Policy and an Acceptable Use Policy?

When you work with IT security in your organisation, it is highly useful to have both an IT security policy and an Acceptable Use Policy. With a policy and a set of guidelines, you set the tone for your IT security work, which makes your security stronger.

The purpose of an IT security policy is to provide a general framework for the organisation that states objectives and delegates responsibility for IT security. It is a small document of only a few pages and is best viewed as a management memo setting out the ambitions for the organisation's IT security work.

The Acceptable Use Policy is a larger document containing the rules and guidelines that all employees must follow. Where the policy is general and strategic, the guidelines are concrete and implementable.

Below, I go through the template for an effective IT security policy section by section and point out what you should be aware of when you write a policy for your own organisation.


The IT security policy: step-by-step

The purpose of the IT security policy is, as mentioned above, to create the framework for the organisation's IT security work. The policy helps you set objectives, delegate responsibility, and report on progress.

I will now go through each step of the template with comments on how to use it and what to be aware of.

We highly recommend that you keep the template open while reading this guide, because it is filled with useful examples.



The IT security policy contains seven sections that you need to consider and complete:

  • Purpose

  • Validity

  • Objectives

  • Organisation and responsibilities

  • Waiver

  • Reporting

  • Violation


Step 1: Purpose

The first section you need to consider is the purpose of the policy. The purpose will almost always be to set the framework for the management of information security in the organisation. In this section you could, for instance, write something like:


“The security policy defines the framework for the management of information security in X.”


Step 2: Validity

Validity defines who the policy applies to. Often this will be all employees in the organisation, but it can also include consultants who work for the organisation and anyone else who uses the organisation's IT systems. It is up to you to decide who is covered by the policy. Be explicit here: anyone with access to your systems who is left out of this section is also left out of the responsibilities, reporting and violation rules that follow.

It could be worded like this:


“The security policy applies to all employees in X and to all access to X’s information systems.”

Step 3: Objectives

The third section is the objectives. In many ways, the objectives are the central element of the policy. This is where you define what you want to achieve, and you are in line with your policy when you meet them.

Our template contains 8 examples of potential objectives that can be used, adjusted, or deleted to fit your organisation. It is important to consider why you choose the objectives you choose and whether they are realistic. All 8 examples can be found in the template; one of them is:

“ORG X uses a risk-based approach where the level of protection and its cost must be based on the business risk and impact assessment, which must be carried out at least annually.”

The examples in our template point in the direction of existing frameworks such as ISO 27001. This is deliberate: there is no need to reinvent the wheel, and it is perfectly fine to build your objectives on an established framework.

Create realistic objectives

In the examples, we use the word "endeavours" a few times. You might think that a word like "endeavours" is too vague for an objective. We use it deliberately, because of the amount of work it takes to comply with ISO 27001:2013 and all of the GDPR's requirements. For many organisations, full compliance would be an unrealistic objective. By using "endeavours" you still require movement in the right direction, but you also accept that it is a journey. A lot of organisations simply cannot comply with every rule from day one.

The objectives change as your organisation does

The policy is a living document and needs to be reassessed regularly. The wording may change many times as your organisation learns and matures. By reassessing and updating the policy every year, you will see the objectives change to fit your organisation.

It ensures that the policy does not become an old dusty document but an active tool in your security work.

Step 4: Organisation and responsibility

You must delegate responsibility for IT security across the organisation, and the policy is an effective place to do this.

The person responsible for IT may handle the daily tasks and operations, but other positions in the organisation must carry responsibilities and tasks as well. At every level of the organisation, from the board of directors to the individual employee, there is responsibility.

As shown in the template, a delegation of responsibility could look like this:

  • The board of directors has the ultimate responsibility for information security in X.
  • The executive board is responsible for the management principles and delegates specific responsibilities for protective measures, including ownership of information systems.
  • An owner is assigned for every critical information system. The owner decides how that system is protected.
  • The IT department consults, coordinates, controls, and reports on the status of security. The IT department prepares guidelines and procedures.
  • The individual employee is responsible for complying with the security policy and for keeping informed about it through the Acceptable Use Policy.

Note that the IT department does not necessarily own every information system. The marketing department, for instance, might own the company website. The delegation of responsibility must mirror the organisation's reality, so that the people who actually make decisions about a system are also the ones accountable for protecting it.


Step 5: Waiver

Waivers are exceptions where the policy's objectives or responsibilities do not apply. If you have no specific exceptions yet, you can write a general statement that defines who may approve exceptions in the future. Whoever approves a waiver should also record it, since the status of waivers is part of the annual reporting described in Step 6.

“Waivers for X’s information security policy and guidelines are approved by the IT department based on the guidelines laid out by the executive board.”


Step 6: Reporting

Reporting is important because it creates a feedback loop in the IT security work and makes the areas of responsibility visible. If the IT department must report to the executive board, for example, progress follows, because the IT department must show results in its reports.

Reporting thus ensures progress on the objectives and ensures that the delegated responsibilities are actually exercised.

The section could be formulated as follows:

  • The IT department informs the executive board about all relevant security breaches.
  • The status of waivers is included in the IT department’s annual report to the executive board.
  • The executive board reviews the security status annually and then reports to the board of directors.


Step 7: Violation

The last step in the IT security policy deals with what happens if someone intentionally violates the policy. Handling violations could be the HR department's responsibility, or it could fall to the person with overall responsibility for IT. The important thing is to put in writing who must act in case of a violation, so that the situation is actually handled. In our template we have written:

“Intentional violation and abuse are reported by the IT department to the HR department and to the employee’s immediate manager. Violation of the information security policy and its supporting guidelines may have consequences under employment law.”



The IT security policy is the framework for your security

These seven sections make up your policy. It need not be longer than a few pages, because it is ‘just’ the framework for the organisation’s security work.

Once the ambitions and objectives are in place, you and your organisation can move on to the concrete rules and guidelines that employees must follow. These usually live in a separate document, the Acceptable Use Policy.

Together, the IT security policy and the Acceptable Use Policy create the foundation for a strong IT security culture in your organisation.

Update both documents annually to keep them current and useful, and work actively with the objectives and rules in them so that your organisation keeps moving forward.

I hope you found the template useful!