In this blog post, I will take you through our free IT-security policy template. You will be able to use this template and guide to write a security policy for your organisation and, therefore, strengthen your organisation’s IT security. An effective information security policy is an important tool to achieve and maintain a healthy IT security culture within your organisation.
Table of contents
In this video, we show you how to create an information security policy.
What is the difference between an IT Security Policy and an Acceptable Use Policy?
When you work with IT security in your organisation, it can be highly useful to have an IT security policy and an Acceptable Use Policy, regardless of the size of your organisation. With policies and guidelines, you set the tone for your IT security work, which will make your security stronger.
IT Security Policy
The purpose of an IT security policy is to provide a general framework for the organisation that includes objectives and delegates the responsibility for IT security. It is a small document with only a few pages and is viewed as a management memo with ambitions for the organisation's IT security actions.
Acceptable Use Policy
The Acceptable Use Policy is a larger document with rules and guidelines which all employees must follow. While the IT security policy is general and strategic, the guidelines are concrete and implementable. For example, it might include guidelines around how to create strong passwords, using the Wifi or handling personal data. You will want to make an acceptable use policy that is easy to implement and follow, so that all employees know how to act safely.
In this blog post, I will go through our information security policy template and inform you of what you should be aware of when you create an IT security policy for your own organisation.
The information security policy: step-by-step guide
The purpose of the IT security policy is, as previously mentioned, to create the framework for the organisation’s IT security work. The policy will help you make objectives, delegate responsibility, and report progress.
I will now go through each step of the IT security policy template with comments on how to use it and what to be aware of.
We highly recommend that you follow the template while reading this guide, because it is filled with useful examples.
The IT security policy contains seven sections that you need to consider and complete. These sections are:
The first section you need to consider is the purpose of the information security policy. The purpose will almost always be to set the framework for the management of information security in the organisation. In this section, you could, for instance, write something like:
“The security policy defines the framework for the management of information security in X.”
Step 2: Validity
Validity deals with whom the IT security policy affects. Often, this would be all employees in the organisation. However, it could also include consultants who work for the organisation and everybody who uses the organisation’s IT systems. Thus, it is up to you to decide who is included in the policy. It could sound like:
“The security policy applies to all employees in X and the entire access to X’s information systems.”
Step 3: Objectives
The third section outlines the objectives. In many ways, the objectives are the central element of the policy. This is the place where you define what you want to achieve. You are in line with your information security policy if you comply with the objectives.
In our template, there are 8 examples of potential objectives that can be used, adjusted, or deleted to fit your organisation. It is important to consider why you choose the objectives you choose and whether they are realistic. The 8 examples can be found in the template, but you can see one of them here:
“ORG X uses a risk-based approach where the level of protection and its cost must be based on the business risk and impact assessment that must be carried out annually as a minimum”
The examples in our IT policy template point in the direction of already existing frameworks, such as the ISO 270001. They do so because it is not necessary to reinvent the wheel when you write a security policy. It is perfectly fine for you to use already existing frameworks.
Create realistic objectives
In the examples, we use the word endeavours a few times. You might think that it is vague to use the word “endeavours” in an objective, but we use this word in acknowledgement of the amount of work it takes to ensure that your organisation complies with the GDPR regulations. For many organisations, it could be an unrealistic objective to comply with. Therefore, by using the word endeavours you set demands for moving in the right direction, but you also accept that it is a journey. A lot of organisations simply cannot comply with all the rules from day one.
The objectives change as your organisation does
The information security policy is a document that is always in progress and needs to be reassessed regularly. The wording can change many times while your organisation becomes more secure. Thus, by reassessing and updating the policy every year, you will see changes in the objectives to make them fit your organisation’s progress.
Regularly reviewing your IT security policy ensures that the policy does not become an old dusty document but remains an active tool in your security work.
Step 4: Organisation and responsibility
The responsibility for IT security must be delegated across the organisation. The policy can be an effective way of doing this.
You might choose to appoint an employee who oversees the entire IT department and works with daily tasks and operations, or it could also be the data protection officer. However, you must make sure that other employees in your organisation are also involved and responsible for IT security. The goal is to encourage employees at every level of the organisation to actively participate in strengthening your IT security.
As shown in the IT security policy template, a delegation of responsibility could be something like:
- The board of directors has the ultimate responsibility for information security in X.
- The executive board is responsible for management principles and delegates specific responsibilities for protective measures, which includes ownership of information systems.
- Ownership is set for every critical information system and the owner establishes how this is done.
- The IT department consults, coordinates, controls, and reports on the status of the security. The IT department prepares guidelines and procedures.
- The individual employee is responsible for complying with the information security policy and being informed about it in the 'IT usage policy'.
It is important to note that it is not necessarily the IT department that has ownership of every information system. It could be, for instance, the marketing department that holds ownership of the company webpage. Hence, it is important that the delegation of responsibility mirrors the organisation’s reality.
Step 5: Waiver
Waivers are exceptions where responsibility and objectives are not applicable. If you do not have any clear exceptions, you can formulate a statement as such that allows changes in the future if needed:
“Waivers for X’s information security policy and guidelines are approved by the IT department based on the guidelines laid out by the executive board.”
Step 6: Reporting
Reporting is important because it creates a loop and process in the work related to IT security. The report highlights the areas of responsibility. For example, if the IT department must report to the executive board, you ensure that progress occurs because the IT department must show results in these reports.
Therefore, reporting ensures progress towards the objectives and assures that responsibilities are respected.
The section could be formulated as follows:
- The IT department informs the executive board about all relevant security breaches.
- Status of waivers are included in the IT department’s annual report to the executive board.
- The executive board reviews the security status annually and reports to the board of directors afterward.
Step 7: Violation
The last section of the IT security policy deals with what happens if someone intentionally violates the policy. It could be the HR department’s responsibility to deal with such violations, or it may even be the person responsible for the entire IT department. The important aspect is to determine who needs to act in case of a violation and write it down on paper. In this way, you ensure that the situation can be properly handled. In our IT policy template, we have written:
“Intentional violation and abuse are reported by the IT department to the HR department and the closest authority with lead responsibility. Violation of the information security policy and supporting guidelines may result in employment law consequences.”
The IT security policy is the framework for your security
These seven sections are the contents of your information security policy. It does not need to take up more space than a few pages because it is ‘just’ the framework for the organisation’s security work.
When the ambitions and objectives are in place, you and your organisation can dive into more concrete rules and guidelines which employees need to follow. As mentioned earlier these rules and guidelines are usually written in the Acceptable Use Policy.
Together, the IT security policy and the Acceptable Use Policy create the foundation for a strong IT security culture in your organisation.
It is important to update the documents annually to make sure that they are still relevant and useful. You need to actively work with the objectives and rules in the two documents to make sure that your organisation moves forward.
Achieve the goals in your IT security policy through continuous learning
I hope you found our guide on how to write an IT security policy helpful! Remember that writing an IT security policy is just one step towards a stronger security culture within your organisation. Simply telling your employees about your information security policy, while necessary, is not enough to promote good IT security habits. We recommend continuous learning about IT security threats through awareness training and phishing testing. If we can help you achieve a stronger security culture through these methods, please do not hesitate to contact our team.