Information Security Policy
Top-level ISMS policy. Mandatory under ISO 27001:2022 clause 5.2.
About this Information Security Policy
The Information Security Policy is a ready-to-use ISO 27001:2022 template designed to help organizations document and operate the controls expected by certification auditors. It maps to clause 5.2 of the main ISO 27001 standard.
Top-level ISMS policy. Mandatory under ISO 27001:2022 clause 5.2. Use it as the baseline for your ISMS documentation, tailor it to your scope and risk appetite, then maintain it through your normal document-control process.
What's inside
- Pre-written purpose, scope and policy statements
- Roles and responsibilities aligned with ISO 27001:2022
- Control requirements mapped to clause 5.2
- Review, approval and version-control sections
- Editable Word (.docx) version in the Document Pack
Who is this for
- Companies pursuing ISO 27001:2022 certification
- ISMS managers and information security leads
- Consultants delivering ISO 27001 implementations
- Auditors preparing evidence packs for Stage 1 / Stage 2
- SaaS and tech teams formalizing security policies
ISO 27001:2022 relevance
- Clause 5.2 - Information security policy
- Clause 5.1 - Leadership and commitment
- Annex A 5.1 - Policies for information security
How to customise
- State the ISMS scope and the business context.
- Insert top-management approval, role, name, and date.
- List the topic-specific policies that sit beneath this one.
- Set the review cycle (typically annual or on significant change).
Evidence auditors may expect
- Signed top-level policy approved by top management
- Communication record showing the policy was made available
- Review log with date of last review and outcome
- Map of topic-specific policies that flow from this one
Auditor may ask
These are realistic questions an external auditor may use to test the control. Your answer must be supported by the evidence listed above.
Frequently asked questions
Is an information security policy mandatory for ISO 27001?
Yes. ISO 27001:2022 clause 5.2 requires top management to establish and approve a documented information security policy that sets the direction of the ISMS and is communicated to staff.
Who should approve the information security policy?
Top management (CEO, CISO, or equivalent). The approver, role, and date must be recorded on the document so auditors can confirm leadership commitment under clause 5.1.
How often should the information security policy be reviewed?
At planned intervals - typically annually - and whenever significant changes occur to the business, technology, or risk environment. The review log is mandatory audit evidence.
What should an ISO 27001 information security policy include?
Scope of the ISMS, security objectives, commitment to legal and regulatory requirements, framework for setting topic-specific policies, roles and responsibilities, and the review cycle.
Related ISO 27001 documents
Risk Assessment & Treatment Policy
Defines the risk methodology, scoring and treatment approach. Mandatory under clauses 6.1.2/6.1.3.
Statement of Applicability (SoA)
Lists all Annex A controls with applicability and justification. Mandatory under clause 6.1.3 d).
Document Control Policy
Governs document creation, approval and version control. Required by clause 7.5.
Compliance Policy
Approach to legal, regulatory and contractual compliance (Annex A 5.31).
Internal Audit Checklist
Step-by-step checklist for ISMS internal audits. Supports clause 9.2.
Get the editable Information Security Policy
Buy this template on its own for $34, or unlock the full Document Pack for $99 (one-time).
