5 tips for writing an Information Security Policy

Jan 24, 2022

The role of policies in GDPR

One thing that is mentioned a lot when it comes to GDPR is policies. A large part of how companies demonstrate compliance with GDPR is through documentation and policies. The regulation, for example, requires a data protection and information security policy to exist, as well as a privacy policy.

A data protection and information security policy is a document that describes the organisation and its overall routines and processes in relation to the handling and processing of personal data.

Creating a policy can be time-consuming, and there are a few important things to keep in mind when developing an information security policy.

What an information security policy should include

As of now, there isn’t a specific template to follow when writing a GDPR information security policy. Our advice is therefore to base it on the ISO 27001 standard and adjust the policy to the requirements prioritised in GDPR.

The document should include a general description of the policy, scope, stakeholders and their requirements. It should also include the following:

Core components of the policy

  • Organisation (stakeholders, scope)
  • Leadership (management structure, policy, responsibility)
  • Planning (risks/opportunities, goals)
  • Support (resources, competence, awareness, documentation)
  • Activities (planning, assessment and handling of risks)
  • Evaluation of performance (measurement, analysis, evaluation, audit)
  • Improvements (and deviations)

GDPR-specific considerations

To adapt the policy to GDPR, it is important to document and specify areas prioritised in the regulation. These include access control, Security by Design, assets such as records of data processing activities, and incident handling, since GDPR requires quick reporting of incidents.

5 quick tips for writing an information security policy

Use clear and familiar language

Decide which language to use; everyone should be able to understand the content of the policy. Use terms and language already familiar within the organisation.

Involve the entire organisation

Involve people across the organisation before, during and after writing the policy. Even though it is mainly a management document, broad involvement is important. Continuous internal training is also key.

Reuse existing policies

If you already have policies in place, reuse what works. Some parts of older policies may still be highly effective.

Keep it simple

At the policy level, focus on being broad and strategic. Avoid unnecessary detail and instead emphasise purpose and goals.

Treat the policy as a living document

Don’t be afraid to change a policy. It should be continuously updated to stay relevant and effective.