What is an Information Security Policy and why do we need one?
An Information Security Policy provides organisations with the guidelines and actions required to prevent data breaches.
We’ve created this free download to help your organisation develop its ISP.
An Information Security Policy (ISP) defines the risk associated with information security and the rules and procedures an organisation must take to mitigate risk.
Information security policies exist to protect and restrict data distribution to those with authorised access.
What should be included in your ISP?
Purpose
An effective information security policy should:
- Establish a general approach to information security.
- Detect and deter compromised information security.
- Be both enforceable and practical.
- Observe the rights of customers and clients.
- Protect the reputation of your business.
- Be regularly updated in response to the needs of the company and new and evolving threats.
- Comply with legal and regulatory requirements and recognised frameworks, such as NIST standards, GDPR, HIPAA and FERPA.
Scope
Where is data stored, and who has access? Your ISP should address all sensitive information, including systems, facilities, programs and third parties.
Objectives
Defined objectives will enable you to measure the success of your security policy. ISP objectives are to preserve confidentiality, integrity and availability of systems and information used by a company’s members. These three principles are known as the CIA triad.
Confidentiality: Restricting access to data to authorised users. Additionally, some users may have limited access to specific types of data.
Integrity: Ensuring data hasn’t been tampered with or manipulated. As a result, the data can be considered correct and authentic.
Availability: For data to be accessible, systems, networks and applications all need to be working effectively.
Authority and access control policy
There is a fine line between many users accessing data, streamlining job processes and having robust procedures in place to protect data. Your ISP will need to define that balance.
A typical security policy uses a hierarchical pattern, whereby a senior member has the authority to authorise access to data for relevant parties. The ISP should outline what level of control and access each role has to its IT systems and data.
Data classification
There are different types of data; as such, data can be classified by levels. Each classification can be assigned an appropriate level of protection, for example:
1. Low Sensitivity: Data is openly accessible to the public and can be freely distributed.
2. Medium Sensitivity: Data intended for internal use only, such as non-identifiable personal data.
3. High Sensitivity: Data protected by legislation that could cause significant harm to an individual or organisation if breached.
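As an added illustration (not code from the page or from Arc), the three classification levels above combined with the hierarchical authorisation pattern from the access control section: a deny-by-default check in Python where Low data is public, Medium requires organisation membership, and High requires an explicit grant issued by a senior member, with every decision logged to support the periodic access reviews mentioned later. All names, fields and the `Sensitivity`/`User`/`Record` structures are assumptions.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Sensitivity(IntEnum):
    """Classification levels from the policy; higher value = more protection."""
    LOW = 1      # openly accessible, freely distributable
    MEDIUM = 2   # internal use only
    HIGH = 3     # legally protected; access needs explicit authorisation


@dataclass
class Record:
    name: str
    sensitivity: Sensitivity


@dataclass
class User:
    name: str
    internal: bool                                  # member of the organisation?
    senior: bool = False                            # may authorise HIGH access for others
    high_grants: set = field(default_factory=set)   # HIGH record names granted to this user


AUDIT_LOG: list = []   # constructed in-memory log; feeds the periodic access review


def grant_high_access(authoriser: User, grantee: User, record: Record) -> bool:
    """Hierarchical pattern: only a senior member can authorise access to HIGH data."""
    if not authoriser.senior or record.sensitivity != Sensitivity.HIGH:
        AUDIT_LOG.append(("grant-denied", authoriser.name, grantee.name, record.name))
        return False
    grantee.high_grants.add(record.name)
    AUDIT_LOG.append(("grant", authoriser.name, grantee.name, record.name))
    return True


def can_read(user: User, record: Record) -> bool:
    """Deny by default; allow only what the record's classification permits."""
    if record.sensitivity == Sensitivity.LOW:
        allowed = True
    elif record.sensitivity == Sensitivity.MEDIUM:
        allowed = user.internal
    else:  # HIGH: must be internal AND hold a grant from a senior member
        allowed = user.internal and record.name in user.high_grants
    AUDIT_LOG.append(("read", user.name, record.name, "allow" if allowed else "deny"))
    return allowed


def review_grants(users: list) -> list:
    """Access review helper: list every outstanding HIGH grant as (user, record)."""
    return sorted((u.name, r) for u in users for r in u.high_grants)
```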
Security awareness training
Your security policy shouldn’t be a document created and then filed. An essential part of the success of your ISP is your organisation’s understanding of it. Your ISP should include a plan to provide employees with awareness training.
Your employees are often the most outward-facing members of your business and, as such, are commonly the target of cybercrime. By providing your organisation with awareness training, you will be better placed to prevent a data breach.
Responsibilities, rights and duties of personnel
Appropriate members should be assigned to carry out access reviews, implementation, training, incident response and periodic updates.
Protecting your organisation
At Arc, we understand that not every business has the time, resources or technical ability to maintain business backups. However, disaster recovery and business continuity planning should be of paramount concern to all businesses. Please speak to us about securing your data.