Information Security Policy: How to Write One (+ Template)

Every audit, every compliance framework, every cyber insurance application asks the same first question: do you have an information security policy? And here’s what two decades around IT organizations has taught me — most companies technically do. It’s forty pages long, written in 2019, and nobody below the IT director has ever read it.

That’s not a policy. That’s a liability shield with a table of contents. So this guide covers what an information security policy actually is, the sections that belong in one, a free template outline you can copy today, and — the part most guides skip — how to write one people actually follow.

What Is an Information Security Policy?

An information security policy is a formal document that defines an organization’s rules, responsibilities, and expectations for protecting its information and systems — establishing who is accountable for security, what behavior is required, and how violations and exceptions are handled.

Think of it as the constitution, not the law library. The policy states the durable principles (“all access follows least privilege”); the detailed how-to lives in standards and procedures underneath it. Getting that separation right is half the battle:

  • Policy — the rules and the “why.” Changes rarely. Signed by leadership.
  • Standards — the mandatory specifics. “Passwords: 14+ characters, MFA required.”
  • Procedures — the step-by-step. “How to request access, in five steps.”
  • Guidelines — recommended, not required. The “we suggest” layer.

When a forty-page monster fails, it’s usually because someone crammed all four layers into one document. Keep the policy short and principled, and let the layers below carry the detail.

Pyramid infographic showing the information security policy hierarchy: policy, standards, procedures, and guidelines — LeadingCyber

What an Information Security Policy Should Include

Nine sections cover what auditors expect and employees need:

  1. Purpose and scope — why the policy exists and who it binds: employees, contractors, vendors, every system and data type. No exemptions by silence.
  2. Roles and responsibilities — who owns the policy, who enforces it, what every employee is personally responsible for. Named roles, not “the IT department.”
  3. Data classification — the categories (public, internal, confidential, restricted) and the handling rules for each. Everything downstream keys off this.
  4. Access control — least privilege as the default, how access is requested and approved, and — learned the hard way in my municipal years — how it expires. Access without an end date is how contractor accounts outlive the contractors.
  5. Acceptable use — what people may and may not do with company systems, email, and data. Plain language beats legalese here; this is the section employees actually meet.
  6. Incident reporting — what counts as an incident, who to tell, and the explicit promise that honest reporting is never punished. That one sentence changes reporting rates more than any tool.
  7. Vendor and third-party security — the requirements anyone touching your data must meet, checked before the contract is signed.
  8. Exceptions — the formal path: who can approve a deviation, in writing, with an expiration date. If the policy has no exception process, people create informal ones — and those never expire.
  9. Enforcement and review — consequences for violations, and a mandatory review cycle (annually, or after major incidents and business changes).

Roadmap infographic showing how to roll out an information security policy: draft, sign, launch, enforce, review — LeadingCyber

Free Information Security Policy Template (Outline)

Copy this skeleton, replace the bracketed parts, and you have a working first draft. Aim for 6–10 pages when finished — if you pass 15, you’re writing standards, not policy.

[ORGANIZATION NAME] — Information Security Policy
Version: [X.X]  |  Owner: [Role, e.g., CISO / IT Director]  |  Approved by: [Executive]  |  Review date: [Annual]

1. Purpose
This policy defines the rules and responsibilities for protecting [Organization]’s information, systems, and services against unauthorized access, disclosure, alteration, and loss.

2. Scope
Applies to all employees, contractors, and third parties, and to all systems, devices, and data owned or processed by [Organization], in all locations including remote work.

3. Roles and Responsibilities
— [Executive sponsor]: accountable for policy approval and resourcing
— [Security lead / CISO / vCISO]: owns, maintains, and enforces this policy
— [System owners]: responsible for the security of named systems
— All personnel: required to follow this policy and report suspected incidents

4. Data Classification
Data is classified as Public, Internal, Confidential, or Restricted. Handling requirements for each classification are defined in [Data Handling Standard].

5. Access Control
Access follows least privilege and is granted through [request process], approved by [role], reviewed [quarterly], and revoked upon role change or departure. All temporary access carries an expiration date.

6. Acceptable Use
Company systems are provided for business purposes. Users must not [share credentials / install unapproved software / transfer confidential data to personal accounts / disable security controls]. Multi-factor authentication is required for [all remote and privileged access].

7. Incident Reporting
Suspected security incidents — including phishing, lost devices, and accidental data exposure — must be reported to [contact/channel] immediately. Good-faith reporting will never result in punishment.

8. Third-Party Security
Vendors with access to [Organization] data must meet [security requirements / questionnaire / contract clauses] before engagement and are reviewed [annually].

9. Exceptions
Deviations from this policy require written approval from [role], are recorded in [register], and expire no later than [12 months] from approval.

10. Enforcement and Review
Violations may result in disciplinary action up to termination and, where applicable, legal referral. This policy is reviewed [annually] and after significant incidents or organizational change.

Want to compare against fuller examples? SANS publishes a well-regarded library of free security policy templates worth borrowing language from — just resist the urge to adopt all forty of them on day one.

How to Write One People Actually Follow

The template is the easy 20%. The rest:

  • Write for the reader, not the auditor. The auditor reads it once a year; your employees live under it daily. Plain sentences, concrete examples, no “heretofore.”
  • Get executive signature — visibly. A policy signed by the CEO and mentioned in all-hands carries different weight than a PDF on the intranet. This is where organizations without security leadership stall, and where a vCISO often earns their retainer in week one.
  • Launch it like a change, not an email. Short training, real examples, a channel for questions. One unread attachment is not a rollout.
  • Enforce it evenly — especially upward. The fastest way to kill a policy’s credibility is a visible executive exception. If leadership won’t live under it, nobody will; I’ve watched that exact dynamic sink otherwise excellent policies, and it’s the purest form of the people-and-process problem.
  • Review it on a calendar, not after a crisis. Annual review minimum. Your vulnerability management policy and other domain policies hang off this parent — keep the family consistent.

Infographic showing the nine core sections of an information security policy — LeadingCyber

Information Security Policy Examples: What Good Looks Like

You’ll find hundreds of information security policy examples online, and quality varies wildly. The good ones share three traits: they’re short (under 10 pages, with detail delegated to standards), they’re specific about ownership (named roles beside every responsibility), and they’re dated (version, owner, and next review visible on page one). If an example you’re borrowing from lacks those three, keep the structure and rewrite the substance.

Key Takeaways

  • An information security policy states the durable rules and accountabilities — the detail belongs in standards and procedures beneath it
  • Nine sections cover it: purpose, scope, roles, data classification, access control, acceptable use, incident reporting, third parties, exceptions, and enforcement/review
  • Keep it 6–10 pages; a 40-page policy is a filing cabinet, not a governing document
  • Every access grant and every exception needs an expiration date — informal forever-exceptions are how policies rot
  • Rollout and even-handed enforcement decide whether it’s a living document or shelf-ware — a policy leadership won’t live under is already dead

Comparison infographic showing why information security policies fail versus what makes them work — LeadingCyber

Frequently Asked Questions

What is an information security policy?

An information security policy is a formal, leadership-approved document defining an organization’s rules and responsibilities for protecting its information and systems — covering who is accountable, what behavior is required, how data is classified and access controlled, how incidents are reported, and how exceptions and violations are handled. It states durable principles; detailed requirements live in standards and procedures beneath it.

What should an information security policy include?

Nine core sections: purpose and scope, roles and responsibilities, data classification, access control, acceptable use, incident reporting, third-party/vendor security, a formal exception process with expiration dates, and enforcement plus a review cycle. Written plainly, that fits in 6–10 pages — long enough to govern, short enough to be read.

What is the difference between a policy, a standard, and a procedure?

A policy states the rules and principles (“access follows least privilege”) and changes rarely. A standard sets mandatory specifics (“passwords: 14+ characters, MFA required”). A procedure gives the step-by-step instructions (“how to request access”). Guidelines add optional recommendations. Most bloated, unread policies are really all four layers crammed into one document.

How long should an information security policy be?

Six to ten pages for most organizations. If it passes fifteen, you’re almost certainly writing standards and procedures inside the policy — move that detail to child documents. A short, principled policy gets read and survives audits; a forty-page one gets skimmed once at onboarding and never opened again.

How often should a security policy be reviewed?

At least annually, plus after significant triggers: a major incident, a merger or reorganization, new regulations, or big technology shifts like a cloud migration. Put the review date, version number, and owner on page one — auditors look for it, and an undated policy signals an unmaintained one.

Who is responsible for the information security policy?

Ownership sits with the senior security role — a CISO, a vCISO, or in smaller organizations the IT director — who maintains and enforces it. Accountability sits above that: an executive sponsor signs it and resources it. And responsibility for following it belongs to every employee, contractor, and vendor in scope, which is exactly what the roles section should spell out by name.

Picture of  Iris A.

Iris A.

Author

Recent Posts

How to Prepare for a Cyber Attack: A Leader’s Checklist

How to Prepare for a Cyber Attack: A Leader’s Checklist

I spent years in public-sector and utility IT, where emergency preparedness isn’t…

Information Security Policy: How to Write One (+ Template)

Information Security Policy: How to Write One (+ Template)

Every audit, every compliance framework, every cyber insurance application asks the same…

What Is a CISO? Role, Salary, and How to Become One

What Is a CISO? Role, Salary, and How to Become One

Ask five people what is a CISO and you’ll get five answers:…