MAKE YOUR FREE Information Security Policy
What is an Information Security Policy?
An Information Security Policy details a business’ rules and procedures regarding information security (eg how any security measures are implemented and how compliance is monitored). Information Security Policies act to protect sensitive business information and data from any unauthorised access. They are also used to ensure staff members know about the importance of information security and the steps they must take to ensure that any information held by a business is kept secure.
When should I use an Information Security Policy?
- to ensure any information held by your business is secure
- to comply with your obligations under the UK General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA)
- to inform staff about information security
- to set out the consequences of failing to keep information secure
- only for staff based in England, Wales or Scotland
About Information Security Policies
Learn more about making your Information Security Policy
How to make an Information Security Policy
Making an Information Security Policy online is simple. Just answer a few questions and Rocket Lawyer will build your document for you. When you have all of the details prepared in advance, making your document is a quick and easy process.
To make your Information Security Policy, you will need the following information:
Employer details
- What is the employer’s name?
- Who has overall responsibility for data protection compliance and what are their details?
Policies
- What policies does the employer have in place?
- Are the employer's policies available online? If so, what are the URLs of the policies?
Security measures
- What security measures are in place to protect personal data?
- Who is responsible for computers and IT?
- How is training on information security delivered?
Data transfers
- Can personal data be transferred outside of the UK?
Common terms in an Information Security Policy
An Information Security Policy is used to set out how a business protects information and ensures that it is kept secure. To do this, this Information Security Policy covers:
Statement of Policy
This section provides a brief overview of the Information Security Policy, why it is being adopted and to whom it applies. It also highlights the fact that all staff members should familiarise themselves with the Policy.
Purpose of Policy
This section provides more detail on why the Information Security Policy is being adopted. Specifically, it highlights that the Policy is crucial for the employer’s data protection compliance. This section also sets out that the Policy does not form part of any employment contracts and can, therefore, be changed by the employer at their discretion.
Roles and responsibilities
This section sets out that all staff members have a responsibility for information security. It also appoints the person with overall responsibility for the Policy and clarifies what their duties include.
Scope of this policy
This section sets out what forms of information and communication the Policy applies to. It also provides details of any policies which supplement the Information Security Policy.
General principles
This section sets out the general principles of the Information Security Policy, including the importance of maintaining the security of all information.
Information management
This section details how any personal data (ie information about individuals who can be identified from the data, eg names and addresses) must be processed and what steps need to be taken to ensure the safety of this data.
Human resources (HR) information
This section sets out that, due to the internal confidentiality of personnel files, all access to such files will be limited to the HR department.
Access to offices and information
This section details how offices and all information kept in offices is kept secure. It also sets out how visitors should act when on the premises.
Computers and IT
This section sets out how computers and IT systems are kept secure and how the security of any digital information is ensured.
Communications and transfer of information
This section sets out how staff are to ensure the security and confidentiality of communications, especially when not in the office.
Personal email and cloud storage accounts
This section explains that personal email accounts and personal cloud storage accounts should not be used for work purposes. It also highlights that staff members should consult with the relevant department (eg an IT department) if they need to transfer large amounts of data.
Working from home
This section provides details on maintaining information security when staff work from home.
Transfer to third parties
This section sets out when third-party service providers (eg businesses offering cloud storage services) may be engaged. It also clarifies that staff members involved in dealing with third-party service providers should speak to the individual with overall responsibility for data protection compliance before entering into any contracts.
International data transfers
This section sets out whether personal data may be transferred to parties outside the UK (eg to the European Economic Area (EEA)).
Training
This section provides details of the types of training that are provided to staff members. This includes how such training will be delivered and how often.
Reporting data breaches
This section highlights that all staff members have an obligation to report actual or potential data breaches and sets out why this is the case.
Consequences of non-compliance
This section sets out the potential consequences of failing to comply with this Policy. These include disciplinary action and even dismissal.
If you want your Information Security Policy to include further or more detailed provisions, you can edit your document. However, if you do this, you may want a lawyer to review or change the Information Security Policy for you, to make sure it complies with all relevant laws and meets your specific needs. Ask a lawyer for assistance.
Legal tips for making an Information Security Policy
Ensure that the business complies with the commitments made in the Policy
Recording how your business will meet its data protection and information security obligations in writing is a fundamental first step toward compliance. However, simply having an Information Security Policy in place is not enough to demonstrate that you’ve actually complied with your legal obligations. You need to ensure that the steps set out in your Policy are followed. It is, therefore, crucial that you make and follow a clear plan for implementing the Information Security Policy.
Consider what documents are needed to supplement this Policy
This Information Security Policy should be supported by a variety of different documents, depending on your business’ needs. For example:
- a Data protection and data security policy - an essential policy setting out the rules and procedures the business follows when dealing with staff personal information and other personal data
- an Employee privacy notice and/or Consultant privacy notice - detailing how the business collects, uses, retains and discloses staff and/or consultants’ personal information. This document allows employers to be transparent and open about the information collected from staff/consultants
- a Communications and use of equipment policy - setting out the rules and procedures for accessing communications and IT equipment and resources and for monitoring staff in the workplace
- a Data processing agreement (often abbreviated ‘DPA’, not to be confused with the Data Protection Act 2018 referred to above) - ensuring compliance with the GDPR whenever any data processing is outsourced to a third-party service provider
- a data retention policy - setting out for how long the business will keep personal data and how any data will be disposed of when it's no longer needed. Ask a lawyer if you need a data retention policy
- a Working from home policy - setting out the business' approach to home working
- a subject access requests policy - setting out how subject access requests can be made and how the business handles such requests. Ask a lawyer if you need a subject access requests policy
Understand when to seek advice from a lawyer
Ask a lawyer if:
- you work in a regulated sector
- this policy doesn’t meet your needs and you’d like a bespoke version drafted
- you have staff based outside England, Wales and Scotland
Information Security Policy FAQs
What is included in an Information Security Policy?
This Information Security Policy template covers:
- the purpose of the Policy
- who has responsibility for information security
- general principles relating to information security and data protection
- what steps the business takes to protect information, including personal data
- how access to offices is secured
- what computer and IT measures are in place to protect information
- how working from home affects information security
- transfers of information, including international data transfers
- consequences of a breach of this Policy
Why do I need an Information Security Policy?
Having an Information Security Policy in place shows your commitment to keeping information secure. It protects your business by reducing the likelihood and impact of security incidents such as leaks and data breaches, and it helps you to comply with the relevant data protection legislation.
Adopting an Information Security Policy also helps you ensure a consistent way of identifying, addressing and managing the information security risks your business faces.
For more information, read Information security and cyber security.
What is information security?
Information security (or ‘InfoSec’) is the practice of protecting information held by a business. This includes confidential information (eg trade secrets), personal data (eg customer names and addresses), special category (‘sensitive’) personal data (eg information about staff members’ trade union membership or health) and business information (ie business-related information that isn’t personal data).
Information security protects the information a business holds against unauthorised activities (eg unauthorised changes). Further, under the GDPR and the DPA, you may only process (eg receive and store) personal data in a way that ensures the appropriate security of the data. This means adopting certain appropriate security measures to protect personal data. An Information Security Policy helps you comply with these obligations.
For more information, read Information security and cyber security.
Who should be responsible for the Information Security Policy?
While all staff are responsible for information security within your business, one person should have overall responsibility for this Information Security Policy. Who this person should be will depend on your business. They will be either:
- your business’ data protection officer (DPO) - the person in the business with operational responsibility for data protection compliance, or
- a person other than the DPO - this person will need to take practical steps to comply with data protection laws and so should be someone who can understand and apply the relevant legal rules (eg an information security manager)
What are security measures?
Security measures are the steps your business takes to protect information from being accidentally or deliberately compromised. Security measures include:
- organisational measures - ensuring data security within your business (eg having an employee responsible for information security and for entering into data processing agreements)
- technical measures - including physical measures (eg how the workplace is protected) and cybersecurity (eg how network security is ensured)
For more information, read Data protection principles.
What security measures should be in place?
Which security measures are needed to protect information will depend on the specifics of your business. Examples of security measures include:
- encrypting personal data - encoding the personal data in such a way that only authorised users holding the key can read it, whether the data is stored (eg on laptops and backups) or in transit (eg over the internet). For more information, see the Information Commissioner’s Office’s (ICO’s) guidance
- pseudonymising personal data - removing or replacing the information in personal data that identifies a specific individual (eg replacing a name with a reference number). The table that links reference numbers back to individuals must be kept separately and access-controlled; while your business holds it, the pseudonymised data is still personal data. For more information, see the ICO’s guidance
- implementing two-factor authentication (‘2FA’, a form of multi-factor authentication) - securing access to systems and devices by requiring two different methods of verifying someone’s identity (eg a username and password and, additionally, a one-time code from an authenticator app)
- using strong passwords to protect devices, and keeping each password unique to its account or device
- password protecting documents containing sensitive personal data. Check that the application actually encrypts the file contents with the password (eg an ‘open’ password on a PDF or ‘encrypt with password’ in an office suite) rather than merely restricting editing, which does not protect the data
See the ICO's guidance for more information on password protection and two-factor authentication.
To determine what security measures your business should have in place, consider what measures you may need to (these reflect the security measures listed in Article 32 of the UK GDPR):
- ensure the ongoing confidentiality, integrity, availability and resilience of business systems (eg computer systems)
- restore the availability of, and access to, information in a timely manner in the event of a physical or technical incident
- regularly test the effectiveness of your business’ security measures
For more information, read Information security and cyber security. Consider using the ICO’s checklist to assess your business’ information security compliance.
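The pseudonymisation measure above is easiest to understand with a worked example. The Python below is an added illustration, not part of the template or of any ICO guidance: it replaces a person's identifying fields with a reference number derived by keyed hashing (HMAC-SHA256) and keeps the re-identification table apart from the working dataset. The customer records, field names and the `REF-` prefix are constructed for the illustration; the secret key is generated at run time and would in practice be stored with the lookup table, never alongside the pseudonymised data.

```python
import hashlib
import hmac
import secrets

# Fields that identify a person directly; everything else stays in the working dataset.
IDENTIFYING_FIELDS = ("name", "email", "postcode")

# Constructed sample records for illustration only (not real people).
CUSTOMERS = [
    {"name": "Alice Example", "email": "Alice@Example.com", "postcode": "SW1A 1AA", "plan": "pro", "tickets": 3},
    {"name": "Bob Example", "email": "bob@example.com", "postcode": "EC1A 1BB", "plan": "basic", "tickets": 0},
    {"name": "Alice Example", "email": "alice@example.com", "postcode": "SW1A 1AA", "plan": "pro", "tickets": 1},
]


def make_reference(secret_key: bytes, email: str) -> str:
    """Derive a stable reference number from an e-mail address with HMAC-SHA256.

    A keyed hash rather than a plain SHA-256: without the key, someone holding the
    pseudonymised dataset cannot confirm a guessed address by hashing it and looking
    for a match. Normalising case and whitespace keeps one person on one reference.
    """
    normalised = email.strip().lower().encode("utf-8")
    digest = hmac.new(secret_key, normalised, hashlib.sha256).hexdigest()
    return "REF-" + digest[:16].upper()


def pseudonymise(records: list[dict], secret_key: bytes) -> tuple[list[dict], dict]:
    """Split records into a pseudonymised dataset and a separate re-identification table.

    The table (reference -> identifying fields) is the 'additional information' that
    must be kept separately and under technical and organisational controls; while the
    business holds it, the pseudonymised dataset is still personal data.
    """
    pseudonymised = []
    lookup = {}
    for record in records:
        ref = make_reference(secret_key, record["email"])
        lookup[ref] = {field: record[field] for field in IDENTIFYING_FIELDS}
        working = {field: value for field, value in record.items() if field not in IDENTIFYING_FIELDS}
        working["reference"] = ref
        pseudonymised.append(working)
    return pseudonymised, lookup


def reidentify(pseudonymised_record: dict, lookup: dict) -> dict:
    """Restore identifying fields; only callers with access to the lookup table can do this."""
    return {**lookup[pseudonymised_record["reference"]], **pseudonymised_record}


def leaks_identifiers(pseudonymised: list[dict]) -> bool:
    """Check that no identifying field survived in the working dataset."""
    return any(field in record for record in pseudonymised for field in IDENTIFYING_FIELDS)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # store with the lookup table, never with the dataset
    working_set, reid_table = pseudonymise(CUSTOMERS, key)
    for row in working_set:
        print(row)
    print("identifiers leaked:", leaks_identifiers(working_set))
    print(reidentify(working_set[0], reid_table))
```

Two points the code makes that the bullet cannot: the two Alice records, whose e-mail addresses differ only in case, collapse onto one reference, so analysis over the working set still counts one person; and re-identification works only for whoever holds both the key and the lookup table, which is why those must sit behind stricter access controls than the dataset itself.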
What are the consequences of not complying with this Information Security Policy?
If staff don’t comply with the Information Security Policy, they may be subject to disciplinary action (in accordance with your Disciplinary procedure). In certain circumstances, depending on the severity of the situation, non-compliance may result in the dismissal of that person. This applies to all staff, including those who hold senior positions (eg directors).