Need specific cyber security advice? Get in touch and we'll help you out.
Contact Us

Example Information Security Policy

The following example Information Security Policy is supplied by the Department of Trade and Industry. Use each of the sub items as the heading for your Policy.  For further information a link is provided at the end of the page.


The purpose and objective of this Information Security Policy is to protect the company’s information assets (note 1) from all threats, whether internal or external, deliberate or accidental, to ensure business continuity, minimise business damage and maximise return on investments and business opportunities.


  1. The Chief Executive Officer has approved the Information Security Policy.
  2. It is the Policy of the [company] to ensure that:
  • Information will be protected from a loss of: confidentiality (note 2), integrity (note 3) and availability (note 4).
  • Regulatory and legislative requirements will be met (note 5).
  • Business continuity plans will be produced, maintained and tested (note 6).
  • Information security training will be available to all staff.
  • All breaches of information security, actual or suspected, will be reported to, and investigated by, the Information Security Manager.
  1. Guidance and procedures will be produced to support this policy. These may/will include incident handling, information backup, system access, virus controls, passwords and encryption.
  2. The role and responsibility of the designated Information Security Manager (note 7) is to manage information security and to provide advice and guidance on implementation of the Information Security Policy.
  3. The designated owner of the Information Security Policy [name] has direct responsibility for maintaining and reviewing the Information Security Policy.
  4. All managers are directly responsible for implementing the Information Security Policy within their business areas.
  5. It is the responsibility of each employee to adhere to the Information Security Policy.


  1. Information takes many forms and includes data printed or written on paper, stored electronically, transmitted by post or using electronic means, stored on tape or video, spoken in conversation.
  2. Confidentiality: ensuring that information is accessible only to authorised individuals.
  3. Integrity: safeguarding the accuracy and completeness of information and processing methods.
  4. Availability: ensuring that authorised users have access to relevant information when required.
  5. This includes the requirements of legislation such as the Companies Act, the Data Protection Act, the Computer Misuse Act and the Copyright, Design and Patents Act.
  6. This will ensure that information and vital services are available to users whenever they need them.
  7. Depending on the size and nature of the business this may be a part or full-time role for the nominated person.


Signed ________________ Title __________________ Date __________________

(The Policy will be reviewed by the designated owner of the Information Security Policy, typically not more than 1 year from the date signed?

Source of Information

Information taken from the DTI document “Information Security: A business manager’s guide“.

Reproduced under the Open Government Licence.