Profile information Account settings
Sign up Log in

MAKE YOUR FREE Information security policy

  • Make your document in minutes
  • Access from any device
  • Securely sign online
Make document

How to make an Information security policy

Create an information security policy to set out how your business protects information and ensures that it is kept secure.

An information security policy is a document that states a business’ rules and procedures on information security (eg how any security measures are implemented and how compliance is monitored). Information security policies are used to ensure staff know about the importance of information security and the steps they must take to ensure that any information held by a business is kept secure.

Use this information security policy template:

  • to ensure any information held by your business is secure

  • to comply with your obligations under the UK General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA)

  • to inform staff about information security

  • to set out the consequences of failing to keep information secure

  • only for staff based in England, Wales or Scotland

This information security policy template covers:

  • the purpose of the policy

  • who has responsibility for information security

  • general principles relating to information security and data protection

  • what steps the business takes to protect information, including personal data

  • how access to offices is secured

  • what computer and IT measures are in place to protect information

  • how working from home affects information security

  • transfers of information, including international data transfers

  • consequences of a breach of this policy

Having an information security policy in place shows your commitment to ensuring the security of information. It also helps you to comply with the relevant data protection legislation. Adopting this policy helps you to ensure a consistent way of addressing and managing any information security risks your business may face. For more information, read Information security and cyber security.

Information security (or ‘InfoSec’) is the practice of protecting information held by a business. This includes confidential information (eg trade secrets), personal data (eg customer names and addresses), sensitive personal data (eg information about staff members’ trade union membership or health) and business information (ie business-related information that isn’t personal data).

Information security protects the information a business holds against unauthorised activities (eg unauthorised changes). Further, under the GDPR and the DPA, you may only process (eg receive and store) personal data in a way that ensures the appropriate security of the data. This means adopting certain appropriate security measures to protect personal data. An information security policy helps you comply with these obligations.

For more information, read Information security and cyber security.

While all staff are responsible for information security within your business, one person should have overall responsibility for this information security policy. Who this person should be will depend on your business. They will be either:

  • your business’ Data protection officer (DPO) - the person in the business with operational responsibility for data protection compliance, or

  • a person other than the DPO - this person will need to take practical steps to comply with data protection laws and so should be someone who can understand and apply the relevant legal rules (eg an information security manager)

Security measures are the steps your business takes to protect information from being accidentally or deliberately compromised. Security measures include: 

  • organisational measures - ensuring data security within your business (eg having an employee responsible for information security and for entering into data processing agreements)

  • technical measures - including physical measures (eg how the workplace is protected) and cybersecurity (eg how network security is ensured)

For more information, read Data protection principles.

Which security measures are needed to protect information will depend on the specifics of your business. Examples of security measures include:

  • encrypting personal data - encoding the personal data in such a way that only authorised users can access it. For more information, see the Information Commissioner’s Office’s (ICO’s) guidance

  • pseudonymising personal data - removing or replacing information from personal data that identifies a specific individual (eg replacing a name with a reference number). For more information, see the ICO’s guidance

  • implementing dual-factor authentication (also known as ‘two-factor authentication’ or ‘2FA’) - securing access to systems and devices by requiring two methods of verifying someone’s identity (eg requiring a username and password and, additionally, verification through an app)

  • using strong passwords to protect devices

  • password protecting documents containing sensitive personal data 

See the ICO's guidance for more information on password protection and dual-factor authentication.

To determine what security measures your business should have in place, consider what measures you may need to:

  • ensure the ongoing confidentiality, integrity, availability and resilience of business systems (eg computer systems)

  • restore the availability of, and access to, information in a timely manner in the event of a physical or technical incident

  • test the effectiveness of your business’ security measures

For more information, read Information security and cyber security. Consider using the ICO’s checklist to assess your business’ information security compliance.

If staff don’t comply with the information security policy, they may be subject to disciplinary action (in accordance with your Disciplinary procedure). In certain circumstances, depending on the severity of the situation, non-compliance may result in the dismissal of that person. This applies to all staff, including those who hold senior positions (eg directors).

This information security policy should be supported by a variety of different documents, including:

Ask a lawyer if:

  • you work in a regulated sector

  • this policy doesn’t meet your needs and you’d like a bespoke version drafted

  • you have staff based outside England, Wales and Scotland

This information security policy complies with the laws of England, Wales and Scotland.

Other names for Information security policy

InfoSec Policy, Cyber security policy, Information security management system policy, Information security procedures, Information security and management policy.