
ISO 27001 policies – dos and don’ts

One of the areas we’re often asked about is that of policies. In this article I’ll cover some of the dos and don’ts of creating ISO 27001 policies.

But first of all, what do we mean by a policy? One common definition of a policy is:

“a set of ideas or a plan of what to do in particular situations that has been agreed to officially by a group of people, a business organization, a government, or a political party”.

In information security terms, we would probably say it’s a set of rules to follow.

Policy Documents

How many policies?

So how many policies do you need to comply with the ISO27001 standard? Well, a simple search of the term within the 2022 standard document only comes up with three discrete instances where the need for a policy is mentioned:

  1. Information security policy
  2. Access control policy
  3. Backup policy

However, the term “topic-specific policy” is used quite often and there is an implicit expectation that you will define such policies where needed. The main reference to this is in the Annex A control A.5.1 Policies for information security.

How many documents that actually translates into is largely up to you and your organization. You could, for example, have one single information security policy that covers everything, and some people do that. The main advantage of this approach is simplicity.

However, in some circumstances a number of issues occur with this approach. Firstly, there’s the question of the audience. Not all policies are aimed at the same people; you may have some that are intended for users, some for technicians and some for a specific department such as HR.

Secondly, it depends on who approves your policies and how often they change. It’s common for an information security policy to be approved at board level, and if you need to make frequent revisions to the document because it covers areas that change rapidly, then approval could become a problem.

So there’s no single right answer to the question of how many policies is appropriate; it depends on your organization.

The CertiKit approach

What we provide in the toolkit is a high-level information security policy that references a set of lower-level policies that may change more often and have specific audiences. We also provide many more than the number mentioned in the standard as we believe that having clear rules in each area of information security is a good idea. But you could decide to merge some of these together into a smaller set – remember the approach you take is up to you.

What should your policies say?

So how should you create your policies from the template documents we provide in the toolkit? The mantra we often suggest when it comes to creating policies suitable for audit is to under-promise and over-deliver, rather than the other way round. Make sure that your ISO 27001 policies reflect what you actually do now, rather than what you aspire to at some time in the future. The ISO27001 standard just says you should have a policy; it isn’t prescriptive about what is in it. If a statement in a template policy doesn’t reflect your current practices then simply remove it. You can always put it back in when your ISMS is more mature. An easy way to get a nonconformity at audit time is to state in a policy that you do something that isn’t the case. The only caveat I put on that is that the policy still needs to be appropriate to the level of risk you perceive in that area.

Policy language, approval and communication

Because it’s a set of rules, the language used in your policies should be sufficiently imperative – use verbs like “must” and “will” rather than “should” or “may”, unless you genuinely want to allow something to be optional.

Once you’ve created your policy, the ISO27001 standard expects it to be formally approved and communicated. Failing to do either of these actions would be an audit issue. Approval doesn’t have to be a wet signature on a piece of paper; most electronic forms of signifying approval by an appropriate person are accepted.

Communication means that the people who are expected to abide by the policy are aware of it and its contents. This normally means as part of new starter induction and via a suitable mechanism to publish new policies and changes to existing ones. Clear version control is essential in this.

It’s also important to communicate the consequences of non-compliance with your policies. This is often done as part of regular awareness training.

Final thoughts

Lastly, things do change, and it’s important that your ISO 27001 policies change with them. Put in place a regular review of all of your policies and make sure you record the fact that this has happened.

Policies are a great tool as part of your ISMS and following these basic rules should help to avoid the most common pitfalls.


This blog was written by Ken Holmes CISSP, CIPP/E; CertiKit’s managing director and primary author of the ISO27001 toolkits. Ken is a qualified ISO/IEC 27001 Lead Auditor and an active member of ISACA and a BSI-published author on IT service management. Note, this blog was updated in November to reflect the 2022 standard. 

Title image credits: Computer vector created by freepik –
