Get in touch

Get in touch

  • This field is for validation purposes and should be left unchanged.

Privacy Notice


When you submit an enquiry via our website, we use the personal data you supply to respond to your query, including providing you with any requested information about our products and services. We may also email you several times after your enquiry in order to follow up on your interest and ensure that we have answered your it to your satisfaction. We will do this based on our legitimate interest in providing accurate information prior to a sale. Your enquiry is stored and processed as an email which is hosted by Microsoft within the European Economic Area (EEA). We keep enquiry emails for two years, after which they are securely archived and kept for seven years, when we delete them.

Reveal Menu

ISO 27001 policies – dos and don’ts

One of the areas we’re often asked about is that of policies. In this article I’ll cover some of the dos and don’ts of creating ISO 27001 policies.

But first of all, what do we mean by a policy? One common definition of a policy is:

“a set of ideas or a plan of what to do in particular situations that has been agreed to officially by a group of people, a business  organization, a government, or a political party”.

In information security terms, we would probably say it’s a set of rules to follow.

Policy Documents

How many policies?

So how many policies do you need to comply with the ISO27001 standard? Well, a simple search of the term within the 2022 standard document only comes up with three discrete instances where the need for a policy is mentioned:

  1. Information security policy
  2. Access control policy
  3. Backup policy

However, the term “topic-specific policy” is used quite often and there is an implicit expectation that you will define such policies where needed. The main reference to this is in the Annex A control A.5.1 Policies for information security.

But in terms of how many documents that actually translates into is largely up to you and your organization. You could for example have one single information security policy that covers everything, and some people do that. The main advantage of this approach is simplicity.

However, in some circumstances a number of issues occur with this approach. Firstly, there’s the question of the audience. Not all policies are aimed at the same people; you may have some that are intended for users, some for technicians and again some for a specific department such as HR.

Secondly, it depends on who approves your policies and how often they change. It’s common for an information security policy to be approved at board level and if you need to make frequent revisions to the document because it covers areas that change rapidly then approval could become a problem.

So there’s no single right answer to the question of how many policies is appropriate; it depends on your organization.

The CertiKit approach

What we provide in the toolkit is a high-level information security policy that references a set of lower-level policies that may change more often and have specific audiences. We also provide many more than the number mentioned in the standard as we believe that having clear rules in each area of information security is a good idea. But you could decide to merge some of these together into a smaller set – remember the approach you take is up to you.

What should your policies say?

So how should you create your policies from the template documents we provide in the toolkit? The mantra we often suggest when it comes to creating policies suitable for audit is to under-promise and over-deliver, rather than the other way round. Make sure that the ISO 27001 policies reflects what you actually do now, rather than what you aspire to at some time in the future. The ISO27001 standard just says you should have a policy; it isn’t prescriptive about what is in it. If a statement in a template policy doesn’t reflect your current practices then simply remove it. You can always put it back in when your ISMS is more mature. An easy way to get a nonconformity at audit time is to state you do something in a policy that isn’t the case. The only caveat I put on that is that the policy still needs to be appropriate to the level of risk you perceive in that area.

Policy language, approval and communication

Because it’s a set of rules, the language used in your policies should be sufficiently imperative – use verbs like “must” and “will” rather than “should” or “may”, unless you genuinely want to allow something to be optional.

Once you’ve created your policy, the ISO27001 standard expects it to be formally approved and communicated. Failing to do either of these actions would be an audit issue. Approval doesn’t have to be a wet signature on a piece of paper; most electronic forms of signifying approval by an appropriate person are accepted.

Communication means that the people who are expected to abide by the policy are aware of it and its contents. This normally means as part of new starter induction and via a suitable mechanism to publish new policies and changes to existing ones. Clear version control is essential in this.

It’s also important to communicate the consequences of non-compliance with your policies. This is often done as part of regular awareness training.

Final thoughts

Lastly, things do change, and it’s important that your ISO 27001 policies change with them. Put in place a regular review of all of your policies and make sure you record the fact that this has happened.

Policies are a great tool as part of your ISMS and following these basic rules should help to avoid the most common pitfalls.


This blog was written by Ken Holmes CISSP, CIPP/E; CertiKit’s managing director and primary author of the ISO27001 toolkits. Ken is a qualified ISO/IEC 27001 Lead Auditor and an active member of ISACA and a BSI-published author on IT service management. Note, this blog was updated in November to reflect the 2022 standard. 


More ISO27001 Resources

CertiKit is a provider of ISO toolkits, consultancy and internal auditing services, and has helped more than 4000 organizations worldwide with their compliance.

For more guidance on implementing the ISO27001:2022 standard, we’ve put together a list of our best free resources including video guides, blogs and downloadable documents.

Free ISO27001 Resources

We’ve helped more than 4000 businesses with their compliance


Keep pitching what you do... It works and wins when comparing to perceived competition. Almost a personal touch springs to mind. Personally I like the product, and the way it's delivered.

Reality Consulting

View all Testimonials