IT Security
Written by Joanne Hughes, Policy & Compliance Specialist

Information Security Policy Writing

Information Security covers a broad range of areas and touches on almost every part of a modern company. Even getting started can be intimidating: you have to gather details of all of your internal systems and processes before you can write the many information security documents an organisation may need.

For our clients, we have taken a lot of the work out of Information Security Policy writing. One of our most popular requests is for an all-in-one Information Security Work Manual.

This Information and Data Security document covers GDPR requirements as well as the following areas (the scope can be expanded or reduced as required).

Information Security Areas

  • GDPR Data Classifications
  • Joiners, Movers, Leavers IT Security
  • Data Governance
  • Internal Network Management
  • Support Systems and Software
  • Data Security (At Rest, In Transit, In Use)
  • Environment Provisioning and Management
  • Access Controls
  • Password and Biometric Security
  • Change Management
  • Hardware Management
  • Physical Security
  • Data Destruction
  • Data Classifications
  • Incident Response Policy (data breaches procedure)
  • Data Controller Actions
  • Privacy Impact Assessment
  • Subject Access Requests

Working With Our Clients

As you can see, there are potentially a lot of areas to cover. We work through the content with our customers by providing easy-to-complete questionnaires and using our business analysis skills to understand your organisation.

As part of the process, we will recommend statements and ways of working to fill gaps in your information security preparedness. We can also keep you updated on any changes in legislation that you need to be aware of.

These updates can be folded into your information security documents when needed.

The Standards

UK information security policy is grounded in ISO 27001:2022 (the 2022 revision reorganised Annex A from 114 to 93 controls in 4 themes), the NCSC's 10 Steps to Cyber Security, the Cyber Essentials and Cyber Essentials Plus schemes, and (for sectors in scope) the NIS Regulations 2018 and the forthcoming Cyber Security and Resilience Bill.

Other frameworks layer on top in specific sectors: the FCA's operational resilience expectations for financial services, the NHS Data Security and Protection Toolkit for healthcare, and PCI DSS v4.0 for card-handling environments.

The Core Policy Library

  • Information Security Policy (the umbrella governance document).
  • Acceptable Use Policy.
  • Access Control Policy.
  • Information Classification Policy.
  • Cryptography and Key Management Policy.
  • Patch and Vulnerability Management Policy.
  • Backup and Recovery Policy.
  • Data Protection and Privacy Policy (UK GDPR).
  • Incident Response and Data Breach Policy.
  • Business Continuity Policy and ICT Continuity Plan.
  • Supplier and Third-Party Security Policy.
  • Physical Security Policy.
  • Remote Working and BYOD Policies.

What Has Changed in 2025-2026

The 2022 ISO 27001 transition deadline expired on 31 October 2025; certificates against the 2013 version are no longer valid. Cyber Essentials updated its requirements during 2024-2025 to clarify cloud services scope and BYOD treatment.

PCI DSS v4.0 became mandatory from 31 March 2025.

Frequently Asked Questions

Do we need ISO 27001 certification?

Certification is voluntary but increasingly a contractual requirement in regulated sectors and in enterprise procurement. Many organisations adopt the framework without formal certification.

Cyber Essentials or ISO 27001 first?

For most SMEs, Cyber Essentials is the practical first step (weeks to certify, focused on five technical controls). ISO 27001 is the broader, longer programme suitable once the technical baseline is established.

What Policy Pros Delivers

Our Information Security Policy Library is mapped to ISO 27001:2022 Annex A, NCSC 10 Steps and Cyber Essentials. We also write the supporting Statement of Applicability, Risk Treatment Plan and internal-audit framework needed for certification.
