Back to Resources

Creating an Information Security Policy

Creating an Information Security Policy

Creating an Information Security Policy

An Information Security Policy (ISP) is one of the foundational policies required for businesses to ensure the confidentiality, integrity, and availability of information across their organizations. It should address the shared responsibility within the organization regarding its cybersecurity practices and procedures.

Why an Information Security Policy is Important

An Information Security Policy (ISP) serves three primary purposes: it lays out responsibilities for your staff, including how cybersecurity incidents are reported; protects sensitive data that your organization holds; and ensures compliance with regulations. Nearly all regulatory frameworks (e.g. SOC 2, ISO 27001, CyberSecure Canada) require an Information Security Policy (ISP).

1. Security Incident Reporting

The ISP should first address how employees and contractors can report security incidents and provide the necessary tools. This can be as simple as a form or a fillable PDF that takes the incident information and internally assigns it to a resource on your team to investigate. Formalizing this process also ensures you have a record of security incidents at your organization, which is also a key requirement to align with regulatory frameworks.

Cyber Security Incident Response Incident Summary Template (SANS Institute)

2. Roles and Responsibilities

Next, you need to clearly outline the roles and responsibilities of departments (or personnel) in context of the Information Security process. For example, what are the responsibilities of system owners in the context of Information Security? How about your personnel? The following is an excerpt from our ISP template (which we share later on) which highlights how the roles and responsibilities section for your staff could look within the policy. This is a great time to evaluate who would be responsible for investigating any security incidents reported from the earlier step.

3. Mobile Device Security

Another vital component in an ISP is the Mobile Device Policy, which this could be it’s own policy, we find it most effective to have as least (but in-depth) policies as possible as multiple policies can often lead to users not fully reading them and absorbing the processes and procedures. This mobile device policy should determine how end-user devices that access company resources are secured and what is required from them. Our template includes a number of these which can be adopted to meet your organization’s requirements, but some common ones can include:

  • Information containing Personally Identifiable Information (PII), Protected Health Information (PHI), Intellectual Property (IP) or any other potentially sensitive information should not be sent over email unless it is stored and shared with the recipient on a secure medium (e.g. Google Drive or OneDrive).
  • Any mobile device used to access company resources (such as file shares and email) must not be shared with any other person.
  • Confidential information must not be stored on mobile devices or USB drives (this does not apply to business contact information, e.g., names, phone numbers, and email addresses)

4. Clear Desk/Screen Considerations

While this applies less to remote companies, companies with a physical office presence or remote workers may benefit from including a clear desk/screen policy within the ISP. This clause will mandate that all staff ensure their workspaces (e.g. desks) are free of papers, notes or other sensitive material at the end of each work day. Any sensitive material should be stored in locked drawers or designated areas to prevent unauthorized access. Companies primarily working remotely can ignore this but may opt to leave it to address remote working concerns.

5. Security Awareness Training

The next big thing in the policy is defining how cybersecurity awareness training is performed and mandating it is performed upon joining and annually after that. Our free WatchDog Security subscription can empower your team with unlimited users and free, recurring security awareness training which can satisfy the requirements. However, this has inherent limitations – it assumes training is a one-glove-fits-all solution, which could not be further from true. The reality is that certain users exhibit riskier behaviours, often being educated about their significance. This is where a paid subscription to WatchDog Security can come in handy. The subscription offers flexibility, allowing us to adapt the training to the specific needs of each user, depending on their day-to-day insecure behaviours. For instance, if they don’t use MFA on SaaS platforms often, we can assign them a course educating them on it automatically as an example.

An Acceptable Use Policy (AUP) outlines how your organization’s information systems and data are used, ensuring that all employees understand the boundaries of acceptable and unacceptable behaviour. The policy should articulate that staff can only use the equipment for authorized business purposes and not engage in practices that would compromise them. Furthermore, within the unacceptable use portion, you can explicitly mention that illegal activities, turning off security features, setting up remote access, and other considerations are not allowed. Our template includes a number of templated usage statements which can be tweaked.

Creating an ISP using WatchDog Security’s Free Policy Manager

Using a free subscription to the WatchDog Security platform, you can leverage our policy manager to create and disseminate policies (such as an Information Security Policy) to your team members and have a centralized hub to manage everything. To get started sign up here. Once you sign up, navigate to Policy Manager and click Create New Policy. Select the Create Using Template option to pre-populate it with various information to help speed up policy development. Edit the highlighted parts of the policy with your organization-accepted parameters and click Publish Policy. Now all the users added via Employee Management will receive the policy to accept in their dashboard.

Turn Your Workforce Into Your Strongest Defense

Your employees are the #1 target — and businesses face constant risk from AI deepfakes, misconfigurations, and more. Start today with our unified trust, compliance, and security platform, free-for-life, and get access to:

  • Cybersecurity training – 50+ animated micro-courses
  • Unlimited employees on the free plan – no credit card required
  • Policy, risk, and vendor management -publish, distribute, and track with ease
  • Inventory manager -track, categorize and organize all your assets

Get started free today – no credit card required.

Additional Resources

Information Security Policy and Guidelines (Government of British Columbia) Information Security Policy (CIS Center for Internet Security)