Security | Updated: 7 April 2026 | 4 min read

Information Security Policy - What Should It Include?

An information security policy describes how your organisation protects personal data and business information. This article explains what to include, how to draft it, and how to keep it up to date.

Key Takeaways
  • An information security policy describes the rules and measures that protect business information and personal data
  • The policy must be practical: employees need to understand and follow it
  • Start with the basics: passwords, access, clean desk, incident reporting, and device usage
  • Review the policy at least annually and after every security incident

Why you need a security policy

You can have the best technical security in place, but if your employees don't know the rules, it is like installing an alarm system and sticking the code on a post-it next to the door.

An information security policy describes the rules and expectations for everyone in your organisation. It tells employees what they can and cannot do with business information and personal data, and it demonstrates to the regulator that you take security seriously.

What should it include?

Purpose and scope

Briefly describe why the policy exists and who it applies to. Typically it covers all employees, freelancers, and interns with access to business systems or data.

Passwords and authentication

  • Requirements for password length and uniqueness (no reuse across systems or services)
  • Mandatory multi-factor authentication wherever it is available
  • Prohibition on sharing passwords or accounts
  • Use of an approved password manager

Access control

  • Rights granted per role on a need-to-know, least-privilege basis
  • Rights reviewed and adjusted when roles change
  • All access revoked immediately upon departure, including external services and shared accounts
  • Periodic review of access rights to remove access that is no longer needed

Device usage

  • Rules for using company devices
  • BYOD policy if employees use personal devices for work
  • Mandatory full-disk encryption and automatic screen lock
  • Rules for working on public networks (use the company VPN)

Clean desk and clear screen

  • Documents with personal data stored away when leaving the workstation
  • Screens locked when away
  • Confidential prints collected immediately from the printer

Email and communication

  • Guidelines for sending personal data via email
  • When encryption is required
  • How to recognise and report suspicious emails (phishing)
  • Whether personal email addresses may be used for work matters

Incident reporting

  • How employees report a security incident (including lost devices and suspected phishing)
  • Who to report it to
  • Within what timeframe (as soon as possible, so that legal notification deadlines can still be met)
  • That there are no negative consequences for reporting mistakes

External storage and tools

  • Which cloud storage services are approved
  • Prohibition on using unapproved tools for business data
  • Rules for sharing files with external parties

How to draft it

  1. Start with a template - no need to reinvent the wheel. Use an existing template and adapt it to your organisation
  2. Make it practical - write in plain language and avoid legal jargon
  3. Discuss it with your team - ensure employees can provide input and ask questions
  4. Have it signed - each employee confirms they have read and understood the policy
  5. Make it accessible - store it somewhere everyone can find it

Keep it alive

A security policy that you write and then forget has little value. Review it:

  • Annually - is it still current?
  • After an incident - does anything need tightening?
  • When things change - new tools, new employees, or new ways of working

GDPRWise Editorial

This article was written by the GDPRWise team and reviewed by our privacy experts. We regularly review our content for accuracy and legal correctness.