MAKE YOUR FREE Information Security Policy
What is an Information Security Policy?
An Information Security Policy details a business’ rules and procedures regarding information security (eg how any security measures are implemented and how compliance is monitored).
Information Security Policies act to protect sensitive business information and data from any unauthorised access. They are also used to ensure staff members know about the importance of information security and the steps they must take to ensure that any information held by a business is kept secure.
When should I use an Information Security Policy?
Use this Information Security Policy:
- to ensure any information held by your business is secure
- to comply with your obligations under the UK General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA)
- to inform staff about information security
- to set out the consequences of failing to keep information secure
- only for staff based in England, Wales or Scotland
Sample Information Security Policy
The terms in your document will update based on the information you provide
INFORMATION SECURITY POLICY
Statement of Policy
- (the Employer, we or our) is committed to the highest standards of information security and treats data security and confidentiality extremely seriously.
- This Policy and the rules contained in it apply to all staff of the Employer, irrespective of seniority, tenure and working hours, including all employees, directors and officers, consultants and contractors, temporary and agency workers, trainees, casual and fixed-term staff, apprentices, interns and any volunteers (Staff or you).
- All Staff must familiarise themselves with this Policy and comply with its terms.
Purpose of Policy
- In relation to personal data, under the UK General Data Protection Regulation (the UK GDPR), the Employer must:
- ensure the security of personal data, including protection against any unlawful or unauthorised data processing and accidental loss, damage or destruction, by utilising appropriate technical or organisational measures;
- demonstrate the consideration and integration of data compliance measures into the Employer’s data processing activities, by implementing appropriate technical or organisational measures; and
- be able to demonstrate the use and implementation of such appropriate technical or organisational measures.
- The purpose of this Policy is to:
- protect against any potential breaches of confidentiality;
- protect the Employer’s informational assets and IT systems and facilities against any loss, damage or misuse;
- ensure that Staff are aware of and comply with UK laws and the Employer’s policies and procedures on the processing of personal data; and
- raise awareness of and clarify the responsibilities and duties of Staff in respect of information security, data security and confidentiality.
- This is a statement of policy only and does not form part of your contract of employment. The Employer may amend this Policy at any time, in our absolute discretion, and we will do so in accordance with our data protection and other obligations. A new copy of the Policy will be circulated whenever it is changed.
- For the purposes of this Policy:
- Business Information means any of the Employer’s business-related information other than personal data about customers, clients, suppliers and other business contacts;
- Confidential Information means any trade secrets or other confidential information (belonging to the Employer or third parties) processed by the Employer;
- Personal Data means any information that relates to an individual who can be identified from that information, either directly or indirectly; and
- Sensitive Personal Data means information about an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership (or non-membership), health, sex life, sexual orientation, genetic information or biometric information (where this is used to identify an individual).
Roles and Responsibilities
- All Staff have a responsibility for information security. The has overall responsibility for this Policy. Specifically, they must:
- implement and maintain this Policy;
- monitor potential and actual security breaches;
- ensure Staff are aware of their responsibilities in relation to information security and confidentiality; and
- ensure compliance with the UK GDPR and all other relevant legislation and guidance.
Scope of This Policy
- This Policy covers all written, verbal and digital information held, used or transmitted by or on behalf of the Employer, irrespective of media. This includes, but is not limited to:
- paper records;
- hand-held devices;
- telephones;
- information stored on computer systems; and
- information passed on verbally.
- The information covered by this Policy may include:
- Personal Data relating to Staff, customers, clients or suppliers;
- other Business Information; and
- Confidential Information.
- This Policy supplements the Employer’s policies relating to data protection, internet, email and communications, and document retention, including the Employer’s:
The content of these policies must be considered and taken into account alongside this Policy.
General Principles
- All information must be:
- treated as commercially valuable; and
- protected from loss, theft, misuse or inappropriate access or disclosure.
- Through the use of appropriate technical and organisational measures all Personal Data, including Sensitive Personal Data, must be protected against:
- unauthorised and/or unlawful processing; and
- accidental loss, destruction or damage.
- Staff and line managers should discuss what security measures (including technical and organisational measures) are appropriate and which exist to protect any information accessed by Staff in the course of employment.
- Any information, apart from Personal Data, is owned by the Employer and not by an individual or team.
- Any information must only be used in connection with work being undertaken for the Employer. It must not be used for any other personal or commercial purposes.
- Any Personal Data must only be processed for the specified, explicit and legitimate purpose for which it is collected.
Information Management
- Any Personal Data must be processed in accordance with:
- the data protection principles;
- the Employer’s policies on data protection generally; and
- the Employer’s other relevant policies.
- All Personal Data collected, used and stored must be:
- adequate, relevant and limited to what is necessary for the relevant purposes; and
- kept accurate and up to date.
- The Employer will take appropriate technical and organisational measures to ensure that Personal Data is kept secure and protected against unauthorised or unlawful processing, and against accidental loss, destruction or damage. These measures include:
- The encryption of Personal Data.
- Any Personal Data and Confidential Information must not be kept any longer than is necessary and will be stored and destroyed in accordance with our policies on data retention.
Human Resources (HR) Information
- Due to the internal confidentiality of personnel files, access to these files and any information contained therein is limited to the HR Department. Non-HR Staff are not authorised to access HR information, except as provided for in any individual roles.
- Personnel information must also be kept strictly confidential by any Staff involved in:
- the recruitment process;
- a management role; or
- a supervisory role.
- Under the UK GDPR and other relevant legislation, Staff may ask to see their personnel files and obtain access to any other Personal Data about them.
Access to Offices and Information
- All office doors, office keys and access codes must, at all times, be kept secure. Office keys and access codes must at no time be given to or communicated to any third parties.
- All documents containing and any equipment displaying Confidential Information should be placed and positioned so that anyone passing by cannot see them (e.g. through office windows or glass doors).
- Any visitors must:
- sign in at reception;
- be accompanied by Staff at all times; and
- not be left alone in areas or situations where they may have access to Confidential Information.
- Meetings with visitors must, where possible, take place in meeting rooms. If a visitor meeting takes place outside a meeting room, in an office or other room containing Employer information, steps must be taken to ensure no Confidential Information is visible and accessible to the visitors.
- All paper documents, backup systems and devices containing Confidential Information must be securely locked away:
- whenever desks are unoccupied; and
- at the end of the working day.
Computers and IT
- Where available on our systems, password protection and encryption must be used to maintain confidentiality.
- All computers and other electronic devices must be password protected. Such passwords must be changed regularly and must not be recorded anywhere (e.g. written down) or made available to others.
- To minimise the risk of accidental loss or disclosure, all computers and other electronic devices must be locked when not in use, including when left unattended at a desk.
- All data held electronically must be securely backed up as soon as possible in accordance with the Employer’s internal backup procedure.
- Confidential Information must not be copied onto removable hard drives, CDs or DVDs, floppy disks or memory sticks, without the express permission of the. Any Personal Data held on such devices must, as soon as possible, be transferred to the Employer’s computer network to be backed up and then deleted from the device.
- Staff must:
- ensure that they do not introduce viruses, malware or other malicious code onto the Employer’s systems; and
- not install, or download from the internet, any software without it first being checked for viruses.
Staff should speak to the for more information and guidance on appropriate steps to be taken to ensure compliance.
Communications and Transfer of Information
- When speaking in public places (e.g. when speaking on a mobile phone), Staff must take care in maintaining confidentiality.
- Confidential Information must be marked ‘strictly private and confidential’ and circulated only to those who need to know the information in the course of their work.
- Confidential Information must not be removed from the Employer’s offices (and systems) unless required for authorised business purposes, and then only in accordance with the subsequent paragraph.
- If the removal of Confidential Information from the Employer’s offices is permitted, all reasonable steps must be taken to maintain the confidentiality and integrity of the information. This includes, but is not limited to, Staff ensuring that Confidential Information is:
- stored with strong password protection, with devices and files kept locked when not in use;
- not transported in see-through or other unsecured bags or cases, when in paper copy;
- not read in public places when working remotely (e.g. in waiting rooms or on trains); and
- not left unattended or in any place where it is at risk (e.g. in airports or conference centres).
- Care must be taken to verify all postal and email addresses before any information is sent to them. Particular care must be taken when checking and verifying email addresses where auto-complete features may have inserted incorrect email addresses.
- Before being sent by email or recorded delivery, all sensitive or particularly confidential information should be encrypted.
Personal Email and Cloud Storage Accounts
- Personal email accounts (e.g. Google, Hotmail and Yahoo) and cloud storage services (e.g. Google Drive, iCloud and OneDrive) are vulnerable to hacking and do not provide the same level of security as the services provided by the Employer’s IT systems.
- Staff must not use personal email accounts or cloud storage accounts for work purposes.
- If large amounts of data need to be transferred, Staff should speak to the.
Working From Home
- Unless required for authorised business purposes, and then only in accordance with the subsequent paragraph, Staff must not take information home with them.
- Where information is permitted to be taken home, Staff must ensure that appropriate technical and practical measures are in place within the home to maintain the continued security and confidentiality of that information. In particular, all Confidential Information and Personal Data must be:
- kept in a secure and locked location, where it cannot be accessed by others (including family members and guests); and
- retained and disposed of in accordance with paragraph 21 above.
- Staff must not store any Confidential Information on their home computers or other devices (e.g. laptops, PCs or tablets).
Transfers to Third Parties
- Third party service providers should only be engaged to process information where appropriate written agreements are in place to ensure that they offer appropriate data protection, confidentiality and information security protections and undertakings. Care must be taken to consider whether any such third party service providers will be considered data processors for the purpose of the UK GDPR.
- Staff involved in the process of setting up new arrangements or altering existing arrangements with third parties should speak to and consult with the for more information and guidance.
International Data Transfers
- There are restrictions on transfers (including onward transfers) of Personal Data to countries or international organisations outside of the UK.
- For more information, please contact the Legal Department.
Training
- The Employer will provide training on the concepts and measures contained in this Policy to all Staff as part of the induction process and at regular intervals thereafter or whenever there is a substantial change in the law or our policies and procedures.
- Training is provided. The completion of such training is compulsory. The Employer will continually monitor training needs but if you feel that you need further training on any aspect of the relevant law or this Policy, please contact the.
Reporting Data Breaches
- All Staff are under an obligation to report actual or potential data protection compliance breaches to enable the Employer to:
- investigate the breach and take any necessary remedial actions;
- maintain a register of compliance breaches; and
- make any applicable notifications (e.g. to the Information Commissioner’s Office).
- For more information on the Employer’s reporting procedure, contact the.
Consequences of Non-compliance
- The Employer takes compliance with this Policy very seriously and failure to comply with this Policy puts Staff and the Employer alike at significant risk.
- Due to the importance of this Policy, failure to comply with any of its procedures and requirements may result in disciplinary action and dismissal.
- If you have any questions or concerns about anything in this Policy, please contact the.
Attribution
- This Information Security Policy was created using a document from Rocket Lawyer (https://www.rocketlawyer.com/gb/en).
About Information Security Policies
Learn more about making your Information Security Policy
How to make an Information Security Policy
Making an Information Security Policy online is simple. Just answer a few questions and Rocket Lawyer will build your document for you. When you have all of the details prepared in advance, making your document is a quick and easy process.
To make your Information Security Policy, you will need the following information:
Employer details
- What is the employer’s name?
- Who has overall responsibility for data protection compliance and what are their details?
Policies
- What policies does the employer have in place?
- Are the employer's policies available online? If so, what are the URLs of the policies?
Security measures
- What security measures are in place to protect personal data?
- Who is responsible for computers and IT?
- How is training on information security delivered?
Data transfers
- Can personal data be transferred outside of the UK?
Common terms in an Information Security Policy
An Information Security Policy is used to set out how a business protects information and ensures that it is kept secure. To do this, this Information Security Policy covers:
Statement of Policy
This section provides a brief overview of the Information Security Policy, why it is being adopted and to whom it applies. It also highlights the fact that all staff members should familiarise themselves with the Policy.
Purpose of Policy
This section provides more detail on why the Information Security Policy is being adopted. Specifically, it highlights that the Policy is crucial for the employer’s data protection compliance. This section also sets out that the Policy does not form part of any employment contracts and can, therefore, be changed by the employer at their discretion.
Roles and responsibilities
This section sets out that all staff members have a responsibility for information security and appoints someone with overall responsibility for the Policy and clarifies what their duties include.
Scope of this policy
This section sets out what forms of information and communication the Policy applies to. It also provides details of any policies which supplement the Information Security Policy.
General principles
This section sets out the general principles of the Information Security Policy, including the importance of maintaining the security of all information.
Information management
This section details how any personal data (ie information about individuals who can be identified from the data, eg names and addresses) must be processed and what steps need to be taken to ensure the safety of this data.
Human resources (HR) information
This section sets out that, due to the internal confidentiality of personnel files, all access to such files will be limited to the HR department.
Access to offices and information
This section details how offices and all information kept in offices is kept secure. It also sets out how visitors should act when on the premises.
Computers and IT
This section sets out how computers and IT systems are kept secure and how the security of any digital information is ensured.
Communications and transfer of information
This section sets out how staff are to ensure the security and confidentiality of communications, especially when not in the office.
Personal email and cloud storage accounts
This section explains that personal email accounts and personal cloud storage accounts should not be used for work purposes. It also highlights that staff members should consult with the relevant department (eg an IT department) if they need to transfer large amounts of data.
Working from home
This section provides details on maintaining information security when staff work from home.
Transfer to third parties
This section sets out when third-party service providers (eg businesses offering cloud storage services) may be engaged. It also clarifies that staff members involved in dealing with third-party service providers should speak to the individual with overall responsibility for data protection compliance before entering into any contracts.
International data transfers
This section sets out whether personal data may be transferred to parties outside the UK (eg to the European Economic Area (EEA)).
Training
This section provides details of the types of training that are provided to staff members. This includes how such training will be delivered and how often.
Reporting data breaches
This section highlights that all staff members have an obligation to report actual or potential data breaches and sets out why this is the case.
Consequences of non-compliance
This section sets out the potential consequences of failing to comply with this Policy. These include disciplinary action and even dismissal.
If you want your Information Security Policy to include further or more detailed provisions, you can edit your document. However, if you do this, you may want a lawyer to review or change the Information Security Policy for you, to make sure it complies with all relevant laws and meets your specific needs. Ask a lawyer for assistance.
Legal tips for making an Information Security Policy
Ensure that the business complies with the commitments made in the Policy
Recording how your business will meet its data protection and information security obligations in writing is a fundamental first step toward compliance. However, simply having an Information Security Policy in place is not enough to demonstrate that you’ve actually complied with your legal obligations. You need to ensure that the steps set out in your Policy are followed. It is, therefore, crucial that you make and follow a clear plan for implementing the Information Security Policy.
Consider what documents are needed to supplement this Policy
This Information Security Policy should be supported by a variety of different documents, depending on your business’ needs. For example:
- a Data protection and data security policy - this is an essential policy setting out the policies and procedures the business complies with when dealing with staff personal information and personal data
- an Employee privacy notice and/or Consultant privacy notice - detailing how the business collects, uses, retains and discloses staff and/or consultants’ personal information. This document allows employers to be transparent and open about the information collected from staff/consultants
- a Communications and use of equipment policy - setting out the rules and procedures for accessing communications and IT equipment and resources and for monitoring staff in the workplace
- a Data processing agreement - ensuring compliance with the UK GDPR whenever any data processing is outsourced to a third-party service provider (a data processor)
- a Data retention policy - setting out for how long the business will keep personal data and how any data will be disposed of when it's no longer needed
- a Working from home policy - setting out the business' approach to home working
- a subject access requests policy - setting out how subject access requests can be made and how the business handles such requests. Ask a lawyer if you need a subject access requests policy
Understand when to seek advice from a lawyer
Ask a lawyer if:
- you work in a regulated sector
- this policy doesn’t meet your needs and you’d like a bespoke version drafted
- you have staff based outside England, Wales and Scotland
Information Security Policy FAQs
What is included in an Information Security Policy?
This Information Security Policy template covers:
- the purpose of the Policy
- who has responsibility for information security
- general principles relating to information security and data protection
- what steps the business takes to protect information, including personal data
- how access to offices is secured
- what computer and IT measures are in place to protect information
- how working from home affects information security
- transfers of information, including international data transfers
- consequences of a breach of this Policy
Why do I need an Information Security Policy?
Having an Information Security Policy in place shows your commitment to ensuring the security of information. This includes protecting your business from security concerns, such as minimising and preventing potential security incidents like leaks and data breaches. It also helps you to comply with the relevant data protection legislation.
Adopting an Information Security Policy also helps you ensure a consistent way of addressing and managing any information security risks your business may face.
For more information, read Information security and cyber security.
What is information security?
Information security (or ‘InfoSec’) is the practice of protecting information held by a business. This includes confidential information (eg trade secrets), personal data (eg customer names and addresses), sensitive personal data (eg information about staff members’ trade union membership or health) and business information (ie business-related information that isn’t personal data).
Information security protects the information a business holds against unauthorised activities (eg unauthorised changes). Further, under the GDPR and the DPA, you may only process (eg receive and store) personal data in a way that ensures the appropriate security of the data. This means adopting certain appropriate security measures to protect personal data. An Information Security Policy helps you comply with these obligations.
For more information, read Information security and cyber security.
Who should be responsible for the Information Security Policy?
While all staff are responsible for information security within your business, one person should have overall responsibility for this Information Security Policy. Who this person should be will depend on your business. They will be either:
- your business’ data protection officer (DPO) - the person in the business with operational responsibility for data protection compliance, or
- a person other than the DPO - this person will need to take practical steps to comply with data protection laws and so should be someone who can understand and apply the relevant legal rules (eg an information security manager)
What are security measures?
Security measures are the steps your business takes to protect information from being accidentally or deliberately compromised. Security measures include:
- organisational measures - ensuring data security within your business (eg having an employee responsible for information security and for entering into data processing agreements)
- technical measures - including physical measures (eg how the workplace is protected) and cybersecurity (eg how network security is ensured)
For more information, read Data protection principles.
What security measures should be in place?
Which security measures are needed to protect information will depend on the specifics of your business. Examples of security measures include:
- encrypting personal data - transforming the personal data so that it can only be read by someone holding the decryption key, so that it stays unreadable if a device or file is lost or stolen. For more information, see the Information Commissioner’s Office’s (ICO’s) guidance
- pseudonymising personal data - removing or replacing the information in personal data that identifies a specific individual (eg replacing a name with a reference number) and keeping the information needed to re-identify them separately and securely. Note that pseudonymised data is still personal data under the UK GDPR for as long as that re-identification information exists. For more information, see the ICO’s guidance
- implementing two-factor authentication (‘2FA’, a form of multi-factor authentication) - securing access to systems and devices by requiring two independent methods of verifying someone’s identity (eg a username and password and, additionally, verification through an authenticator app)
- using strong, unique passwords to protect devices and accounts
- password protecting documents containing sensitive personal data
See the ICO's guidance for more information on password protection and two-factor authentication. Note that the National Cyber Security Centre (NCSC) password guidance recommends against forcing staff to change passwords at fixed intervals; passwords should instead be changed when there is reason to believe they have been compromised.
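As an added example (not part of the Rocket Lawyer template or its guidance), the Python below applies the pseudonymisation measure described above to a constructed customer extract: the direct identifiers are replaced by a reference number derived with a keyed HMAC, the table needed to re-identify people is produced separately, and the same table lets an authorised user reverse the process, which is why the result is still personal data. The field names, records and key are assumptions made for illustration.

```python
"""Pseudonymising personal data with a keyed reference number.

Added example, not part of the Rocket Lawyer template. The records, the
secret key and the field names are constructed for illustration.
"""
import hashlib
import hmac
import secrets

# Fields that identify a person directly and must not appear in the
# pseudonymised copy. (Assumed schema for the constructed sample data.)
DIRECT_IDENTIFIERS = ("name", "email")

# Constructed sample data: a small customer extract.
SAMPLE_RECORDS = [
    {"name": "Alice Smith", "email": "alice@example.com", "city": "Leeds", "spend": 120},
    {"name": "Bob Jones", "email": "bob@example.com", "city": "Leeds", "spend": 45},
    {"name": "Alice Smith", "email": "alice@example.com", "city": "York", "spend": 80},
]


def reference_number(key: bytes, email: str) -> str:
    """Derive a stable reference number from an identifier using HMAC-SHA256.

    A keyed MAC rather than a plain hash: without the key nobody can confirm
    a guess ("is this token alice@example.com?"), which a bare SHA-256 over a
    guessable email address would allow. The same key and input always give
    the same token, so records for one person stay linkable for analysis.
    """
    digest = hmac.new(key, email.strip().lower().encode(), hashlib.sha256).digest()
    return "REF-" + digest[:8].hex().upper()


def pseudonymise(records, key):
    """Return (pseudonymised_records, lookup_table).

    The lookup table maps reference number -> direct identifiers. It is the
    'additional information' in the UK GDPR definition of pseudonymisation and
    must be stored separately from the pseudonymised data and access-controlled.
    """
    pseudonymised = []
    lookup = {}
    for rec in records:
        ref = reference_number(key, rec["email"])
        lookup[ref] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        copy = {f: v for f, v in rec.items() if f not in DIRECT_IDENTIFIERS}
        copy["ref"] = ref
        pseudonymised.append(copy)
    return pseudonymised, lookup


def reidentify(pseudonymised, lookup):
    """Reverse the process with the separately held table (authorised use only)."""
    return [{**lookup[rec["ref"]], **{k: v for k, v in rec.items() if k != "ref"}}
            for rec in pseudonymised]


def demo():
    key = secrets.token_bytes(32)  # keep this in a key store, not with the data
    pseud, lookup = pseudonymise(SAMPLE_RECORDS, key)
    # No direct identifiers remain in the pseudonymised copy.
    assert not any(f in rec for rec in pseud for f in DIRECT_IDENTIFIERS)
    # The two Alice records share a reference number, so analysis can still group them.
    assert pseud[0]["ref"] == pseud[2]["ref"] != pseud[1]["ref"]
    # With the table, the data is fully personal data again.
    assert reidentify(pseud, lookup)[0]["name"] == "Alice Smith"
    # A different key gives different tokens: a leaked pseudonymised set cannot be
    # matched against a guessed email address without the key.
    assert reference_number(secrets.token_bytes(32), "alice@example.com") != pseud[0]["ref"]
    return pseud, lookup


if __name__ == "__main__":
    for row in demo()[0]:
        print(row)
```

Run it with `python3 pseudonymise.py`; the printed rows contain only a reference number, city and spend. The key and the lookup table are what turn the output back into personal data, so both belong under the access controls described in the policy, not alongside the pseudonymised copy.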
To determine what security measures your business should have in place, consider what measures you may need to:
- ensure the ongoing confidentiality, integrity, availability and resilience of business systems (eg computer systems)
- restore the availability of, and access to, information in a timely manner in the event of a physical or technical incident
- test the effectiveness of your business’ security measures
For more information, read Information security and cyber security. Consider using the ICO’s checklist to assess your business’ information security compliance.
What are the consequences of not complying with this Information Security Policy?
If staff don’t comply with the Information Security Policy, they may be subject to disciplinary action (in accordance with your Disciplinary procedure). In certain circumstances, depending on the severity of the situation, non-compliance may result in the dismissal of that person. This applies to all staff, including those who hold senior positions (eg directors).