How to Write an Information Security Policy
Step-by-step guide to writing an information security policy covering policy structure, essential components, NIS2 Article 21(2)(a) requirements, DORA ICT security policies, ISO 27001 Clause 5.2 alignment, and review and version control practices.
- 1
The information security policy is the apex document that mandates all subordinate security policies, standards, and procedures — keep it concise and management-focused.
- 2
NIS2 Article 21(2)(a), DORA Article 9, and ISO 27001 Clause 5.2 all require formal information security policies approved by management.
- 3
Write for your audience: plain language, clear structure, and a one-page executive summary ensure the policy is actually read and followed.
- 4
Review policies annually at minimum, plus after significant incidents, regulatory changes, and audit findings — DORA Article 9(3) makes this explicit.
1. Policy Structure and Essential Components
An information security policy is the apex document in your security governance hierarchy. It establishes the organisation's commitment to information security, defines the scope and objectives of the security programme, assigns roles and responsibilities, and provides the mandate for all subordinate policies, standards, procedures, and guidelines. The policy should be concise — typically 10-15 pages — and written for a management audience, not a technical one. It sets direction and boundaries; the technical implementation details belong in subordinate standards and procedures.
A well-structured information security policy contains the following components: a purpose statement explaining why the policy exists and what it aims to achieve; a scope definition clarifying which entities, systems, data, and personnel are covered; a statement of management commitment demonstrating that the management body has endorsed the policy; information security objectives aligned with business objectives; roles and responsibilities for information security governance; a risk management approach describing how security risks are identified, assessed, and treated; a policy compliance section covering monitoring, exceptions, and consequences for non-compliance; a definitions section clarifying key terms; and a document control section covering version history, review schedule, and approval records.
The policy hierarchy matters. The information security policy sits at Level 1. Level 2 comprises topic-specific policies (access control policy, data classification policy, incident response policy, acceptable use policy, etc.). Level 3 contains standards that prescribe specific technical requirements (encryption standards, password standards, hardening baselines). Level 4 contains procedures and guidelines that describe how to implement the standards operationally. This layered structure ensures that the apex policy can remain stable (reviewed annually) while lower-level documents are updated more frequently as technology and threats evolve. Each level should reference its parent, creating a traceable chain from operational procedure to board-approved policy.
2. NIS2 Article 21(2)(a): Policy Requirements
NIS2 Article 21(2)(a) mandates that essential and important entities implement 'policies on risk analysis and information system security' as part of their cybersecurity risk-management measures. This is the first item in Article 21's enumerated list, reflecting the foundational role that policy plays in the Directive's compliance architecture. The Commission Implementing Regulation (EU) 2024/2690 further specifies that the policy must be approved by the management body, communicated to all relevant personnel, and reviewed at regular intervals and following significant incidents or changes.
The NIS2-aligned information security policy must address several areas explicitly. The policy must cover all ten measure categories listed in Article 21(2)(a)-(j), either directly in the apex policy or by reference to subordinate topic-specific policies. The policy must reflect the proportionality principle of Article 21(1), documenting how the organisation's security measures are proportionate to its risk exposure, entity size, incident likelihood, and potential societal/economic impact. The policy must establish the management body's role in approving cybersecurity measures and overseeing their implementation, as required by Article 20. And the policy must address supply chain security as a first-class concern, consistent with Article 21(2)(d).
Member State transposition laws may impose additional policy requirements beyond the Directive's minimum. Germany's NIS2UmsuCG, for example, introduces specific requirements for critical infrastructure operators that may necessitate policy provisions not found in the Directive itself. When drafting your information security policy, review both the Directive and your applicable national transposition law to ensure full coverage. Where your organisation operates across multiple EU Member States, the policy should address the most prescriptive national requirements, with annexes or addenda covering jurisdiction-specific variations where necessary.
NIS2 Article 21(2)(a) lists risk analysis and information system security policies as the first required measure category. The Commission Implementing Regulation further specifies that these policies must be management-body approved, communicated to personnel, and regularly reviewed.
3. DORA ICT Security Policies (Article 9)
DORA Article 9 requires financial entities to establish and implement ICT security policies, procedures, protocols, and tools that are proportionate to the entity's ICT risk exposure. For financial entities subject to both DORA and NIS2, the DORA requirements are more prescriptive and should be treated as the primary compliance target — a policy that satisfies DORA will generally satisfy NIS2, but not necessarily the reverse.
DORA Article 9(1) requires that the ICT security policies define the rules for protecting the confidentiality, integrity, availability, and authenticity of data and ICT assets. Article 9(2) requires that these policies be based on the ICT risk management framework established under Article 6. Article 9(3) requires that the policies be reviewed at least once a year, or after significant ICT-related incidents, and that lessons learned from testing (Article 24-27), participation in threat-led penetration testing (TLPT under Article 26), and actual incidents be incorporated into policy updates. Article 9(4) enumerates specific areas that the ICT security policies must address, including network security management (a), safeguards against intrusion and data misuse (b), access control and authentication (c), ICT change management (d), and patching and updating (e).
The DORA Regulatory Technical Standards on ICT risk management (RTS under Article 15) provide further detail on the expected policy content. Financial entities should structure their ICT security policy documentation to map directly to the RTS requirements, creating a traceable link between each RTS article and the corresponding policy provisions. This mapping serves dual purposes: it ensures completeness during drafting and provides a ready-made compliance matrix for supervisory examinations. The European Supervisory Authorities (ESAs) — EBA, ESMA, and EIOPA — have signalled that ICT security policy documentation will be a focus area in their initial DORA supervisory activities.
DORA Article 9(3) requires that ICT security policies be reviewed at least annually AND after significant incidents, with lessons learned from testing and incidents incorporated. Calendar-based review alone is insufficient — incident-triggered reviews are mandatory.
4. ISO 27001 Clause 5.2: Policy Alignment
ISO 27001 Clause 5.2 requires top management to establish an information security policy that is appropriate to the purpose of the organisation, includes information security objectives or provides the framework for setting them, includes a commitment to satisfy applicable requirements, and includes a commitment to continual improvement of the ISMS. The policy must be available as documented information, communicated within the organisation, and available to interested parties as appropriate.
For organisations pursuing ISO 27001 certification alongside NIS2 and DORA compliance, the information security policy serves as the unifying document that demonstrates alignment across all three frameworks. Structure the policy to address ISO 27001's ISMS scope and context requirements (Clauses 4.1-4.4), which naturally incorporate the entity classification and risk context required by NIS2, and the ICT risk management framework required by DORA. The policy's risk management section should reference the risk assessment methodology (ISO 27001 Clause 6.1.2), the risk treatment plan and Statement of Applicability (ISO 27001 Clause 6.1.3), and the mapping of selected Annex A controls to NIS2 Article 21 measures and DORA Article 9 requirements.
ISO 27001's 2022 revision reorganised Annex A controls into four themes (Organisational, People, Physical, Technological) with 93 controls. The information security policy should reference the Statement of Applicability as the definitive list of controls implemented, rather than attempting to enumerate all 93 controls within the policy itself. This keeps the apex policy stable and maintainable — the Statement of Applicability and subordinate topic-specific policies handle the control-level detail. Certification auditors will assess whether the policy meets Clause 5.2's requirements and whether it is effectively communicated and understood, not whether it contains every operational detail.
5. Practical Drafting: Writing a Policy That Works
The most common failure in information security policy drafting is producing a document that satisfies auditors but is ignored by the organisation. A policy that no one reads, understands, or follows provides zero security value regardless of how comprehensively it addresses regulatory requirements. Write for your audience: the information security policy should be understandable by non-technical management body members, line managers, and general employees. Use plain language, avoid jargon where possible, and where technical terms are necessary, define them in a glossary section.
Structure the policy for readability and navigability. Use numbered sections with descriptive headings. Keep paragraphs short (3-5 sentences). Use tables for role-responsibility matrices. Include a one-page executive summary at the front of the document that a board member can read in three minutes. Cross-reference subordinate policies by name and document number so that readers can find the detailed guidance they need. Many organisations produce both a full policy document (for governance and audit purposes) and a condensed policy summary (for communication and training purposes) — this dual-format approach improves both compliance and awareness.
Avoid common drafting pitfalls. Do not copy-paste framework language verbatim into your policy — regulators and auditors can tell the difference between adopted language and understood language. Do not make the policy so aspirational that it describes a security programme you do not have — a policy that claims 24/7 SOC monitoring when you have no SOC creates a compliance gap, not a compliance document. Do not include technology-specific details that will become outdated — the policy should reference capabilities (e.g., 'multi-factor authentication for all remote access') rather than products (e.g., 'RSA SecurID tokens for VPN access'). And do not skip the exception management section: every policy needs a formal process for requesting, approving, documenting, and time-bounding exceptions, because real-world operations inevitably require them.
Produce both a full policy document (for governance and audit) and a condensed policy summary (for employee communication and training). The full document satisfies regulatory requirements; the summary ensures the policy is actually read and understood.
6. Review Cadence and Version Control
Policy review is not a formality — it is the mechanism that keeps your security governance aligned with evolving threats, regulatory changes, and organisational developments. Establish a formal review cadence: annual review at minimum (ISO 27001 Clause 5.2 and DORA Article 9(3) both require this), with triggered reviews following significant security incidents, material changes to the threat landscape, organisational restructuring, regulatory updates (such as new NIS2 implementing regulations or DORA RTS), and findings from internal or external audits.
Implement rigorous version control for all policy documents. Each version should carry a version number (semantic versioning — e.g., v2.1 — is clearer than date-based versioning alone), the date of approval, the identity of the approving authority (management body member or governance committee), a change log summarising what was modified and why, and the next scheduled review date. Store all policy versions in a document management system that preserves the full version history — supervisory authorities may request evidence of how the policy has evolved over time, and the ability to produce any historical version on demand demonstrates mature document governance.
Communication is the final critical step after each review cycle. A reviewed and updated policy that sits in a document management system without being communicated provides no value. Establish a communication protocol: notify all personnel when a policy is updated, highlight material changes, require acknowledgement from management body members and key security personnel, and update training materials to reflect policy changes. Track policy acknowledgement rates as a governance metric — regulatory frameworks increasingly expect organisations to demonstrate not just that policies exist, but that personnel are aware of them. For NIS2 Article 21(2)(g), basic cyber hygiene practices and cybersecurity training should include policy awareness as a standing component.
How long should an information security policy be?
The apex information security policy should typically be 10-15 pages. It should set direction, assign responsibilities, and reference subordinate policies — not contain every operational detail. Topic-specific policies (access control, incident response, data classification, etc.) should be separate documents of 5-10 pages each. The total policy suite may run to 50-100 pages across all documents, but no single document should try to cover everything. Length is less important than clarity: a concise policy that is read and understood provides more security value than a comprehensive one that sits unread.
Does the management body need to approve the information security policy?
Yes, this is a requirement across all three frameworks. NIS2 Article 20 requires management body approval of cybersecurity risk-management measures. DORA Article 5(2)(a) requires the management body to approve the ICT risk management framework including policies. ISO 27001 Clause 5.2 requires top management to establish the policy. Document the approval with dated signatures or board minutes that record the approval decision, the version approved, and the names of approving members.
How do we handle policy requirements across multiple EU jurisdictions?
If your organisation operates across multiple EU Member States, draft a single group-level information security policy that addresses the most prescriptive requirements from any applicable jurisdiction. Use annexes or addenda for jurisdiction-specific provisions (e.g., sector-specific requirements from the German NIS2UmsuCG or the French national transposition). The group policy should explicitly state its geographic scope and identify the regulatory frameworks it addresses in each jurisdiction. This approach ensures consistency while accommodating national variations.
What is the relationship between the information security policy and a cybersecurity strategy?
The cybersecurity strategy is a forward-looking document that describes where the organisation wants to be in terms of security maturity, capability development, and risk posture over a 2-3 year horizon. The information security policy is the governance document that establishes the current rules, responsibilities, and requirements. The strategy informs the policy (e.g., a strategic decision to adopt zero-trust architecture should be reflected in policy updates), but they serve different purposes. Both are expected by supervisory authorities — the strategy demonstrates direction, the policy demonstrates governance.
Should we use a policy template or write from scratch?
Starting from a reputable template (such as those published by ENISA, national cybersecurity agencies, or aligned with ISO 27001) is sensible — it ensures structural completeness and saves time. However, the policy must be substantively customised to reflect your organisation's actual risk profile, regulatory obligations, governance structure, and operational context. Auditors and supervisors can immediately identify a template that has been adopted without tailoring. Use templates as a structural starting point, but write the content to reflect your organisation's genuine security programme.
Ready to Operationalise This?
Turn this guide into working compliance workflows. Create an account or schedule a personalised demo.