An information security policy should ideally comply with ISO/IEC 27001. This standard provides best practice recommendations for information security management. The security policy should be defined as part of an organisation's ISO/IEC 27001 Information Security Management System (ISMS).

A security policy that complies with the ISO/IEC 27001 standard should cover the following areas.

  • Security Policy
  • Organisation of Information Security
  • Asset Management
  • Human Resources Security
  • Physical and Environmental Security
  • Communications and Operation Management
  • Access Control
  • Information Systems Acquisition, Development and Maintenance
  • Information Security Incident Management
  • Business Continuity Management
  • Compliance

The suggested contents for an Information Security Policy can be found in the following document. This security policy is from the 2000s.