An Information Security Policy (ISP) describing security objectives, risk appetite, and high-level strategies for information security SHALL be implemented.

Control Type: Administrative

Control Function: Directive

Description: An Information Security Policy is a strategic policy that defines the organization’s cybersecurity objectives and aligns them with overall business objectives and missions. Also known as the Master Cybersecurity Policy, it serves as the single source of truth and direction for developing the remainder of the Information Security Management System (ISMS). Beneath the master policy, issue-specific policies and system-specific policies are constructed to address business security requirements at more granular levels. All senior leadership and relevant stakeholders must be involved in the creation of the Information Security Policy, and agreed-upon business objectives and risk tolerance drive its content. All stakeholders must thoroughly review the policy before publication. Once finalized, the policy should be published to all stakeholders and integrated into the general policy package distributed to employees. The policy should also be made available to the public through avenues such as the company website. Employees should have easy access to the policy in both print and digital formats, and all new hires should become well-versed in the policy as part of their onboarding process. Because every business environment is different, the specific structure of the policy and its stated objectives will vary. Generally, there is a minimum set of points that should be addressed:

  • The overall objectives of the organization’s Information Security Program. Generally, the main objective is to uphold the CIA Triad (confidentiality, integrity, and availability) throughout all business processes and activities.
  • The acceptable level of risk, as determined by senior management.
  • Processes for identifying, reporting, and addressing information security risks.
  • The connection between information security and business planning.
  • Roles and responsibilities regarding information security.
  • A mapping of security controls to the risks they address.
  • Procedures for adapting the entire organization to emerging risks.
  • A mapping of risks to key performance metrics and budgetary goals.
  • The selected key indicators for measuring the effectiveness of the ISMS.