UK Information Security Policy Template
A UK information security policy is the top-level document, signed by leadership, that anchors every other security control. It is required by ISO 27001:2022 Clause 5.2, expected by UK GDPR Article 32, and treated as the foundation control under SOC 2 CC1.4. We've helped UK SMEs use this policy as the auditor-friendly entry point; in our experience, the mistake is treating it as boilerplate. Good UK information security policies are short, signed by the named CEO or board, and reviewed at least annually with documented evidence. The ICO recorded over 12,000 personal-data breach notifications in 2023–24; in over 60% of these the controller had no documented information security policy or had a stale one.
Available in the Startup Essentials pack
15 policies · £400 one-off
Lifetime access · bespoke to your organisation · statute-cited
What is a UK information security policy?
Quick answer. A UK information security policy is the top-level statement of leadership commitment, scope, and security objectives — the document that auditors read first. It is required by ISO 27001 Clause 5.2 and Annex A.5.1, expected by UK GDPR Article 32, and aligned with the NCSC 10 Steps to Cyber Security.
The information security policy serves three roles simultaneously. First, it is the top-level statement of management intent — the document signed by the CEO or Board that says the organisation takes security seriously and authorises the resources needed to deliver it. ISO 27001 auditors will not move past Stage 1 without this. Second, it is the umbrella document under which every other security policy (access control, acceptable use, cryptography, incident response, etc.) operates. The downstream policies are operational; the information security policy is constitutional. Third, it is the scope statement for the Information Security Management System (ISMS) — defining which business functions, locations, and information assets are in scope for the certification or attestation, and which are explicitly out of scope. Get this clause wrong and the entire ISMS scope is invalidated.
Who needs a UK information security policy?
Quick answer. Every UK organisation handling personal data, customer data, or operating regulated systems. Critical for: ISO 27001 candidates (auditor asks at Stage 1), SOC 2 Type I/II (CC1.4), UK GDPR controllers and processors, financial services firms (FCA SYSC 13), healthcare (NHS DSP Toolkit), public-sector contractors (HMG SPF, Cyber Essentials Plus), and any business pursuing enterprise B2B contracts where vendor security questionnaires demand a documented policy.
The threshold is set by what the organisation does, not by company size. A 10-person SaaS handling enterprise customer data faces the same procedural test as a 1,000-person bank. The first time a vendor risk questionnaire arrives, the question "Do you have a documented information security policy reviewed by leadership annually?" is binary — yes or no — and a missing policy is an automatic deal-stop with enterprise prospects. Beyond commercial pressure, regulatory pressure makes the policy effectively mandatory for any UK SME pursuing FCA-regulated activity, NHS work, government contracts above the Crown Commercial Service threshold, or any operation in scope of NIS2 (financial services, energy, water, transport, health, digital infrastructure, MSPs). The Cyber Essentials certification scheme assumes one exists.
What must a UK information security policy include?
Quick answer. Eight clauses align with ISO 27001:2022 Annex A.5.1: leadership statement and approval signature, scope of the ISMS, security objectives mapped to business goals, defined roles and responsibilities, the policy hierarchy (this policy as umbrella for downstream policies), legal and regulatory commitment (UK GDPR, sector rules), continuous improvement commitment, and named ownership with annual review cadence.
- Leadership statement and signed approval.
- Scope of the ISMS — named business functions, locations, and information assets.
- Security objectives mapped to business goals.
- Roles and responsibilities — ISMS Manager, named CISO/SIRO, all-employee duties.
- Policy hierarchy — cross-references to access control, AUP, incident response, BCP, cryptography, supplier security, and data classification policies.
- Legal and regulatory commitment — UK GDPR Article 32, sector rules (FCA, NHS, NIS2), contractual obligations.
- Continuous improvement and ISMS review cadence (Clause 9.3 Management Review, Clause 10.1 continual improvement).
- Named ownership and annual review (with version stamping and effective date).
How does this map to UK security regulation?
Quick answer. The information security policy maps directly to ISO 27001:2022 Clause 5.2 and Annex A.5.1; satisfies the "appropriate organisational measures" requirement of UK GDPR Article 32; is treated as a CC1.4 prerequisite under SOC 2; and is the foundation control under the NCSC 10 Steps to Cyber Security.
In an ISO 27001:2022 audit the information security policy is one of the first three documents the auditor requests (along with the Statement of Applicability and the Risk Treatment Plan). For SOC 2, it appears in CC1.4 and CC5.3 control test work. For UK GDPR Article 32 enforcement, the ICO's expectation is that "appropriate organisational measures" include a documented information security policy with named ownership, version control, and evidence of annual review. The same document serves all three regimes simultaneously when written correctly. Cross-reference: this policy is the umbrella under which the access control policy (covered inside the information security policy), the business continuity policy, the disciplinary policy (for security incident handling), and the cookie policy all operate.
Related UK security resources
Security Framework
11 cert-ready ISO 27001 policies for UK SMEs — the certification path.
Disciplinary & Grievance Policy UK
ACAS Code-aligned procedural backbone for UK employers
Startup Essentials pack
16 ISO 27001-aligned policies including this one — lifetime ownership.
All Security Policies
Browse the full security policy catalogue
Frequently asked questions
Is an information security policy legally required in the UK?
Not under a single named statute, but UK GDPR Article 32 requires "appropriate technical and organisational measures" for personal data security, and the ICO treats a written information security policy as the baseline organisational measure. ISO 27001:2022 Clause 5.2 explicitly requires one. SOC 2 CC1.4 treats it as a prerequisite. NIS2-regulated firms (financial services, energy, water, health, digital infrastructure) face explicit policy requirements under sector rules. In practice every UK SME above 10 employees needs one, both for regulatory compliance and to satisfy enterprise customer questionnaires.
How long should an information security policy be?
Short. ISO 27001 auditors strongly prefer a 2-4 page policy that states intent, scope, objectives, roles, and review cadence, with operational detail pushed down to specific subsidiary policies (access control, AUP, incident response, etc.). A 30-page document covering everything tends to go unread and untrained-on; a 3-page document signed by the CEO with annual evidence of review is the standard auditors want.
Who should own the information security policy?
A named senior leader — typically the CISO, Head of Information Security, or in smaller organisations the COO or CTO. The policy must be approved and signed by a more senior leader (CEO or Board) to satisfy ISO 27001 Clause 5.1 leadership commitment. Day-to-day ownership (review, updates, distribution) sits with the named owner; signed authorisation sits with the CEO/Board.
Just need this one policy?
Buy the Information Security Policy template on its own — bespoke to your business, statute-cited, audit-ready. Lifetime access, no subscription.
£49.99
Get this single policy →
Get a UK-aligned information security policy in 48 hours
Available in the Startup Essentials pack — bespoke policies for £400, lifetime ownership.
Get Started — £400