Purpose
This policy defines how [Organisation] protects the confidentiality, integrity and availability of the information it holds, and sets the expectations that all supporting policies and controls derive from.
Scope
This policy applies to all employees, contractors, third parties and systems that access, process, store or transmit [Organisation] information, regardless of location or device.
Policy statements
- Information is classified and handled according to its sensitivity.
- Access to information is granted on a least-privilege, need-to-know basis and reviewed periodically.
- Security controls are risk-based, documented and monitored for effectiveness.
- All personnel complete security awareness training and are accountable for protecting information.
- Security incidents are reported, investigated and remediated through a defined process.
- Compliance with applicable laws, regulations and contractual obligations is maintained at all times.
Roles & responsibilities
- Management: approves the policy, allocates resources and owns overall accountability.
- Information Security / CISO: maintains the ISMS, controls and risk register.
- All staff: comply with this policy and report suspected incidents promptly.
Enforcement
Violations may result in disciplinary action up to and including termination, and where relevant, legal action.
Review
This policy is reviewed at least annually, or after any significant change, and approved by management.
Template provided by CyberSigma for adaptation. Replace bracketed placeholders and tailor to your environment before adopting. This is guidance, not legal advice.
