Information Security Policy Template for Indian Companies

Why an ISP Is Required

Multiple regulatory and contractual drivers require an Information Security Policy. ISO 27001:2022 clause 5.2 explicitly requires top management to establish an information security policy. RBI Cyber Security Framework requires board-approved cyber security policy. SEBI, IRDAI similar. DPDP Act implicitly through reasonable security safeguards expectation. SOC 2 CC1 and CC2 directly reference security policy. Customer security questionnaires almost universally ask for security policy evidence.

The ISP is the document that makes management commitment visible. Without it, every other security activity exists in a vacuum and audits raise immediate findings.

Mandatory ISP Content

• Purpose: why the policy exists
• Scope: which entities, locations, systems, processes, personnel are covered
• Policy statement: management commitment to information security and protection of information assets
• Objectives: high-level security objectives the organisation pursues
• Roles and responsibilities: CISO, ISMS owner, control owners, every employee's general responsibility
• Applicable laws and regulations: list of legal and regulatory obligations the organisation respects
• Information classification: data categories (public, internal, confidential, restricted) with handling requirements per category
• Acceptable use: how employees may use information systems, equipment, internet, email, social media, AI tools
• Access management: how access is granted, reviewed and revoked
• Incident reporting: how to report a suspected incident, who handles it
• Compliance and disciplinary action: consequences of non-compliance
• Review and update: cadence of policy review and approval
• Effective date and version control: history of changes and current effective date

Policy, Standard, Procedure, Guideline

Information security documentation is structured as a hierarchy. Each level has a specific role:

Policy: what we do and why. High-level, principle-driven, rarely changes. Approved by management.

Standard: specific requirements. Mandatory, technology-agnostic where possible. Examples: password length standard, encryption standard, logging standard. Approved by ISMS owner or equivalent.

Procedure: step-by-step how. Operational, may change as tools change. Examples: how to provision a new user, how to respond to an incident. Approved by process owner.

Guideline: recommended approach, not mandatory. Provides flexibility for situations where one-size-fits-all does not work.

Many Indian organisations conflate policy with procedure, producing 60-page Information Security Policies that nobody reads. The discipline of separating the layers is what makes documentation usable.

Practical Template Structure

Length target: 15 to 25 pages. Above 30 pages, split into supporting standards. Below 10 pages, likely missing required content.

• Section 1 Purpose and Scope
• Section 2 Policy Statement (management commitment)
• Section 3 Roles and Responsibilities
• Section 4 Information Classification
• Section 5 Acceptable Use
• Section 6 Access Management
• Section 7 Data Protection
• Section 8 Network and Device Security
• Section 9 Software and Vulnerability Management
• Section 10 Cloud and Third-Party Services
• Section 11 Physical Security
• Section 12 Incident Reporting
• Section 13 Business Continuity
• Section 14 Training and Awareness
• Section 15 Compliance and Disciplinary Action
• Section 16 Review and Update
• Annex A Definitions
• Annex B Related Standards and Procedures (cross-reference)

Policy Review and Maintenance

ISO 27001 clause 5.2 requires the policy to be reviewed at planned intervals and when significant changes occur. Annual review minimum. Plus triggered review on material organisation change (M&A, new product, new regulator, significant cyber incident).

Review process: ISMS owner drafts updates, security committee reviews, senior management approves. Version control maintained. Old versions retained for evidence trail. New versions communicated to all staff with acknowledgement collection.

Communicating the Policy

Every employee, contractor and third-party with access to information assets must be aware of the policy. ISO 27001 clause 7.4 (communication) makes this an explicit obligation. Evidence required.

Practical implementation: induction training for new joiners includes ISP overview, annual mandatory refresher for all staff (often delivered through LMS), policy made accessible on intranet or document management system, acknowledgement signature collected at induction and after major revisions, communication of changes through company-wide channels.

Acknowledgements (digital or paper) are part of the auditor's evidence sample. Indian organisations frequently have the policy but cannot produce acknowledgement records. The records are essential.

Common Gaps in Indian ISP Documentation

Recurring findings in our gap assessments: ISP exists but has not been reviewed in 2+ years, ISP and procedures conflated into one 60-page document nobody reads, missing acceptable use sections covering modern realities (AI tools, social media, BYOD, remote work), incident reporting section not aligned with current IR plan, classification scheme defined but not used in practice, missing acknowledgement records, training records not retained, version control patchy, distribution to contractors and third parties skipped.

Most of these are operational fixes rather than rewrites. A focused ISP refresh engagement (4 to 6 weeks) typically closes them. Codesecure delivers ISP refresh as a standalone engagement or as part of broader ISO 27001 readiness.