LOGBOOK

HELP

Quiz Entry - updated: 2026.06.29

What does a real Information Security Policy statement look like, and what are its characteristic elements?

A short CEO-signed statement that commits the company to documented security, assigns responsibility to every employee, and explicitly links to the supporting document set.

The example below is an English-tradition ("anglo-american") Enterprise Information Security Policy (EISP) — the top-tier statement that sits above the more granular issue- and system-specific policies, the counterpart to the German Politik at the apex of the document pyramid.

Characteristic elements from the template:

  • Compliance anchor: the company operates within a documented IS policy "to comply with all statutory, regulatory and contractual requirements" and to protect company, client, and employee interests
  • Not stand-alone: the statement explicitly says it is supported by detailed process operating procedures and work instructions (WI) — the pyramid in action
  • Maintenance: maintained by audit and review — the KVP loop, in writing
  • Concrete usage rules referenced: control of documents, computers, mobile devices, mail/voice/fax against unauthorized use
  • Employee responsibility: all employees responsible not to compromise the company (defamatory e-mail, unauthorized purchases…); awareness that e-mail/fax confidentiality "may not be guaranteed"
  • Sanctions: internet restricted to business use; breaches → disciplinary action
  • Named accountability: a manager responsible for IS and for training employees
  • Personal commitment: ends with the leader's signed commitment, making security "the responsibility of every individual employee"

Tip: Templates (e.g. templatelab.com's security policy collection) are legitimate starting points — but every clause must be adapted: a policy promising controls you don't have is an audit finding, not protection.

From Quiz: ISM / Policies, Concepts & Guidelines | Updated: Jun 29, 2026