Back to blogCybersecurity

How to write an Information Security Policy (ISSP)?

NRNicolas Renard·July 14, 2026· 8 min read

ANSSI, the French cybersecurity agency, defines the Information Security Policy as the document that formalizes, at management level, the rules, responsibilities and security measures applicable to an organization's information system. Its own ISSP guide stresses a point often overlooked: a policy only has value if it reflects an observed reality. An ISSP copied from a generic template, without a prior assessment, will not withstand an audit or a real incident.

What is an ISSP, concretely?

An ISSP is not an isolated technical document. It is the expression, at management level, of the security requirements the organization imposes on itself, later broken down into operational procedures: access management, backups, incident response. It serves as a shared reference for internal teams, vendors and, where relevant, auditors or cyber insurers, who increasingly ask to review it before agreeing to cover a claim.

Cybersecurity Diagnostic·See a diagnostic preview

The steps to write an ISSP

  1. Carry out a factual assessment of the current state: infrastructure, access management, backups, monitoring, past incidents.
  2. Identify critical assets (data, applications, infrastructure) and the risks associated with each.
  3. Define security rules and objectives per domain, consistent with the identified risks: no rule should be set without an operational justification.
  4. Assign responsibilities (who decides, who applies, who checks) and have the policy validated by management.
  5. Translate the ISSP into operational procedures and tracking indicators.
  6. Review the ISSP at regular intervals and after any significant change (new tool, incident, headcount growth).

The domains an ISSP must cover

DomainWhat to document
Security governanceRoles, responsibilities, security steering committee
Identity and access managementGranting, reviewing and revoking access rights
Vulnerability managementDetection, prioritization and remediation of flaws
Encryption and data protectionData at rest and in transit, key management
AwarenessEmployee training, phishing, best practices
Monitoring and loggingIncident detection, log retention
Business continuityBackups, recovery plan, restore tests

Common mistakes to avoid

  • Writing the ISSP without a prior assessment, by copying a template found online.
  • Setting rules too strict to actually be followed day to day.
  • Never reviewing the ISSP after its first publication.
  • Not involving operational teams in drafting it, which produces a theoretical document disconnected from reality.

An ISSP, however well written, does not protect anything by itself: it sets a framework, not a shield. Its value comes from how consistently it is applied and reviewed, far more than from the quality of the writing. A domain by domain assessment, backed by evidence, remains the best starting point to draft a realistic, enforceable version, rather than a style exercise that will not survive the first incident.

Ready to assess your organization?

Try for free