How to write an Information Security Policy (ISSP)?
ANSSI, the French cybersecurity agency, defines the Information Security Policy as the document that formalizes, at management level, the rules, responsibilities and security measures applicable to an organization's information system. Its own ISSP guide stresses a point often overlooked: a policy only has value if it reflects an observed reality. An ISSP copied from a generic template, without a prior assessment, will not withstand an audit or a real incident.
What is an ISSP, concretely?
An ISSP is not an isolated technical document. It is the expression, at management level, of the security requirements the organization imposes on itself, later broken down into operational procedures: access management, backups, incident response. It serves as a shared reference for internal teams, vendors and, where relevant, auditors or cyber insurers, who increasingly ask to review it before agreeing to cover a claim.
Cybersecurity Diagnostic·See a diagnostic preview
The steps to write an ISSP
- Carry out a factual assessment of the current state: infrastructure, access management, backups, monitoring, past incidents.
- Identify critical assets (data, applications, infrastructure) and the risks associated with each.
- Define security rules and objectives per domain, consistent with the identified risks: no rule should be set without an operational justification.
- Assign responsibilities (who decides, who applies, who checks) and have the policy validated by management.
- Translate the ISSP into operational procedures and tracking indicators.
- Review the ISSP at regular intervals and after any significant change (new tool, incident, headcount growth).
The domains an ISSP must cover
| Domain | What to document |
|---|---|
| Security governance | Roles, responsibilities, security steering committee |
| Identity and access management | Granting, reviewing and revoking access rights |
| Vulnerability management | Detection, prioritization and remediation of flaws |
| Encryption and data protection | Data at rest and in transit, key management |
| Awareness | Employee training, phishing, best practices |
| Monitoring and logging | Incident detection, log retention |
| Business continuity | Backups, recovery plan, restore tests |
Common mistakes to avoid
- Writing the ISSP without a prior assessment, by copying a template found online.
- Setting rules too strict to actually be followed day to day.
- Never reviewing the ISSP after its first publication.
- Not involving operational teams in drafting it, which produces a theoretical document disconnected from reality.
An ISSP, however well written, does not protect anything by itself: it sets a framework, not a shield. Its value comes from how consistently it is applied and reviewed, far more than from the quality of the writing. A domain by domain assessment, backed by evidence, remains the best starting point to draft a realistic, enforceable version, rather than a style exercise that will not survive the first incident.
Related diagnostic
Ready to assess your organization?
Try for free