Executive summary · TL;DR
The information security policy is the foundational document of any information security management system. ISO 27001 demands it (clause 5.2) and so does the ENS (Spanish National Security Framework) through control org.1. This guide explains how to draft a clear, useful, defensible policy and avoids the most common mistakes that turn it into a piece of decoration.
Sources: ISO/IEC 27001:2022 · BOE · Royal Decree 311/2022 · CCN-STIC 805
The information security policy is the foundational document of any information security management system. ISO 27001 requires it (clause 5.2) and so does the ENS (control org.1). However, many organisations have policies that are mere formalities: documents nobody reads, full of generic language and disconnected from day-to-day work. In this guide I show how to write a useful, clear and effective policy.
What is the information security policy?
The information security policy is the document in which the management declares its commitment to information security and establishes the framework for managing it. It is a high-level document, brief (typically 3-5 pages), strategic and approved at the highest level of the organisation.
Mandatory content according to ISO 27001
ISO 27001 (clause 5.2) requires the policy to: be appropriate to the purpose of the organisation, include security objectives or the framework to set them, include the commitment to comply with applicable requirements, include the commitment to continual improvement, be documented and communicated within the organisation, and be available to interested parties when appropriate.
Mandatory content according to the ENS
Control org.1 of the ENS requires the policy to include: the organisation's security objectives, the regulatory framework applicable to the activity, the security roles and the responsibilities for each role, the structure of the security committee, the guidelines for the structuring of system security documentation, and its approval by the highest-ranking authority.
Recommended structure of the policy
An effective policy includes:
- Introduction and scope: brief description of the organisation, scope of the policy (the whole organisation or specific units), and the audience the policy addresses (employees, suppliers, customers).
- Management commitment: explicit declaration of the management's commitment to information security as a strategic value of the organisation.
- Security objectives: high-level objectives such as protecting the confidentiality, integrity and availability of information; complying with legal, regulatory and contractual obligations; maintaining the trust of customers and stakeholders; minimising the impact of security incidents; and ensuring the continuity of critical services.
- Applicable regulatory framework: list of regulations (GDPR, LOPDGDD, ENS, ISO 27001, sector-specific ones) and their relationship with the organisation.
- Roles and responsibilities: management, security committee, CISO, security officer, information owners, system administrators, all staff.
- Security committee: composition, functions, meeting frequency.
- Documentation structure: how policies, procedures, instructions and records are organised.
- Review and update: frequency (annual minimum) and triggers (significant changes).
- Approval: signature and date of approval by the highest authority.
Common mistakes to avoid
Three traps I see repeatedly: drafting it in legal or excessively technical language, when the audience is the whole organisation; making it generic by copy-pasting from a template without adaptation, so nobody recognises themselves in it; and confusing it with the ISMS manual, which is an internal, operational document rather than a strategic one.
The approval process
Approval must come from the highest authority of the organisation (CEO, board, mayor). It is not a formality: it is the source of legitimacy of the entire security framework. Document approval with a formal act (signature, board resolution, ministerial order). Without proper approval, the policy lacks force.
Communication and accessibility
A policy that nobody reads has no effect. Communicate it actively: announcement to all staff with executive sponsorship, mandatory induction of new employees, refresher every two years for all staff, publication on the corporate intranet, and inclusion in the supplier onboarding kit.
Periodic review
Review the policy at least once a year and after any significant change: change of management, regulatory updates, mergers/acquisitions, expansion to new services or sectors, major incidents that reveal gaps. Document the review in the management review meeting, with conclusions and actions.
From policy to operational reality
The policy is just the starting point. From it, develop second-level documents (specific policies on access, classification, suppliers, etc.), third-level documents (procedures, instructions) and fourth-level documents (records, evidence). The pyramid only works if the top — the policy — is clear and aligned with the business.
Authorship: Ángel Ortega Castro · independent consultant on strategy, quality and digitalisation for SMEs.
Frequently asked questions
- What is the information security policy?
- The foundational document in which management declares its commitment to information security and sets out the framework for managing it. ISO 27001 requires it (clause 5.2) and the ENS requires it through control org.1.
- Who must approve the policy?
- The highest authority of the organisation: CEO, board, mayor. Document the approval with a formal act (signature, board resolution, ministerial order).
- How often must the policy be reviewed?
- At least once a year and after any significant change (management change, regulatory updates, mergers, new services, major incidents). Document the review with conclusions and actions.
- How long should the policy be?
- Typically 3-5 pages. It is a high-level strategic document. Operational detail is left to second-, third- and fourth-level documents (specific policies, procedures, instructions and records).
The marketing of the brain is more predictable than the marketing of opinion. — Ángel Ortega Castro