In any company dealing with sensitive data, information security plays a central role. But how can clear guidelines be established without getting lost in too many details? This is where a global information security guideline comes into play. This document sets out general rules that apply to all employees, business partners, and service providers.
The key point is that the guideline provides a framework only. It doesn't specify in detail which measures need to be implemented individually. Instead, it offers a clear structure that all areas of the company can follow. Specific instructions and processes – such as risk assessments or how to handle incidents – are covered in subsequent policies, work instructions, or specialized documents.
A crucial aspect of the guideline is preventing unauthorized access to information and protecting against threats. This involves not only technical measures but also organizational and personnel-related actions. A guideline of this kind is intentionally kept open, allowing it to be applied flexibly across various parts of the company.
This ensures that all stakeholders – from employees to external service providers – understand their responsibilities and know the basic security requirements that must be followed.
Below is an example of a global information security policy...
Information security policy
Table of contents
Introduction
Scope
References
Information Security Objectives
  Confidentiality
  Integrity
  Availability
Company-specific Information Security Goals
  Ensuring business continuity
  Protection of corporate assets
  Maintaining the company’s reputation
  Compliance with legal and contractual requirements
  Minimizing risks and costs in the event of damage
Roles and Responsibilities
  Management
  Information Security Officer
  Information Security Working Group
  Executives
  Employees
Risk Management
  Identification of risks
  Risk assessment
  Risk treatment
  Risk communication and reporting
  Continuous risk assessment and improvement
Security Measures
  Organizational measures
  Personnel measures
  Physical measures
  Technological measures
Training and Awareness Raising
  Regular training
  Awareness-raising measures
  Training new employees
  Responsibility of managers
  Review and further development of the training program
Monitoring and Audits
  Monitoring security measures
  Internal audits
  External audits
  Reporting and measures
  Continuous improvement
Compliance with Legal and Contractual Requirements
  Data protection requirements
  Industry-specific regulatory requirements
  Contractual obligations
  Monitoring legal compliance
  Training and awareness raising
Violations and Sanctions
  Definition of violations
  Procedure in case of violations
  Sanctions
  Reporting violations
  Preventive measures
Continuous Improvement
  Regular review of security measures
  Adaptation to new risks
  Feedback and lessons learned
  Training and awareness programs
  Technological and organizational innovations
Validity and Entry into Force
  Review of the guideline
  Adjustments and updates
  Communication of changes
  Storage and access
Introduction
Information security is crucial to the success and competitiveness of a company. In an increasingly connected and digital world, companies must ensure that their information, whether digital, on paper or in any other form, is protected from threats. Information security does not only concern technological aspects, but encompasses all areas of the organization.
This guideline serves as a framework for systematically managing information security in our company. It defines the key principles and objectives of information security that are binding for all employees, business partners and service providers. Protecting confidential information, ensuring data integrity and the availability of IT systems are central components of our approach.
Compliance with this policy ensures that legal, regulatory and contractual requirements are met, protects the company's reputation and minimizes risks that may arise from the loss, damage or disclosure of information.
Our goal is to establish and maintain an information security management system that is continuously improving and responds flexibly to new threats. All employees and partners are called upon to make their contribution to information security and to support the measures defined in this guideline.
Scope
This information security policy applies to all employees, business units, subsidiaries and external service providers who handle the company's information in any way. It covers all types of information, regardless of whether it is in digital, physical or other form.
The principles and measures defined in this guideline are binding for everyone who works with sensitive data or critical IT systems. In addition to employees, this also includes partners and suppliers who have access to company information as part of their contractual obligations.
The specific scope of the information security management system (ISMS) is defined in detail in a separate scope document. That document describes which processes, systems and locations are included in the ISMS and is crucial for the implementation and monitoring of the security measures described here. The scope document must be reviewed regularly and adjusted if necessary to ensure that it takes current risks and organizational changes into account.
References
| Document | Description | Responsible |
|---|---|---|
| ISMS Scope | Defines the scope of the ISMS. | Senior Management / Information Security Officer |
| Information Security Risk Management Policy | Policy that defines the procedures and processes for managing information security risks. | Information Security Officer |
| Incident management policy | Documents the procedures for reporting, investigating and responding to security incidents. | Information Security Officer |
| Privacy Policy | Policy on compliance with the General Data Protection Regulation (GDPR) and on the protection of personal data. | Data Protection Officer |
| Information security training concept | Describes the training program and awareness-raising measures for employees. | Human Resources / IT Department |
| Legal and contractual register | Includes information security-related purchasing terms and conditions, project specifications, customer contracts, service level agreements (SLAs), non-disclosure agreements (NDAs) and other legal obligations. | Legal department / Contract Management |
| Internal audit procedure | Describes the process for conducting internal audits to review information security policies and controls. | Information Security Officer |
| Reporting security incidents | Defines the processes for documenting and reporting security incidents. | Information Security Officer |
| Protocol for the management review | Documents the results of management reviews, including security risk assessments and audit results. | Senior Management / Information Security Officer |
Information Security Objectives
In the context of information security, the following global goals form the basis for all security measures in the company. These goals are generally recognized and essential for the protection of information. They serve as the basis for concrete measures in the information security management system (ISMS).
Confidentiality
Confidentiality ensures that information is only accessible to authorized persons. It involves protecting sensitive data from unauthorized access or disclosure. This includes protecting personal data, confidential business documents and other classified information, regardless of the storage or transmission medium.
Integrity
Integrity ensures the accuracy, completeness and consistency of information throughout its lifecycle. It ensures that data is not altered without authorization or inadvertently. Protecting the integrity of information is critical to maintaining trust in our systems and processes and to making informed decisions.
Availability
Availability ensures that authorized users have access to information and the corresponding resources at all times. This includes ensuring the operation of IT systems, protecting against data loss through backups and contingency plans, and minimizing downtime to ensure business continuity.
Company-specific Information Security Goals
In addition to the global information security objectives, such as confidentiality, integrity and availability, the company defines specific objectives that are tailored to the particular requirements and risks of our business operations. These objectives ensure that information security measures are consistent with the company's strategic interests and legal requirements.
Ensuring business continuity
The continuous availability of IT-supported business processes is crucial to minimize operational disruptions and ensure the company's performance. Appropriate emergency plans and recovery strategies are intended to maintain business operations even in crisis situations.
Protection of corporate assets
Protecting the company's tangible and intangible assets, such as intellectual property, customer data and technical know-how, is of the highest priority. All relevant information is classified according to its importance and protected by appropriate measures.
Maintaining the company’s reputation
The company's reputation is an essential intangible asset that must be safeguarded by protecting sensitive information and preventing security incidents. Preventive measures must be in place so that security incidents do not undermine the trust of customers or partners.
Compliance with legal and contractual requirements
The company is committed to complying with all legal and regulatory requirements in the area of information security. This includes in particular the protection of personal data in accordance with the General Data Protection Regulation (GDPR) and compliance with contractual obligations towards business partners and customers.
Minimizing risks and costs in the event of damage
The implementation of preventive security measures is intended to reduce the risk of a security incident. In the event of damage, efficient emergency measures are intended to minimize the financial impact and operational interruptions. This also includes the regular review and improvement of existing security measures.
Roles and Responsibilities
The successful implementation and maintenance of information security in the company requires a clear definition of roles and responsibilities. Everyone involved, from management to individual employees, bears an important responsibility with regard to the protection of information. This chapter defines the key roles and their tasks within the framework of information security management.
Management
Management has the ultimate responsibility for information security in the company. It approves the information security policy, provides the necessary resources and monitors the implementation of security measures. Management decides on the acceptance of risks and is responsible for compliance with legal and regulatory requirements.
Information Security Officer
The information security officer is responsible for the development, implementation and continuous improvement of the information security strategy. This role coordinates the measures to ensure the confidentiality, integrity and availability of information. The information security officer also supports management in risk assessment and advises all departments on information security issues.
Information Security Working Group
The information security working group consists of representatives from the relevant company departments (e.g. IT, legal, data protection, auditing). It meets regularly to discuss security issues, coordinate measures and analyze security incidents. The working group ensures uniform implementation of information security guidelines and contributes to the continuous improvement of security measures. Decisions in this committee are made jointly, and in the event of a dispute, management retains the final decision-making authority.
Executives
Executives are responsible for ensuring that information security policies are implemented in their respective departments. They ensure that employees comply with security regulations and that all necessary measures are taken to ensure the security of information within their area. They work closely with the information security officer on security-related issues.
Employees
Every employee is responsible for following the information security policy and applying the security measures made available to them. Employees are obliged to report security-related incidents immediately and to help implement protective measures. They play a crucial role in ensuring compliance with security standards in daily operations.
Risk Management
Risk management plays a central role in ensuring information security in the company. The aim is to systematically identify and assess risks and take appropriate measures to ensure the protection of information. The procedure is described in detail in the Information Security Risk Management Policy, which, as a stand-alone document, regulates all risk management processes and procedures.
Identification of risks
Risks are identified in accordance with the information security risk management policy. This involves identifying all potential threats and vulnerabilities that could endanger the confidentiality, integrity or availability of information. Risks include technological vulnerabilities as well as human and organizational factors.
Risk assessment
Once risks have been identified, they are assessed according to their likelihood and potential impact on the company. The information security risk management policy sets out the assessment criteria and risk categories used to classify risks as low, medium or high. This assessment forms the basis for prioritizing risks and deciding on measures.
Risk treatment
Based on the risk assessment, risk treatment measures are defined. The policy describes how risks can be treated by avoiding, reducing, transferring or accepting them. The measures include preventive security precautions, such as technical controls, organizational measures or employee training. The information security officer monitors the implementation of the measures in cooperation with the specialist departments.
Risk communication and reporting
Communication about identified risks and the measures taken to address them is carried out on an ongoing basis to management and relevant departments. The Information Security Risk Management Policy specifies how this reporting is ensured through regular risk reviews and audits to promote transparency and enable informed decisions.
Continuous risk assessment and improvement
Risk management is a dynamic process that is regularly reviewed and adjusted. The information security risk management policy describes how new threats and changes in the company environment are integrated into the ongoing risk assessment. The aim is to continuously improve the risk management process and adapt it to current developments.
Security Measures
To ensure comprehensive protection of company information, the company implements a series of security measures aimed at ensuring the confidentiality, integrity and availability of information and minimizing risks. The specific measures are defined in detail in downstream policies, work instructions, concepts and processes and are regularly reviewed and updated to meet current threats.
Organizational measures
Organizational measures include policies, processes and procedures that control and monitor information security in the company. These create the organizational framework and define responsibilities to achieve the security objectives.
Personnel measures
Personnel measures focus on training and raising awareness among employees so that they can understand information security requirements and implement them in practice. These measures aim to minimize human error and create awareness of security aspects.
Physical measures
Physical measures protect corporate resources and information from unauthorized physical access. They include protecting buildings, facilities and equipment to ensure that information is safe even from physical threats.
Technological measures
Technological measures include the use of technical solutions and controls that ensure the confidentiality, integrity and availability of information. These include the protection of networks, controlled data access and the use of encryption technologies.
Training and Awareness Raising
The security of information in the company depends to a large extent on the awareness and behavior of employees. To maintain security awareness and ensure that all employees understand and can implement the applicable security policies and procedures, a comprehensive training and awareness program is carried out.
Regular training
All employees of the company are required to attend regular information security training. These training sessions are conducted at least annually and are aimed at new employees as well as existing employees to inform them of current security risks, best practices and changes in policies.
Awareness-raising measures
In addition to formal training, continuous awareness-raising measures are implemented to increase employees' security awareness in their daily work. This can be done through e-learning modules, newsletters, posters or targeted information security campaigns.
Training new employees
New employees undergo specific information security training at the beginning of their employment. This training ensures that they are familiar with the basic security requirements and measures relevant to their role.
Responsibility of managers
Managers have a special responsibility in promoting information security. They are responsible for encouraging their teams to take advantage of training opportunities and raising awareness of the importance of information security. They ensure that all employees complete the necessary training and apply the security guidelines in their daily operations.
Review and further development of the training program
The training and awareness program is regularly reviewed and developed to adapt to new threats, technologies and legal requirements. Feedback from participants and analysis of security incidents are used to continuously improve the program.
Monitoring and Audits
Continuous monitoring and regular audits are essential components of information security management. They serve to ensure compliance with security policies, identify vulnerabilities at an early stage and initiate improvements. The findings and results from these reviews are incorporated into the management review to ensure that strategic decisions are based on sound analysis.
Monitoring security measures
The company's security measures are continuously monitored to verify their effectiveness and confirm that they can withstand current threats. This monitoring covers IT systems, networks and physical protection devices. The findings from the monitoring are documented and used to adapt the measures.
Internal audits
Internal audits are carried out at regular intervals to check compliance with information security policies and the effectiveness of the measures implemented. These audits serve to uncover potential weak points and ensure that processes are implemented correctly. The results of the internal audits flow directly into the management review and support continuous improvement.
External audits
External audits are conducted by independent auditors to obtain an objective assessment of the company's information security measures. These audits help ensure compliance with legal and regulatory requirements. The reports of the external audits are considered in the management review to support strategic decisions and improvement measures.
Reporting and measures
The results of monitoring and audits are systematically documented and forwarded in reports to management and relevant departments. Based on these reports, corrective measures are initiated to eliminate any deficiencies identified. The implementation of these measures is monitored and evaluated as part of the management review to ensure that improvements are implemented sustainably.
Continuous improvement
The findings from monitoring and audits are an essential part of the continuous improvement process of the information security management system. They are discussed in the management review to ensure that the company responds appropriately to new threats and challenges and that the security level remains consistently high.
Compliance with Legal and Contractual Requirements
Compliance with legal, regulatory and contractual requirements is a central component of information security in the company. These requirements include the protection of data, compliance with industry-specific regulations and contractual obligations to business partners and customers. The company ensures that all relevant laws and guidelines are integrated into the security processes.
Data protection requirements
The company is committed to complying with all relevant data protection laws, in particular the General Data Protection Regulation (GDPR) and national data protection regulations. The protection of personal data and the safeguarding of the rights of the data subjects, such as the right to information, rectification and erasure, are central elements of the security strategy.
Industry-specific regulatory requirements
Industry-specific regulations that apply to the company's respective field of activity are taken into account in the security measures. These include, in particular, regulations in regulated industries such as the financial sector or healthcare. The company regularly reviews and updates its processes to ensure compliance with these regulations.
Contractual obligations
In addition to the legal requirements, the company is committed to complying with contractual requirements arising from agreements with business partners and customers. This includes:
Non-disclosure agreements (NDAs): Protection of sensitive information in all business relationships.
Service Level Agreements (SLAs): Fulfilment of service requirements within the framework of customer contracts.
Purchasing conditions of business partners and customers: The security requirements specified in the purchasing conditions of business partners and customers must be fully complied with and integrated into the company's processes.
Project specifications for customer orders: The security requirements defined within the framework of customer projects are consistently taken into account and integrated into the project processes.
The company ensures that these contractual obligations are anchored in the security processes and are continuously monitored.
Monitoring legal compliance
Regular internal and external audits support the monitoring of compliance with legal, regulatory and contractual requirements. Deviations are identified and remedied immediately, with measures being implemented to prevent future violations.
Training and awareness raising
All employees receive regular training on applicable legal and contractual requirements, particularly with regard to data protection, confidentiality and specific contractual obligations. This ensures that all employees are familiar with the requirements and apply them in their daily work.
Violations and Sanctions
Compliance with information security policies is critical to protecting company assets and maintaining the security of information. Violations of these policies can have serious consequences for the company and its customers. For this reason, clear procedures are established for dealing with violations, which also include sanctions for non-compliant behavior.
Definition of violations
A breach of the information security policy occurs when employees, service providers or partners intentionally or negligently violate the established security requirements. This can include the following:
Unauthorized access to confidential information.
Failure to comply with established security measures or processes.
Misuse of IT resources or data.
Failure to report a known security incident.
Procedure in case of violations
Violations of the information security policies are investigated immediately. The information security officer or a responsible body will initiate a formal investigation to determine the nature, extent and impact of the violation. In serious cases, management is informed immediately and can involve external bodies (e.g. authorities) if necessary.
Sanctions
Depending on the severity of the breach and its impact on information security, different sanctions may be imposed. Possible measures include:
Warnings: For minor violations, a written or verbal warning may be issued.
Training measures: In cases where ignorance or negligence is the cause of the violation, additional awareness training may be ordered.
Disciplinary measures: In the event of serious violations, disciplinary measures may be taken, including termination of employment.
Legal action: In the event of intentional or grossly negligent violations that cause significant damage to the company or its customers, civil or criminal action may be taken.
Reporting violations
Employees are required to report violations of the information security policies immediately to the Information Security Officer or an appropriate authority. The company provides secure and confidential reporting channels to ensure that employees can report violations without fear of reprisal.
Preventive measures
To prevent future breaches, the causes are analyzed and suitable preventive measures are developed. This can include improving security measures, adapting processes or additional training. The goal is to strengthen information security in the long term through preventive measures.
Continuous Improvement
Continuous improvement of information security is a central component of the Information Security Management System (ISMS). The threat landscape is constantly evolving and internal organizational changes can also introduce new risks. Therefore, the company takes a proactive approach to regularly evaluate and optimize information security processes.
Regular review of security measures
All implemented security measures are regularly reviewed to ensure that they meet current requirements and threats. These reviews are carried out as part of internal and external audits and through continuous monitoring. Findings from security incidents or new threats are directly incorporated into these assessments.
Adaptation to new risks
The company continuously analyzes new risks and adapts its information security strategies accordingly. This may include both technological developments and regulatory changes. Risk assessments are regularly updated to ensure that security measures remain appropriate and effective.
Feedback and lessons learned
The company systematically uses feedback from audits, training, incidents and employee suggestions to identify vulnerabilities and make improvements. After each security-related incident or audit, a "lessons learned" analysis is carried out to understand the causes of the incident and develop preventive measures.
Training and awareness programs
As part of continuous improvement, the training and awareness program is regularly revised and expanded. New threats and technologies require continuously updated content to keep employees up to date with the latest information security developments.
Technological and organizational innovations
The company relies on technological innovations and organizational adjustments to continuously improve information security. This includes the introduction of new technologies for threat detection, the automation of security processes and the optimization of organizational structures to strengthen the security culture in the company.
Validity and Entry into Force
This Information Security Policy takes effect on [insert date] and is binding on all employees, business partners and service providers of the Company. It remains valid until it is replaced or updated by a new version.
Review of the guideline
The information security policy is reviewed regularly, but at least every three years. This review is carried out by the information security officer in cooperation with management and the relevant departments. The aim of the review is to ensure that the policy always complies with current legal requirements, new threats and technological developments.
Adjustments and updates
Changes to this policy may be required due to new legal requirements, internal organizational changes or in response to newly identified risks. Updates are prepared by the Information Security Officer and must be approved by management before they come into effect.
Communication of changes
All changes and updates to the guidelines will be communicated immediately to all affected employees, business partners and service providers. The implementation of the new requirements will be supported by training and appropriate adjustments to internal processes.
Storage and access
The current version of the information security policy is stored centrally and is accessible to all employees and relevant partners via the internal information portal. Historical documentation of previous versions is also kept to ensure traceability and transparency.