Information Security Policy
I need an information security policy that outlines the protocols for protecting sensitive data, includes guidelines for employee access and usage, and complies with New Zealand's data protection regulations. The policy should also address incident response procedures and regular security audits.
What is an Information Security Policy?
An Information Security Policy is a formal document that sets out an organisation's rules, protocols, and requirements for protecting digital and physical information assets. In New Zealand it is aligned with the Privacy Act 2020, whose information privacy principles require reasonable security safeguards for personal information, and with any other regulatory framework that applies to the organisation. The policy establishes guidelines for data handling, access controls, cybersecurity measures, and incident response procedures. Public-sector agencies must also comply with the New Zealand Information Security Manual (NZISM); private organisations are not bound by the NZISM but commonly adopt it, or standards such as ISO/IEC 27001, as a reference baseline.
The policy typically addresses key areas including data classification, employee responsibilities, acceptable use of technology, breach notification procedures, and risk management strategies. It serves as a cornerstone for maintaining digital resilience and safeguarding sensitive information, particularly for agencies subject to requirements set by the Government Chief Digital Officer (GCDO) and for organisations in regulated sectors. Organisations must regularly review and update their Information Security Policy to address emerging threats, technological changes, and evolving compliance requirements, making it an essential tool for protecting business assets and maintaining stakeholder trust.
When should you use an Information Security Policy?
You should implement an Information Security Policy when your organisation handles sensitive data, operates digital systems, or needs to demonstrate compliance with the Privacy Act 2020 and industry regulations. This becomes particularly important if you are managing personal information, engaging in e-commerce, operating in regulated sectors such as health (where the Health Information Privacy Code 2020 applies) or finance, or working with government agencies that expect alignment with the NZISM. The policy is essential when establishing new digital operations, expanding your business scope, or responding to identified security vulnerabilities.
Consider developing this policy when onboarding new employees, implementing remote work arrangements, or adopting new technologies that process sensitive information. It is especially valuable if you are seeking certification under standards such as ISO/IEC 27001, participating in government tenders, or establishing business relationships that require demonstrated security controls. Do not wait for a security incident to occur: proactive implementation helps protect against data breaches, maintains customer trust, and gives staff clear guidance on their security responsibilities, while potentially reducing insurance premiums and legal exposure in the event of an incident.
What are the different types of Information Security Policy?
Information Security Policies come in various specialised forms to address different aspects of digital security and compliance requirements under New Zealand's regulatory framework. Each type focuses on specific security domains, operational needs, or risk areas, allowing organisations to build a comprehensive security framework that aligns with both their business objectives and compliance obligations.
- Security Logging And Monitoring Policy: Establishes protocols for tracking and recording system activities, security events, and user actions across digital infrastructure, including which events must be logged, who reviews them, and how alerts are escalated. It is essential for maintaining audit trails and detecting security incidents.
- IT Security Audit Policy: Outlines procedures for conducting regular security assessments and evaluations of IT systems, ensuring ongoing compliance with security standards and identifying potential vulnerabilities.
- Email Security Policy: Focuses on protecting email communications, defining acceptable use, encryption requirements, and measures to prevent data leakage through email channels.
- Phishing Policy: Addresses specific protocols for preventing, identifying, and responding to phishing attempts, including employee training requirements and incident reporting procedures.
- Audit Log Policy: Complements the logging and monitoring policy by detailing requirements for retaining and protecting the logs themselves (retention periods, access restrictions, and tamper protection), which is essential for security investigations, compliance reporting, and operational transparency.
When implementing these policies, consider your organization's specific risk profile, regulatory requirements, and operational needs. The most effective approach often involves combining multiple policy types to create a comprehensive security framework that addresses all relevant aspects of information security while maintaining compliance with the Privacy Act 2020 and industry standards.
Who should typically use an Information Security Policy?
The development, implementation, and enforcement of an Information Security Policy involves multiple stakeholders across different organizational levels, each playing crucial roles in ensuring its effectiveness within New Zealand's regulatory framework. The following parties typically interact with or are bound by this policy:
- Board of Directors/Executive Management: Responsible for approving the policy, ensuring adequate resources for implementation, and maintaining oversight of security governance in alignment with organizational risk appetite.
- Chief Information Security Officer (CISO), or the equivalent accountable role in smaller organisations: Leads the development, implementation, and regular review of the policy, ensuring it meets regulatory requirements and industry standards while addressing emerging threats.
- IT Department: Implements technical controls, monitors compliance, and manages day-to-day security operations as specified in the policy.
- Compliance Officers: Ensure the policy aligns with relevant legislation, including the Privacy Act 2020 and sector-specific regulations, while maintaining documentation for audit purposes.
- Department Managers: Responsible for ensuring their teams understand and comply with the policy, reporting security incidents, and implementing specific controls within their areas.
- Employees and Contractors: Must understand, acknowledge, and comply with the policy requirements in their daily operations.
- External Auditors: Review policy implementation and effectiveness as part of security assessments and compliance audits.
Successful implementation requires active engagement and clear communication between all parties, with each stakeholder understanding their specific responsibilities and accountability in maintaining the organization's security posture.
How do you write an Information Security Policy?
Successfully creating an effective Information Security Policy requires careful attention to both legal compliance and practical implementation considerations. Utilising a custom-generated template from a reputable provider like Genie can simplify the process and reduce the chance of mistakes, but the policy must still be tailored to your own systems, data and risks. The following key elements should guide your drafting process:
- Scope Definition: Clearly outline the policy's coverage, including systems, data types, and affected parties, ensuring alignment with the Privacy Act 2020 and relevant industry standards.
- Risk Assessment Integration: Incorporate findings from your organization's security risk assessment to address specific threats and vulnerabilities relevant to your operations.
- Compliance Framework: Reference specific requirements from the NZISM, relevant ISO standards, and industry-specific regulations that apply to your organization.
- Clear Responsibilities: Define specific roles, duties, and accountability measures for all stakeholders involved in policy implementation and enforcement.
- Incident Response Procedures: Detail step-by-step protocols for identifying, reporting, containing, and managing security incidents, including who decides whether a breach is notifiable. Under the Privacy Act 2020, a privacy breach that is likely to cause serious harm must be notified to the Privacy Commissioner and, where practicable, to the affected individuals, as soon as practicable after the organisation becomes aware of it.
- Review and Update Mechanisms: Establish clear procedures for regular policy review and updates to maintain relevance with evolving threats and regulatory changes.
Before finalizing the policy, ensure it undergoes review by legal counsel and security experts to verify its enforceability and technical accuracy. Consider conducting a pilot implementation to identify practical challenges and refine the policy accordingly.
What should be included in an Information Security Policy?
A comprehensive Information Security Policy must incorporate specific elements to ensure compliance with New Zealand's regulatory framework, including the Privacy Act 2020, NZISM guidelines where they apply, and industry-specific requirements. Genie takes the guesswork out of this process by providing custom-generated legal documents that include the mandatory elements and minimise drafting errors. The following checklist outlines the essential components of a robust and enforceable policy:
- Policy Statement and Scope: Define the policy's purpose, objectives, and scope of application, including covered systems, data types, and organizational boundaries.
- Legal Framework Reference: Explicitly cite relevant legislation, regulations, and standards (Privacy Act 2020, NZISM, industry-specific requirements) governing the policy.
- Data Classification Framework: Define categories of information (for example public, internal, confidential, restricted) and the handling requirements for each, such as where it may be stored, whether it must be encrypted, and how it is disposed of. Government agencies must use the classification scheme set by the Protective Security Requirements rather than inventing their own.
- Access Control Requirements: Specify authentication standards (including where multi-factor authentication is mandatory), authorisation levels based on least privilege, and the access management lifecycle for different user categories: granting access when someone joins, adjusting it when they change role, revoking it when they leave, and reviewing it periodically.
- Security Controls and Measures: Detail specific technical, physical, and administrative controls for protecting information assets.
- Incident Response Protocol: Outline procedures for identifying, reporting, and managing security incidents, including mandatory breach notification requirements.
- User Responsibilities: Define acceptable use guidelines, security awareness requirements, and individual accountability measures.
- Compliance Monitoring: Specify audit procedures, monitoring mechanisms, and compliance verification processes.
- Enforcement and Consequences: Detail disciplinary measures for policy violations and enforcement procedures.
- Review and Update Procedures: Establish timeframes and processes for regular policy review and updates.
- Technical Requirements: Specify minimum security standards for systems, networks, and applications, such as patching timeframes, encryption of data in transit and at rest, secure configuration baselines, and backup requirements.
- Third-Party Management: Define security requirements for vendors, contractors, and external service providers, including due diligence before engagement, contractual obligations to notify you of breaches, limits on where your data may be stored, and your right to audit or obtain assurance reports.
- Business Continuity Provisions: Include references to disaster recovery and business continuity procedures.
Regular review and updates of these elements ensure the policy remains current with evolving security threats and regulatory requirements. Thorough internal review and compliance validation processes should be established to maintain the policy's effectiveness and legal compliance.
What's the difference between an Information Security Policy and a Cybersecurity Policy?
While both documents address organizational security measures, an Information Security Policy differs significantly from a Cybersecurity Policy in several key aspects. The Information Security Policy takes a broader approach to protecting all forms of information assets, while a Cybersecurity Policy specifically focuses on digital security threats and technological protection measures.
- Scope of Coverage: Information Security Policy encompasses both physical and digital information protection, including paper documents, verbal communications, and data handling procedures, while Cybersecurity Policy exclusively addresses digital assets and network security.
- Regulatory Alignment: Information Security Policy typically aligns with broader privacy and information handling requirements under the Privacy Act 2020, while Cybersecurity Policy focuses on technical compliance with digital security standards and NZISM guidelines.
- Implementation Focus: Information Security Policy establishes overarching governance frameworks and organizational responsibilities, while Cybersecurity Policy details specific technical controls, system configurations, and digital threat responses.
- Risk Management Approach: Information Security Policy addresses comprehensive information risk management across all formats and contexts, while Cybersecurity Policy concentrates on managing digital vulnerabilities and cyber threats.
- Stakeholder Involvement: Information Security Policy typically requires engagement from all organizational levels and departments, while Cybersecurity Policy primarily involves IT teams and digital system users.
Understanding these distinctions is crucial for organizations developing their security framework, as both policies serve complementary but distinct purposes in protecting organizational assets. While the Information Security Policy provides the overarching framework for information protection, the Cybersecurity Policy details the specific technical measures needed to secure digital assets and infrastructure.