Information Security Policy
I need an information security policy that outlines the protocols for protecting sensitive data, includes guidelines for employee access and usage, and complies with New Zealand's data protection regulations. The policy should also address incident response procedures and regular security audits.
What is an Information Security Policy?
An Information Security Policy sets the rules and guidelines for protecting an organisation's data and IT systems. It defines how staff must handle sensitive information, use company devices, and respond to security incidents, while meeting the requirements of New Zealand's Privacy Act 2020 and any other data protection obligations that apply.
The policy helps organisations safeguard both digital and physical information assets by establishing clear security controls, access rights, and compliance procedures. It typically covers password standards, acceptable use of technology, data classification, and incident reporting, giving teams a practical framework for keeping information secure in their daily work.
When should you use an Information Security Policy?
Your business needs an Information Security Policy whenever it handles sensitive data or faces cybersecurity risk. This is especially important for organisations that hold personal information and are therefore subject to New Zealand's Privacy Act 2020, those managing customer information, and those operating in regulated sectors such as healthcare, finance, or government services.
Put this policy in place before a security incident occurs. It guides your response to data breaches, sets the controls that protect against cyber threats, and provides the basis for staff security training. It is particularly important when expanding operations, adopting new technologies, or working with external partners who need access to your systems and data.
What are the different types of Information Security Policy?
- Security Logging And Monitoring Policy: Focuses on tracking and recording system activities and security events
- IT Security Audit Policy: Establishes rules for regular security assessments and compliance checks
- Email Security Policy: Covers email-specific threats, safe communication practices, and data protection
- Phishing Policy: Details procedures for preventing and responding to phishing attacks
- Audit Log Policy: Sets requirements for maintaining and reviewing security-related activity logs
Who should typically use an Information Security Policy?
- IT Directors and CISOs: Lead the development and implementation of Information Security Policies, ensuring alignment with business goals and risk management
- Legal Teams: Review and validate policies to ensure compliance with NZ Privacy Act and other regulations
- Department Managers: Help tailor security requirements to their team's operational needs
- Employees: Follow policy guidelines in their daily work handling company data and systems
- External Consultants: Provide expertise in policy development and security best practices
- Compliance Officers: Monitor and enforce policy adherence across the organization
How do you write an Information Security Policy?
- Asset Inventory: List all IT systems, data types, and sensitive information your organization handles
- Risk Assessment: Document potential security threats and vulnerabilities specific to your business
- Legal Requirements: Review NZ Privacy Act 2020 obligations and industry-specific regulations
- Access Levels: Map out who needs access to which systems and data
- Incident Response: Plan your breach notification and response procedures; under the Privacy Act 2020, a privacy breach that has caused, or is likely to cause, serious harm must be notified to the Office of the Privacy Commissioner and to affected individuals as soon as practicable
- Training Needs: Identify how you'll communicate and enforce the policy
- Review Process: Set up a schedule for regular policy updates and compliance checks
What should be included in an Information Security Policy?
- Purpose Statement: Clear objectives and scope of the information security program
- Data Classification: Categories of sensitive information and their handling requirements, including the personal information governed by the Privacy Act 2020
- Access Controls: Rules for system access, authentication, and authorisation, including who may grant access and how access is reviewed and revoked
- Security Measures: Technical and physical safeguards for protecting information assets
- Incident Response: Procedures for identifying, reporting, and managing security breaches
- Compliance Requirements: References to relevant NZ laws and industry standards
- User Responsibilities: Clear staff obligations and consequences for non-compliance
- Review Process: Schedule for policy updates and effectiveness assessments
What's the difference between an Information Security Policy and a Cybersecurity Policy?
Although the terms are often used interchangeably, an Information Security Policy differs from a Cybersecurity Policy in several ways:
- Scope: Information Security Policy covers all forms of information (digital, physical, and verbal), while a Cybersecurity Policy focuses specifically on digital assets and online threats
- Compliance Focus: Information Security Policy aligns broadly with NZ Privacy Act requirements for all data types, whereas Cybersecurity Policy addresses technical compliance with digital security standards
- Implementation Level: Information Security Policy sets organization-wide principles and governance, while Cybersecurity Policy details specific technical controls and digital protection measures
- Risk Management: Information Security Policy covers comprehensive information risk management, while Cybersecurity Policy concentrates on digital threat prevention and response