
Expert Advice Community


Information security policy content

Guest user Created:   Apr 11, 2018 Last commented:   Apr 11, 2018


What should an information security policy statement of an ISMS include?


Expert
Rhand Leal Apr 11, 2018

Answer: According to ISO 27001, the Information Security Policy must include:
- the information security objectives, or how the objectives are proposed, how they are approved, and how they are reviewed
- a statement of top management about its commitment to fulfill the requirements of all interested parties, and to continually improve the ISMS

There is no need to include specific controls in the Information Security Policy. If you need to describe details about the application of one or more controls you should consider writing them in a specific policy (e.g., Access control policy, backup policy, etc.).

These articles will provide you further explanation about Information Security Policy:
- What should you write in your Information Security Policy according to ISO 27001? https://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/
- Information security policy – how detailed should it be? https://advisera.com/27001academy/blog/2010/05/26/information-security-policy-how-detailed-should-it-be/

These materials will also help you regarding Information Security Policy:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
