Small businesses often find ISO 27001 daunting: long lists of controls, detailed clauses, and extensive documentation. A focused, practical set of policies helps an organisation align with ISO/IEC 27001:2022, supports day-to-day operations, and links to the key ISMS processes (risk assessment, the Statement of Applicability, internal audit). This guide outlines 12 ISO 27001 policies that SMEs and startups commonly adopt, with explanations and tips for implementing each one.
What You Will Learn in This Guide
- Overview of 12 ISO/IEC 27001:2022 policies commonly used by SMEs
- Approaches to structure each policy for clarity, simplicity, and practical implementation
- How policies can link to the Risk Register, Statement of Applicability (SoA), and day-to-day operations
- Practical steps to develop, document, and update your core ISO 27001 policies
Snapshot: The 12 ISO 27001 Policies SMEs May Find Useful
These 12 policies are a common starting point for SMEs and startups. They cover the information security areas relevant to most small organisations, but the set is a baseline, not a ceiling: add further policies where your organisation's operations, risk profile, or regulatory requirements call for them.
- Information Security Policy
- Access Control Policy
- Asset Management Policy
- Cryptography Policy
- Operations Security Policy
- Supplier Management Policy
- Incident Management Policy
- Business Continuity / Disaster Recovery Policy
- Acceptable Use Policy
- Remote Work Policy
- Data Retention and Privacy Policy
- Internal Audit and Review Policy
Why ISO 27001 Policies Matter for Small Businesses
A core set of ISO 27001 policies forms the backbone of your ISMS. Even for small teams, these policies give information security a structured, repeatable shape. Here is why they matter:
- Identify what needs protecting: policies state which assets, processes, and data are in scope and who is responsible for them.
- Operationalise the selected controls: each policy turns the Annex A controls you have chosen in the Statement of Applicability into concrete rules staff can follow.
- Monitor, review, and improve: well-defined policies give internal audit and management review something concrete to check, and can be updated as the business evolves.
By keeping your ISO 27001 policy set lean and focused, organisations may maintain a manageable and clear ISMS for staff.
How Many ISO 27001 Policies Do SMEs Typically Need?
A focused set of around 12 core policies covers the information security areas relevant to most SMEs. ISO 27001 itself mandates only a small set of documented information (for example the information security policy required by Clause 5.2, the risk assessment and risk treatment processes, and the Statement of Applicability). The topic-specific policies below are not individually mandatory, but they are the usual way to document the Annex A controls you have selected, and they give an auditor evidence that those controls are defined and communicated to staff.
The 12 ISO 27001 Policies Commonly Adopted
1. Information Security Policy
The Information Security Policy may cover these core aspects to support clarity, accountability, and practical implementation in your organisation.
Key Elements:
- Scope and ISMS boundaries: define which information, systems, locations, and processes are included, and what is explicitly excluded.
- Roles and responsibilities: assign clear ownership for enforcing and updating the policy.
- High-level risk approach and control selection: outline how risks are identified, assessed, and treated, and where the resulting controls are recorded (the Statement of Applicability).
- Leadership commitment: record top management's approval of the policy.
Practical Tip: Keep it short (one or two pages is typical) and have top management sign it off. Clause 5.2 requires the policy to be established and communicated by top management, so this step is not optional.
2. Access Control Policy
The Access Control Policy sets out who may access which systems and data, on what basis, and how that access is granted, reviewed, and removed.
Key Elements:
- User access provisioning and deprovisioning: how accounts are created, changed, and removed, including what triggers removal when someone leaves or changes role.
- Password and multi-factor authentication requirements: minimum password rules and where MFA is mandatory (administrative and remote access at a minimum).
- Privileged account management: separate admin accounts from everyday accounts, restrict who holds them, and log their use.
Practical Link: Tie the policy to onboarding and offboarding checklists and to a periodic (for example quarterly) access review, so that permissions stay current and leavers' accounts are actually removed rather than merely forgotten.
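As an added example (not part of the original guide), here is a periodic access review of the kind the Practical Link describes, written in Python. It reconciles a constructed identity-provider account export against a constructed HR roster and reports the findings such a review should raise: accounts with no HR record, leavers who still have an account, privileged accounts without MFA, and human accounts unused for longer than the policy's inactivity limit. The roster format, the 90-day limit, and the `svc-` prefix for service accounts are assumptions; substitute the exports and thresholds from your own IdP, HR system, and Access Control Policy.

```python
"""Periodic access review: reconcile an identity-provider (IdP) account export
against the HR roster and report violations of the Access Control Policy.
Added example; all data below is constructed and the thresholds are assumed."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed HR roster: username -> (employment status, department).
HR_ROSTER = {
    "alice": ("active", "engineering"),
    "bob": ("active", "finance"),
    "carol": ("leaver", "engineering"),  # left the company; account should be gone
    "dave": ("active", "support"),
}


@dataclass(frozen=True)
class Account:
    """One row of an IdP export (assumed columns)."""
    username: str
    privileged: bool
    mfa_enabled: bool
    last_login: date


# Constructed IdP export.
IDP_ACCOUNTS = [
    Account("alice", privileged=True, mfa_enabled=True, last_login=date(2025, 1, 10)),
    Account("bob", privileged=False, mfa_enabled=False, last_login=date(2025, 1, 9)),
    Account("carol", privileged=False, mfa_enabled=True, last_login=date(2024, 12, 1)),
    Account("dave", privileged=True, mfa_enabled=False, last_login=date(2024, 9, 1)),
    Account("svc-backup", privileged=True, mfa_enabled=False, last_login=date(2025, 1, 11)),
]

# Policy parameters (assumed; set them to match your own Access Control Policy).
INACTIVITY_LIMIT = timedelta(days=90)
SERVICE_ACCOUNT_PREFIX = "svc-"  # assumed naming convention for non-human accounts
REVIEW_DATE = date(2025, 1, 15)  # constructed "today" for the sample data


def review_access(accounts, roster, today, inactivity_limit=INACTIVITY_LIMIT):
    """Return sorted (username, finding) pairs for every policy violation found."""
    findings = []
    for acct in accounts:
        is_service = acct.username.startswith(SERVICE_ACCOUNT_PREFIX)
        hr_status = roster.get(acct.username, (None,))[0]
        if not is_service:
            # Human accounts must map to a current employee.
            if hr_status is None:
                findings.append((acct.username, "no HR record: orphaned account"))
            elif hr_status == "leaver":
                findings.append((acct.username, "leaver still has an account: deprovision"))
            # Dormant human accounts widen the attack surface for no benefit.
            if today - acct.last_login > inactivity_limit:
                findings.append((acct.username,
                                 f"inactive > {inactivity_limit.days} days: disable or remove"))
        # Privileged accounts, human or service, need MFA or a documented exception.
        if acct.privileged and not acct.mfa_enabled:
            findings.append((acct.username, "privileged account without MFA"))
    return sorted(findings)


def findings_for(username, findings):
    """Convenience filter: the finding texts raised for one account."""
    return [text for user, text in findings if user == username]


def run_review():
    """Run the review over the constructed sample data."""
    return review_access(IDP_ACCOUNTS, HR_ROSTER, REVIEW_DATE)


if __name__ == "__main__":
    for user, text in run_review():
        print(f"{user:12} {text}")
```

Service accounts are deliberately exempt from the HR and inactivity checks (they have no HR record and may log in rarely) but not from the MFA check: where a service account cannot use MFA, the review should find a documented exception and a compensating control, not silence. Keep the output of each run as a record; it is the evidence an auditor will ask for under the access review requirement.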
3. Asset Management Policy
The Asset Management Policy may help identify, classify, and protect information assets throughout their lifecycle, supporting operational security in your organisation.
Key Elements:
- Inventory of devices, systems, and data: maintain an up-to-date register of every asset that matters to the business.
- Ownership assignment: name an owner for each asset who is accountable for its classification and protection.
- Handling and disposal procedures: secure handling, transfer, and decommissioning of assets, including wiping storage before disposal.
Practical Tip: Include BYOD rules, encryption standards, and procedures for lost, stolen, or retired devices to help maintain security across all assets.
4. Cryptography Policy
The Cryptography Policy defines where encryption is required and how keys are managed, so that sensitive data is protected consistently at rest, in transit, and in backups.
Key Elements:
- Approved algorithms and protocols: name the standards staff must use (for example AES-256 for data at rest and TLS 1.2 or later in transit) and list anything deprecated that must not be used.
- Key management responsibilities: who generates, stores, rotates, and retires keys, and where keys are kept (for example a cloud key management service, never source code or shared documents).
- Usage rules for internal and cloud systems: when encryption is mandatory (laptops, backups, customer data) and how it is enabled across devices and services.
Practical Tip: Keep instructions simple while covering essential protections. Focus on clear policies rather than overly complex enterprise-level manuals.
5. Operations Security Policy
The Operations Security Policy may help support more secure and reliable IT and business processes, reducing potential disruptions, errors, and cyber threats.
Key Elements:
- Change management procedures: how system or process changes are requested, approved, tested, and documented.
- Backup, monitoring, and logging requirements: backup frequency and restore testing for critical data, what is monitored, and how long logs are retained.
- Malware protection and patch management: endpoint protection on all devices and a defined timeframe for applying security patches.
Practical Tip: Align the policy with your Risk Register and operational workflows to support straightforward implementation for small teams.
6. Supplier Management Policy
The Supplier Management Policy manages the risk introduced by external suppliers and service providers, including cloud services, that process or can access your information.
Key Elements:
- Supplier assessment and onboarding: evaluate a vendor's security posture before engagement, proportionate to the data and access involved.
- Contractual security requirements: obligations for data protection, incident notification, and compliance, written into the contract where applicable.
- Ongoing monitoring and periodic reviews: re-check supplier performance and risk status on a defined schedule, typically annually for critical suppliers.
Practical Tip: Include cloud services and critical vendors in scope, linking assessments to operational and risk management processes.
7. Incident Management Policy
The Incident Management Policy defines how security events are reported, assessed, and handled, so that impact is contained quickly and lessons are captured.
Key Elements:
- Incident reporting channels: a clear, well-known route for employees and stakeholders to report security events.
- Severity classification: categorise incidents by impact and urgency to decide who responds and how fast.
- Root cause analysis and post-incident reviews: identify the underlying weakness, record it, and feed corrective actions back into the Risk Register.
Practical Tip: Provide templates and workflows that link incident reporting to operational procedures and risk management processes, supporting a timely and coordinated response.
8. Business Continuity / Disaster Recovery Policy
The Business Continuity and Disaster Recovery Policy may help your organisation maintain critical operations during unexpected disruptions, supporting efforts to reduce downtime and help protect data and services.
Key Elements:
- Identification of core services: prioritise the functions that must continue during a disruption.
- Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO): for each core service, the maximum tolerable downtime (RTO) and the maximum tolerable data loss, expressed as time since the last good backup (RPO).
- Testing and review schedules: test the plan regularly and review it after every test or real disruption.
Practical Tip: Keep procedures simple, actionable, and easy for staff to follow. Include periodic drills or tabletop exercises to help make continuity planning practical.
9. Acceptable Use Policy
The Acceptable Use Policy sets the rules for using company IT systems, data, and resources, reducing the risk from human error and everyday cyber threats.
Key Elements:
- Use of corporate devices and networks: define permitted activities and access boundaries.
- Prohibited activities: for example installing unauthorised software, bypassing security controls, or sharing credentials.
- Remote access rules: how to connect securely when off-site.
Practical Tip: Keep the policy concise, easy to understand, and integrate with training programmes so employees can follow expectations clearly.
10. Remote Work Policy
The Remote Work Policy may support your organisation in maintaining data protection and operational consistency while employees work off-site.
Key Elements:
- VPN or secure network requirements: the approved ways of connecting to company systems from outside the office.
- Device and data handling: rules for laptops, mobile devices, and sensitive information used away from the office (screen locks, disk encryption, no work data on unmanaged devices).
- Incident reporting while remote: how to report a security event or breach promptly when not on site.
Practical Tip: Align this policy with your Access Control and Acceptable Use Policies to promote consistent practices across all work environments.
11. Data Retention and Privacy Policy
The Data Retention and Privacy Policy manages personal and sensitive data throughout its lifecycle: how long it is kept, how it is stored, and how it is securely disposed of.
Key Elements:
- Retention periods: how long each type of data is kept before secure disposal, and the legal or business reason for the period.
- Secure disposal methods: procedures for safely deleting or destroying data and the devices that held it.
- Privacy practices: rules for collecting, storing, and handling personal data, aligned with the privacy regulation that applies to you.
Practical Tip: Apply simple, clear procedures that align with your Risk Register and other core ISMS policies to help maintain consistency across operations.
12. Internal Audit and Review Policy
The Internal Audit and Review Policy may support regular monitoring, evaluation, and improvement of your ISMS, helping your organisation promote consistent information security practices with minimal overhead.
Key Elements:
- Audit frequency and scope: how often internal audits occur and which clauses, controls, and processes each one covers.
- Roles and responsibilities: who conducts audits (independent of the area being audited where possible) and who reviews the findings.
- Corrective actions and follow-ups: record nonconformities, the corrective action taken, and verification that it worked.
Practical Tip: Connect this policy to your Risk Register and Statement of Applicability to support consistency and track continuous improvement across your ISMS.
How to Implement ISO 27001 Policies Effectively
Consider these approaches when creating a set of policies that can support your ISMS:
- Keep policies concise: focus on clarity and practicality rather than length.
- Assign clear ownership: designate a responsible person for each policy to maintain it and answer questions about it.
- Map to Annex A controls: align each policy with the relevant ISO/IEC 27001:2022 controls so the Statement of Applicability can point to it.
- Use practical examples: illustrate expectations with scenarios from your own organisation so staff can apply the policies day to day.
- Review periodically: update policies to reflect operational changes, emerging risks, and evolving security practices, and record the review date.
Linking ISO 27001 Policies to Your ISMS
Policies may be connected to your ISMS to support practical use and alignment with ISO 27001 requirements. For SMEs and startups, this often includes:
- Referencing the Risk Register to justify controls.
- Linking each policy to the Statement of Applicability for Annex A mapping.
- Aligning processes, staff training, and daily operations with policy guidance.
Summary: Lean Policy Approach for SMEs
- A set of around 12 commonly used ISO 27001 policies can address key information security considerations for many small businesses.
- Focus on clarity, practicality, and alignment with operational processes.
- Policies may support controls, processes, and evidence collection.
- Templates may help accelerate documentation and maintain consistency.
- Successful use depends on ownership, practical application, and repeatable practices.
These 12 policies are commonly used by SMEs and startups to organise ISMS documentation and align operations with ISO 27001 guidance where applicable.
Further Resources
- ISO 27001 Templates: pre-built policy and procedure templates that help SMEs organise ISO 27001 documentation efficiently.
- Risk Register Template: organise and align risks, controls, and policies for easy tracking and reference.
- Statement of Applicability (SoA) Template: map which ISO 27001 controls are relevant and link them to your policies.
Next Steps: Learn how to structure, control, and maintain your ISMS documents in the follow-up guide: ISO 27001 Clause 7.5 Explained: Documented Information Requirements for SMEs.
Related Guides
Explore these ISO 27001 resources to help your SME build a practical, lean ISMS:
Start Here: Complete Guide
- ISO 27001 for SMEs and Startups: The Chill Implementation Guide (2026 Edition): full roadmap covering all clauses and Annex A controls, with practical steps, examples, and guidance.
Documentation and ISMS Templates: Detailed Guides by Topic
- ISO 27001 Mandatory Documents Checklist for SMEs: a practical guide to the essential ISMS documents small businesses typically prepare for ISO 27001 and streamlined audit preparation.
- ISO 27001 Clause 7.5 Explained: Documented Information Requirements for SMEs: learn how to manage ISMS documents and records efficiently using templates, registers, and clear structures.
- How to Build a Complete ISO 27001 ISMS Manual for SMEs: step-by-step guide to assembling your main ISMS Manual, using templates and practical examples.
- ISO 27001 Templates vs Consultants vs Platforms: a practical guide to help SMEs choose between templates, consultants, and platforms for efficient ISO 27001 implementation.
Please Note: This article provides general information only and does not constitute legal, regulatory, or compliance advice. Using our products or following this guidance cannot guarantee certification, improved business outcomes, or regulatory compliance. Organisations remain responsible for ensuring all actions meet certification and compliance requirements.