ISMS Manual

The document outlines the Information Security Management System (ISMS) for <Company Name>, detailing its purpose, organizational context, and key definitions related to information security. It emphasizes the importance of establishing, implementing, and maintaining ISMS to protect information assets and meet regulatory requirements. The manual serves as a framework for guiding the company's information security initiatives and ensuring compliance with relevant standards.

Policy Template

Information Security Management Systems

ISMS Manual
Table of Contents

01 Purpose
02 Organization Overview
03 Terms & Definitions
04 Context of the Organization
05 Leadership
06 Planning
07 Support
08 Operations
09 Performance Evaluation
10 ISMS Improvement
11 Document Security Classification
12 Non-Compliance
13 Responsibilities
14 Schedule
Document Authorization:

Prepared By
Name:
Designation:

Reviewed & Authorized By
Name:
Designation:
1. Purpose

This document details the Information Security Management System (ISMS) of <Company Long Name> (hereafter <Company Name>). It is the framework for designing, implementing, operating, and maintaining the ISMS, and it is the reference point for <Company Name>'s information security initiatives.

This manual provides regulators and other interested parties with appropriate information about <Company Name>'s information security management objectives and the initiatives undertaken to meet them.

The information security policies documented by <Company Name> apply to all users of <Company Name> information assets and to all Information Systems (IS) environments operated by <Company Name>. The term "IS environment" means the total environment and includes, but is not limited to, all documentation, personnel, hardware (e.g., desktops), software, and information.

2. Organization Overview

2.1. About <Company Name>

< Add a brief description of the company. You can refer to Sprinto's own description as an example: Sprinto is in the business of security compliance for cloud companies. Sprinto's platform works with the cloud setup and helps monitor entity-level risks and controls. Sprinto ensures compliance, healthy operational practices, and the ability to grow and scale with the industry's needs. Sprinto comes with framework-specific workflows, policy templates, and training modules for various security compliances, but it is the adaptive automation capabilities that carry out their implementation. The platform integrates with the client's cloud setup to consolidate risk, map entity-level controls, and run fully automated checks. >
2.2. Vision & Goals

<Add a brief description of the company's vision and goals; here is a sample:

We envision global leadership by redefining industry standards through innovation, excellence, and dedicated stakeholder commitment. Our mission is to deliver exceptional products and services that empower customers, inspire teams, and positively impact communities. Guided by integrity and collaboration, we prioritize customer delight and operational excellence. Our focus on innovation leadership drives market evolution while empowering employees and nurturing creativity and ownership. Sustainability and community engagement are integral to our growth strategy, ensuring positive economic, social, and environmental impact. Through these values, we aspire to shape a brighter future for all stakeholders and contribute meaningfully to a better world.>

3. Terms & Definitions

Asset: Anything of value to <Company Name>.

Audit: Independent review of an activity or process to determine whether it has functioned as intended.

Audit Trail: The path that a particular transaction or transaction cycle takes through a system, generated as a report or log of events that describes the detailed history of system activities and processing. Audit trails are generated against defined control objectives, which specify the activities, processes, and events to be monitored.

Confidentiality: Protection of sensitive information from unauthorized access or disclosure.

Integrity: Accuracy and completeness of information, and its validity in accordance with business values and expectations.

Availability: Information being accessible when required by the business process. It also covers safeguarding the resources and capabilities needed to provide that access.

Control: Means of managing risk, including policies, procedures, guidelines, practices, or organizational structures, which can be of an administrative, technical, management, or legal nature.

Data classification: Grouping of <Company Name>'s entire body of information and business data into categories that denote its criticality and sensitivity. Data classification supports the three core attributes of information security: confidentiality, integrity, and availability.

Information: Any storage, communication, or receipt of knowledge, such as facts, data, or opinions, in numerical, graphic, or narrative form, whether spoken or maintained in any medium.

Information Asset: Information that has value to <Company Name>. Asset categories include people, paper, logical (information), physical, software and service, and site.

Information Asset Custodian: Employees responsible for maintaining the information protection measures defined by the information asset owner.

Information Asset Owner: Employees responsible for creating and using information assets. Asset owners decide the security requirements for the asset.

Information Processing Facilities: Any information processing system, service, or infrastructure, or the physical locations housing them.

Information Security: Preservation of the confidentiality, integrity, and availability of information; other properties such as authenticity, accountability, non-repudiation, and reliability can also be involved.

Information Security Management System (ISMS): That part of the overall management system, based on a business risk approach, that establishes, implements, operates, monitors, reviews, maintains, and improves information security. The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes, and resources.

Information System: The organized collection, processing, transmission, and dissemination of information in accordance with defined procedures, whether automated or manual.

Media: All devices that can electronically hold and store information, including CDs, DVDs, tapes, and portable hard disks, and any successor to these technologies.

Policy: Overall intention and direction as formally documented and expressed by management.

Standard: A definite way of doing things: a series of steps to an end, or a set of established forms and methods for conducting legal and business affairs. Standards substantiate the ways and means of implementing policies.

Risk: Combination of the likelihood of an event and its impact.

Risk Acceptance: The decision to accept a risk.

Risk Analysis: The systematic use of information to identify sources of risk and to estimate the risk.

Risk Management: Coordinated activities to direct and control <Company Name> with regard to risk.

Safeguard: The mechanism by which a control is implemented, alone or together with other safeguards, to reduce the risk arising from an identified threat.

Security Event: An identified occurrence of a system, service, or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant.

Security Incident: A single or a series of unwanted or unexpected information security events that have a significant likelihood of compromising business operations and threatening information security.

Statement of Applicability: The document describing the control objectives and controls that are relevant and applicable to the organization's ISMS.

Third Party: A person or body recognized as being independent of the parties involved, as concerns the issue in question.

Threat: The potential cause of an unwanted event that may result in harm to <Company Name> and its assets.

Virus: A piece of malicious software designed to attach itself to other programs and to replicate itself into further programs, potentially infecting every program on a system. A macro virus is a variant that attaches itself to the macros of word processor and spreadsheet programs. Other malicious software goes by names such as worms, Trojan horses, or time bombs; these can be just as damaging but are free-standing programs rather than attachments to a host program (a worm, for example, copies itself across a network without needing a host program).

Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy.
4. Context of the Organization

4.1. Understanding the Organization & its Context

<Company Name> has developed an organizational governance structure and has defined policies, strategies, and well-defined roles and responsibilities to ensure that strategic objectives are met. The Information Security Management System (ISMS) is designed as a subset of the overall organizational governance framework. <Company Name> has taken steps to determine the risks and opportunities that could affect its goals and objectives.

<Company Name> has determined the external and internal issues that are relevant to its purpose and that may affect its ability to achieve the intended outcome(s) of its ISMS.

<Company Name> has determined the internal and external interested parties and their needs and expectations with respect to the ISMS. The requirements of these interested parties are accommodated within the ISMS approach and the scope of the ISMS. Some of the internal and external issues that have an impact on <Company Name>'s ISMS include:

Internal Issues

- Availability of a reliable, qualified, and competent workforce;
- Stability of the workforce, staff retention, and a congenial work culture;
- Opportunities to improve technology;
- Expansion of the customer base, contractual arrangements, and SLAs with suppliers; and
- Inadequate awareness of information security.

External Issues

- Compliance with guidelines, directives, regulations, and laws;
- Compliance with the requirements and regulations required by clients, as agreed between <Company Name> and the client as part of the MSA;
- Overall economic performance of the country;
- Customer demographics;
- Protection of assets against damage from external factors such as cyber-attacks, civil unrest, and natural calamities; and
- Competitive business environment.

4.2. Understanding the needs and expectations of interested parties

<Company Name> shall identify the interested parties, i.e., individuals or organizations that can influence or can be affected by <Company Name>'s information security, and shall determine their needs and expectations, including any requirements to strengthen security or to meet disaster recovery requirements. <Company Name> has identified the following internal and external interested parties and their requirements for its Information Security Management System:

Internal Parties

- Executive Management
- Consulting/Marketing Organisation
- Employees (Part-time and Full-time)
- Contractors
- Shareholders/owners of the business

External Parties

- Customers
- Advisory Consultants
- Vendors/Third party service providers/Suppliers
- Government/Regulators
- Media
Interested Parties            Internal/External   Requirements

Executive Management          Internal            Minimal business interruptions;
                                                  business growth; maintenance of
                                                  brand value and reputation;
                                                  ensuring customer satisfaction;
                                                  ensuring continued relationships
                                                  with key partners and vendors;
                                                  adherence to legal & regulatory
                                                  requirements; adherence to
                                                  contractual requirements

Consulting/Marketing Group    Internal            <Add requirements>

Employees/staff               Internal            <Add requirements>

Government/Regulators         External            <Add requirements>

Customers                     External            <Add requirements>

Media                         External            <Add requirements>

Vendors/Suppliers             External            <Add requirements>

Legal bodies                  External            <Add requirements>
If you're looking for an automated compliance platform to help maximize your
cyber security budget, talk to Sprinto's experts today! Sprinto is a compliance
automation platform that helps organizations much like yours get compliance-
ready in as short a time as possible.

Get Demo

sales@sprinto.com www.sprinto.com
