The Regulatory Requirements for Written Information Security Policies

Some organizations still receive little management support or funding for a sound information security policy program. Within the last several years, however, numerous federal, state and international regulations have been passed that require the protection of information. Many organizations are now enhancing their information security policies in response to legal and regulatory requirements.

In some cases, these regulations are very specific about the requirements for written security and privacy policies.  Examples include HIPAA and PCI-DSS.  In other cases, a regulation simply requires safeguards that are “appropriate” for the size and type of organization. In these cases, enforcement agencies and auditors must defer to accepted best practices or frameworks for guidance, all of which require written policies. Examples of these are the  Control Objectives for Information Technology (COBIT™) and ISO/IEC 27002.

The following table contains a partial list of security or privacy-related regulations and their specific information security policy requirements. Where appropriate, the list includes the security policy requirements of several key frameworks used to manage compliance with various regulations.

Regulatory Requirements for Information Security Policies
Regulation/Framework Industry/Country Policy Requirement
HIPAA (Health Insurance Portability and Accountability Act of 1996)
Security Final Rule

Healthcare (U.S.)
Policies and Procedures 164.316 (a)
(R) Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart.
Sarbanes-Oxley Act, Section 404 – based on COBIT (Control Objectives for Information Technology)
Control Objectives, Section 6: Communicate Management Aims and directions.
All Publicly Traded Companies (U.S)
6.2 Management’s Responsibility for Policies
“Management should assume full responsibility for formulating, developing, documenting, promulgating and controlling policies covering general aims and directives.”
Payment Card Industry Data Security Standard
Financial Services
Requirement 12: Maintain a policy that addresses information security
Gramm-Leach-Bliley Act (GLBA) Title V – Section 501
FFIEC – Interagency Guidelines Establishing Standards For Safeguarding Customer Information
Financial Services (U.S.)
“Each Bank shall implement a comprehensive written information security program [policies] that includes administrative, technical and physical safeguards.”
NERC-FERC Cyber Security Standard
CIP-003-1 Security Management Controls
Energy/Infrastructure (U.S.)
Requirement 1.
The Responsible Entity shall create and maintain a cyber security policy that addresses the requirements of this standard and the governance of the cyber security controls.
Federal Information Security Management Act (FISMA)


NIST SP 800-53
Federal Government (U.S.)
“(a) The head of each [Federal] agency shall delegate to the agency Chief Information Officer ensuring that the agency effectively implements and maintains information security policies, procedures, and control techniques;”
PIPEDA (Bill C6) – Personal Information Protection and Electronic Document Act
All Industries (Canada)
4.1 Principle 1 – Accountability
Organizations shall implement policies and practices to give effect to the principles.
EU Data Protection Directive
All Industries (European Union)
Organizations must “implement appropriate technical and organizational measures to protect personal data.”
ISO/IEC  27002:2013
Section 1.1 Information Security Policy Document
Information Security Framework
A written policy document should be available to all employees responsible for information security.
US Cyber Security Framework (CSF)
Security Framework
ID.GV-1: Organizational information security policy

This table is one of the many resources available within Information Security Policies Made Easy.