Information Security Policy Template for the Philippines

Generate a bespoke document

What is an Information Security Policy?

An Information Security Policy outlines how an organization protects its digital and physical information assets from threats and unauthorized access. For Filipino businesses, it serves as the cornerstone of cybersecurity compliance, especially under the Data Privacy Act of 2012 and NPC guidelines.

This policy sets clear rules for handling sensitive data, from customer information to trade secrets. It guides employees on proper password management, device usage, and data sharing protocols while establishing response procedures for security incidents. Companies use it to demonstrate their commitment to data protection and maintain trust with stakeholders.

Frequently Asked Questions

When should you use an Information Security Policy?

Every business handling digital information needs an Information Security Policy from day one of operations. This is especially crucial for Philippine companies processing personal data, as the Data Privacy Act requires documented security measures to protect sensitive information.

Use this policy when setting up new IT systems, onboarding employees, or responding to cybersecurity incidents. It becomes vital during security audits, when expanding digital operations, or if your organization handles financial data, healthcare records, or customer databases. Having it ready before a breach occurs helps avoid penalties from the National Privacy Commission and maintains customer trust.

What are the different types of Information Security Policy?

  • Phishing Policy: Focuses on protecting employees and systems from email-based cyber attacks and social engineering attempts
  • Email Security Policy: Establishes guidelines for secure email communication, including proper handling of confidential information
  • Email Encryption Policy: Details requirements for encrypting sensitive email communications to meet data protection standards
  • Vulnerability Assessment Policy: Outlines procedures for identifying and addressing system security weaknesses
  • Secure Sdlc Policy: Guides security integration throughout software development lifecycle stages

Who should typically use an Information Security Policy?

  • IT Security Teams: Draft and implement the Information Security Policy, monitor compliance, and update security measures
  • Data Protection Officers: Ensure alignment with Philippine Data Privacy Act requirements and NPC guidelines
  • Company Executives: Approve policies, allocate resources, and demonstrate leadership commitment to information security
  • Department Managers: Help tailor policies to their unit's needs and enforce compliance among team members
  • Employees: Follow security protocols, attend training, and report potential security incidents
  • Third-party Vendors: Comply with security requirements when accessing company systems or handling data

How do you write an Information Security Policy?

  • Asset Inventory: Document all IT systems, data types, and physical information assets your organization handles
  • Risk Assessment: Identify potential security threats and vulnerabilities specific to your business operations
  • Legal Requirements: Review Data Privacy Act compliance needs and NPC guidelines for your industry
  • Access Levels: Map out who needs access to what information and under which circumstances
  • Security Controls: List existing technical and administrative safeguards already in place
  • Incident Response: Plan your breach notification and recovery procedures before drafting
  • Training Needs: Determine how you'll communicate and enforce the policy across your organization

What should be included in an Information Security Policy?

  • Purpose Statement: Clear objectives and scope of the security policy aligned with Data Privacy Act requirements
  • Security Measures: Technical, physical, and organizational controls to protect information assets
  • Access Controls: Detailed procedures for granting, monitoring, and revoking system access
  • Data Classification: Categories of information and their corresponding protection levels
  • Incident Response: Steps for handling and reporting security breaches per NPC guidelines
  • User Responsibilities: Employee obligations and acceptable use guidelines
  • Compliance Requirements: References to relevant Philippine laws and industry standards
  • Review Process: Schedule and procedures for policy updates and assessments

What's the difference between an Information Security Policy and an IT Security Policy?

While often confused, an Information Security Policy differs significantly from an IT Security Policy. Let's explore their key distinctions to help you choose the right document for your needs.

  • Scope: Information Security Policy covers both digital and physical information protection across the entire organization, while IT Security Policy focuses specifically on technical systems and digital assets
  • Compliance Focus: Information Security Policy directly addresses Data Privacy Act requirements and NPC guidelines for overall information handling, whereas IT Security Policy concentrates on technical compliance standards
  • Implementation Level: Information Security Policy sets organization-wide principles and governance frameworks, while IT Security Policy provides detailed technical specifications and protocols
  • Stakeholder Involvement: Information Security Policy requires input from legal, management, and operations teams, while IT Security Policy primarily involves IT department and technical staff

Reviewed by

Swetha Meenal

Legal Engineer, GenieAI

Swetha Meenal profile photo

A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Imad Mohammed Nazar

Legal Engineer, GenieAI

Imad Mohammed Nazar profile photo

A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction

Philippines

Publisher

GenieAI

Category

Policies

Cost

Free to use

Last updated

About the Information Security Policy

  • Asset Inventory: Document all IT systems, data types, and physical information assets your organization handles
  • Risk Assessment: Identify potential security threats and vulnerabilities specific to your business operations
  • Legal Requirements: Review Data Privacy Act compliance needs and NPC guidelines for your industry
  • Access Levels: Map out who needs access to what information and under which circumstances
  • Security Controls: List existing technical and administrative safeguards already in place
  • Incident Response: Plan your breach notification and recovery procedures before drafting
  • Training Needs: Determine how you'll communicate and enforce the policy across your organization

Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it