Information security policy template
Published
Information security is no longer just an IT concern. It’s a fundamental part of running a modern business. From employee records and payroll data to customer information and commercial insights, New Zealand businesses handle vast amounts of sensitive data every day. Without clear rules and safeguards in place, even a small mistake can lead to serious financial, legal and reputational consequences.
An information security policy provides the framework your business needs to protect its data, systems and people. It sets clear expectations for how information should be handled, defines responsibilities across the organisation and helps ensure you meet your legal and regulatory obligations.

Understanding an information security policy template
An information security policy template gives you a clear starting point, not a rigid set of rules. It provides a structure covering the essential areas of information security, including data classification, access controls, acceptable use, incident response and employee responsibilities. These sections reflect best practice and regulatory expectations, while remaining customisable to your business size, industry and risk profile.
To get the most from a template, start by assessing your specific risks and operational realities. Adapt the language so it’s clear and practical for your team, and align it with your existing tools and processes. A policy your people can actually follow is far more valuable than one they ignore.
The importance of information security in modern businesses
Every organisation relies on data to operate, from employee payroll records and customer payment details to intellectual property and commercially sensitive information. This data has real value, making it a target for cybercriminals. But it’s not just about stopping attacks. Customers, employees and partners expect their data to be handled responsibly, and a breach can make that trust extremely difficult to rebuild.
In New Zealand, businesses must comply with the Privacy Act 2020, overseen by the Office of the Privacy Commissioner (OPC). A serious breach can result in significant fines, enforcement action and lasting reputational damage. A robust information security policy helps protect against all of these risks and signals reliability to those you work with.
Best practices for data protection
Strong data protection comes from consistent, sensible habits embedded into everyday working practices. Key steps include:
- Access control: Apply the principle of least privilege. People should only access information they need for their role. Use your HR or identity management tools to manage permissions and restrict access to sensitive data.
- Strong authentication: Enforce strong, unique passwords and enable Multi-Factor Authentication (MFA) wherever possible. This single measure blocks the vast majority of credential-based attacks.
- Secure onboarding: Require new starters to read and formally acknowledge your information security policy before accessing company systems, setting clear expectations from day one.
- Regular updates: Keep operating systems, applications and devices set to update automatically so security patches are applied promptly.
- Encryption: Protect data at rest and in transit. If a device is lost or stolen, encryption ensures the data it holds remains secure.
Responding effectively to data breaches
Breaches are a realistic possibility for any organisation. The key is planning ahead so you can respond effectively rather than reactively.
Your policy should include a clear, step-by-step response plan:
- Containment: Isolate affected devices, disable compromised accounts and stop further unauthorised access.
- Assessment: Identify what happened, what systems were affected and whether sensitive data was accessed.
- Notification: Under the Privacy Act 2020, you must notify the OPC of a privacy breach that has caused, or is likely to cause, serious harm. Affected individuals should also be informed promptly and honestly.
- Review: Once resolved, analyse what went wrong and use the findings to strengthen your controls and update your policy.
Crafting a comprehensive information security policy
A comprehensive policy doesn’t need to be lengthy. It just needs to be clear, practical and easy for anyone in your team to understand.
Start by defining your security objectives: what information are you protecting and why does it matter? Then outline employee responsibilities in specific, plain-language terms – things like locking screens, using secure networks and following approved data handling processes. Avoid jargon and legalese. If employees don’t understand the policy, they won’t follow it consistently.
The aim is to create a security-first culture where protecting information feels like a normal part of the working day, not an inconvenient IT imposition.
Developing a robust security policy for your organisation
Your business isn’t static, and your security policy shouldn’t be either. Review it at least annually, and whenever you introduce new technology or make significant changes to how you operate. Ask yourself: are these rules still practical? Do they enable safe work, or do they create unnecessary friction? Overly restrictive policies drive workarounds and shadow IT, often creating more risk than they prevent.
Addressing disciplinary action in security policy breaches
Clear rules only work if there are clear consequences when they’re not followed. If an employee disregards the policy — sharing passwords, bypassing controls or installing unauthorised software — the issue needs to be addressed. Without defined outcomes, a policy becomes optional guidance rather than a genuine requirement.
Disciplinary matters should always be handled fairly, consistently and in line with your wider HR policies and employment law obligations under the Employment Relations Act 2000. Your policy should explain how breaches will be investigated and what action may follow, depending on severity and intent. For complex cases, access to HR advisory support can help you navigate these situations confidently and lawfully.
Your next step: Create an information security policy
A well-crafted information security policy is one of the most valuable investments you can make in protecting your business. By defining your security goals, outlining employee responsibilities and putting practical procedures in place, you create a strong foundation for safeguarding your data, systems and reputation.
The information in this article is current as at 5 March 2026, and has been prepared by Employment Hero Pty Ltd (ABN 11 160 047 709) and its related bodies corporate (Employment Hero). The views expressed in this article are general information only, are provided in good faith to assist employers and their employees, and should not be relied on as professional advice. Some information is based on data supplied by third parties. While such data is believed to be accurate, it has not been independently verified and no warranties are given that it is complete, accurate, up to date or fit for the purpose for which it is required. Employment Hero does not accept responsibility for any inaccuracy in such data and is not liable for any loss or damages arising directly or indirectly as a result of reliance on, use of or inability to use any information provided in this article. You should undertake your own research and seek professional advice before making any decisions or relying on the information in this article.