August 27, 2025

Information Security Guideline

Structure, content & samples for download

What if a company is the victim of a targeted attack tomorrow — and no one knows who has to do what?

This is exactly where the information security guideline comes in: it is like a lighthouse in fog, showing the direction when it gets stormy. As the strategic foundation of an effective information security management system (ISMS), it describes the desired target state, provides orientation and sets the framework for all security activities in the organization.

But what exactly goes into it? And how can artificial intelligence (AI) help not only to write the guideline, but also to bring it to life? This article is intended for information security managers, ISOs, CISOs, top management and anyone interested in information security and setting up an ISMS with or without previous experience.

Note: To simplify matters, I use the term “top management” as a collective term for management, board of directors and other senior functions at the top level.

What is the purpose of an information security guideline?

Imagine that the information security guideline were a map: it doesn't show every path in detail, but it makes clear where the journey should go and what is particularly important along the way.

It documents the “what” and “why,” not the “how.” It provides the long-term framework for all ISMS measures and supports key corporate goals such as trust, resilience and compliance.

An information security guideline documents the strategic objectives for information security; the standard (ISO/IEC 27001) refers to it as the policy or information security policy.

What should be included in an information security guideline?

Each section of the guideline answers specific questions, and each question should be answered in a binding manner by specific people in the organization.

1. Purpose

  • Why is the ISMS being established?
  • Which strategic goals should be supported?
  • Who is called upon? Top management, CISO/ISO

2. Scope

  • Which areas and resources does the ISMS apply to?
  • Who is called upon? CISO, ISO

3. Management statement

  • Why is information security a top priority?
  • What importance does top management attach to the issue?
  • Who is called upon? Top management

4. Principles of Information Security

  • Which values and principles apply?
  • For example: confidentiality, integrity, availability, authenticity

5. Security goals

  • Which specific security goals should be achieved — technically, organizationally and culturally?
  • Who is called upon? CISO, ISO

6. Legal & contractual requirements

  • What are the legal, regulatory and contractual requirements?
  • Who is called upon? Top management, compliance managers

7. Security organization & resources

  • How is the ISMS organizationally anchored?
  • Who is responsible?
  • What resources are being provided?
  • Who is called upon? Top management, CISO, ISO

8. Risk management

  • How are information security risks identified, assessed, handled and documented?
  • Who is called upon? ISO, risk owner

9. Dealing with security incidents

  • What are the basic principles for identifying, reporting and processing incidents?
  • Who is called upon? ISO, IT, all employees

10. Obligations to cooperate

  • What is the role of employees in implementing the security strategy?
  • Who is called upon? All employees, top management

11. Communication & awareness raising

  • How is security awareness built up and anchored in the company?
  • Who is called upon? Top management, CISO/ISO

12. Enforcement

  • What happens if the policy is violated?
  • What consequences are foreseen?
  • Who is called upon? Top management, HR, compliance

13. Continuous improvement

  • How is the ISMS regularly reviewed and developed?
  • Who is called upon? Top management, CISO/ISO

14. Validity & Revision

  • When does the guideline come into force?
  • How often is it reviewed and, if necessary, revised?
  • Who is called upon? CISO, documentation team

And now AI comes into play — but how?

Let's think in pictures again: an AI is like a well-trained co-pilot who does not fly the aircraft but can work out exactly which route is safe and efficient.

What does that look like in practice?

A company — such as a financial start-up or an energy supplier — must regularly adjust its information security guidelines. The reasons for this may be:

  • New legal requirements (e.g. NIS2 Directive or DORA)
  • Introduction of new technologies
  • Changes in corporate strategy

An AI can help by:

  • Automatically detecting which sections are affected
  • Making suitable suggestions for adjustments
  • Keeping the text consistent in style
  • Adapting the content to the goals of the ISMS

What does that mean in practice?

  • Generate templates automatically — Language models suggest suitable text modules based on ISO/IEC 27001.
  • Test for compliance with standards — AI recognizes missing sections and checks against ISO 27001:2024.
  • Versioning & change tracking — Intelligent tools document what changed, when and why.
  • Prepare audits — AI detects weak points and provides relevant evidence.
  • Facilitate access to knowledge — Employees get quick orientation via an interactive Q&A tool.
  • Risk-based recommendations — AI links real-time data with security goals and suggests preventive measures.
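Whether a guideline draft is complete against the 14-section structure above is something that can be checked deterministically before any language model is asked for wording. The following script is an added example (not code from the article or its author) of such a pre-check: it splits a Markdown draft into `## N. Title` sections, reports sections that are missing, empty or without an `Owner:` line, and verifies that the "Validity & revision" section carries a `Next review:` date that is not already in the past. The heading format, the `Owner:` and `Next review:` conventions and the sample draft are all assumptions constructed for this example.

```python
"""Deterministic completeness check for an information security guideline draft.

Added example, not from the article. Assumes the draft is Markdown with
'## N. Title' headings, an 'Owner:' line per section and a
'Next review: YYYY-MM-DD' line in the 'Validity & revision' section.
"""
import re
from datetime import date

# The 14 sections from the article, normalized to lower case.
REQUIRED_SECTIONS = [
    "purpose", "scope", "management statement",
    "principles of information security", "security goals",
    "legal & contractual requirements", "security organization & resources",
    "risk management", "dealing with security incidents",
    "obligations to cooperate", "communication & awareness raising",
    "enforcement", "continuous improvement", "validity & revision",
]

HEADING_RE = re.compile(r"^##(?!#)\s*(?:\d+\.\s*)?(.+?)\s*$", re.MULTILINE)
OWNER_RE = re.compile(r"^Owner:\s*(.+)$", re.MULTILINE | re.IGNORECASE)
REVIEW_RE = re.compile(r"^Next review:\s*(\d{4}-\d{2}-\d{2})", re.MULTILINE | re.IGNORECASE)


def normalize(title):
    """Lower-case a heading, map 'and' to '&', collapse whitespace."""
    title = re.sub(r"\band\b", "&", title.strip().lower())
    return re.sub(r"\s+", " ", title)


def split_sections(markdown):
    """Return {normalized title: body text} for every '## ...' heading."""
    sections = {}
    matches = list(HEADING_RE.finditer(markdown))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(markdown)
        sections[normalize(m.group(1))] = markdown[m.end():end].strip()
    return sections


def check_guideline(markdown, today):
    """Return a list of findings; an empty list means the draft passes."""
    findings = []
    sections = split_sections(markdown)
    for title in REQUIRED_SECTIONS:
        body = sections.get(title)
        if body is None:
            findings.append(f"MISSING: section '{title}' not found")
            continue
        if len(body) < 40:  # 'TBD'-style placeholders
            findings.append(f"PLACEHOLDER: section '{title}' has almost no content")
        if not OWNER_RE.search(body):
            findings.append(f"NO OWNER: section '{title}' names no responsible role")
    if "validity & revision" in sections:
        m = REVIEW_RE.search(sections["validity & revision"])
        if m is None:
            findings.append("NO REVIEW DATE: 'Validity & revision' states no next review date")
        elif date.fromisoformat(m.group(1)) < today:
            findings.append(f"OVERDUE: next review {m.group(1)} is in the past")
    return findings


# Constructed sample draft: deliberately incomplete so the check has something to report.
SAMPLE_DRAFT = """\
# Information Security Guideline (constructed sample draft)

## 1. Purpose
The ISMS protects the information assets that our services depend on.
Owner: Top management

## 2. Scope
All business units, IT systems and data processed by Example Corp.
Owner: CISO

## 3. Management statement
TBD

## 5. Security goals
Confidentiality, integrity and availability of customer data are to be
maintained; incident response readiness is to be verified annually.

## 14. Validity & revision
This guideline is effective from 2025-01-01.
Next review: 2025-06-30
Owner: CISO
"""
SAMPLE_TODAY = date(2025, 8, 27)  # the article's publication date, used as 'today'


def run_sample():
    """Run the check on the constructed draft as of SAMPLE_TODAY."""
    return check_guideline(SAMPLE_DRAFT, SAMPLE_TODAY)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the constructed draft this reports nine missing sections, one placeholder ("Management statement"), two sections without an owner and one overdue review date. The point of keeping this step rule-based is that the findings are reproducible and auditable; a language model can then be asked to draft text only for the sections the check has flagged, which keeps the responsibility for the content with the named roles.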

And responsibility?

Responsibility remains — in line with ISO 27001 — with the roles in the company. AI only helps to implement this responsibility more easily and effectively.

Conclusion

The information security guideline is not just an audit document, but the central steering instrument for information security. With the right tools — including AI — it is not only created more efficiently, but also actually used in day-to-day operations.

Do you want to make your own guideline fit, strategic, understandable and audit ready? Then let's talk.

Authors:
Rojda Akpolat

Get the template for your information security guideline now!

Save yourself unnecessary research: our sample guideline gives you structure, examples and content you can use directly.
