Build a free ISMS: how to create a great landing page

A landing page is a key part of your ISMS. Learn how to create the perfect one to help your colleagues and auditors

An ISO 27001 Information Security Management System (ISMS) landing page is a resource that provides information about an organisation’s ISMS. It can be used to educate employees about information security, communicate the organisation’s commitment to information security, and demonstrate that the organisation is meeting the requirements of ISO 27001.

Creating a good landing page is not at all complicated: a few simple building blocks are needed and the trick is to know what ISMS pages to include within the different sections of the landing page.

In a rush? Here’s the post summary

  • A landing page is a key part of your ISMS. It helps employees and auditors with rapidly accessing information security documentation relevant to their role
  • A landing page must include, at a minimum, a header, an introduction to the ISMS, a policies library and quick links to additional information security resources
  • Absence of a landing page within your ISMS can lead to audit findings. One such common finding is that ISMS documentation is hard for employees to locate and, therefore, consume

A landing page for an ISMS is important to both the company and auditors. For the company, the landing page can help to:

  • Raise awareness of information security: The landing page can educate employees about the importance of information security and the risks associated with not having a strong ISMS

  • Communicate the organisation’s commitment to information security: The landing page can show potential and existing customers that the organisation takes information security seriously

  • Demonstrate compliance with ISO 27001: The landing page can provide auditors with the information they need to assess the organisation’s compliance with ISO 27001

An ISMS landing page should contain, at a minimum, the following four sections:

  1. Landing page header
  2. Introduction to the ISMS
  3. ISMS policies library
  4. Quick links to additional resources

We’ll go through each section in detail so that you know exactly what content to include in it.

Landing page header

A header at the top of an ISMS landing page serves primarily as a timesaver that immediately directs the attention of visitors to the information that will be presented within the ISMS.

In addition to providing links to key ISMS information, the header should convey the organisation’s commitment to information security and highlight the landing page’s core message: visitors should understand the purpose of the ISMS and what type of information they can expect to find.

The header is composed of two sections. Ideally both should be placed at the same level, one on the left and the other on the right. The two sections of the header should be 1) Key ISO 27001 certification information and contacts and, 2) quicklinks to essential ISO documents.

Key ISO 27001 certification information and contacts

This section should be placed on the left side of the header. It should include a brief statement that outlines:

  • The date since which the company has been certified and the date on which the ISO 27001 certification expires. This is key information for 80% of readers reaching your ISMS landing page, as most will be looking for the certification’s date of expiry. It also serves as a useful reminder to the CISO and the Governance, Risk & Compliance (GRC) team
  • Key contact point for all questions regarding the company ISMS. This part of the statement should include a picture and contact details (such as email or phone number) of the contact point so that readers may immediately get in touch. Suitable contact points to include here can be the CISO or the Head of GRC

Above the statement you can include, optionally and at your discretion, a certification badge. Such badges are typically granted by the certification entity. They serve no specific purpose in the header and are mostly added for aesthetic effect.

Quicklinks to essential ISO documents

This section should be placed on the right side of the header. It should include, at a minimum, these documents:

  1. The ISO 27001 certification itself. It is key to add the certification at the top of the landing page, as the vast majority of page readers will want to retrieve and share the certification with someone else (e.g. a prospect, or other departments internally)
  2. Link to copies of the ISO 27001 standard requirements, vocabulary and code of practice. While most readers will not be interested in viewing the ISO standard, your internal GRC team (and CISO) will appreciate having a trusted location where the standard can be rapidly retrieved. Make sure to include only documents that are aligned with the ISO 27001 version against which your company is certified

Introduction to the ISMS

After the header, a short introduction is needed explaining what information security means for your company and why it matters. The title of this section should be clear and unambiguous (e.g. Information Security at Acme Inc.) and the opening paragraph should explain how each individual - whether a manager or not - has an obligation to uphold information security within the company.

In addition to the above, the paragraph should clearly explain what information is provided on the page. Finally, a statement must be included to specify that every company employee is obliged to read and understand the documents relevant to their job role. This is fundamental from an audit perspective as it provides yet another piece of evidence showcasing how employees at your company are reminded of their obligations to read and understand ISMS policies.

Below the introductory paragraph, include a high-level description of the key ISMS stakeholders and their specific responsibilities for upholding the ISMS throughout the organisation. A simple table should do: at a minimum, list the names of the CEO and CISO and their corresponding responsibilities regarding the ISMS. You should also include a row describing the ISMS responsibilities that team leaders, project managers or department heads must uphold during their tenure.

ISMS policies library

The ISMS policies library is the heart of the landing page. Its purpose is to list essential ISMS policies and make them easily discoverable to different divisions and employee groups within the company. This section is not provided just for the sake of convenience. It will, in fact, serve as audit proof that the ISMS can be easily found by employees and effectively used to find policies relevant to their job role.

How you build the outline of your ISMS policies library will largely depend on the size and structure of your company. However, the basic structure of the library should contain the following groupings and policies:

  1. General personnel section: Under this grouping you should list the essential ISMS policies that all employee groups within your company are required to know and understand. Policies that should be incorporated within this group include, but are not limited to, any policy that employees are required to read and acknowledge as part of their security induction during their first onboarding weeks. At a minimum, the following policies should always be listed in this section:
    • Information security policy: Gives employees an overview of the company’s information security strategy and objectives
    • Acceptable use policy: Outlines the security obligations to be respected while working for the company
    • Information classification policy: Describes how information should be classified (according to confidentiality levels) and handled
    • Incident reporting policy: Assists employees with behaving properly during an information security incident
    • Data protection policy: Helps employees understand how to treat data in a compliant manner while working for the company
    • Visitor policy: Outlines the procedures to be followed when inviting external guests on company premises
  2. (Optional) Management personnel section: Under this grouping you should list the essential ISMS policies that your company management is required to know and understand. Adding a dedicated section for management may not make sense in every case, for example within large enterprises where upper management could have access to dedicated intranets. Confidentiality reasons could also prevent the inclusion of this section. If you decide in any case to include this section within your ISMS landing page, then you should list the below ISMS policies:
    • Leadership and commitment policy: outlines in detail the information security commitment that management promotes and upholds within the company
    • Communication: outlines who communicates what across the company when it comes to ISMS changes and activities
    • Monitoring, measurement, analysis and evaluation policy: explains in detail how information security is monitored and evaluated within the company
    • Continual improvement policy: explains how information security is continually improved within the company
    • Risk management policy: a core policy for management explaining how risk is managed within the company according to the Plan, Do, Check and Act cycle
    • Business continuity management policy: another core management policy outlining the organisation’s plan to stay resilient during major incidents threatening business continuity
  3. Software development personnel section: Under this grouping you should list the policies that tell software engineering teams what the company’s high-level rules are for developing and maintaining software products. The policies to include in this section are:
    • Secure software development policy: provides top level guidance on how software is expected to be developed securely within the organisation
    • Change management policy: helps understand how changes to software code and software products should be controlled and managed
    • Logging management policy: a key policy providing the minimum mandatory logging requirements that developers must follow when developing software
    • Vulnerability management policy: describes how software vulnerabilities must be monitored and patched when software is deployed to production
  4. Information Technology personnel section: Under this grouping you should list all policies that every member of internal IT functions is required to know. Policies to list under this grouping include:
    • Backup management policy: outlines procedures for regularly copying and storing data securely, ensuring company employees can recover files lost due to accidents, errors, or cyberattacks
    • Asset management policy: guides how employees track, use, and care for company resources, helping them work efficiently and responsibly with valuable equipment and information
    • Access controls policy: dictates who can access specific data and systems, empowering employees to work confidently knowing confidential information is protected while promoting accountability and preventing misuse
  5. (Optional) Supplier management personnel section: This grouping is also optional. It should be included only if your company does business with many suppliers (e.g. a SaaS company). In such cases, it would be advisable to include the below list of policies:
    • Supplier management policy: establishes guidelines for selecting, evaluating, and collaborating with vendors, helping employees make informed choices that protect the company’s security, reputation, and resources
    • List of suppliers: provides a link to a supplier management platform or database, so employees may reference a centralised suppliers list during their day-to-day activities
  6. Human resources personnel section: This is a high importance grouping of policies and it should be included without exception. It will give your HR team all the tools they need to keep the company safe and compliant when dealing with internal and external people in the company. The minimum list of policies to list here is as follows:
    • Security awareness policy: educates and empowers company employees to recognize and combat cybersecurity threats, fostering a culture of vigilance and protecting sensitive information
    • Security awareness training plan: equips company employees with the knowledge and skills to identify and mitigate security risks, strengthening their defenses against cyber threats and safeguarding company data
    • (Optional) Security screening policy: ensures qualified and trustworthy individuals gain access to company information and systems, protecting employees by reducing internal security risks and fostering a safer work environment. Depending on the sensitivity of the information contained within, you may choose not to list this policy on your landing page.
  7. Legal and auditor personnel section: Under this section you should include all policies that need to be known and regularly inspected by your legal and audit teams (both external and internal). The policies to include in this grouping are:
    • Scope of the ISMS: clarifies which information and systems need protection, helping employees understand their security responsibilities and focus their efforts on securing what truly matters. Additionally, it clarifies the boundaries of the ISMS, allowing auditors to efficiently assess compliance and focus on relevant controls
    • Interested parties needs and expectations policy: lists all information security requirements derived from and imposed externally by the laws and directives of the countries within which the company operates
    • Documented information policy: outlines ISMS documentation standards as well as retention periods in line with applicable legislation
    • Understanding the organisation and its context policy: provides auditors with a detailed explanation of the company’s purpose, structure and business activity
    • Audit concept: outlines how external and internal audits should be carried out throughout the lifetime of the organisation
    • Statement of applicability: outlines which controls from the ISO 27001 standard apply to the company, helping employees, auditors and prospects understand how the organisation fulfils the security responsibilities outlined within the ISMS framework during day-to-day operations

Quick links to additional resources

In the bottom section of your landing page you should include links to resources that you expect employees to use frequently. The exact list of resources will vary between companies, but a good set of resources to consider is as follows:

  • Product security packages: If your company provides SaaS products, chances are that it furnishes prospective customers with information packs on security and compliance topics. Linking them here will save sales teams a great deal of time finding them and sharing them externally
  • Link to your trust center: Similar to the above, if your company has a trust center or a security page you should also link it in this section. The aim here is, again, to help your sales and customer management team get quickly to additional security resources
  • Links to security whitepapers: If your company is in the business of selling security products or services then it may be a good idea to include any whitepapers providing detailed information on the products and services offered
  • Security team wiki: It is always a good idea to link your security team’s internal wiki space with the ISMS intranet. That way readers may jump to more detailed operational information if needed
  • Audit centre or statement of applicability: Audit resources are also frequently shared with customers or prospects. Providing a link to your company’s trust centre or statement of applicability will be of great convenience to customer management or governance and compliance teams

Conclusion

In conclusion, an ISO 27001 ISMS landing page that provides an introductory section, an ISMS policies library, as well as quick links to additional resources can be extremely helpful to a cybersecurity team and the wider organisation.
By effectively communicating the organisation’s commitment to information security, the landing page can raise awareness and encourage employee engagement in cybersecurity initiatives. Additionally, providing easy access to policies and additional resources empowers employees to take informed decisions and actions when it comes to security in your company.

Hopefully the landing page guidance provided in the above paragraphs will be of great use to you and your team.