SecAware materials

~3-page information security policy template on the management of information risk.


The purpose of information risk management is to identify, evaluate and treat the organisation’s information risks in an appropriate, cost-effective manner. While it is neither sensible nor feasible to eliminate information risks completely, information risks must be managed proactively using the approach described in this policy.


Despite the prominence of cybersecurity today, a wider perspective suggests other, more creative and often more effective ways to treat (deal with) information risks. Security controls are necessary but not sufficient. For one thing, various residual risks (including those arising from the practical limitations of the information risk management process itself) must be accepted. Others are well worth accepting for business reasons, in the sense that taking calculated risks is good for business.


Supplied as an MS Word document, readily customised for your organisation's specific situation.

Information risk management policy