A security policy is a formalized set of strategic elements, guidelines, procedures, codes of conduct, and organizational and technical rules, whose objective is to protect the business's information system(s).
Because a security policy often contains sensitive information about the business (its architecture, controls and known weaknesses), it cannot be made publicly available (on your website, for example).
However, when contracting with a processor, a controller must ask for the processor's information security policy in order to assess the guarantees it offers.
Based on the ISO/IEC 27001 standard, it contains at least the following chapters: raising employee awareness of security, user authentication, authorization management, access logging and incident management, workstation security, mobile computing security, protection of the internal network, server security, website security, business continuity planning, archive security, maintenance and data destruction, subcontractor management, secure exchanges with third parties, physical security, supervision of IT development, and data encryption.