With the increasing reliance on information technologies, cloud services and internet as communications media, businesses, public and societal organizations face growing threats from cyberspace and, respectively, demands to protect sensitive data and information they collect, use, and disseminate. This paper elaborates on the key considerations organisations with more limited resources, such as schools, universities, research institutes and public organizations need to take into account in designing and implementing a respective information security policy. We start with a description of context and definition of the scope of information security policy, in particular delineating 'information' and 'cyber' security, and provide an overview of the most prominent frameworks and standards. On that basis we elaborate and structure the main areas of an information security policy, the main implementation challenges, and the need to review and amend the policy in a continuous cycle and comprehensive risk management framework. Depending of the specifics of their work, any school, university, institute and municipality may use this elaboration as a starting point in devising its own information security policy.