Policies for Information Security - ISO 27001 Annex A Control

The policy framework defines what good looks like before things go wrong.

ISO 27001 Annex A 5.1 - Policies for Information Security

Every other control in Annex A draws its authority from the policy. Without an approved, communicated information security policy, there is no anchor for the rules staff are expected to follow, and nothing to point new starters at when they need to understand what good looks like.

The control has four practical parts. The organisation must define an information security policy. That policy must be approved by management. It must be communicated to staff and to relevant interested parties such as suppliers and contractors. And it must be reviewed at planned intervals and whenever significant changes occur.

Beyond the headline policy, the standard expects topic-specific policies covering areas such as access control, acceptable use, supplier relationships, incident management, backup, cryptography and secure development. The number of topic policies depends on what the organisation actually does. The test is whether the policy framework as a whole gives staff clear direction on the parts of information security relevant to their role.

Communication and Review

A policy that nobody has read does not satisfy the control. Communication has to be active, not passive. New starters should see the policy as part of induction. Existing staff should be reminded of it through awareness training or short refreshers. External parties who fall within scope should receive the relevant policies as part of their onboarding or contract.

Most organisations set an annual review cycle, but the standard also requires review when significant changes occur. A change to the business, a new technology, a major incident, a regulatory change or a finding from an audit can all trigger an out-of-cycle review. The review needs to be evidenced even if no change is made.

When I audit Annex A 5.1, I am looking for three things. Is the policy approved by someone with the authority to approve it? Is there evidence the policy has been communicated? And is the policy current?

For approval, I want to see the version, date and approver. For communication, I want something more concrete than a claim that the policy is on the intranet - induction records, training logs or signed acknowledgements work. For currency, I want to see a review date within the last twelve months.

Practical Compliance Guidance

The information security policy framework is described in the IMS1 manual, with the headline approach in section 2.1 and the supporting policies summarised in section 8.5. The headline policy and the topic-specific policy-procedure are the two documents that do most of the work for this control.

alphaZ document | How to use it

ISO 27001 Toolkit | The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists.

PP-8-100 Information Security Policy Procedure | The policy-procedure that sits under the headline policy, containing the topic-specific policies covering ICT equipment, passwords, remote working, access control, classification, backup, cryptography and other detailed areas.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

The headline policy works best at one to three pages. It is a high-level statement of intent, not an operations manual. The detail belongs in topic-specific policies and procedures.

At planned intervals - most organisations choose annually - and whenever significant changes occur. A major incident, a new system or a regulatory change can all trigger an out-of-cycle review. The review needs to be evidenced even if no change is made.

Either approach works. A combined policy-procedure document with sections for each topic is easier to maintain and reads well as a single document for staff. Separate documents work where individual topics have specialised audiences. The choice is operational rather than required by the standard.
