ISO 27001 Annex A 5.1: Information Security Policies

Within the ISO27001:22 standard, Annex 5.1 requires that an information security policy document is held by an organisation to mitigate risk and protect against information security threats.

The document itself will outline the organisation’s approach to security and communicate them clearly and transparently to employees, stakeholders, associates and clients.

In the creation of an information security policy, an organisation may consider relevant regulations and legislation, as well as the broader needs of the business. Once drafted, the policies must be reviewed and then made available both internally and externally to interested parties.

A feature of the 2022 version of the standard is the requirement to include a programme of education, training and awareness to interested parties – as described in People Controls A.6.3.

Information security policies should be kept under constant review and updated as is necessary. Changes may include management adjustments, corporate standards, governing laws or technology updates. Policies may also require revisions in light of an information security breach.

An information security policy should always follow best practice and sound procedures in order to protect the confidentiality, integrity and availability of files.

Information security policies: what you need to know

The purpose of an information security policy is to provide a clear framework for information and data – including computer networks – to internal staff and external parties such as suppliers and customers.

An information security policy can help to ensure that all employees are aware of their responsibilities in relation to protecting the organisation’s information and more able to reduce the risk of data loss in the event of an internal or external threat.

Information security policies not only demonstrate compliance with standards such as ISO27001 but also reflect adherence to laws and regulations.

What’s changed from ISO27001:2013?

ISO27001:2022 Annex A control 5.1 Information Security Policies merges Annex A controls 5.1.1 and 5.1.2 from the ISO27001:2013 standard. In the updated version of the standard, more detail is given to the purpose of the control and guidance on its implementation is provided.

Within Annex A 5.1, information security and topic-specific policies must be clearly defined and approved by senior managers before being published, communicated to and acknowledged by relevant employees and stakeholders.

According to both ISO27001:2013 and ISO27001:2022 a security policy should be developed that outlines how organisational data will be protected and that this framework has been approved by senior management.

‍