A.5.1: Management direction for information security
The first section of the annexure is dedicated to providing guidance and support for managing information security. All actions must apply to the scope of the business and comply with any laws governing the company’s jurisdiction.
A.5.1.1: Policies for information security
As per ISO 27001, all companies must ensure transparent behaviour with their employees, stakeholders, associates and clients. All interested parties must be aware of the relevant policies being implemented within the firm to protect their data.
Any policies drafted by the organization must first be reviewed, approved and then published to staff and external parties, as these policies play a fundamental role in the entire information security process. They must also be included in the education and training programs implemented in A.7, and all staff must abide by them.
A.5.1.2: Review of the policies for information security
The company’s ISMS policies must be updated regularly to keep up with any changes, whether internal or external. These changes can be management adjustments, governing laws, corporate standards or technology. An information security breach may also result in policy revision and improvement. The documents should always reflect sound procedures to protect the confidentiality, integrity and availability of files.