ISO 27001 - Annex A.5: Information Security Policies
What is the objective of Annex A.5.1 of ISO 27001:2013?
Annex A.5.1 is about management direction for information security. The objective in this Annex is to manage direction and support for information security in line with the organisation’s requirements, as well as in accordance with relevant laws and regulations. It includes the two controls listed below. It’s an important part of the information security management system (ISMS) especially if you’d like to achieve ISO 27001 certification. Lets understand those requirements and what they mean in a bit more depth now.
A.5.1.1 Policies for Information Security
A set of policies for information security must be defined, approved by management, published and communicated to employees and relevant external parties. The policies must be led by business needs, alongside the applicable regulations and legislation affecting the organisation too. These policies in effect are the Annex A controls, also summarised up into a higher level master information security policy document that reinforces the organisation’s key statements around security to share with stakeholders like customers. That overarching policy becomes much more believable and powerful with independent certification for ISO 27001:2013 from UKAS behind it.
Policies also provide the backbone of information security and should be part of the education, training and awareness programme in line with A7.2.2. The policies set out the principles that members of the organisation and key parties like suppliers must follow. These policies need to be reviewed regularly and updated when necessary in line with A.5.1.2 below.
A.5.1.2 Review of the policies for information security
The policies for information security need to be reviewed at planned intervals, or if significant changes occur, to ensure their continuing suitability, adequacy and effectiveness. Whenever changes are made to the business, its risks & issues, technology or legislation & regulation or if security weaknesses, events or incidents indicate a need for policy change.
Policies must be also reviewed and updated on a regular basis. ISO considers ‘regular’ to be at least annually, which can be hard work if you are manually managing that many reviews and also dovetailing it with the independent review as part of A.18.2.1.
In addition to many other features, ISMS.online includes visible and automated processes to help simplify that whole review requirement and save huge amounts of admin time versus other ways of working.
ISMS.online gives you actionable ISO 27001 policies and controls to give you this great head start…
“Our staff immediately took to the ISMS.online platform and it has really expedited our route to achieving ISO 27001 and GDPR. The Policy Pack feature makes it easy to track who has read company policies, giving us an instant audit trail documenting compliance – a big tick in the box when it comes to our audit for ISO 27001!”
Sandra Lewy – Director, Business Operations and Research Coordinator at IACCM
ISO 27001 Annex A Controls
- A.5 Information security policies
- A.6 Organisation of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development, and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance
ISO 27001 requirements
- 4.1 Understanding the organisation and its context
- 4.2 Understanding the needs and expectations of interested parties
- 4.3 Determining the scope of the information security management system
- 4.4 Information security management system
- 5.1 Leadership and commitment
- 5.2 Information Security Policy
- 5.3 Organizational roles, responsibilities and authorities
- 6.1 Actions to address risks and opportunities
- 6.2 Information security objectives and planning to achieve them
- 7.1 Resources
- 7.2 Competence
- 7.3 Awareness
- 7.4 Communication
- 7.5 Documented information
- 8.1 Operational planning and control
- 8.2 Information security risk assessment
- 8.3 Information security risk treatment
- 9.1 Monitoring, measurement, analysis and evaluation
- 9.2 Internal audit
- 9.3 Management review
- 10.1 Nonconformity and corrective action
- 10.2 Continual improvement