
ISO 27001 – Annex A.5: Information Security Policies

What is the objective of Annex A.5.1 of ISO 27001:2013?

Annex A.5.1 is about management direction for information security. The objective in this Annex is to manage direction and support for information security in line with the organisation’s requirements, as well as in accordance with relevant laws and regulations. It includes the two controls listed below. It’s an important part of the information security management system (ISMS), especially if you’d like to achieve ISO 27001 certification. Let’s understand those requirements and what they mean in a bit more depth now.

All you need is our all-in-one, cloud-based solution

  • Trusted by hundreds of companies around the world
  • Get a 77% head start on your ISO 27001 ISMS from the minute you log on
  • Our Assured Results Method will get you to ISO 27001 certification first time
  • Maintain your certification with our simplified, secure, sustainable platform

A.5.1.1 Policies for Information Security

A set of policies for information security must be defined, approved by management, published and communicated to employees and relevant external parties. The policies must be led by business needs, alongside the applicable regulations and legislation affecting the organisation. These policies are in effect the Annex A controls, summarised in a higher-level master information security policy document that reinforces the organisation’s key statements around security to share with stakeholders such as customers. That overarching policy becomes much more believable and powerful with independent certification for ISO 27001:2013 from UKAS behind it.

Policies also provide the backbone of information security and should be part of the education, training and awareness programme in line with A.7.2.2. The policies set out the principles that members of the organisation and key parties like suppliers must follow. These policies need to be reviewed regularly and updated when necessary in line with A.5.1.2 below.

A.5.1.2 Review of the policies for information security

The policies for information security need to be reviewed at planned intervals, or if significant changes occur, to ensure their continuing suitability, adequacy and effectiveness. They should also be reviewed whenever changes are made to the business, its risks and issues, technology, or legislation and regulation, or whenever security weaknesses, events or incidents indicate a need for policy change.

Policies must also be reviewed and updated on a regular basis. ISO considers ‘regular’ to be at least annually, which can be hard work if you are manually managing that many reviews and also dovetailing it with the independent review as part of A.18.2.1.

In addition to many other features, ISMS.online includes visible and automated processes to help simplify that whole review requirement and save huge amounts of admin time versus other ways of working.

ISMS.online gives you actionable ISO 27001 policies and controls to give you this great head start…


How to easily demonstrate A.5 Information security policies

The ISMS.online platform makes it easy for you to provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

Step 1 : Adopt, adapt and add

Our pre-configured ISMS will enable you to evidence controls A.5.1.1-A.5.1.2 within our platform and easily adapt it to your organisation’s needs.

You are provided with ready-made controls and references to subordinate policies that can be adopted, adapted, or added to out of the box.

This means that you have a ready-made, simple-to-follow foundation for ISO 27001 compliance or certification, giving you a 77% head start.


Step 2 : Demonstrate to your auditors

You can easily demonstrate your work to auditors by recording your evidence within the platform e.g. data, policies, controls, procedures, risks, actions, projects, related documentation and reports.

Step 3 : A time-saving path to certification

Our Assured Results Method, ARM, is your simple, practical, time-saving path to first-time ISO 27001 compliance or certification. A.6 is part of the second section that ARM will guide you on, where you’ll begin to describe your current information security policies and controls in line with Annex A controls.

Step 4 : Extra support whenever you need it

If you need extra support, our optional Virtual Coach provides context-specific help whenever you need it. Additionally, our Service Delivery Team and your Account Manager are only ever a phone call away.