ISO 27001 Annex A.5: Information Security Policies
What is the objective of Annex A.5.1 of ISO 27001:2013?
Annex A.5.1 is about management direction for information security. The objective in this Annex is to manage direction and support for information security in line with the organisation’s requirements, as well as in accordance with relevant laws and regulations. It includes the two controls listed below.
A.5.1.1 Policies for information security
A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.
Note: the organisational Information Security Policy is a mandatory document under both ISO 27001 (requirement 5.2) and GDPR compliance requirements (data protection assurance – security policy). This mandatory policy is included in the ISMS.online policies and controls documentation, ready to adopt, adapt or add to.
A.5.1.2 Review of the policies for information security
The policies for information security shall be reviewed at planned intervals, or if significant changes occur, to ensure their continuing suitability, adequacy and effectiveness.
Note: this is another policy included in the ISMS.online policy documentation. The ISMS.online software also includes features and tools to manage the maintenance and review of your ISMS, including management reviews, audits, corrective actions and improvements, all of which can be evidenced in the platform, with reminders set so that no review is ever missed.
More help on the ISO 27001 requirements and Annex A controls can be found in the ISMS.online Virtual Coach, which complements our frameworks, tools and policy content.
The ISO 27001 requirements are listed below:
- 4.1 Understanding the organisation and its context
- 4.2 Understanding the needs and expectations of interested parties
- 4.3 Determining the scope of the information security management system
- 4.4 Information security management system
- 5.1 Leadership and commitment
- 5.2 Information Security Policy
- 5.3 Organizational roles, responsibilities and authorities
- 6.1 Actions to address risks and opportunities
- 6.2 Information security objectives and planning to achieve them
- 7.1 Resources
- 7.2 Competence
- 7.3 Awareness
- 7.4 Communication
- 7.5 Documented information
- 8.1 Operational planning and control
- 8.2 Information security risk assessment
- 8.3 Information security risk treatment
- 9.1 Monitoring, measurement, analysis and evaluation
- 9.2 Internal audit
- 9.3 Management review
- 10.1 Nonconformity and corrective action
- 10.2 Continual improvement
The ISO 27001 Annex A Controls are listed below:
- A.5 Information security policies
- A.6 Organisation of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance