- See ISO 27002:2022 Control 5.1 for more information.
- See ISO 27001:2013 Annex A 5.1.1 for more information.
- See ISO 27001:2013 Annex A 5.1.2 for more information.
The Essentials of Annex A 5.1: A Guide to Information Security Policies
As part of ISO 27001:2022, Annex A 5.1 specifies that organisations must have an information security policy document in place. This is to protect themselves against information security threats.
Business needs, as well as applicable regulations and legislation, must be considered when developing policies.
An information security policy document is essentially a compendium of Annex A controls that reinforces the organisation’s key statements about security and makes them available to stakeholders.
In the 2022 version of the standard, policies should also be included in the education, training, and awareness program, as described in People Controls A.6.3.
Organisational policies specify the principles that members and key parties like suppliers must adhere to. These policies should be reviewed regularly and updated as necessary.
What Are Information Security Policies?
An information security policy aims to provide employees, management, and external parties (e.g., customers and suppliers) with a framework for managing electronic information, including computer networks.
A security policy must be defined, approved by management, published and communicated to employees and relevant external parties.
In addition to reducing the risk of data loss due to internal and external threats, information security policies ensure that all employees understand their role in protecting the organisation’s data.
In addition to meeting standards such as ISO 27001, an information security policy can also demonstrate compliance with laws and regulations.
Information Security Threats and Cyber Security Explained
Cyber security threats include corporate spies and hacktivists, terrorist groups, hostile nation-states, and criminal organisations. These threats seek to unlawfully access data, disrupt digital operations, or damage information.
Threats to cyber security and information security include:
- Viruses, spyware, and other malicious programs are considered malware.
- An email that appears to be from a trustworthy source but contains links and attachments that install malware on your computer.
- Viruses prevent users from accessing their data until they pay a ransom.
- The process of manipulating people into divulging sensitive information is known as social engineering.
- Phishing emails that appear to come from high-profile individuals in an organisation are known as whale attacks.
ISO 27001 made easy
An 81% Headstart from day one
We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.
How Does ISO 27001:2022 Annex A 5.1 Work?
Information security policies are designed to protect your company’s sensitive information from theft and unauthorised access.
In accordance with ISO 27001, Annex control A 5.1 guides the purpose and implementation of establishing an information security policy in an organisation.
An overall information security policy is required by Annex A Control 5.1 for organisations to manage their information security. Senior management must approve the guidelines, which must be reviewed regularly if changes occur in the information security environment.
The appropriate approach is to meet regularly, at least once a month, with additional meetings as needed. In addition to sharing policies with internal and external stakeholders, management must approve any changes before they are implemented.
Getting Started and Meeting the Requirements of Annex A 5.1
A detailed operating procedure that describes how the information security policy will be implemented should be based on and supported by an information security policy.
The policy should be approved by top management and communicated to staff and interested parties.
In addition to giving direction to the organisation’s approach to managing information security, the policy can be used to develop more detailed operating procedures.
As required by ISO/IEC 27000 standards, a policy is essential to establishing and maintaining an information security management system (ISMS). A well-defined policy remains critical even if the organisation doesn’t intend to implement ISO 27001 or any other formal certification.
Information security policies should be reviewed regularly to ensure their continued suitability, adequacy and effectiveness.
When changes are made to the business, its risks, technology, legislation, or regulations, or if security weaknesses, events, or incidents indicate policy changes are needed.
Free yourself from a mountain of spreadsheets
Embed, expand and scale your compliance, without the mess. IO gives you the resilience and confidence to grow securely.
What Are the Changes and Differences From ISO 27001:2013?
As part of ISO 27001 revision 2013, this control merges Annex A controls 5.1.1 Policies for Information Security and 5.1.2 Review of Policies for Information Security.
Annex A control 5.1 in ISO 27001:2022 has been updated with a description of its purpose and expanded implementation guidance, as well as an attributes table that allows users to reconcile Annex A controls with industry terminology.
According to Annex A 5.1, information security and topic-specific policies should be defined, approved by management, published, communicated to, and acknowledged by the appropriate personnel.
An organisation’s information security policy should consider the size, type, and sensitivity of information assets, industry standards and applicable government requirements.
According to clause 5.1.2 of ISO 27001:2013, the purpose of Annex A is to ensure that information security policies are regularly evaluated if changes in the information security environment arise.
According to ISO 27001: 2013 and ISO 27001: 2022, top management should develop a security policy that is approved by top management and describes how the organisation will protect its data. Nevertheless, both versions of the policies cover different requirements.
Comparative Analysis of Annex A 5.1 Implementation Guidelines
According to ISO 27001:2013, information security policies should address the following requirements:
- The business strategy.
- Contracts, regulations, and legislation.
- A description of the current and projected threat environment for information security.
Information security policies should include the following statements:
- All activities pertaining to information security should be guided by a definition of information security, objectives and principles.
- Information security management responsibilities are assigned to defined roles in a general and specific manner.
- The process for handling deviations and exceptions.
In contrast, ISO 27001:2022 has more comprehensive requirements.
As part of the information security policy, the following requirements should be taken into consideration:
- Strategy and requirements of the business.
- Legislation, regulations, and contracts.
- Information security risks and threats that exist today and in the future.
Statements concerning the following should be included in the information security policy:
- Information security definition.
- A framework for establishing information security objectives.
- Information security principles should guide all activities.
- A commitment to comply with all applicable information security requirements.
- An ongoing commitment to improving the information security management system.
- Role-based assignment of responsibilities for information security management.
- Exceptions and exemptions are handled in accordance with these procedures.
In addition, ISO 27001:2022 was revised to include topic-specific policies for information security incident management, asset management, networking security, incident management, and secure development as topic-specific policies. For the purpose of creating a more holistic framework, some of the requirements of ISO 27001:2013 were removed or merged.
[case_study_slider ids=”88859,101932,92016″ autoplay=”true” autoplay_speed=”5000″]
Table of All ISO 27001:2022 Annex A Controls
In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Organisational Controls | Annex A 5.1 |
Annex A 5.1.1 Annex A 5.1.2 |
Policies for Information Security |
| Organisational Controls | Annex A 5.2 | Annex A 6.1.1 | Information Security Roles and Responsibilities |
| Organisational Controls | Annex A 5.3 | Annex A 6.1.2 | Segregation of Duties |
| Organisational Controls | Annex A 5.4 | Annex A 7.2.1 | Management Responsibilities |
| Organisational Controls | Annex A 5.5 | Annex A 6.1.3 | Contact With Authorities |
| Organisational Controls | Annex A 5.6 | Annex A 6.1.4 | Contact With Special Interest Groups |
| Organisational Controls | Annex A 5.7 | NEW | Threat Intelligence |
| Organisational Controls | Annex A 5.8 |
Annex A 6.1.5 Annex A 14.1.1 |
Information Security in Project Management |
| Organisational Controls | Annex A 5.9 |
Annex A 8.1.1 Annex A 8.1.2 |
Inventory of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.10 |
Annex A 8.1.3 Annex A 8.2.3 |
Acceptable Use of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.11 | Annex A 8.1.4 | Return of Assets |
| Organisational Controls | Annex A 5.12 | Annex A 8.2.1 | Classification of Information |
| Organisational Controls | Annex A 5.13 | Annex A 8.2.2 | Labelling of Information |
| Organisational Controls | Annex A 5.14 |
Annex A 13.2.1 Annex A 13.2.2 Annex A 13.2.3 |
Information Transfer |
| Organisational Controls | Annex A 5.15 |
Annex A 9.1.1 Annex A 9.1.2 |
Access Control |
| Organisational Controls | Annex A 5.16 | Annex A 9.2.1 | Identity Management |
| Organisational Controls | Annex A 5.17 |
Annex A 9.2.4 Annex A 9.3.1 Annex A 9.4.3 |
Authentication Information |
| Organisational Controls | Annex A 5.18 |
Annex A 9.2.2 Annex A 9.2.5 Annex A 9.2.6 |
Access Rights |
| Organisational Controls | Annex A 5.19 | Annex A 15.1.1 | Information Security in Supplier Relationships |
| Organisational Controls | Annex A 5.20 | Annex A 15.1.2 | Addressing Information Security Within Supplier Agreements |
| Organisational Controls | Annex A 5.21 | Annex A 15.1.3 | Managing Information Security in the ICT Supply Chain |
| Organisational Controls | Annex A 5.22 |
Annex A 15.2.1 Annex A 15.2.2 |
Monitoring, Review and Change Management of Supplier Services |
| Organisational Controls | Annex A 5.23 | NEW | Information Security for Use of Cloud Services |
| Organisational Controls | Annex A 5.24 | Annex A 16.1.1 | Information Security Incident Management Planning and Preparation |
| Organisational Controls | Annex A 5.25 | Annex A 16.1.4 | Assessment and Decision on Information Security Events |
| Organisational Controls | Annex A 5.26 | Annex A 16.1.5 | Response to Information Security Incidents |
| Organisational Controls | Annex A 5.27 | Annex A 16.1.6 | Learning From Information Security Incidents |
| Organisational Controls | Annex A 5.28 | Annex A 16.1.7 | Collection of Evidence |
| Organisational Controls | Annex A 5.29 |
Annex A 17.1.1 Annex A 17.1.2 Annex A 17.1.3 |
Information Security During Disruption |
| Organisational Controls | Annex A 5.30 | NEW | ICT Readiness for Business Continuity |
| Organisational Controls | Annex A 5.31 |
Annex A 18.1.1 Annex A 18.1.5 |
Legal, Statutory, Regulatory and Contractual Requirements |
| Organisational Controls | Annex A 5.32 | Annex A 18.1.2 | Intellectual Property Rights |
| Organisational Controls | Annex A 5.33 | Annex A 18.1.3 | Protection of Records |
| Organisational Controls | Annex A 5.34 | Annex A 18.1.4 | Privacy and Protection of PII |
| Organisational Controls | Annex A 5.35 | Annex A 18.2.1 | Independent Review of Information Security |
| Organisational Controls | Annex A 5.36 |
Annex A 18.2.2 Annex A 18.2.3 |
Compliance With Policies, Rules and Standards for Information Security |
| Organisational Controls | Annex A 5.37 | Annex A 12.1.1 | Documented Operating Procedures |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| People Controls | Annex A 6.1 | Annex A 7.1.1 | Screening |
| People Controls | Annex A 6.2 | Annex A 7.1.2 | Terms and Conditions of Employment |
| People Controls | Annex A 6.3 | Annex A 7.2.2 | Information Security Awareness, Education and Training |
| People Controls | Annex A 6.4 | Annex A 7.2.3 | Disciplinary Process |
| People Controls | Annex A 6.5 | Annex A 7.3.1 | Responsibilities After Termination or Change of Employment |
| People Controls | Annex A 6.6 | Annex A 13.2.4 | Confidentiality or Non-Disclosure Agreements |
| People Controls | Annex A 6.7 | Annex A 6.2.2 | Remote Working |
| People Controls | Annex A 6.8 |
Annex A 16.1.2 Annex A 16.1.3 |
Information Security Event Reporting |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Physical Controls | Annex A 7.1 | Annex A 11.1.1 | Physical Security Perimeters |
| Physical Controls | Annex A 7.2 |
Annex A 11.1.2 Annex A 11.1.6 |
Physical Entry |
| Physical Controls | Annex A 7.3 | Annex A 11.1.3 | Securing Offices, Rooms and Facilities |
| Physical Controls | Annex A 7.4 | NEW | Physical Security Monitoring |
| Physical Controls | Annex A 7.5 | Annex A 11.1.4 | Protecting Against Physical and Environmental Threats |
| Physical Controls | Annex A 7.6 | Annex A 11.1.5 | Working In Secure Areas |
| Physical Controls | Annex A 7.7 | Annex A 11.2.9 | Clear Desk and Clear Screen |
| Physical Controls | Annex A 7.8 | Annex A 11.2.1 | Equipment Siting and Protection |
| Physical Controls | Annex A 7.9 | Annex A 11.2.6 | Security of Assets Off-Premises |
| Physical Controls | Annex A 7.10 |
Annex A 8.3.1 Annex A 8.3.2 Annex A 8.3.3 Annex A 11.2.5 |
Storage Media |
| Physical Controls | Annex A 7.11 | Annex A 11.2.2 | Supporting Utilities |
| Physical Controls | Annex A 7.12 | Annex A 11.2.3 | Cabling Security |
| Physical Controls | Annex A 7.13 | Annex A 11.2.4 | Equipment Maintenance |
| Physical Controls | Annex A 7.14 | Annex A 11.2.7 | Secure Disposal or Re-Use of Equipment |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Technological Controls | Annex A 8.1 |
Annex A 6.2.1 Annex A 11.2.8 |
User Endpoint Devices |
| Technological Controls | Annex A 8.2 | Annex A 9.2.3 | Privileged Access Rights |
| Technological Controls | Annex A 8.3 | Annex A 9.4.1 | Information Access Restriction |
| Technological Controls | Annex A 8.4 | Annex A 9.4.5 | Access to Source Code |
| Technological Controls | Annex A 8.5 | Annex A 9.4.2 | Secure Authentication |
| Technological Controls | Annex A 8.6 | Annex A 12.1.3 | Capacity Management |
| Technological Controls | Annex A 8.7 | Annex A 12.2.1 | Protection Against Malware |
| Technological Controls | Annex A 8.8 |
Annex A 12.6.1 Annex A 18.2.3 |
Management of Technical Vulnerabilities |
| Technological Controls | Annex A 8.9 | NEW | Configuration Management |
| Technological Controls | Annex A 8.10 | NEW | Information Deletion |
| Technological Controls | Annex A 8.11 | NEW | Data Masking |
| Technological Controls | Annex A 8.12 | NEW | Data Leakage Prevention |
| Technological Controls | Annex A 8.13 | Annex A 12.3.1 | Information Backup |
| Technological Controls | Annex A 8.14 | Annex A 17.2.1 | Redundancy of Information Processing Facilities |
| Technological Controls | Annex A 8.15 |
Annex A 12.4.1 Annex A 12.4.2 Annex A 12.4.3 |
Logging |
| Technological Controls | Annex A 8.16 | NEW | Monitoring Activities |
| Technological Controls | Annex A 8.17 | Annex A 12.4.4 | Clock Synchronization |
| Technological Controls | Annex A 8.18 | Annex A 9.4.4 | Use of Privileged Utility ProgramsAccess Rights |
| Technological Controls | Annex A 8.19 |
Annex A 12.5.1 Annex A 12.6.2 |
Installation of Software on Operational Systems |
| Technological Controls | Annex A 8.20 | Annex A 13.1.1 | Networks Security |
| Technological Controls | Annex A 8.21 | Annex A 13.1.2 | Security of Network Services |
| Technological Controls | Annex A 8.22 | Annex A 13.1.3 | Segregation of Networks |
| Technological Controls | Annex A 8.23 | NEW | Web filtering |
| Technological Controls | Annex A 8.24 |
Annex A 10.1.1 Annex A 10.1.2 |
Use of Cryptography |
| Technological Controls | Annex A 8.25 | Annex A 14.2.1 | Secure Development Life Cycle |
| Technological Controls | Annex A 8.26 |
Annex A 14.1.2 Annex A 14.1.3 |
Application Security Requirements |
| Technological Controls | Annex A 8.27 | Annex A 14.2.5 | Secure System Architecture and Engineering PrinciplesLearning From Information Security Incidents |
| Technological Controls | Annex A 8.28 | NEW | Secure Coding |
| Technological Controls | Annex A 8.29 |
Annex A 14.2.8 Annex A 14.2.9 |
Security Testing in Development and Acceptance |
| Technological Controls | Annex A 8.30 | Annex A 14.2.7 | Outsourced Development |
| Technological Controls | Annex A 8.31 |
Annex A 12.1.4 Annex A 14.2.6 |
Separation of Development, Test and Production Environments |
| Technological Controls | Annex A 8.32 |
Annex A 12.1.2 Annex A 14.2.2 Annex A 14.2.3 Annex A 14.2.4 |
Change Management |
| Technological Controls | Annex A 8.33 | Annex A 14.3.1 | Test Information |
| Technological Controls | Annex A 8.34 | Annex A 12.7.1 | Protection of Information Systems During Audit Testing |
How ISMS.Online Helps
With ISMS.online, you will have access to a complete set of tools and resources to help manage your own ISO 27001 Information Security Management System (ISMS), whether you are a newcomer or already certified.
Furthermore, ISMS.online provides automated processes to help simplify the entire review process. These processes save considerable amounts of admin time compared to other working methods.
You will get a head start with ISO 27001 policies and controls from ISMS.online.
Intuitive workflows, tools, frameworks, policies and controls, actionable documentation and guidance, as well as actionable guidance make it easy to implement ISO 27001 by defining the scope, identifying risks, and implementing controls based on our algorithms – whether they are created from scratch or based upon industry-best practice templates.
Contact us today to schedule a demo.
