ISO 27001:2022 Annex A Control 5.1

Information Security Policies

Book a demo

business,man,using,mobile,smart,phone,,busy,working,on,laptop

As part of ISO 27001:2022, Annex A 5.1 specifies that organisations must have an information security policy document in place. This is to protect themselves against information security threats.

Business needs, as well as applicable regulations and legislation, must be considered when developing policies.

An information security policy document is essentially a compendium of Annex A controls that reinforces the organisation’s key statements about security and makes them available to stakeholders.

In the 2022 version of the standard, policies should also be included in the education, training, and awareness program, as described in People Controls A.6.3.

Organisational policies specify the principles that members and key parties like suppliers must adhere to. These policies should be reviewed regularly and updated as necessary.

What Are Information Security Policies?

An information security policy aims to provide employees, management, and external parties (e.g., customers and suppliers) with a framework for managing electronic information, including computer networks.

A security policy must be defined, approved by management, published and communicated to employees and relevant external parties.

In addition to reducing the risk of data loss due to internal and external threats, information security policies ensure that all employees understand their role in protecting the organisation’s data.

In addition to meeting standards such as ISO 27001, an information security policy can also demonstrate compliance with laws and regulations.

Information Security Threats and Cyber Security Explained

Cyber security threats include corporate spies and hacktivists, terrorist groups, hostile nation-states, and criminal organisations. These threats seek to unlawfully access data, disrupt digital operations, or damage information.

Threats to cyber security and information security include:

  • Viruses, spyware, and other malicious programs are considered malware.

  • An email that appears to be from a trustworthy source but contains links and attachments that install malware on your computer.

  • Viruses prevent users from accessing their data until they pay a ransom.

  • The process of manipulating people into divulging sensitive information is known as social engineering.

  • Phishing emails that appear to come from high-profile individuals in an organisation are known as whale attacks.
Jump to Topic
Updated for ISO 27001 2022
  • 81% of the work done for you
  • Assured Results Method for certification success
  • Save time, money and hassle
Book your demo
img

How Does ISO 27001:2022 Annex A 5.1 Work?

Information security policies are designed to protect your company’s sensitive information from theft and unauthorised access.

In accordance with ISO 27001, Annex control A 5.1 guides the purpose and implementation of establishing an information security policy in an organisation.

An overall information security policy is required by Annex A Control 5.1 for organisations to manage their information security. Senior management must approve the guidelines, which must be reviewed regularly if changes occur in the information security environment.

The appropriate approach is to meet regularly, at least once a month, with additional meetings as needed. In addition to sharing policies with internal and external stakeholders, management must approve any changes before they are implemented.

Getting Started and Meeting the Requirements of Annex A 5.1

A detailed operating procedure that describes how the information security policy will be implemented should be based on and supported by an information security policy.

The policy should be approved by top management and communicated to staff and interested parties.

In addition to giving direction to the organisation’s approach to managing information security, the policy can be used to develop more detailed operating procedures.

As required by ISO/IEC 27000 standards, a policy is essential to establishing and maintaining an information security management system (ISMS). A well-defined policy remains critical even if the organisation doesn’t intend to implement ISO 27001 or any other formal certification.

Information security policies should be reviewed regularly to ensure their continued suitability, adequacy and effectiveness.

When changes are made to the business, its risks, technology, legislation, or regulations, or if security weaknesses, events, or incidents indicate policy changes are needed.

What Are the Changes and Differences From ISO 27001:2013?

As part of ISO 27001 revision 2013, this control merges Annex A controls 5.1.1 Policies for Information Security and 5.1.2 Review of Policies for Information Security.

Annex A control 5.1 in ISO 27001:2022 has been updated with a description of its purpose and expanded implementation guidance, as well as an attributes table that allows users to reconcile Annex A controls with industry terminology.

According to Annex A 5.1, information security and topic-specific policies should be defined, approved by management, published, communicated to, and acknowledged by the appropriate personnel.

An organisation’s information security policy should consider the size, type, and sensitivity of information assets, industry standards and applicable government requirements.

According to clause 5.1.2 of ISO 27001:2013, the purpose of Annex A is to ensure that information security policies are regularly evaluated if changes in the information security environment arise.

According to ISO 27001: 2013 and ISO 27001: 2022, top management should develop a security policy that is approved by top management and describes how the organisation will protect its data. Nevertheless, both versions of the policies cover different requirements.

Comparative Analysis of Annex A 5.1 Implementation Guidelines

According to ISO 27001:2013, information security policies should address the following requirements:

  • The business strategy.

  • Contracts, regulations, and legislation.

  • A description of the current and projected threat environment for information security.

Information security policies should include the following statements:

  • All activities pertaining to information security should be guided by a definition of information security, objectives and principles.

  • Information security management responsibilities are assigned to defined roles in a general and specific manner.

  • The process for handling deviations and exceptions.

In contrast, ISO 27001:2022 has more comprehensive requirements.

As part of the information security policy, the following requirements should be taken into consideration:

  • Strategy and requirements of the business.

  • Legislation, regulations, and contracts.

  • Information security risks and threats that exist today and in the future.

Statements concerning the following should be included in the information security policy:

  • Information security definition.

  • A framework for establishing information security objectives.

  • Information security principles should guide all activities.

  • A commitment to comply with all applicable information security requirements.

  • An ongoing commitment to improving the information security management system.

  • Role-based assignment of responsibilities for information security management.

  • Exceptions and exemptions are handled in accordance with these procedures.

In addition, ISO 27001:2022 was revised to include topic-specific policies for information security incident management, asset management, networking security, incident management, and secure development as topic-specific policies. For the purpose of creating a more holistic framework, some of the requirements of ISO 27001:2013 were removed or merged.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Organisational ControlsAnnex A 5.1Annex A 5.1.1
Annex A 5.1.2		Policies for Information Security
Organisational ControlsAnnex A 5.2Annex A 6.1.1Information Security Roles and Responsibilities
Organisational ControlsAnnex A 5.3Annex A 6.1.2Segregation of Duties
Organisational ControlsAnnex A 5.4Annex A 7.2.1Management Responsibilities
Organisational ControlsAnnex A 5.5Annex A 6.1.3Contact With Authorities
Organisational ControlsAnnex A 5.6Annex A 6.1.4Contact With Special Interest Groups
Organisational ControlsAnnex A 5.7NEWThreat Intelligence
Organisational ControlsAnnex A 5.8Annex A 6.1.5
Annex A 14.1.1		Information Security in Project Management
Organisational ControlsAnnex A 5.9Annex A 8.1.1
Annex A 8.1.2		Inventory of Information and Other Associated Assets
Organisational ControlsAnnex A 5.10Annex A 8.1.3
Annex A 8.2.3		Acceptable Use of Information and Other Associated Assets
Organisational ControlsAnnex A 5.11Annex A 8.1.4Return of Assets
Organisational ControlsAnnex A 5.12Annex A 8.2.1Classification of Information
Organisational ControlsAnnex A 5.13Annex A 8.2.2Labelling of Information
Organisational ControlsAnnex A 5.14Annex A 13.2.1
Annex A 13.2.2
Annex A 13.2.3		Information Transfer
Organisational ControlsAnnex A 5.15Annex A 9.1.1
Annex A 9.1.2		Access Control
Organisational ControlsAnnex A 5.16Annex A 9.2.1Identity Management
Organisational ControlsAnnex A 5.17Annex A 9.2.4
Annex A 9.3.1
Annex A 9.4.3		Authentication Information
Organisational ControlsAnnex A 5.18Annex A 9.2.2
Annex A 9.2.5
Annex A 9.2.6		Access Rights
Organisational ControlsAnnex A 5.19Annex A 15.1.1Information Security in Supplier Relationships
Organisational ControlsAnnex A 5.20Annex A 15.1.2Addressing Information Security Within Supplier Agreements
Organisational ControlsAnnex A 5.21Annex A 15.1.3Managing Information Security in the ICT Supply Chain
Organisational ControlsAnnex A 5.22Annex A 15.2.1
Annex A 15.2.2		Monitoring, Review and Change Management of Supplier Services
Organisational ControlsAnnex A 5.23NEWInformation Security for Use of Cloud Services
Organisational ControlsAnnex A 5.24Annex A 16.1.1Information Security Incident Management Planning and Preparation
Organisational ControlsAnnex A 5.25Annex A 16.1.4Assessment and Decision on Information Security Events
Organisational ControlsAnnex A 5.26Annex A 16.1.5Response to Information Security Incidents
Organisational ControlsAnnex A 5.27Annex A 16.1.6Learning From Information Security Incidents
Organisational ControlsAnnex A 5.28Annex A 16.1.7Collection of Evidence
Organisational ControlsAnnex A 5.29Annex A 17.1.1
Annex A 17.1.2
Annex A 17.1.3		Information Security During Disruption
Organisational ControlsAnnex A 5.30NEWICT Readiness for Business Continuity
Organisational ControlsAnnex A 5.31Annex A 18.1.1
Annex A 18.1.5		Legal, Statutory, Regulatory and Contractual Requirements
Organisational ControlsAnnex A 5.32Annex A 18.1.2Intellectual Property Rights
Organisational ControlsAnnex A 5.33Annex A 18.1.3Protection of Records
Organisational ControlsAnnex A 5.34 Annex A 18.1.4Privacy and Protection of PII
Organisational ControlsAnnex A 5.35Annex A 18.2.1Independent Review of Information Security
Organisational ControlsAnnex A 5.36Annex A 18.2.2
Annex A 18.2.3		Compliance With Policies, Rules and Standards for Information Security
Organisational ControlsAnnex A 5.37Annex A 12.1.1Documented Operating Procedures

ISO 27001:2022 People Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
People ControlsAnnex A 6.1Annex A 7.1.1Screening
People ControlsAnnex A 6.2Annex A 7.1.2Terms and Conditions of Employment
People ControlsAnnex A 6.3Annex A 7.2.2Information Security Awareness, Education and Training
People ControlsAnnex A 6.4Annex A 7.2.3Disciplinary Process
People ControlsAnnex A 6.5Annex A 7.3.1Responsibilities After Termination or Change of Employment
People ControlsAnnex A 6.6Annex A 13.2.4Confidentiality or Non-Disclosure Agreements
People ControlsAnnex A 6.7Annex A 6.2.2Remote Working
People ControlsAnnex A 6.8Annex A 16.1.2
Annex A 16.1.3		Information Security Event Reporting

ISO 27001:2022 Physical Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Physical ControlsAnnex A 7.1Annex A 11.1.1Physical Security Perimeters
Physical ControlsAnnex A 7.2Annex A 11.1.2
Annex A 11.1.6		Physical Entry
Physical ControlsAnnex A 7.3Annex A 11.1.3Securing Offices, Rooms and Facilities
Physical ControlsAnnex A 7.4NEWPhysical Security Monitoring
Physical ControlsAnnex A 7.5Annex A 11.1.4Protecting Against Physical and Environmental Threats
Physical ControlsAnnex A 7.6Annex A 11.1.5Working In Secure Areas
Physical ControlsAnnex A 7.7Annex A 11.2.9Clear Desk and Clear Screen
Physical ControlsAnnex A 7.8Annex A 11.2.1Equipment Siting and Protection
Physical ControlsAnnex A 7.9Annex A 11.2.6Security of Assets Off-Premises
Physical ControlsAnnex A 7.10Annex A 8.3.1
Annex A 8.3.2
Annex A 8.3.3
 Annex A 11.2.5		Storage Media
Physical ControlsAnnex A 7.11Annex A 11.2.2Supporting Utilities
Physical ControlsAnnex A 7.12Annex A 11.2.3Cabling Security
Physical ControlsAnnex A 7.13Annex A 11.2.4Equipment Maintenance
Physical ControlsAnnex A 7.14Annex A 11.2.7Secure Disposal or Re-Use of Equipment

ISO 27001:2022 Technological Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Technological ControlsAnnex A 8.1Annex A 6.2.1
Annex A 11.2.8		User Endpoint Devices
Technological ControlsAnnex A 8.2Annex A 9.2.3Privileged Access Rights
Technological ControlsAnnex A 8.3Annex A 9.4.1Information Access Restriction
Technological ControlsAnnex A 8.4Annex A 9.4.5Access to Source Code
Technological ControlsAnnex A 8.5Annex A 9.4.2Secure Authentication
Technological ControlsAnnex A 8.6Annex A 12.1.3Capacity Management
Technological ControlsAnnex A 8.7Annex A 12.2.1Protection Against Malware
Technological ControlsAnnex A 8.8Annex A 12.6.1
Annex A 18.2.3		Management of Technical Vulnerabilities
Technological ControlsAnnex A 8.9NEWConfiguration Management
Technological ControlsAnnex A 8.10NEWInformation Deletion
Technological ControlsAnnex A 8.11NEWData Masking
Technological ControlsAnnex A 8.12NEWData Leakage Prevention
Technological ControlsAnnex A 8.13Annex A 12.3.1Information Backup
Technological ControlsAnnex A 8.14Annex A 17.2.1Redundancy of Information Processing Facilities
Technological ControlsAnnex A 8.15Annex A 12.4.1
Annex A 12.4.2
Annex A 12.4.3		Logging
Technological ControlsAnnex A 8.16NEWMonitoring Activities
Technological ControlsAnnex A 8.17Annex A 12.4.4Clock Synchronization
Technological ControlsAnnex A 8.18Annex A 9.4.4Use of Privileged Utility Programs
Technological ControlsAnnex A 8.19Annex A 12.5.1
Annex A 12.6.2		Installation of Software on Operational Systems
Technological ControlsAnnex A 8.20Annex A 13.1.1Networks Security
Technological ControlsAnnex A 8.21Annex A 13.1.2Security of Network Services
Technological ControlsAnnex A 8.22Annex A 13.1.3Segregation of Networks
Technological ControlsAnnex A 8.23NEWWeb filtering
Technological ControlsAnnex A 8.24Annex A 10.1.1
Annex A 10.1.2		Use of Cryptography
Technological ControlsAnnex A 8.25Annex A 14.2.1Secure Development Life Cycle
Technological ControlsAnnex A 8.26Annex A 14.1.2
Annex A 14.1.3		Application Security Requirements
Technological ControlsAnnex A 8.27Annex A 14.2.5Secure System Architecture and Engineering Principles
Technological ControlsAnnex A 8.28NEWSecure Coding
Technological ControlsAnnex A 8.29Annex A 14.2.8
Annex A 14.2.9		Security Testing in Development and Acceptance
Technological ControlsAnnex A 8.30Annex A 14.2.7Outsourced Development
Technological ControlsAnnex A 8.31Annex A 12.1.4
Annex A 14.2.6		Separation of Development, Test and Production Environments
Technological ControlsAnnex A 8.32Annex A 12.1.2
Annex A 14.2.2
Annex A 14.2.3
Annex A 14.2.4		Change Management
Technological ControlsAnnex A 8.33Annex A 14.3.1Test Information
Technological ControlsAnnex A 8.34Annex A 12.7.1Protection of Information Systems During Audit Testing

How ISMS.Online Helps

With ISMS.online, you will have access to a complete set of tools and resources to help manage your own ISO 27001 Information Security Management System (ISMS), whether you are a newcomer or already certified.

Furthermore, ISMS.online provides automated processes to help simplify the entire review process. These processes save considerable amounts of admin time compared to other working methods.

You will get a head start with ISO 27001 policies and controls from ISMS.online.

Intuitive workflows, tools, frameworks, policies and controls, actionable documentation and guidance, as well as actionable guidance make it easy to implement ISO 27001 by defining the scope, identifying risks, and implementing controls based on our algorithms – whether they are created from scratch or based upon industry-best practice templates.

Contact us today to schedule a demo.

See ISMS.online
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

Assured Results Method
100% ISO 27001 success

Your simple, practical, time-saving path to first-time ISO 27001 compliance or certification

Book your demo

ISMS.online now supports ISO 42001 - the world's first AI Management System. Click to find out more