
ISO 27001 Requirement 5.2 – Information Security Policy

By Mark Sharron | Updated 14 December 2023

Clause 5.2 of the ISO 27001 standard requires that top management establish an information security policy. This requirement for documenting a policy is pretty straightforward. However, it is what is inside the policy and how it relates to the broader ISMS that will give interested parties the confidence they need to trust what sits behind the policy.

What does Clause 5.2 involve?

Senior management must do a range of things around that policy to bring it to life – not just have the policy ready to share as part of a tender response. In the recent past, when a customer asked a prospective supplier for a copy of their information security policy, that document might say some nice and fluffy things about information security management, risk management and information assurance, enough to satisfy a tick-box exercise by a procurement person in the buying department. That is (generally) no longer the case. Smart buyers will not only want to see a security policy; they may want it backed up by evidence of the policy working in practice – helped, of course, by an independent information security certification body such as one accredited by UKAS underpinning it, and a sensible ISMS behind it.

Beyond establishing the policy itself, top management also needs to do the following around this clause:

  • Make sure the policy is relevant to the purpose of the organisation (so not just copying one from Google).
  • Clarify the information security objectives (covered in more detail in 6.2), or at least set the conditions for them. Tip: this should include the relevant and measurable aspects of protecting the confidentiality, integrity and availability of the information assets identified in 4.1 and held in line with A8.1.
  • Commit to satisfying the applicable information security requirements of the organisation (i.e. those covered across the ISO 27001 core requirements and the Annex A controls).
  • Ensure the policy's continual improvement – an ISMS is for life, and with surveillance audits each year that will be obvious to see (or not).
  • Share and communicate the policy with the organisation and with interested parties as needed.

How ISMS.online helps you

ISMS.online provides the evidence that the information security policy is working in practice, and it also includes a template policy as documentation for organisations to easily adopt and adapt.


Make it simpler with ISMS.online

The ISMS.online platform makes it easy for top management to establish an information security policy that is consistent with the purpose and context of the organisation.

Your ISMS will include a pre-built information security policy that can easily be adapted to your organisation. This policy serves as a framework for reviewing objectives and includes commitments to satisfy any applicable requirements and to continually improve the management system. It can easily be shared with interested parties and submitted for tenders or other external communications.
