Information Security Policy – ISO 27001 Requirement 5.2

What is covered under ISO 27001 Clause 5.2?

Clause 5.2 of the ISO 27001 standard requires that top management establish an information security policy. This requirement for documenting a policy is pretty straightforward. However, it is what is inside the policy and how it relates to the broader ISMS that will give interested parties the confidence they need to trust what sits behind the policy.

Senior management must also do a range of other things around that policy to bring it to life – not just have the policy ready to share as part of a tender response! In the recent past, when a customer asked a prospective supplier for a copy of their information security policy, that document might say some nice and fluffy things about information security management, risk management and information assurance to satisfy a tick-box exercise by a procurement person in the buying department. That is (generally) no longer the case. Smart buyers will not only want to see a security policy, they may want it backed up by evidence of the policy working in practice – helped, of course, by an independent information security certification body such as one accredited by UKAS underpinning it, and a sensible ISMS behind it.

Some of the other things that top management needs to do around this clause beyond establishing the policy itself include:

  • Making sure it is relevant to the purpose of the organisation (so not just copying one from Google)
  • Clarifying the information security objectives (covered more in 6.2), or at least setting the conditions for them – tip: this should include the relevant and measurable aspects of protecting confidentiality, integrity and availability for the information assets identified in 4.1 and held in line with A8.1
  • A commitment to satisfy the applicable information security requirements of the organisation (i.e. those covered across the ISO 27001 core requirements and the Annex A controls)
  • Ensuring its ongoing continual improvement – an ISMS is for life, and with surveillance audits each year that will be obvious to see (or not)
  • Sharing and communicating it with the organisation and interested parties as needed

The platform provides all the evidence behind the information security policy working in practice, and it includes a template policy as documentation for organisations to easily adopt and adapt too.

How to easily demonstrate 5.2 Information security policy

The platform makes it easy for top management to establish an information security policy that is consistent with the purpose and context of the organisation. Your ISMS will include a pre-built information security policy that can easily be adapted to your organisation. This policy serves as a framework for reviewing objectives and includes commitments to satisfy any applicable requirements and continually improve the management system. This policy can easily be shared with interested parties and submitted for tenders or other external communications.

Step 1 : Demonstrate to your auditors

You can easily demonstrate your work to auditors by recording your evidence within the platform e.g. data, policies, controls, procedures, risks, actions, projects, related documentation and reports.

Step 2 : Adopt, adapt and add

Our pre-configured ISMS makes it straightforward to evidence requirement 5.2 within our platform and can easily be adapted to your organisation’s needs.

You are provided with ready-made controls and references to subordinate policies that can be adopted, adapted, or added to out of the box.

This means that you have a ready-made, simple-to-follow foundation for ISO 27001 compliance or certification, giving you a 77% head start.

Step 3 : A time-saving path to certification

Our Assured Results Method, ARM, is your simple, practical, time-saving path to first-time ISO 27001 compliance or certification. Requirement 5.2 is part of the first section that ARM will guide you through, which will help you to understand your organisation in relation to information security. This will then help you to determine which assets, systems, people, locations etc. fall within the scope of your management system, which in turn will enable you to think about the risks that affect them.

Step 4 : Extra support when you need it

If you need extra support, our optional Virtual Coach provides context-specific help whenever you need it. Additionally, our Service Delivery Team and your Account Manager are only ever a phone call away.
Platform features

Disconnected templates and toolkits supported by an expensive consultant just don’t cut it anymore. You need an ISMS that works for you both now and as your business grows.