What Is Control 5.1?
An information security policy provides employees, management and external parties (e.g., customers and suppliers) with a framework for the management of electronic information, including computer networks.
The purpose of an information security policy is to reduce the risk of data loss or theft from internal and external threats. An information security policy also ensures that all employees are aware of their responsibilities for protecting the data held by their organisations.
An information security policy can also be used to demonstrate compliance with laws and regulations, and helps to meet standards such as ISO 27001.
Cyber Security and Information Security Threats Explained
Cyber security threats are any possible malicious attack that seeks to unlawfully access data, disrupt digital operations or damage information. Cyber threats can originate from various actors, including corporate spies and hacktivists, terrorist groups, hostile nation-states and criminal organisations.
Some of the more popular cyber security and information security threats are:
- Malware: viruses, spyware and other malicious programs.
- Phishing emails: messages that appear to be from trustworthy sources but contain links and attachments that install malware.
- Ransomware: malware that prevents users from accessing their own data until they pay a ransom.
- Social engineering: attackers manipulating people into giving sensitive information, usually by appearing to be trustworthy.
- Whaling attacks: phishing emails designed to appear as if they come from high-profile individuals within an organisation.
ISO 27001 made easy
An 81% Headstart from day one
We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.
What Is the Purpose of Control 5.1?
The purpose of the information security policy is to ensure management support for the protection of your company’s sensitive information from theft and unauthorised access.
Control 5.1 covers the control, purpose and implementation guidance for establishing an information security policy in an organisation according to the framework as defined by ISO 27001.
Control 5.1 states that organisations need to have high- and low-level policies on how they manage their information security. The organisation’s senior management needs to approve the policies, which should be reviewed regularly and also if changes in the information security environment occur.
The best approach is to meet regularly at least once a month, with additional meetings scheduled as needed. If changes are made to the policies, management must approve them before they’re implemented. The policies should also be shared with internal and external stakeholders.
Attributes of Control 5.1
Attributes are a means of categorising controls. These allow you to quickly align your control selection with common industry language and standards. In control 5.1 these are.
| Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
|---|---|---|---|---|
| #Preventive | #Confidentiality | #Identify | #Governance | #Governance and Ecosystem |
| #Integrity | #Resilience | |||
| #Availability |
Free yourself from a mountain of spreadsheets
Embed, expand and scale your compliance, without the mess. IO gives you the resilience and confidence to grow securely.
What Is Involved and How to Meet the Requirements
The information security policy should provide the basis for, and be supported by, detailed operating procedures which describe how information security will be managed in practice.
The policy should be approved by top management, who should ensure that it is communicated to staff and made available to interested parties.
The policy gives direction on the organisation’s approach to managing information security, and can be used as a framework for developing more detailed operating procedures.
The policy is an essential element in establishing and maintaining an information security management system (ISMS), as required by the ISO/IEC 27000 family of standards, but even if the organisation does not intend to implement formal certification to ISO 27001 or any other standard, a well-defined policy is still important.
Changes and Differences from ISO 27002:2013
In ISO 27002: 2022, control 5.1 Information Security Policies is not a new control, rather it is the result of the merging of controls 5.1.1 Policies for Information Security and 5.1.2 Review of Policies for Information Security from ISO 27002 revision 2013.
In ISO 27002:2022, control 5.1 has been updated to include a description of its purpose and expanded implementation guidance. It also came with an attributes table that allows users to reconcile controls with industry terminologies.
In ISO 27002:2022, control 5.1 states that information security and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties.
The information security policy of an organisation should reflect the organisation’s size, type, and sensitivity of information assets. It should also be consistent with industry standards and applicable government regulations.
While the essence of the control itself is similar to 5.1.1 of ISO 27002: 2013, version 2022 specifically states that these information security policies should be reviewed regularly and also if changes in the information security environment occur. This rider is covered in clause 5.1.2 of ISO 27002:2013.
ISO 27002: 2013 and ISO 27002: 2022 states that the highest level of the organisation should define a security policy that top management approves and that states how they will oversee the protection of their information. However, the requirements covered by the policies for both versions are different.
Manage all your compliance, all in one place
ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.
Control 5.1 2013 – 2022 Implementation Guidelines Compared
In ISO 27002:2013, Information security policies should address requirements created by:
- Business strategy.
- Regulations, legislation and contracts.
- The current and projected information security threat environment.
The information security policy should contain statements concerning:
- Definition of information security, objectives and principles to guide all activities relating to
information security. - Assignment of general and specific responsibilities for information security management to
defined roles. - Processes for handling deviations and exceptions.
But the requirements for ISO 27002:2022 are a bit more comprehensive.
The information security policy should take into consideration requirements derived from:
- Business strategy and requirements.
- Regulations, legislation and contracts.
- The current and projected information security risks and threats.
The information security policy should contain statements concerning:
- Definition of information security.
- Information security objectives or the framework for setting information security objectives.
- Principles to guide all activities relating to information security.
- Commitment to satisfy applicable requirements related to information security.
- Commitment to continual improvement of the information security management system.
- Assignment of responsibilities for information security management to defined roles.
- Procedures for handling exemptions and exceptions.
At the same time, topic-specific policies were reworked in ISO 27002:2022 to include; information security incident management, asset management, networking security, information security incident management, and secure development. Some of the ones in ISO 27002:2013 were either removed or merged to form a more holistic framework.
New ISO 27002 Controls
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 5.7 | NEW | Threat intelligence |
| 5.23 | NEW | Information security for use of cloud services |
| 5.30 | NEW | ICT readiness for business continuity |
| 7.4 | NEW | Physical security monitoring |
| 8.9 | NEW | Configuration management |
| 8.10 | NEW | Information deletion |
| 8.11 | NEW | Data masking |
| 8.12 | NEW | Data leakage prevention |
| 8.16 | NEW | Monitoring activities |
| 8.23 | NEW | Web filtering |
| 8.28 | NEW | Secure coding |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 6.1 | 07.1.1 | Screening |
| 6.2 | 07.1.2 | Terms and conditions of employment |
| 6.3 | 07.2.2 | Information security awareness, education and training |
| 6.4 | 07.2.3 | Disciplinary process |
| 6.5 | 07.3.1 | Responsibilities after termination or change of employment |
| 6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
| 6.7 | 06.2.2 | Remote working |
| 6.8 | 16.1.2, 16.1.3 | Information security event reporting |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 7.1 | 11.1.1 | Physical security perimeters |
| 7.2 | 11.1.2, 11.1.6 | Physical entry |
| 7.3 | 11.1.3 | Securing offices, rooms and facilities |
| 7.4 | NEW | Physical security monitoring |
| 7.5 | 11.1.4 | Protecting against physical and environmental threats |
| 7.6 | 11.1.5 | Working in secure areas |
| 7.7 | 11.2.9 | Clear desk and clear screen |
| 7.8 | 11.2.1 | Equipment siting and protection |
| 7.9 | 11.2.6 | Security of assets off-premises |
| 7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
| 7.11 | 11.2.2 | Supporting utilities |
| 7.12 | 11.2.3 | Cabling security |
| 7.13 | 11.2.4 | Equipment maintenance |
| 7.14 | 11.2.7 | Secure disposal or re-use of equipment |
How ISMS.Online Helps
At ISMS.online, our easy-to-use, yet powerful, cloud system will provide you with a complete set of tools and resources to help you manage your own ISO 27001/27002 Information Security Management System (ISMS), whether you are new to ISO 27001/27002 or already certified.
Our intuitive step-by-step workflow, tools, frameworks, policies & controls, actionable documentation and guidance walks you through the process of implementing ISO 27002, making it simple for you to define the scope of the ISMS, identify risks and implement controls using our algorithms – either from scratch or from best practice templates.
Get in touch today to book a demo.
