ISO 27001 Annex A 5.1 covers policies for information security. A policy is a written rule that tells people what they must do. This control requires a company to have one main information security policy plus other, topic-specific policies.
The Main Policy
This is the top-level document. It explains how the company will keep its information safe. It must be approved by senior leaders and then shared with everyone it applies to. It should be reviewed at least once a year.
This policy should include:
- A clear statement about what information security means for the company.
- The goals for keeping information safe.
- A promise from leaders to meet the rules and laws.
- A promise to always make the security system better.
Other Policies
In addition to the main policy, a company should have other, topic-specific policies. These give more detail on one subject, such as how to use company computers or email. It is a good idea to keep these as separate documents, because each one can then be shared with exactly the people it applies to.
Examples of specific policies:
- Access Control: Rules about who can see what information.
- Acceptable Use: Rules for how employees can use company computers and the internet.
- Data Handling: Rules for how to keep information safe, like how to store or get rid of it.
- Information Classification: Rules for giving data a label, like “private” or “public.”
Frequently Asked Questions
The main goal is to make sure that a company’s approach to information security is suitable, adequate, and effective.
First, you write a policy. Then, you have leaders approve it. After that, you share it with everyone and make sure they understand it.
An auditor will check that you have a policy. They will also check that it has been approved, shared with everyone it applies to, and is actually being followed.