ISO 27001 Annex A 5.1 Policies for Information Security

What is Annex A 5.1 in ISO 27001?

Annex A 5.1 requires an information security policy and a set of topic-specific policies that are defined, approved by management, published, communicated to relevant personnel and interested parties, and reviewed at planned intervals and whenever significant changes occur. The standard does not prescribe a hosting tool; what it requires is documented information that stays current and reachable. This page recommends keeping these documents in the business tools staff already use, such as SharePoint or Confluence, so that the policies stay aligned with organisational goals and with daily operations, rather than in a separate external compliance platform.

Auditor’s Eye: The Shortcut Trap

SaaS compliance platforms ship generic policy templates. Adopting them unchanged produces "copy-paste" compliance: policies that describe controls the organisation does not actually operate. Auditors want to see policies drafted, owned and maintained by the organisation itself. Native version history in Confluence or SharePoint records who changed what and when, which supports the claim of active management ownership and avoids the "black box" trap of policies that exist only inside a vendor portal. Policies kept in the tools staff use every day stay coupled to daily work; an external platform decouples security from daily operations, and the gap between the written policy and actual practice is what surfaces as an audit finding.

Feature        | ISO 27001:2013                       | ISO 27001:2022
Control number | A.5.1.1 and A.5.1.2                  | Annex A 5.1
Focus          | Policy set and review of the policies | The two requirements merged into one control
Documentation  | Documented information required      | Stronger focus on evidence of communication

How to Implement Annex A 5.1 (Step-by-Step)

The core requirement is to define and communicate security direction through documented policies approved by management. Hosting the documents in existing organisational tools means staff can reach them during daily operations instead of hunting for a separate portal. Treat implementation as a cultural change rather than a document-production exercise, and follow these steps for an integrated approach.

Step 1: Draft the Main Policy

Create the high-level Information Security Policy in SharePoint. This document must state management intent: it should be appropriate to the purpose of the organisation, set out security objectives (or the framework for setting them), and commit management to satisfying applicable requirements and to continual improvement, as Clause 5.2 requires. Use your organisation's standard document template for consistency.

Step 2: Develop Granular Policies

Identify topics that need their own rules, for example access control, cryptography, data handling and classification, acceptable use, and remote working. Draft each as a Confluence page. The collaboration features let department heads and control owners comment on and refine the text, which keeps the policies practical and realistic for the teams that must follow them.

Step 3: Executive Review and Approval

Top management must approve all policies. Hold a formal review meeting and record the minutes in SharePoint. Log the approval itself with a digital signature or an approved version in the document's version history, so that the approver, the date and the approved version are all traceable. This provides clear evidence of leadership commitment.

Step 4: Communicate to Personnel

Publish the approved policies on your internal wiki and make sure every employee, contractor and relevant external party can access them. Use Jira tasks to assign and track policy acknowledgement, so that the record of who has read which version is kept in the same system as the rest of the team's work. This embeds security awareness into standard workflows.

Annex A 5.1 Audit Evidence Checklist

Auditors look for records that show human oversight and intent: who wrote the policy, who approved it, when it was last reviewed, and how it reached staff. Provide these items to the auditor:

  • A high-level Information Security Policy approved and signed by top management (for example the CEO).
  • Topic-specific policies hosted in SharePoint or Confluence.
  • Meeting minutes showing policy reviews by management at planned intervals (typically annual) and after significant changes.
  • Version history logs for every policy document, showing the approved version and subsequent changes.
  • Evidence of policy distribution and acknowledgement via the company intranet or task tracker.

Relational Mapping

Annex A 5.1 supports Clause 5.2 Policy, which sets the requirements for the top-level information security policy. It provides the detail needed to set and meet the objectives in Clause 6.2. It also feeds Annex A 5.10 Acceptable use of information and other associated assets and Annex A 5.15 Access control, both of which are typically implemented as topic-specific policies. All technical controls must align with these high-level rules.

Auditor Interview: Policy Management

Question: How does management approve security policies?

Answer: Executives review and sign policies within our SharePoint system.

Question: Where can staff find the current encryption policy?

Answer: All security rules are published on our internal Confluence wiki.

Question: How often are these documents updated?

Answer: We review them annually or after major business changes.

Common Non-Conformities

Failure mode         | Cause                                          | Auditor finding
Automated complacency | Using SaaS templates without customisation     | Major NC: policies do not reflect organisational reality
Static policies       | Failing to review documents for several years  | Minor NC: policies are outdated and irrelevant
Hidden rules          | Storing policies in a portal staff never visit | Minor NC: failure to communicate security direction

Frequently Asked Questions

What is a topic-specific policy?

A topic-specific policy covers one defined area, such as mobile devices, clear desk and clear screen, or cryptography. It gives staff granular instructions that the high-level policy does not. Store these policies alongside the main policy in SharePoint so that all rules are easy to find and clearly linked to the policy they support.

How do I prove policies are reviewed?

Use the version history in your document management system. Every review should produce a new version entry, even if the content is unchanged, so that the review date is recorded. Document the review meeting in your management minutes. Together these show the auditor that the policies have been checked for continued suitability, adequacy and effectiveness, and that the management system is actively maintained.

Can I host policies in Confluence?

Yes. Confluence works well for hosting policies: it is searchable, accessible to staff, and lets you link a policy directly to the Jira tasks that implement it. This integrates security rules with daily business work, which is the advantage over a disconnected SaaS compliance tool.

LA CASA DE CERTIFICACIÓN