ISO 27001 Annex A 5.1 – Policies for Information Security

ISO 27001 Annex A 5.1 Policies for Information Security 2022

ISO 27001 Annex A 5.1 is about policies for keeping information safe. A policy is a written rule that tells people what to do. This part of the standard says that a company must have a main information security policy and other specific policies.

What is ISO 27001 Annex A 5.1?

The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).

In the ISO/IEC 27001:2022 Standard the control is titled “Policies for Information Security”.

What is the ISO 27001 Annex A 5.1 control objective?

The formal definition and control objective in the standard is: “Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.”

What is the purpose of ISO 27001 Annex A 5.1?

The purpose of ISO 27001 Annex A 5.1 is “To ensure the suitability, adequacy and effectiveness of management's direction and support for information security.”

Is ISO 27001 Annex A 5.1 Mandatory?

ISO 27001 Annex A control 5.1 (Policies for Information Security in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.

The mandatory part of the standard requires you to consider ISO 27001 Annex A 5.1 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.

The Main Policy

This is a top-level document. It explains how a company will keep its information safe. It should be approved by senior leaders and then shared with everyone. It should be reviewed at least once a year.

This policy should include:

  • A clear statement about what information security means for the company.
  • The goals for keeping information safe.
  • A promise from leaders to meet the rules and laws.
  • A promise to always make the security system better.

Other Policies

In addition to the main policy, a company should have other topic-specific policies. These policies give more detail on a particular topic, such as how to use a computer or handle email. It is a good idea to keep these topics in separate policies, because that makes each one easier to share with the people it applies to.

Examples of specific policies:

  • Access Control: Rules about who can see what information.
  • Acceptable Use: Rules for how employees can use company computers and the internet.
  • Data Handling: Rules for how to keep information safe, like how to store or get rid of it.
  • Information Classification: Rules for giving data a label, like “private” or “public.”

What an Auditor Will Check

An auditor will check that you have a policy. They will also make sure it has been approved by management, communicated to the relevant people, reviewed at planned intervals, and is being followed in practice.