If you are transitioning your Information Security Management System (ISMS) from the 2013 version of ISO 27001 to the 2022 update, one of the first things you will notice is a change in how policies are structured. In the older version, policies were split across multiple controls. Now, they have been brought together under a single, more cohesive banner: Annex A 5.1.
Understanding these changes is crucial because policies are the foundation of your entire security framework. They aren’t just documents meant to sit on a digital shelf; they are the “voice of management” that dictates how your organisation protects its most valuable assets. Let’s explore what actually changed and what you need to do differently now.
The Main Change: Consolidation and Simplification
In the ISO 27001:2013 version, the requirements for policies were divided into two distinct controls: A.5.1.1 (Policies for information security) and A.5.1.2 (Review of the policies for information security). While this structure worked, it often led to a fragmented approach where the creation of a policy was viewed separately from its ongoing maintenance.
In the 2022 version, these two have been merged into one comprehensive control: Annex A 5.1 – Policies for Information Security. According to HighTable.io, this merge signifies a shift toward a more holistic lifecycle approach. It is no longer enough to simply “have” a policy; the new standard reinforces that the policy must be defined, approved, communicated, acknowledged, and reviewed, all under the same strategic umbrella.
New Categories and Themes
Another major shift is the broader context of where this control sits. The 2013 version used 14 domains, whereas the 2022 version has consolidated everything into four “themes”: People, Physical, Technological, and Organisational. Annex A 5.1 is now classified as an Organisational Control.
This reclassification highlights that policy management is a fundamental business process rather than just a technical or IT requirement. It places the responsibility squarely on the shoulders of management to ensure that security direction is aligned with business objectives and legal requirements.
High-Level vs. Topic-Specific Policies
The 2022 standard brings more clarity to the types of policies you need. It explicitly differentiates between the high-level Information Security Policy and “topic-specific” policies. While the 2013 version implied this, the 2022 update is much clearer about the hierarchy:
- The High-Level Policy: This is a brief, strategic document approved by top management that outlines the organisation’s overall approach to security.
- Topic-Specific Policies: These are the “nitty-gritty” documents that cover specific areas like Access Control, Physical Security, or Clear Desk and Clear Screen protocols.
This separation makes it easier for organisations to communicate relevant rules to the right people. For example, your developers need to see your Secure Coding policy, while everyone in the building needs to understand the Physical Access policy.

The Requirement for “Acknowledgement”
A subtle but significant addition in the 2022 version of Annex A 5.1 is the explicit mention of acknowledgement. In the 2013 version, the focus was heavily on “communication.” The 2022 update takes this a step further by requiring that policies are not just sent out, but that relevant personnel and interested parties actually acknowledge them.
As noted by HighTable.io, an auditor will now look for evidence that staff have actively agreed to follow these rules. This usually takes the form of a digital signature or a timestamped confirmation within a policy management platform. It moves the needle from “I sent the email” to “The employee understands and accepts their responsibilities.”
Living Documents: The Review Cycle
While the 2013 version required “planned intervals” for reviews, the 2022 version places more emphasis on event-driven reviews. You still need to review your policies annually, but the new standard expects you to trigger a review whenever “significant changes occur.” This could mean a major change in technology (like moving to the cloud), a change in legislation (like updated data privacy laws), or even a significant security incident.
How to Transition Your Policies
If you are currently aligned with the 2013 version, you don’t need to throw everything away. Instead, follow these steps to meet the 2022 requirements:
- Merge your processes: Combine your policy creation and review procedures into a single lifecycle management process.
- Update your register: Ensure your list of policies covers both the high-level strategic goals and the necessary topic-specific details.
- Implement acknowledgement: If you don’t already have a way to track who has read and agreed to your policies, now is the time to set that up.
- Check alignment: Ensure your policies specifically reference current business goals and the latest regulatory requirements.
The move to ISO 27001:2022 Annex A 5.1 is a positive step toward more practical, manageable, and effective security. By streamlining the requirements into a single control, the standard makes it easier for organisations to prove that their security direction is active, understood, and consistently improved.
