ISO 27001:2022 Clause 5.2: Policy

The Definitive Governance Requirement.

Clause 5.2 mandates that Top Management must establish an Information Security Policy. This document is not a formality. It is the Constitution of your Information Security Management System (ISMS). It sets the tone, the direction, and the legal basis for every control you implement.

The Mandate

The standard requires a policy that is not merely written, but formally authorized. It must be the voice of the Board speaking to the organization.

The policy must:

  1. Be Appropriate: It must match the purpose of your organization. A 5-person startup does not need the same policy as a multinational bank.
  2. Set the Framework: It provides the mechanism for setting information security objectives (Clause 6.2).
  3. The Double Commitment: It must explicitly include a commitment to satisfy applicable requirements (legal/contractual) and a commitment to continual improvement of the ISMS.

The Verdict: If your policy lacks the commitment to “continual improvement,” it is non-compliant. Rewrite it.

The Implementation Strategy

Do not download a generic template and just change the logo. That is a tactical error that will be exposed during the interview stage.

  1. Draft for Intent: The policy should be high-level. It states what you do, not how you do it. “We encrypt data” is a policy. “We use AES-256” is a procedure. Keep them separate.
  2. Authorize: It must be signed and dated by Top Management.
  3. Publish (Availability): It must be available as documented information.
  4. Communicate: This is critical. You must communicate the policy within the organization. Sending an email is the bare minimum; ensuring understanding is the goal.

The Auditor’s Trap

[The Auditor’s View] The most common Major Non-Conformance here is “The Secret Policy.” During the audit, I will stop a random employee in the corridor and ask: “Where is the Information Security Policy?” If they say “I don’t know,” or “Ask IT,” you have failed Clause 5.2(d). The policy must be communicated and understood.

Required Evidence

An auditor requires tangible proof that the policy exists, has been approved, and has been distributed.

  • The Information Security Policy: Signed, dated, and version-controlled.
  • Communication Records: Emails, Slack logs, or Intranet read-receipts proving staff have seen it.
  • Onboarding Records: Signed confirmations from new hires that they have read the policy.
  • Public Facing Policy: (Optional but recommended) A version available for interested parties (e.g., on your website).

Strategic Acceleration

Writing a policy that balances “Audit Compliance” with “Business Reality” is an art form. If you make it too strict, you trip yourself up. If you make it too loose, you fail the audit.

The Hightable™ Information Security Policy is architected to be the perfect median. It satisfies the standard without strangling your operations.

The Next Move: Download the Policy Template