ISO 27001 Annex : A.5 Information Security Policies

5. 1 Management direction for information security

ISO 27001 Annex : A.5 Information Security Policies – Its objective is to provide management guidance and information security assistance in accordance with business requirements and relevant laws and regulations.

5.1.1 Policies for Information Security


A set of information security policies should be established, managed accepted, published and communicated to the employees and related external parties.

Implementation Guidance

At the very least companies need to identify a management-approved “information security strategy,” which outlines the organization’s approach to managing its information security goals.

Information security policies should meet criteria that have been created by:

1. Business strategy;
2. Regulations, legislation and contracts;
3. The present and projected information security threat environment

The information security policy should contain statements concerning:

1. Information security concept, goals and principles that guide all information security activities;
2. Assigning general and specific responsibilities of information security management to defined roles;
3. Deviation and exception handling processes.

At the very least, Information security policy should be accompanying with topic-specific policies that also enforce the implementation of information security controls which are usually designed to meet the needs of certain target groups within the organization or to cover other topics.

Few policy topics are: Access Control (Clause 9), cryptographic control (Clause 10), physical and environmental security (Clause ), etc.

Other information

The need for internal information security policies varies across organizations. Internal policies are particularly useful in larger and more complex organizations where those defining and approving the expected levels of control are separated from those implementing the controls or in situations where the policy applies to a number of different people or functions within the organization. Information security policies are often issued in the context of a single “information security policy” document or as a group of individual but related documents.

If some of the information security policies are shared publicly, it is important to be careful not to reveal details. In such policy documents, certain companies use certain terminology such as “standards,” “directives” or “regulations.”

5.1.2 Review of the policies for information security


The information safety policies should be reviewed at regular intervals or where there are major corrections to ensure that they are acceptable, relevant, and efficient.

Implementation Guidance

Each policy should include an owner who has agreed to manage and evaluate policies for the event. The evaluations will include identifying opportunities to improve the procedures and practices and addressing the management of information security corresponding to the changes in business environment, regulatory requirements or technical environment.

The results of the management reviews should be taken into account for the review of information security policies. Management approval of a new policy should be obtained.

Related Questions

1. What should be in an information security policy?
2. What are the three types of security policies?
3. What are security policies and procedures?
4. Are security policies distinct from guidelines standards procedures and controls?
5. what is ISO 27001 Annex : A.5 Information Security Policies?
6. What is benefits of ISO 27001 Annex : A.5 Information Security Policies?


About Author /

Start typing and press Enter to search