This article provides additional information on how you can meet the requirement for the ISO 27001:2022 control A.5.1 Policies for information security.
ISO 27001:2022 Control Description
Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.
Purpose
To ensure the ongoing suitability, adequacy, and effectiveness of management’s direction and support for information security, in line with business, legal, statutory, regulatory, and contractual requirements.
Guidance on Implementation
At the highest level, the organisation should establish an “information security policy” that is approved by top management and outlines the organisation’s approach to managing information security. This policy should take into account requirements from:
a) Business strategy and requirements
b) Regulations, legislation, and contracts
c) Current and projected information security risks and threats
The information security policy should include statements on:
a) Definition of information security
b) Information security objectives or a framework for setting these objectives
c) Principles guiding all information security activities
d) Commitment to meeting applicable information security requirements
e) Commitment to continual improvement of the information security management system
f) Assignment of information security management responsibilities to specific roles
g) Procedures for handling exemptions and exceptions
Top management should approve any changes to the information security policy.
At a more detailed level, this policy should be supported by topic-specific policies to enforce the implementation of information security controls. These policies are typically designed to address the needs of specific target groups within the organisation or to cover particular security areas and should align with and complement the overall information security policy.
Examples of such topics include:
a) Access control
b) Physical and environmental security
c) Asset management
d) Information transfer
e) Secure configuration and handling of user endpoint devices
f) Network security
g) Information security incident management
h) Backup
i) Cryptography and key management
j) Information classification and handling
k) Management of technical vulnerabilities
l) Secure development
The development, review, and approval of these topic-specific policies should be assigned to relevant personnel based on their authority and technical expertise. Reviews should assess opportunities for improving the organisation’s information security policy and topic-specific policies in response to changes in:
a) Business strategy
b) Technical environment
c) Regulations, statutes, legislation, and contracts
d) Information security risks
e) Current and projected information security threats
f) Lessons learned from security events and incidents
Reviews should take into account management review results and audit outcomes. When one policy is updated, other related policies should be reviewed for consistency.
The information security policy and topic-specific policies should be communicated to relevant personnel and interested parties in a manner that is accessible and understandable. Recipients should acknowledge their understanding of, and agreement to comply with, the policies where applicable. Organisations can choose the formats and names of these policy documents to suit their needs; the policies may be consolidated into a single document or labelled as standards, directives, or policies.
If the information security policy or any topic-specific policy is shared outside the organisation, care must be taken to avoid disclosing confidential information.