ISO27001 – Control 5.1 – Policies for Information Security


Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.

What this means

This control is all about the importance of having robust information security policies in place and reviewing them regularly.

Information security policies provide the foundation for managing risks and protecting information assets, and there are certain policies required by the standard. At the top level, organisations must have an overarching information security policy endorsed and signed off by leadership. This high-level policy outlines the organisation’s approach, objectives, and principles toward information security. It is the backbone that sets out your entire information security programme.

Additionally, there will be more detailed, topic-specific policies focused on particular areas such as access control, asset management, incident response, business continuity and suppliers. These topic-specific policies provide more information about that particular area and may provide guidance for specific audiences such as staff or suppliers.

There is also an obligation to ensure that your policies remain up to date, so regular review is required. I know that when an organisation first implements ISO 27001, we reword and update policies at least annually. Once the information security management system (ISMS) has matured, we set the review periods at a longer timescale. We review documents and update wording to make them easy to read and to ensure they reflect the current position within the organisation. If a policy does not reflect what actually happens, it could result in a non-conformity. You must keep track of versions and review dates; it doesn’t have to be anything complicated, and for most of our clients we have a spreadsheet holding this information.

By ensuring policies are in place, reviewed regularly and tracked (the spreadsheet), as well as being available to the staff team, you will ensure compliance with this control.

If you want to know about our template policies or ISO 27001 implementation, then book a free call here or email us here.