
Control A.5.1 Information Security Policies - ISO27001 Annex A


We just wanted to give you some thoughts about control A.5.1 from Annex A of the ISO27001 2022 standard which is all about information security policies. You’re probably going to have two types of policy here. Firstly, you’ll have the information security policy, which is going to include some of the things that are mentioned in the management system parts of the standard, in terms of commitments and so on.

Topic-specific Policies

The other area is going to be topic-specific policies, and you may have quite a few of these as there are a lot of areas that information security is now relevant to. The key thing is to make sure that your approach to policies is consistent, in terms of recognising who the audience is for any particular policy, and that the level that it goes to is appropriate. You’re going to have some policies that are appropriate for users to read, and so they need to be written in language that they will be able to relate to and understand, and you’re going to have some policies that are more technical in nature; they are more relevant to techies within your organisation – things like server hardening and network security controls.

Policy Signoff and Language

So you do need to think about the structure of your policies, in terms of how they are actually signed off as well – you may have several different levels of signoff of policies within your organisation. For higher level policies that’s probably going to be at board level and for lower-level policies on particular topics it may be at a lower departmental head level, so you need to document that and make sure that that’s fully understood, and that the policies are signed off with their current versions. In terms of policies themselves, basically they are a set of rules, so you need to make sure that the language that’s used within your policies is appropriate; it’s not a case of you “should” do this, it’s a case of you “must” or you “will” follow these rules, and each policy will be backed by appropriate disciplinary procedures in the event that someone doesn’t follow the policy or contravenes something that’s in the policy.

Policy Length

The first step, once you’ve created your main information security policy, is to make a list of the topic areas that you’re going to create individual policies for. How long should a policy be? Well, there is a trend nowadays to make policies relatively short, and certainly you don’t want them to be too long, because they lose some of their focus if that is the case. But by the same token they also need to address the subject that is covered within the policy itself, so you need to strike a balance. As we said before, it needs to be appropriate to the audience.

Publish and Communicate Your Policies

Once you’ve created your policies you also need to make sure that they are published and people know that they exist – people have read them. You may want to have, certainly within the induction of new staff, some indication that they have read the appropriate policies and that they have digested them. They may need to sign them and you may decide to use some electronic tools perhaps to distribute these policies and indicate the fact that they have read them. You may also want to have quizzes perhaps, to verify that people have read these policies and they understand them.

Final Tips

You will need to keep previous versions of policies, because if there is some sort of contravention and you end up in court, where you’re saying they didn’t follow the policy, you need to have the exact copy of the document that should have been followed at that time, even if it has been superseded by something later.

Policies are a very important part of the ISMS and of the controls, and it’s worth putting a bit of effort into making sure that you have the right policies in place, and that they are signed off, communicated and published appropriately.


Written by CertiKit’s CEO, Ken Holmes CISSP, CIPP/E. Ken is the primary author of CertiKit’s toolkit range, an ISO27001 Lead Auditor and has helped to implement, operate and audit ISO certifications over a varied 30-year career in the Information Technology industry. 

