The basics
ISO 27001 sub-clause 5.2 is called “Policy” — it requires top management to establish an information security policy that is aligned with the organization’s purpose and provides a framework for setting information security objectives, including a commitment to fulfill applicable requirements and to the continual improvement of the ISMS.
Documentation
ISO 27001 clause 5.2 Policy requires writing the following document:
- Top-level Information Security Policy
Implementation
To comply with clause 5.2 Policy, you must write the top-level Information Security Policy – follow these steps:
- Discuss with the top management what the company should achieve with the implementation of ISO 27001.
- Based on this discussion, define the top-level information security objectives.
- Define the process of how the objectives will be set in the future.
- Define the most important responsibilities for information security.
- Write the Information Security Policy.
Audit evidence
During the audit, an auditor might ask for the following evidence regarding clause 5.2 Policy:
- Whether the policy includes a commitment to comply with applicable security requirements and a commitment to continual improvement of the ISMS
- Whether the policy defines the top-level objectives or the framework for setting the objectives
- Whether the policy is communicated to relevant people
- If the policy includes any other responsibilities or rules, the certification auditor will look for evidence that these are complied with