ISO 27001 Annex A Control 5.1

ISO 27001 control 5.1 Policies for information security

The basics

ISO 27001 control A.5.1 Policies for information security requires companies to write relevant information security policies to provide proper guidance on specific information security topics, ensure interested parties are aware of them, and update them when necessary. An information security policy provides high-level guidance like information security objectives, while an Access control policy and Information classification policy provide guidelines for specific information security areas.

Documentation

ISO 27001 control A.5.1 Policies for information security can be documented by writing topic-specific policies to fulfill security requirements (e.g., laws, regulations, or contracts), or to treat relevant risks.

Such policies are not mandatory documents but are recommended for all companies.

Implementation

In order to comply with control A.5.1 Policies for information security you might implement the following:

  • Technology — the technology to enable the management of policies for information security will, in most cases, already be available in the company. Companies of all sizes will probably be able to manage documents by organizing them in corporate folders with controlled access, or by using document management software.
  • Organization/processes — you should set up a process for defining, approving, publishing, communicating, and reviewing/updating information security policies.
  • People — make employees aware of why information security policies are needed, and train them on how to identify required policies and manage them.

Audit evidence

During the certification audit, the auditor might look for the following evidence regarding control A.5.1 Policies for information security: if relevant information security policies are written, and if they are regularly updated.