Sep 18, 2018 Craig Thornton

ISO 27001 Information Security Management Standard - Clause A5.1

Part 24 - Clause A5.1 Information security policies

The controls listed in Annex A of ISO 27001 are just great.

They essentially tell you what you should do to minimise (or eliminate) the risks associated with your information security management system (ISMS). 

For me, one of the reasons I highly recommend certification to ISO 27001 is the power of the controls listed in Annex A.


So let’s get started with Annex A5.


A.5.1 Management direction for information security

As with most standards, getting management "buy-in" and setting a managerial direction is key to a successful implementation of your ISMS.

I have previously blogged about this in both Part 14 - Clause 5.1 Leadership and Commitment and Part 15 - Clause 5.2 Information Security Policy.

In the second blog I described how to create, establish and implement a policy. The main takeaways were:

  • The Policy must be communicated, understood and applied.
  • Management needs to show commitment to the Policy.
  • Commitment needs to be shown at all levels of the organisation.
  • The Policy does not need to be complicated.

Here at Mango, our manual just links through to the information security policy that was created in Part 15 above.

The second part of A.5.1 is that the policies need to be reviewed at planned intervals, or whenever significant changes occur.

Again, here at Mango we created an event to review the information security policy annually, checking the suitability, adequacy and effectiveness of the policy.

Meeting this clause is easy. You have done the work already in Parts 14 and 15.


Takeaways

  1. Just link this section to the policy created previously.
  2. Set an event to review the policy (typically an annual review is fine).


View previous blogs in this series "ISO 27001 Information Security Management Standard":

Part 1 - Reasons why you need to meet this standard

Part 2 - Principle 1 - Analysing the Protection of Your Information and then Applying Controls

Part 3 - Principle 2 - Awareness of the Need for Information Security

Part 4 - Principle 3 - Assignment of Responsibility for Information Security

Part 5 - Principle 4 - Incorporating Management Commitment and the Interests of Stakeholders

Part 6 - Principle 5 - Enhancing Societal Values

Part 7 - Principle 6 - Risk assessments determining appropriate controls to reach acceptable levels of risk

Part 8 - Principle 7 - Security incorporated as an essential element of information networks and systems

Part 9 - Principle 8 - Active prevention and detection of information security incidents

Part 10 - Principle 9 - Ensuring a comprehensive approach to information security management

Part 11 - Principle 10 - Continual reassessment of information security and making of modifications as appropriate

Part 12 - ISO 27001 Information Security Management Standard: Clauses 0, 0.1, 0.2, 1, 2 and 3

Part 13 - ISO 27001 Information Security Management Standard: Clauses 4.1, 4.2, 4.3 and 4.4

Part 14 - ISO 27001 Information Security Management Standard: Clause 5.1

Part 15 - ISO 27001 Information Security Management Standard: Clause 5.2

Part 16 - ISO 27001 Information Security Management Standard: Clause 5.3

Part 17 - ISO 27001 Information Security Management Standard: Clause 6.1

Part 18 - ISO 27001 Information Security Management Standard: Clause 6.2

Part 19 - ISO 27001 Information Security Management Standard: Clauses 7.1 - 7.4

Part 20 - ISO 27001 Information Security Management Standard: Clause 7.5

Part 21 - ISO 27001 Information Security Management Standard: Clauses 8.1, 8.2, 8.3

Part 22 - ISO 27001 Information Security Management Standard: Clauses 9.1, 9.2, 9.3

Part 23 - ISO 27001 Information Security Management Standard: Clauses 10.1, 10.2
