Part 24 - Clause A5.1 Information security policies
The controls listed in Annex A of ISO 27001 are just great.
They essentially tell you what you should do to minimise (or eliminate) the risks associated with your information security management system (ISMS).
For me, one of the reasons I highly recommend certification to ISO 27001 is the power of the controls listed in Annex A.
So let’s get started with Annex A5.
A.5.1 Management direction for information security
As with most standards, getting management “buy-in” and setting a managerial direction is key to a successful implementation of your ISMS.
I have previously blogged about this in both Part 14 - Clause 5.1 Leadership and Commitment and Part 15 - Clause 5.2 Information Security Policy.
In the second blog I described how to create, establish and implement a policy. The main takeaways were:
- The Policy must be communicated, understood and applied.
- Management needs to show commitment to the Policy.
- Commitment needs to be shown at all levels of the organisation.
- The Policy does not need to be complicated.
Here at Mango, our manual just links through to the information security policy that was created in Part 15 above.
The second part of A.5.1 is that the policies need to be reviewed at planned intervals, or whenever significant changes occur.
Again, here at Mango we created an event to review the information security policy annually, checking that the policy is still suitable, adequate and effective.
Meeting this clause is easy. You have done the work already in Parts 14 and 15.
Takeaways
- Just link this section to the policy created previously.
- Set an event to review the policy (typically an annual review is fine).
View previous blogs in this series "ISO 27001 Information Security Management Standard":
Part 1 - Reasons why you need to meet this standard
Part 2 - Principle 1 - Analysing the Protection of Your Information and then Applying Controls
Part 3 - Principle 2 - Awareness of the Need for Information Security
Part 4 - Principle 3 - Assignment of Responsibility for Information Security
Part 5 - Principle 4 - Incorporating Management Commitment and the Interests of Stakeholders
Part 6 - Principle 5 - Enhancing Societal Values
Part 9 - Principle 8 - Active prevention and detection of information security incidents
Part 10 - Principle 9 - Ensuring a comprehensive approach to information security management
Part 12 - ISO 27001 Information Security Management Standard: Clauses 0, 0.1, 0.2, 1, 2 and 3
Part 13 - ISO 27001 Information Security Management Standard: Clauses 4.1, 4.2, 4.3 and 4.4
Part 14 - ISO 27001 Information Security Management Standard: Clause 5.1
Part 15 - ISO 27001 Information Security Management Standard: Clause 5.2
Part 16 - ISO 27001 Information Security Management Standard: Clause 5.3
Part 17 - ISO 27001 Information Security Management Standard: Clause 6.1
Part 18 - ISO 27001 Information Security Management Standard: Clause 6.2
Part 19 - ISO 27001 Information Security Management Standard: Clauses 7.1 - 7.4
Part 20 - ISO 27001 Information Security Management Standard: Clause 7.5
Part 21 - ISO 27001 Information Security Management Standard: Clauses 8.1, 8.2, 8.3
Part 22 - ISO 27001 Information Security Management Standard: Clauses 9.1, 9.2, 9.3
Part 23 - ISO 27001 Information Security Management Standard: Clauses 10.1, 10.2