Control 5.1: Information Security Policies
Summary
This control requires the definition, approval, and communication of a high-level information security policy and topic-specific policies. These documents serve as the governing framework for an organization's security posture, ensuring that management direction is formalized and acknowledged by all relevant personnel.
Applicability
In-Scope: Mandatory for all organizations seeking ISO 27001:2022 certification. It is required to establish legal authority for security enforcement, meet regulatory requirements (such as Law 25 or GDPR), and provide a baseline for internal audits.
Out-of-Scope: This control is rarely excluded. Only in highly specific, low-risk edge cases, such as a single-person entity with no external data processing, might the complexity be reduced, but a documented statement of intent remains a requirement for the ISMS.
Implementation Guidance
Microsoft 365 / Entra ID
- Distribution: Deployment via a secured SharePoint Communication Site or a "Single Source of Truth" document library.
- Enforcement: Integration with Entra ID Conditional Access. Users are required to review and digitally accept the "Terms of Use" policy before being granted access to corporate resources.
- Compliance: Monitoring via Microsoft Purview to ensure version control and distribution to the correct user groups.
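The Entra ID Terms of Use enforcement above produces acceptance records in the tenant; the following script is an added example (not part of the original page or any Microsoft tooling) that pulls those records through Microsoft Graph and flags in-scope users whose acknowledgement is missing or expired, giving an exportable evidence file for the Acknowledgment Records item below. It assumes the Microsoft.Graph PowerShell SDK is installed, that an Entra ID group defines who must acknowledge the policy, and that the group ID and output path are placeholders to be replaced.

```powershell
# Added example: export Entra ID Terms of Use acceptance evidence for ISO 27001 Control 5.1.
# Assumes the Microsoft.Graph PowerShell SDK; the group ID and report path are placeholders.
param(
    [string]$ScopeGroupId = '<GROUP-ID-OF-ALL-STAFF>',        # placeholder: group of users who must acknowledge
    [string]$ReportPath   = '.\isp-acknowledgement-evidence.csv'
)

Connect-MgGraph -Scopes 'Agreement.Read.All','AgreementAcceptance.Read.All','GroupMember.Read.All' -NoWelcome

# Follow @odata.nextLink so large tenants are fully enumerated rather than only the first page.
function Get-GraphCollection([string]$Uri) {
    $items = @()
    while ($Uri) {
        $page   = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    }
    return $items
}

$base = 'https://graph.microsoft.com/v1.0'
$now  = Get-Date

# Who must acknowledge the policy: user objects among the transitive members of the scope group.
$required = Get-GraphCollection "$base/groups/$ScopeGroupId/transitiveMembers?`$select=id,userPrincipalName" |
    Where-Object { $_.'@odata.type' -eq '#microsoft.graph.user' }

$rows = foreach ($agreement in Get-GraphCollection "$base/identityGovernance/termsOfUse/agreements") {
    # Keep only acceptances in state 'accepted'; declined records do not count as acknowledgement.
    $accepted = @{}
    foreach ($a in Get-GraphCollection "$base/identityGovernance/termsOfUse/agreements/$($agreement.id)/acceptances") {
        if ($a.state -eq 'accepted') { $accepted[$a.userPrincipalName] = $a }
    }
    foreach ($u in $required) {
        $rec = $accepted[$u.userPrincipalName]
        # An acceptance with a past expirationDateTime (re-accept frequency reached) is not current evidence.
        $status = if (-not $rec) { 'MISSING' }
                  elseif ($rec.expirationDateTime -and [datetime]$rec.expirationDateTime -lt $now) { 'EXPIRED' }
                  else { 'Accepted' }
        [pscustomobject]@{
            Policy           = $agreement.displayName
            User             = $u.userPrincipalName
            Status           = $status
            RecordedDateTime = $rec.recordedDateTime
            AgreementFileId  = $rec.agreementFileId   # identifies which policy version was accepted
        }
    }
}

$rows | Export-Csv -Path $ReportPath -NoTypeInformation
$rows | Where-Object { $_.Status -ne 'Accepted' } | Format-Table -AutoSize
```

The CSV is the artefact to retain for the audit; the console table lists only the gaps that need follow-up before the review cycle closes.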
Evidence Checklist
- Information Security Policy: A formally approved document signed by top management within the current review cycle.
- Topic-Specific Policies: Documentation addressing specific areas (e.g., Access Control, Asset Management, Physical Security).
- Acknowledgment Records: Evidence (logs or signatures) confirming that all employees and relevant third parties have acknowledged the policies.
- Management Review: Minutes of meetings proving that policies are reviewed at planned intervals or following significant organizational changes.
Practical Audit Advice
Here are some questions the auditor might ask:
- How does top management ensure this policy remains aligned with the organization's current strategic business objectives and risk appetite?
- Can the CISO demonstrate the specific process used to trigger a policy review when a "significant change" occurs outside of the annual review cycle?
- When asked during a spot check, can a random staff member identify where the governing policies are hosted and confirm the last time they acknowledged a change?
- Can the governance team show the direct link between this high-level policy and the topic-specific standards (e.g., Access Control) used by technical departments?