ISO 27001 A.5.1: Policies for information security
What This Control Requires
Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.
In Plain Language
Every organisation needs a clear set of security policies that management has formally signed off on. Without them, there is no baseline for what 'good' looks like, and auditors will flag it immediately. You need a top-level information security policy that sets the direction, plus topic-specific policies for things like access control, data classification, incident management, and acceptable use. These should reflect your actual environment - not just boilerplate copied from a template.

Policies cannot just sit in a SharePoint folder gathering dust. They must be actively communicated to everyone who needs them, and you need proof that people have actually read and acknowledged them. That means a distribution process with tracked acknowledgements.

Finally, policies must stay current. Review them at least annually and whenever something significant changes - a restructure, new regulation, or major incident. Document who reviewed what, when, and what changed. Auditors will check this.
How to Implement
Start with a gap analysis. Compare what you already have against ISO 27001:2022 requirements and your statement of applicability. Identify which topic-specific policies you actually need - common ones include acceptable use, access control, data classification, backup, cryptography, mobile devices, and incident management.

Use a consistent template for all policies. Each one should cover purpose, scope, roles and responsibilities, the actual policy statements, an exceptions process, and a review schedule. Write in plain language - if a policy is meant for all staff, skip the technical jargon.

Get formal approval from senior management. Document it with signatures and dates. Then set up somewhere central to publish them - an intranet page or policy management portal works well - and build in acknowledgement tracking so you can prove who has read what.

Set up a review calendar with clear ownership. Each policy needs an owner who is responsible for triggering reviews and updates. Keep version control tight and maintain change logs. After each update, redistribute and require fresh acknowledgements from everyone affected.
Evidence Your Auditor Will Request
- Approved information security policy document with management signatures and dates
- Set of topic-specific policies aligned with the statement of applicability
- Records of policy communication and employee acknowledgements
- Policy review schedule and evidence of completed reviews with change logs
- Minutes from management meetings where policies were approved or reviewed
Common Mistakes
- Policies exist but have not been reviewed or updated in over a year
- No evidence of employee acknowledgement or communication of policies
- Policies are too generic and do not address organisation-specific risks and context
- Topic-specific policies are missing for areas identified in the risk assessment
- Policy documents lack version control, approval signatures, or review dates
Related Controls Across Frameworks
| Framework | Control ID | Relationship |
|---|---|---|
| SOC 2 | CC1.1 | Related |
| SOC 2 | CC5.3 | Related |
| GDPR | Art.24 | Related |
| NIS2 | Art.21(2)(a) | Related |
Frequently Asked Questions
How many policies do we need for ISO 27001 compliance?
How often should information security policies be reviewed?
Who should approve the information security policy?
AuditFront helps you manage every ISO 27001 control, collect evidence, and stay audit-ready.