Requirement
Requirement lens
Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.
Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and when significant changes occur.
Plain-language meaning
The organization needs a formal information security policy structure, not random documents sitting in a shared folder.
A policy is useful only if it is:
- written;
- approved;
- controlled;
- published;
- communicated;
- acknowledged by relevant audiences;
- maintained;
- reviewed regularly and after significant changes;
- linked to risk and business requirements.
A policy that nobody knows exists is not an effective control.
Top-level policy vs topic-specific policies
Top-level information security policy
The top-level policy is the high-level management statement of intent.
It should explain:
- why information security matters;
- what the organization is trying to protect;
- the general ISMS scope;
- management commitment;
- high-level security objectives;
- key responsibilities;
- the risk-based control approach;
- compliance expectations;
- exception and non-compliance handling;
- references to supporting policies.
The top-level policy should normally be short and understandable. A one-page policy is often stronger than a long policy nobody reads.
Topic-specific policies
Topic-specific policies provide detailed rules for specific security areas.
Examples:
| Topic-specific policy | Purpose |
|---|---|
| Access Control Policy | Access approval, least privilege, access review, privileged access |
| Acceptable Use Policy | Acceptable use of company systems and information |
| Asset Management Policy | Ownership, classification, inventory, return, disposal |
| Information Classification Policy | Labels and handling rules |
| Cryptography Policy | Encryption and key management requirements |
| Supplier Security Policy | Vendor and third-party security requirements |
| Incident Management Policy | Reporting, escalation, response expectations |
| Backup Policy | Backup scope, frequency, retention, testing |
| Logging and Monitoring Policy | What must be logged, monitored, retained, and reviewed |
| Remote Work Policy | Secure remote access, endpoint, VPN, home-working rules |
| Secure Development Policy | Secure coding, code review, testing, release control |
The top-level policy says what the organization commits to.
The topic-specific policies say how specific security areas are governed.
Procedures and standards then explain how the policies are executed.
Policy hierarchy
| Level | Purpose | Example |
|---|---|---|
| Policy | Management intent and mandatory rules | Access must be based on least privilege |
| Standard | Specific mandatory requirements | MFA is required for all remote access |
| Procedure | Step-by-step instructions | How to request, approve, and remove user access |
| Guideline | Recommended practice | Secure use of password managers |
| Record/evidence | Proof something happened | Access approval ticket, LMS acknowledgement |
Implementation guidance
Implementer focus
Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.
1. Keep policies simple and usable
Policies should be clear enough that people understand their responsibilities.
Bad pattern:
Users shall protect information according to business requirements and applicable laws.
This is too generic to be useful.
Better pattern:
Users must protect company information according to its classification, use approved storage locations, report suspected incidents immediately, and comply with access control, acceptable use, and data handling requirements.
2. Obtain management approval
Management approval matters because the policy represents organizational authority.
A draft policy written by the security team is weak evidence if it was never approved.
Good evidence includes:
- signed policy;
- workflow approval;
- board or executive committee minutes;
- GRC approval record;
- policy register showing approved status;
- version history showing approver.
3. Publish and communicate policies
Publication and communication are different.
| Requirement | Example evidence |
|---|---|
| Published | Intranet page, policy portal, GRC repository, employee handbook |
| Communicated | Email announcement, onboarding, awareness campaign, team briefing |
| Acknowledged | Signed attestation, LMS completion, annual policy acknowledgement |
A policy hidden in a folder may exist, but it may still fail the communication and awareness test.
4. Require acknowledgement where relevant
Relevant personnel and interested parties should acknowledge relevant policies.
“Relevant” is important. Not every person needs every topic-specific policy.
| Audience | Relevant policy exposure |
|---|---|
| All employees | Top-level policy, acceptable use, incident reporting |
| Developers | Secure development, source code handling, vulnerability management |
| HR | Screening, disciplinary process, joiner/mover/leaver requirements |
| IT admins | Access control, privileged access, logging, backup, change management |
| Suppliers | Supplier security requirements, confidentiality, incident notification |
| Contractors | Acceptable use, access control, confidentiality, remote access |
5. Control external distribution
External parties may need policy information, but internal policies can contain sensitive details.
Use:
- redacted policies;
- supplier security schedules;
- contractual security requirements;
- third-party code of conduct;
- confidentiality agreements;
- controlled access to current versions.
6. Protect policies from tampering
Policies are controlled documents.
Expected controls include:
- version control;
- named document owner;
- restricted edit permissions;
- approval workflow;
- review history;
- read-only publication copy;
- archived previous versions;
- change log.
7. Review policies
Policies should be reviewed:
- at planned intervals; and
- when significant changes occur.
Review triggers include:
| Trigger | Why it may require review |
|---|---|
| New risk assessment results | Policies may no longer match actual risks |
| Security incident | Control expectations may need adjustment |
| New vulnerability or threat | Requirements may need strengthening |
| New technology | Cloud, AI, SaaS, remote work, or architecture changes may alter controls |
| Legal/regulatory change | Compliance obligations may change |
| Organizational change | New departments, acquisitions, outsourcing, restructuring |
| Supplier model change | Third-party requirements may need updating |
| Audit finding | Policies may be unclear, outdated, or not communicated |
A policy review that only checks grammar is weak. The review should confirm that the policy remains suitable, accurate, risk-aligned, and implementable.
Audit guidance
Auditor focus
Look for evidence that the process operates in practice, not just that a document exists.
An auditor should not only check whether a policy document exists.
A good audit asks:
Does the policy support the ISMS, and can the organization prove it is approved, communicated, understood, maintained, and reviewed?
Audit tests
| Audit area | What to check | Evidence |
|---|---|---|
| Existence | Does the top-level information security policy exist? | Policy document |
| Approval | Was it approved by appropriate senior management? | Signature, approval workflow, minutes |
| Ownership | Is there a named policy owner? | Policy metadata, RACI, job role |
| Version control | Is the document controlled? | Version history, change log |
| Scope | Does it align with ISMS scope? | Policy scope statement, ISMS scope document |
| Management commitment | Does it state leadership support? | Policy statement, signed approval |
| Responsibilities | Are responsibilities defined? | Policy, RACI, job descriptions |
| Risk management link | Does it reference risk assessment/treatment? | Risk methodology reference |
| Supporting policies | Are topic-specific policies linked? | Policy manual, policy register |
| Communication | Was it communicated to relevant people? | Email, LMS, onboarding records |
| Acknowledgement | Did relevant users acknowledge it? | Attestation records |
| Accessibility | Can employees find it? | Intranet, GRC portal, employee handbook |
| External parties | Are relevant third parties informed? | Contracts, supplier requirements |
| Review | Is it reviewed at planned intervals? | Review schedule, review records |
| Triggered review | Is it reviewed after significant changes? | Incident records, change logs, risk review minutes |
| Exceptions | Is there a process for exceptions/non-compliance? | Exception register, approval records |
| Updates | Are employees informed of changes? | Change communications, LMS updates |
Strong evidence
Strong evidence test
Prefer dated, owned, reviewed records that show the control or process operated for real cases.
- Top-level policy signed by an appropriate executive.
- Document has owner, version, approval date, and next review date.
- Policy is published on intranet or a GRC platform.
- Employees complete annual acknowledgement.
- New hires acknowledge policy during onboarding.
- Topic-specific policies are linked from the top-level policy.
- Policy changes are controlled and tracked.
- Review records show planned and event-driven reviews.
- Exception process exists and has real examples.
Weak evidence
Weak evidence warning
Weak evidence usually shows a document exists but does not prove operation, consistency, or effectiveness.
- Policy is marked draft.
- No management approval.
- No named owner.
- No review date.
- Outdated references to old systems or teams.
- Employees do not know where to find it.
- No communication evidence.
- No acknowledgement records.
- Topic-specific policies contradict each other.
- Policies exist but are not followed.
- External parties are expected to comply with policies they were never given.
Common failures
Implementation watchouts
These are the fastest ways this topic fails in real ISMS work.
| Failure | Why it matters |
|---|---|
| One huge policy document | Hard to read, maintain, communicate, and audit |
| No policy owner | No accountability for maintenance |
| No version control | Cannot prove which policy was active |
| No acknowledgement process | Cannot prove relevant personnel accepted responsibilities |
| No external redaction | May expose sensitive internal security details |
| Policy not linked to risk | Becomes generic compliance paperwork |
| Policies not updated after changes | Control expectations become stale |
| Employees unaware of policy | Control may be ineffective |
Exam traps
Exam focus
Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.
- Having a policy document is not enough.
- Top-level policy should not contain every operational detail.
- Relevant external parties may need access to policy requirements.
- Not all policies should be public.
- Reviews are both scheduled and triggered by significant changes.
- The auditor checks communication, acknowledgement, ownership, version control, and review, not just the document.
KB-ready summary
Quick refresher
Use this section for last-day review and for explaining the topic to a control owner.
A.5.1 requires a formal information security policy structure. The top-level policy should express management commitment and link to detailed topic-specific policies. Policies must be approved, published, communicated, acknowledged by relevant audiences, controlled, protected from unauthorized modification, and reviewed periodically and when significant changes occur.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Organizational controls
- Policy
- Audit
Note Metadata
Aliases: A.5.1, Policies for Information Security, Information Security Policy
Source: 02 Annex A Organizational Controls/A.5.1 Policies for Information Security.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
5
links
Implementation artifacts
Templates and working records that help operate the control.
Audit checks
Audit questions, checklists, or review material connected to the control.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO27001 ISMS KB - Start Here
- Information Security Policy
- Management Responsibilities
- ISO 27001 A.5.10 - Acceptable Use of Information and Other Associated Assets
- ISO 27001 A.5.36 - Compliance with Policies, Rules and Standards for Information Security
- ISO 27001 A.5.5 - Contact with Authorities
- ISO 27001 A.5.6 - Contact with Special Interest Groups
- A.5 Organizational Controls MOC
- ISO 27001 A.6.2 - Terms and Conditions of Employment
- ISO 27001 A.6.3 - Information Security Awareness, Education and Training
- ISO 27001 A.6.4 - Disciplinary Process
- A.5.1 Audit Evidence Pack
- AQ-ISO27001-A.5.1 Policies for Information Security
- A.5 Organizational Controls Implementation Guide
- ISMS Implementation Roadmap
- ISO27001-A.5.1 Policies for Information Security
- A.5 Controls Implementation Audit Risk Mapping
- GDPR to ISO 27001 Engineering Crosswalk
- EXAM-004 - Policy vs Procedure vs Standard
- ISO 27002 Annex A Control Interpretation Map
- Template - A.5.1 Audit Checklist
- Disciplinary Process Checklist
- Personnel Security Responsibility Acknowledgement
- Template - Policy Communication and Acknowledgement Tracker
- Template - Policy Register
- Template - Policy Review Checklist
- Security Awareness and Training Plan
- Security Terms and Conditions Checklist
- Template - Top-Level Information Security Policy
- Annex A Controls MOC
- ISO 27001 Overview