ISO:27001

Annex A.5 - Information Security Controls

Get compliant with ISO:27001 – Annex A.5 and simplify compliance for your organisation.

This annex was created to ensure policies about how information is accessed, utilised and maintained are written and reviewed in line with the general direction of the organisation’s information security practices. This annex also addresses how to report on information security policies and how they relate to other corporate policies. The objective is to help protect an organisation’s capital and operations from a cyberattack, and includes two controls.

A.5.1 – Information security policy

A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant stakeholders.

Implementation guidance

The information security policy document should express management commitment and set out the organisation’s approach to managing information security. 

The policy document should contain:

  • Definition of information security, overall objectives and capacity, and the importance of security as an enabling mechanism for information sharing. 
  • Statement of management intent, supporting the goals and principles of information security in line with the business objectives and strategy.
  • A framework for setting control objectives and controls, including the structure of risk assessment and risk management.
  • A brief explanation of the security policies, principles, standards, and compliance requirements of particular importance to the organisation.
  • Definition of general and specific responsibilities for information security management, including reporting security incidents.
  • More documentation which may support the policy.

The policies should be communicated throughout the organisation to users in a relevant, accessible and understandable manner.

A.5.2 – Review of the policies for information security

To keep up to date with any changes, whether internal or external, the organisation’s ISMS (information security management system) policies must be updated on a regular basis. Management changes, governing laws, industry standards, and technology are examples of such developments.

The documentation should always represent standards and procedures to preserve the confidentiality, integrity, and availability of files, and an information security breach may result in policy change and improvement.

Implementation guidance

The information security policy should have an owner who has approved management responsibility for the development, review, and evaluation of the security policy. The review should include evaluation of opportunities for improvement of the organisation’s information security policy and approach to managing information security in response to changes to the organisational environment, business circumstances, legal conditions, or technical environment. 

There should be defined management review procedures, including a schedule or period of the review. 

The input to the management review should include:

  • Feedback from interested parties.
  • Result of independent reviews.
  • Status of preventive and corrective actions.
  • Result of previous management reviews.
  • Process performance and information security policy compliance.
  • Changes that could affect the organisation’s approach to managing information security.
  • Trends related to threats and vulnerabilities.
  • Reported information security incidents.
  • Recommendations provided by relevant authorities.

A record of the management review should be maintained.