ISO/IEC 27001 is an international standard on how to manage information security. It describes the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). Its aim is to help organizations make the information they hold more secure, to inspire customer confidence, and to show regulators that the organization follows recognized best practices for cybersecurity and data integrity.
An ISMS maintains the confidentiality, integrity, and availability of information. The ISO 27000 series lists controls and their objectives in Annexure A, which together provide a managed security program.
Today we start explaining the series of controls in Annexure A of ISO 27001.
A.5 Information Security Policies
A.5.1: Directions for Information Security – Objective
Annex A.5.1 is all about management direction for information security. The objective of Annex A.5.1 is to provide management direction and support for information security. These controls must be applied in line with the organization's legal and governance obligations. It includes the two controls explained below.
A.5.1.1: Policies for Information Security
Any organization seeking ISO 27001 certification must communicate its information security policies to management, employees, and relevant stakeholders. The policies must be driven by business requirements and must comply with the laws and regulations that apply to the organization.
These policies also form part of the education, training, and awareness program covered by A.7.2.2. They set out the principles that members of the organization and key parties such as suppliers must follow.
A.5.1.2: Review of the policies for information security
While implementing the ISO 27000 series of information security management, the organization must be able to review its policies.
Clause A.5.1.2 of the Annexure requires information security management to review the policies at planned intervals.
The policies must also be reviewed whenever any of the following occurs:
- a large-scale change in management;
- a corporate law or regulation is renewed;
- another major change occurs; and
- an information security violation is detected.
Maintaining the information security policies must be an integral part of any organization. Management must give direction and support to information security to avoid threats to the organization's data.
The organization shall determine the external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome of its information security management system.
Implementing an ISO Management System?
If you are implementing an ISO management system in your organization and preparing it for an external audit, an ISO Gap Analysis Checklist will give you the list of items you need to prepare.