ISO 27001 Annex A.5 – Information Security Policies


What is the objective of ISO 27001 Annex A.5?

Annex A.5.1 aims to provide management direction and support for information security in accordance with the company’s requirements and relevant laws and regulations. It forms part of the information security management system (ISMS) and is an integral step to achieve ISO 27001 certification. It contains the 2 controls listed below.

A.5.1.1 Policies for information security

Annex 5.1.1 or Control 5.1.1 requires a set of information security policies to be created, approved by the management team, published and communicated to staff and relevant external parties. Each policy should also be classified with the level of data sensitivity it contains, as outlined within the company’s Data Classification Policy.

The policies should reinforce a culture of security and should be part of the company’s education, training and awareness programme in line with Annex 7.2.2.

A parent Information Security Management policy outlines the company’s approach to managing information security within the company. Being independently audited and certified as ISO 27001 compliant gives clients and potential clients confidence in your company’s security policy.

Adoptech provides the full set of policies required for certification and the workflow required to be compliant with control A.5.1.2 below.

A.5.1.2 Review of the policies for information security

Annex 5.1.2 or Control 5.1.2 stipulates that the company’s information security policies must be reviewed regularly to ensure they are up to date, remain fit for purpose and are aligned with the company’s information security objectives.

Each time a change is made to a policy, senior management approval is required before the policy is considered “live” and made available to staff and/or stakeholders.

ISO considers ‘regular’ to be at least annually. This may seem like a lot of work, but with the Adoptech workflow for reminders, updating policies and approving them, the process is efficient and manageable no matter what size your company is.

