From the course: ISO 27001:2022-Compliant Cybersecurity: The Annex A Controls

Policies for information security (Control 5.1)


- [Instructor] A good security program is driven from the top down. Top management needs to provide clear direction for their organization's information security, and the way they do that is through information security policies. Policies are so important for the ISO 27001 standard that they're the very first clause in the Annex A Controls. In this video, you'll learn about Control 5.1, Policies for Information Security. This control requires that information security policies in your organization are defined and approved by management, published and communicated to relevant personnel, and reviewed at planned intervals and if significant changes occur. The purpose of having information security policies is to ensure the continuing suitability, adequacy, and effectiveness of management direction and support, and to comply with business, legal, statutory, regulatory, and contractual requirements.

Control 5.1 provides guidance for complying with the requirements of this clause. The guidance starts by saying your organization should define a policy hierarchy, with the information security policy at the highest level. At a lower level, the information security policy should be supported by topic-specific policies as needed.

Let's look at the guidance for the information security policy. Control 5.1 says your organization should define an information security policy, which is approved by top management, and which sets out the organization's approach to managing its information security. When writing your information security policy, you should consider requirements from business strategy, regulations, and information security risks and threats. Your information security policy should include statements on the definition of information security, the information security objectives and principles, your organization's commitment to information security, and the assignment of information security responsibilities. Procedures for handling exemptions and exceptions to the information security policy should also be included. See ISO 27001 for specific guidance about the information security policy. I also have a video with suggestions about how to write this policy in part one of this course.

At a lower level, the information security policy should be supported by topic-specific policies as needed. These policies mandate the implementation of information security controls and typically address the needs of certain target groups or cover certain security areas within the organization. Topic-specific policies should be aligned with and complementary to the top-level information security policy. Examples of topic-specific policies include access control, asset management, and cryptography and key management policies. For a longer list of topic-specific policies, review the handout for this video and take a moment to note which policies you might implement for your organization. Unlike the information security policy, which should be reviewed and approved by your organization's top management, topic-specific policies should be developed, reviewed, and approved by relevant personnel based on their level of authority and technical competency.

Policy review should look for opportunities to improve the policies in response to changes in business strategy, technical environment, regulations, and information security risks and threats. Policy reviews should also consider the results of management reviews and audits. If one policy is updated, make sure the other related policies are reviewed and updated, if needed, to maintain consistency.

After your organization's security policy and topic-specific policies are written, they need to be communicated to relevant personnel and interested parties in a form that is accessible and understandable to them. For certain policies, like your information security policy, consider requiring recipients to acknowledge that they understand and agree to comply with the policies. Every organization is different, so some might have one giant policy document that covers everything, and others might have various written standards, directives, or procedures. If any policies are distributed outside of your organization, make sure they don't accidentally disclose any confidential information.

You can demonstrate compliance with Control 5.1 by writing, publishing, and communicating an information security policy that is approved by top management; writing, publishing, and communicating supporting topic-specific policies that are approved by relevant personnel; and reviewing the information security policies at planned intervals or when significant changes happen to make sure they're still adequate and effective. The best way to capture your management's direction for information security and comply with Control 5.1 is to write information security policies and review them regularly.