How to implement ISO 27001 Clause 5.2 Policy and Pass the Audit


Introduction

Hello, I am the ISO 27001 Ninja and this is ISO 27001 Clause 5.2 Policy. We're going to do a deep dive: we're going to have a look at how you implement Clause 5.2 Policy, we're going to look at some of the common mistakes that people make and we're going to look at what an auditor is going to look for. So we're going to give you all of the knowledge that you need, for free, for ISO 27001 certification. Let's jump straight in. First of all I'm going to start with the definition. This is the book definition direct from the standard, remembering that ISO 27001 as a standard only has 10 pages of valuable content, and what I'm about to read to you is the maximum amount of guidance that you're going to get, but we have all the tips and tricks and we can show you what you need to do to satisfy it. Let's start with that book definition.

Definition of ISO 27001 5.2 Policy

So ISO 27001 Clause 5.2 Policy: top management shall establish an information security policy that is appropriate to the purpose of the organisation, includes information security objectives or provides the framework for setting information security objectives, includes a commitment to satisfy applicable requirements related to information security, and includes a commitment to continual improvement of the information security management system. The information security policy shall be available as documented information, be communicated within the organisation and be available to interested parties as appropriate.

So that's the guidance that 5.2 is giving you in terms of the standard. So let's have a little bit of a think.

What are policies?

So what are policies? The information security policy and the information security policies are statements of what we do. They communicate to people, both internally and externally to the organisation, what we do when it comes to information security. They are not statements of how we do it. How we do it is covered within process documents. Often, when people are coming at this new or don't quite understand, they'll put a combination together: they will put process steps within policies and policy statements within processes, and they will confuse the two. Now that isn't to say that what they are doing is wrong, but what they are doing is going to make things incredibly difficult, so we have to think about the audience and the reason and the purpose for policy. Once we start to understand that this is something that could be shared with customers and clients, that could be shared externally and is going to be published internally, then we can start to see that having process steps in there, things that may be proprietary to how we do things, that may include system names, technology names, or the names of individuals and staff members, isn't necessarily something we want to share externally with clients. So we don't want to muddy the waters. We have an information security policy that sets out for the organisation what we do, and this particular part of the standard is very explicit in what it wants us to include.

The 2022 Update

When we moved to the 2022 version of the standard it actually aligned itself with how I have approached this in the past and continue to approach it, and that is by having a headline information security policy and then a series of topic specific policies. There is a tendency when you first come to this to create one large policy document and, again, that's not to say that that is wrong, but again let's think about the purpose and how we're going to use these policies. These policies are going to be communicated to individuals; they're going to set out what we do.

The advantages of topic specific policies

If we have topic specific policies, there are advantages that are put into play. Those advantages include: we can allocate those policies to individuals, we can allocate those policies to the people that do the work, we can allocate those policies to the people who are accountable for that particular policy. So rather than having one individual, one document owner, one policy owner, we can now give that to the subject matter experts or the leadership of those particular departments. When it comes to the communication of the policy as well, we have many, many requirements that require policy statements and some of them are quite technical. So we may have a network security policy, we may have a cryptography and encryption policy, and these technical policies are not necessarily policies that a wider audience would either understand or appreciate having to read through. Okay, so if we think about the individual that works on our reception desk, is it appropriate, and are they going to benefit from reading through our detailed technical cryptography policy? The answer to that is probably going to be no.

How to structure policies

So we're going to have a high-level information security policy and then we're going to have topic specific policies that sit under that. As we go through ISO 27001 and as we go through the Annex A controls, ISO 27002 (the 2022 update to ISO 27002) has now introduced the wording around topic specific policies. It is very explicit for certain controls that there is a requirement for a topic specific policy, so we're going to put those policies in place.

Policy implementation

When it comes to the implementation of the policies, it's not my intent to sell at you, but I have created a subset of my ISO 27001 Ultimate Toolkit and it is an ISO 27001 policy bundle. That policy bundle has over 25 individual topic specific policies in it that are pre-written and ready to go. The basics, you know, all you have to do really is just rebrand them, but it also comes with an implementation guide about how you can implement them and how you can tweak them. For 99% of people they're there and they're ready to go, so I'm not going to go through writing each individual policy. Each individual policy is available on hightable.io and can be downloaded individually, but the benefit of downloading the bundle is you get everything that you need and you save money; it's just an easier way of doing it. But if there's a specific policy that you think, oh, I need a software development policy, a clear desk policy, a physical security policy, head over to hightable.io and those individual policies are available for a very, very, very small amount of money.

How to satisfy ISO 27001 Clause 5.2 Policy

So when it comes to the policies themselves, let's go through how you can satisfy this clause. The standard is asking: is this policy, and are our policies, appropriate to the purpose of the organisation? Well, the way that we're going to demonstrate that is by what we complete in Clause 4 Context of the organisation. So we've understood within our context of organisation our internal and our external issues, we've understood who our stakeholders are, we've understood who we are as an organisation with our organisational overview, and we're starting to build up that picture so we can start to make sure that our policies are appropriate to us as an organisation. There is an entire section on information security objectives and, again, yes there are templates to download and yes I show you how to write it from scratch if you don't want to buy the template, but we have to create our information security objectives, and those information security objectives ideally will go in our headline information security policy. Now the standard says it's either the objectives or the framework for setting the objectives; it is my advice to you that you include the actual objectives. The benefit of including the actual objectives is that this is a great way to communicate them: when we're communicating our policy to staff, at the same time we are communicating our objectives, so we don't have to do two separate communications, plus when these policies go externally our external stakeholders can see straight away what the objectives are.

Our headline policy is going to include a commitment to satisfy applicable requirements related to information security. Again, the way that I suggest you do that is you make a statement and a call out to your legal, regulatory and contractual register. In our legal, regulatory and contractual register we record all of the laws, regulations and customer requirements on us for information security. For me, if I call out to that then it makes this document a lot more lightweight and it's just a more efficient way of managing the system. Yes, there is a template for the legal register and again you can find that, but we're going to cover the requirements for legal, contractual and regulatory when we get to that section.

The policy is also going to include a commitment to the continual improvement of the information security management system. Again, within my headline information security policy I would include a statement in there that references both our continual improvement policy (a topic specific policy) and our continual improvement process. Again, we are going to come to that; it is a clause in its own right and we are going to cover continual improvement, but you need some kind of statement in there that shows that level of commitment.

The standard wants these policies to be available as documented information. Making these available as documented information is easy: you're going to make sure that these documents are on your internal document storage that is accessible by all staff. That could be Dropbox, that could be SharePoint, that could be Confluence, that could be any document management system that you are using today. Make sure the policies are on there and available. As part of the other clauses we've covered things like communication, about letting people know where they are, about including our policies within our onboarding process, our annual training and our annual re-acknowledgement, but the basics for this clause are: make them available as documented information, i.e. stick it on your document storage.

They should be communicated within the organisation. Refer back to what I've just said: our communication plan is going to regularly communicate where our policies are. At least annually we're going to communicate where the policies are and get people to acknowledge that they have read, understood and accept them as part of our annual review. If at any point we do a mid-cycle review through some change within our organisation then we're going to communicate that change; we're going to communicate that policy out to people. Another top tip that I have found is including policies within your training tool or training package. Many online training tools allow you to create your own specific modules, and many clients have had success in creating bespoke modules in the online training tools, distributing the policies to be read and understood through that tool and then using the signature and acceptance technology that's built in to prove and record that people have read and accepted them.

And the final part of this clause is that it's going to be available to interested parties as appropriate. Now, making it available to interested parties: the first part is put it on your document storage so everybody can see it, communicate it, tell people about it. But there are going to be other interested parties, there are going to be people external to your organisation that want access to this. We would say that we normally would share these documents externally under either NDA or under contract. Because we've made a conscious decision not to include process steps within our policies, and we are only concentrating on what we do, not how we do it, the risk exposure that we have of sharing these externally is vastly reduced, but we would still ideally want to do that under contract or NDA. That will come down to your document classification; again, there's a little bit of a sidebar, we cover classification in one of our other videos, but when it comes to the classification of policies I would classify them as internal, so you require some level of mechanism in place before you share them. You don't just put them on your website. So that is ISO 27001 5.2 Policy.

What will an auditor check?

What is an external auditor going to look for? So when an auditor comes to audit you they’re going to look at a number of different things.

Firstly, do you have any policies? They're going to look at where those policies are. They're going to do a quick review of the policy and make sure the document hygiene is in place: it has a document owner, it has a document classification, it has document version control. They're going to check that that document has been reviewed and approved within the last 12 months and that it is a live and active policy. They're going to look for evidence that you've communicated it, so maybe evidence of emails that you've sent out or other communications that you've done around that, and they're going to look for acknowledgement that people have accepted those particular policies through whatever mechanism of acceptance that you've got.

3 Common Mistakes People Make

The common mistakes that we see when it comes to satisfying this particular clause, and in particular policies, are as follows. Number one is including process steps in policies, because that confuses things and a policy owner may be separate from a process owner; we don't need to cover that again, but it's one of the biggest problems that we see. Number two, we see policies that are out of date. They're not actively being reviewed, so you can see policies with a last review date one, two, three, four years ago; nobody's touched it in a while, so the document hygiene is going to be absolutely one of the things that you want to look for. So I think they're probably the two biggest things when it comes to policy. Number three, it isn't a mistake to have one large policy, but it can be confusing and it can hinder you from communicating it, it can hinder people from reading it. So, having one large policy and not topic specific individual policies isn't necessarily a mistake, but I'll include it in the mistakes section because it just creates more problems than it does benefits. So that was a bit of a deep dive.

Conclusion

Today we've done a high level deep dive, if you can do both of those, on ISO 27001 policy. So the headlines are: have a high level information security policy, include the requirements of the standard within there, have topic specific policies that address the topic specific areas that you have implemented from ISO 27001 Annex A in your organisation, make sure they're communicated, make sure that they're approved, make sure that they're annually reviewed. To fast track this, you know that I have the ISO 27001 policy bundle which you can download from my website hightable.io for an incredibly reasonable price, and it's going to save you maybe two or three months' worth of work to research what you need for each individual policy, then to work out the wording of it and then to write it and document it and so on, and they come with the implementation guide, the very specific implementation guide about how you implement that into your organisation. If you don't do that and you're going to write them yourselves then good luck, I wish you well with that journey, and please do look on hightable.io because for a number of the policies I actually tell you how to write them, so the education is on there so that you can do it for free. So, for today I am Stuart Barker, I am the ISO 27001 Ninja. Be sure to subscribe to the channel; this is where all the gold is, all the knowledge. I'm giving you all the information for free that consultants would charge you thousands and thousands of pounds for. So be sure to subscribe to my channel today and until the next one, peace out.
