ISO 27001:2022 Annex A 5.1 Policies for information security for SMEs

ISO 27001 Annex A 5.1 For SMEs 2026

In this guide, I will show you exactly how small businesses and SMEs can implement ISO 27001:2022 Annex A 5.1 Policies for information security without the enterprise-level complexity. You will get a complete walkthrough of the control tailored for organizations with limited resources, along with practical examples and access to ISO 27001 templates that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience auditing businesses of all sizes. I will cut through the jargon to show you exactly what changed in the 2022 update and provide the plain-English advice you need to get your small business certified.

Key Takeaways: ISO 27001 Annex A 5.1 Policies for Information Security (SME Edition)

For Small and Medium-sized Enterprises (SMEs), ISO 27001 Annex A 5.1 is the bedrock of your compliance. It is not just about writing documents; it is about establishing the “constitution” of your security. This control mandates that you define a clear set of rules (policies) that explain what you do to protect data, approved by leadership and communicated to everyone. Without this, your security efforts have no authority and no direction.

Core requirements for compliance include:

  • The “What”, Not the “How”: Policies should state what needs to happen (e.g. “All laptops must be encrypted”). Detailed instructions on how to do it (e.g. “Click Settings > BitLocker”) belong in procedure documents, not policies. This keeps your policies high-level and easier to maintain.
  • Top Management Approval: A policy is just a piece of paper until the boss signs it. You must have evidence (like meeting minutes) showing that senior leadership formally approved these rules.
  • Topic-Specific Policies: The 2022 update encourages modular policies. Instead of one massive document, create specific policies for specific needs (e.g. Access Control, Clear Desk, Supplier Security). This makes them easier for staff to digest.
  • Communication & Acknowledgement: It is not enough to put policies on the intranet. You must prove staff have read them. Use a simple acknowledgement form or a checkbox in your HR system.
  • Regular Review: Policies cannot be static. You must review them at least annually or when significant changes occur (like a new remote working model).

Audit Focus: Auditors will look for “The Authority Trail”:

  1. The Approval: “Show me the meeting minutes where the CEO approved this Access Control Policy.”
  2. The Acknowledgement: “Show me the record that proves your new Sales hire has read the Acceptable Use Policy.”
  3. The Relevance: “Why do you have a ‘Mainframe Security Policy’ when you are a cloud-only startup?” (Policies must match your actual risks).

SME Policy Matrix (Audit Prep):

Policy Type                  | Purpose                        | SME Example
-----------------------------|--------------------------------|-------------------------------------------------------------------
Information Security Policy  | The high-level “Constitution”. | A 2-page document stating management commitment and overall goals.
Acceptable Use (AUP)         | Rules for staff behaviour.     | “Do not share passwords” and “Lock your screen”.
Access Control               | Who gets into what.            | “Least Privilege” principle and user registration rules.
Supplier Security            | Managing third-party risk.     | Rules for checking vendors before sharing data.

What Are Information Security Policies, and Why Do They Matter?

At their core, information security policies are the bedrock of a successful Information Security Management System (ISMS). They provide clear, authoritative direction from the top of the organisation, articulating management’s commitment to protecting its most valuable asset: information. Think of them as the constitution for your company’s security efforts—they set the rules, define expectations, and empower your team to act responsibly.

Defining a Policy

In the context of ISO 27001, policies are simply “statements of what you do for information security.” They are high-level documents that declare your organisation’s stance and intentions on various security topics.

The “What,” Not the “How”

A crucial distinction to understand is that a policy defines what you do, while a process document explains how you do it.

  • Policy Example: “We will manage access to sensitive data based on the principle of least privilege.”
  • Process Example: The step-by-step procedure for requesting, approving, and revoking that access in your software systems.

This separation is a significant strategic advantage. It allows you to share your policies with customers, partners, and auditors to demonstrate your security posture without revealing sensitive internal operational details. This separation also makes your ISMS easier to maintain. You can update an internal process (the ‘how’) due to a technology change without needing to get the high-level, management-approved policy (the ‘what’) re-signed off every time.

Key Objectives of Your Policies

Your policies serve several critical functions that directly contribute to the health and security of your business. Their primary goals are to:

  • Communicate expectations clearly to all staff, ensuring everyone understands their security responsibilities.
  • Demonstrate your security posture to customers and stakeholders, building trust and a competitive edge.
  • Safeguard data confidentiality, integrity, and availability—the three pillars of information security.
  • Align security with business, legal, and regulatory requirements, ensuring you meet all your compliance obligations.
  • Ensure ongoing management direction and support for information security initiatives across the organisation.

Decoding ISO 27001 Annex A 5.1: The Official Requirement

ISO 27001 Annex A 5.1 is the central rule that dictates how you must manage your information security policies. Understanding this control is the first step toward building a policy framework that is not only effective but also fully compliant with the standard.

The Control Defined

“Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.”

— ISO/IEC 27001:2022

What It Means in Plain English

Breaking this down, the standard requires you to perform a clear lifecycle for your policies. For an SME, this means you must:

  • Define a set of policies that are relevant to your business.
  • Get them formally approved by senior management.
  • Publish them where employees and relevant parties can easily find them.
  • Communicate their existence and importance.
  • Obtain acknowledgement from staff that they have read and understood them.
  • Review them regularly to ensure they remain relevant and effective.

A Suite of Policies

A key update in the 2022 version of the standard is the explicit requirement for a main, high-level information security policy supported by “topic-specific policies.” This is a positive development for SMEs. Instead of one enormous, unwieldy document, you can create a modular set of policies. This allows for targeted communication and avoids overwhelming staff with irrelevant information.

For example, your highly technical cryptography policy is essential for your IT team but not relevant for your cleaning or reception staff, who may need to see policies on physical security and acceptable use instead.


Your 7-Step Implementation Plan for Compliant Policies

This section provides an actionable roadmap for developing, implementing, and maintaining your information security policies. By following these seven steps, any SME can systematically create a framework that meets the requirements of ISO 27001 Annex A 5.1.

1. Determine Which Policies You Need

Your policies should be directly linked to your business operations and the specific risks you face. Start by identifying the controls you need to mitigate your identified risks. If your company doesn’t develop software, you don’t need a secure development policy. If you are a fully remote company, it’s pointless having a physical security policy covering things you don’t have, like CCTV and perimeter fences.

2. Assign Ownership

Every policy must have a clear owner who is accountable for its maintenance and relevance. While an Information Security Manager or consultant may do the actual writing, ultimate responsibility lies with the senior leadership team. This ensures that policies have the necessary authority.

3. Write and Structure Your Policies

Your main information security policy is the cornerstone of your framework. It must include clear statements covering:

  • A definition of information security (confidentiality, integrity, and availability).
  • The establishment of clear information security objectives or a framework for setting them.
  • The guiding principles for all information security activities.
  • A commitment to satisfying all applicable information security requirements (legal, regulatory, and contractual).
  • A commitment to the continual improvement of the ISMS.
  • The assignment of responsibility for information security management to specific roles.
  • The procedures for handling exceptions to the security policies.

4. Get Management Approval

Formal approval from top management is non-negotiable. This step demonstrates leadership’s commitment and gives the policies official authority. This approval must be formally documented. A simple and effective way to do this is to record the approval in the minutes of a management meeting.

5. Communicate and Distribute

Policies are useless if no one knows they exist. You must publish them in a location that is easily accessible to all relevant personnel. Common methods include posting on a company intranet, distributing via email, or including them in the employee handbook.

6. Ensure Acknowledgement

You need proof that staff have not only received the policies but have also read, understood, and agreed to comply with them. This can be achieved through requiring employees to sign physical or digital acknowledgement forms or tracking completion through a Learning Management System (LMS).

7. Schedule Regular Reviews

Information security is not static. Your policies must be reviewed at least annually, or whenever a significant change occurs in your business. Crucially, even if a review results in no changes, the review itself must be documented to prove it took place. A simple note like “Policy review, no update” in your version control is perfect evidence.

Passing the Audit: What Your Auditor Will Check

Let’s be clear: an audit isn’t something to fear; it’s a verification that your hard work is paying off. An auditor’s job is to find evidence of conformance, not non-conformance. Here is an insider’s look into exactly what is scrutinised to verify compliance with Annex A 5.1.

1. Linkage to Business Requirements

The auditor will expect to see that your policies are not created in a vacuum. They will look for clear evidence that your policies are directly linked to your business strategy, your legal and contractual obligations (as documented in your legal register), and the specific information security risks you’ve identified in your risk register.

2. Inclusion of Required Statements

Your main information security policy will be examined closely. The auditor will verify that it contains the mandatory statements required by the standard, including commitments to continual improvement and satisfying applicable requirements.

3. Evidence of Top Management Approval

This is a critical checkpoint. The auditor will require documented, unambiguous proof that the main policy and all supporting topic-specific policies have been formally approved by the appropriate level of management.


Avoiding Common Pitfalls: Top 3 Mistakes

In our experience, we see more SMEs fail an audit on simple administrative points than on complex technical controls. These are the unforced errors you must avoid.

1. The “If It Isn’t Written Down, It Didn’t Happen” Problem

The Mistake: You have no evidence that anything actually happened. An auditor cannot verify verbal agreements.
The Fix: Keep a clear paper trail for everything. Document your communication plans, save meeting minutes where policies are approved, and file staff policy acknowledgements.

2. The Team Compliance Gap

The Mistake: One or more members of your team haven’t done what they should have, often new joiners.
The Fix: Before the audit, actively verify that all team members know where to find the policies and have formally acknowledged them.

3. The Document Control Disaster

The Mistake: Mismatched version numbers, missing review dates, or stray comments.
The Fix: Maintain meticulous version control. Ensure version numbers are consistent in headers and footers. Every policy must show evidence of a review within the last 12 months.

Fast Track ISO 27001 Annex A 5.1 Compliance for SMEs with the ISO 27001 Toolkit


For Small Businesses and SMEs, ISO 27001 Annex A 5.1 (Policies for information security) is the bedrock of a successful security system. Policies are “statements of what you do” for information security, acting as your company’s constitution. They provide authoritative direction from leadership and set the rules for protecting your most valuable assets. Crucially, policies define the “What” (strategic directive), which can be shared with clients to build trust, without revealing the “How” (internal sensitive processes).

While SaaS compliance platforms often try to sell you “automated policy generators” or complex “document management portals”, they cannot actually align your security stance with your unique business culture or ensure your leadership is truly committed. Those are human leadership and governance tasks. The High Table ISO 27001 Toolkit is the logical choice for SMEs because it provides the policy framework you need without a recurring subscription fee.

1. Ownership: You Own Your Security Constitution Forever

SaaS platforms act as a middleman for your compliance evidence. If you draft your policies and store your approval history inside their proprietary system, you are essentially renting your own organizational roadmap.

  • The Toolkit Advantage: You receive a full suite of Main and Topic-Specific Policies in fully editable Word formats. These files are yours forever. You maintain permanent ownership of your standards, such as your specific history of management reviews, ensuring you are always ready for an audit without an ongoing “rental” fee.

2. Simplicity: Governance for Real-World Culture

Annex A 5.1 is about clear communication and lifecycle management. You do not need a complex new software interface to manage what a set of clear, professional Word documents and a simple digital sign-off already do perfectly.

  • The Toolkit Advantage: SMEs need to avoid “document control disasters”. What they need is the governance layer to prove to an auditor that policies are approved and communicated. The Toolkit provides pre-written, auditor-verified templates that already include all mandatory statements, without forcing your team to learn a new software platform just to read a policy.

3. Cost: A One-Off Fee vs. The “Document Count” Tax

Many compliance SaaS platforms charge more based on the number of “active policies”, “users”, or “acknowledgement workflows” you manage. For an SME, these monthly costs can scale aggressively for very little added value compared to a one-time purchase.

  • The Toolkit Advantage: You pay a single, one-off fee for the entire toolkit. Whether you manage 5 key policies or 50 detailed ones, the cost of your Policy Documentation Framework remains the same. You save your budget for actual security improvements rather than an expensive compliance dashboard.

4. Freedom: No Vendor Lock-In for Your Trust Strategy

SaaS tools often mandate specific ways to report on and monitor “policy compliance”. If their system does not match your unique business model or specialised industry requirements, such as sharing policies during a sales cycle, the tool becomes a bottleneck to efficiency.

  • The Toolkit Advantage: The High Table Toolkit is 100% technology-agnostic. You can tailor the Policy Framework to match exactly how you operate, whether you share documents via a simple shared drive or a dedicated intranet. You maintain total freedom to evolve your trust strategy without being constrained by the technical limitations of a rented SaaS platform.

Summary: For SMEs, the auditor wants to see clear linkage between policies and business risks, unambiguous evidence of Top Management approval (e.g. meeting minutes), and proof of meticulous version control. The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.

The Business Case: Real-World Benefits of Strong Policies

For a busy SME owner, the most important question is always, “So what?” Why invest time and resources into developing these documents? The answer is that effective policies are not a compliance cost but a strategic investment.

  • Improved Security: When people know what is expected of them, they are far more likely to make secure choices, reducing human error.
  • Reduced Risk: Clear direction on security practices directly reduces your operational and security risks.
  • Improved Compliance: Documented policies are mandatory for ISO 27001 certification and regulations like GDPR.
  • Reputation Protection: Demonstrating effective policies can significantly reduce potential regulatory fines and brand damage in the event of a breach.

ISO 27001 Policies FAQ

Quick answers to common questions about managing information security policies for ISO 27001.

What is the purpose of an Information Security Policy?

Its primary purpose is to establish a framework for managing information security, outline the organisation’s commitment to protecting its information assets, and communicate management’s expectations to staff.

How many policies are required for ISO 27001?

The standard does not specify an exact number. It requires one main, overarching Information Security Policy and as many supporting “topic-specific” policies as needed to address your specific risks.

Can I write policies for ISO 27001 myself?

Yes. It requires a copy of the standard and time to understand your organisation’s specific needs. However, many SMEs use templates or consultants to accelerate the process.

How long will it take me to implement ISO 27001 Annex A 5.1?

If writing from scratch, it could take up to 3 months. Using pre-written, structured templates can reduce this time to less than a day.

How often should policies be reviewed and updated?

Policies must be reviewed at least annually, or whenever there are significant changes to your business, technology, or the threat landscape.


Stuart Barker

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
