Home / ISO 27001 Annex A Controls / ISO 27001 Annex A 5.1: Policies for Information Security

ISO 27001 Annex A 5.1: Policies for Information Security

Last updated Sep 6, 2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

ISO 27001 Policies for Information Security

The Ultimate Guide to ISO 27001 Policies

In this ultimate guide to the ISO 27001 Annex A 5.1 Policies for Information Security you will learn

What are Policies for Information Security
What information security policies you need
How to write policies for ISO 27001
ISO 27001 policy templates you can download and use straight away
An implementation guide
An implementation checklist
An audit checklist

The Ultimate Guide to ISO 27001 Policies
What are ISO 27001 Policies?
What is ISO 27001 Annex A 5.1?
Watch the Tutorial
Implementation Guide
How to implement ISO 27001 Annex A 5.1 Policies for Information Security
ISO 27001 Policy Templates
How to comply
What the auditor will check
How to audit ISO 27001 Annex A 5.1 Policies
Top 3 Mistakes People Make and How To Avoid Them
ISO 27001 Annex A 5.1 Policies FAQ
Related ISO 27001 Controls and Further Resources
Controls and Attribute Values

What are ISO 27001 Policies?

ISO 27001 policies are statements of what you do for information security and are used to communicate to staff what must be done and to customers what you do.

Policies are a foundation stone of an information security management system. They are approved by senior management and outline an organisation’s approach to safeguarding sensitive data. Furthermore, they include both high-level and low-level guidelines, ensuring that all employees understand their responsibilities in maintaining data confidentiality, integrity, and availability. Subsequently, policy reviews, stakeholder communication, and a formal change management process are crucial for maintaining the effectiveness of this critical element of an organisation’s information security management system.

Basically they are intended to ensure the ongoing suitability, adequacy, and effectiveness of management direction and support for information security, aligning with all applicable business, legal, statutory, regulatory, and contractual requirements.

What is ISO 27001 Annex A 5.1?

ISO 27001 Annex A 5.1 Policies for Information Security is an ISO 27001 control that requires an organisation to have an information security policy and topic specific policies in place, communicated, reviewed and acknowledged.

I like this change from the old ISO 27001:2013 version as it calls out explicitly now that a pack or suite of policies will be required rather than just the headline information security policy.

Purpose

The purpose of the Annex A 5.1 Policies for Information Security is to ensure the suitability, adequacy and effectiveness of managements direction and support for information security.

Definition

ISO 27001 defines ISO 27001 Annex A 5.1 as:

Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.
ISO 27001:2022 Annex A 5.1 Policies for Information Security

Get the ISO 27001 Certification Kit >

Watch the Tutorial

In the video ISO 27001 Annex A 5.1 Policies for Information Security Explained I show you how to implement it and how to pass the audit.

Implementation Guide

You are going to have to

work out what policies you actually require
write them
sign them off
publish them
have them acknowledged by staff
review them at regular intervals

The absolute best way to do this is download the prewritten ISO 27001 Policy Pack and follow the guide in the ISO 27001 Policies Ultimate Guide.

ISO 27001 Policies Ultimate Reference Guide

In this ISO 27001 Policies Ultimate Guide I show you what the requirement is for ISO 27001 and the detailed requirements for the new ISO 27001 standard of controls.

The following is compliance guidance for Policies for Information Security.

How to implement ISO 27001 Annex A 5.1 Policies for Information Security

Organisations must have an information security policy approved by top management. This policy outlines the organisation’s approach to managing information security.

Time needed: 1 hour and 30 minutes

How to implement ISO 27001 policies for information security

Assign ownership
The Senior leadership team is responsible for developing, approving, and implementing appropriate information security policies.
Address policy requirements
The policy should address:

Business needs: Align with business strategies and requirements.
Legal and contractual obligations: Comply with all relevant laws, regulations, and contracts.
Security risks: Consider current and potential threats to information security.
Include policy statements
The policy should include statements on:

Defining information security: Clearly define what constitutes information security for the organisation.
Setting security objectives: Establish clear information security goals or a framework for setting them.
Guiding principles: Outline principles for all information security activities.
Compliance: Commit to meeting all applicable information security requirements.
Continuous improvement: Commit to ongoing improvement of the information security management system.
Responsibilities: Assign responsibility for information security management to specific roles.
Handling exceptions: Establish procedures for handling exceptions to security policies.
Include topic specific policies
Topic-specific policies provide more detailed guidance on implementing specific security controls. These policies should align with and support the main information security policy.
Examples of topic-specific policies include:
Access control
Physical security
Asset management
Data transfer
Device security
Network security
Incident management
Data backup
Cryptography
Data classification
Vulnerability management
Secure development
Approve policies
Top management must approve any changes to the main policy.
Review policies
Relevant personnel with the necessary authority and expertise should develop, review, and approve topic-specific policies.
Regular policy reviews are essential. These reviews should assess:
Changes to the organisation’s business strategy.
Changes in the organisation’s technology.
Updates to laws, regulations, and contracts.
Evolving security risks and threats.
Lessons learned from security incidents.
Management reviews and audits should inform policy review processes.
Communicate Policies
Communication is key. Policies must be communicated to all relevant personnel and stakeholders in a clear, accessible, and understandable format. Recipients should acknowledge their understanding and agreement to comply.

The organisation can choose the format and names for these policy documents. Topic-specific policies can be called standards, directives, or other suitable names.

When distributing policies outside the organisation, care must be taken to protect confidential information

Supplementary Guidance

Topic-specific policies can vary across organisations.

	Information security policy	Topic-specific policy
Level of detail	General or high-level	Specific and detailed
Documented and formally approved by	Top management	Appropriate level of management

Table 1: Information Security Policy vs. Topic-Specific Policies

ISO 27001 Policy Templates

ISO 27001 Annex A 5.1 Policy Templates are already fully populated and ready to go.

How to comply

To comply with ISO 27001 Annex A 5.1 Policies for Information Security you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to

Write an ISO 27001 information security policy
Supplement that information security policy with topic specific policies
Ensure your policies are classified and have document mark up
Have the policies approved by management and have evidence of that happening
Publish the policies to a place everyone that needs to see them can see them
Tell those people where those policies are
Communicate your policies as part of your communication plan and document you did it
Get people to acknowledge the policies and keep evidence that they have
Plan to review your policies at least annually or if significant change occurs
Keep records of your policy review and the changes

What the auditor will check

The auditor is going to check a number of areas for compliance with Annex A 5.1. Lets go through them

1. That you can link policy to requirements

What this means is that you need to show that your policies are linked

to the business strategy, which you recorded and evidenced in the ISO 27001 organisation overview template.
to the law, regulations and contracts , which you recorded in the ISO 27001 legal register.
to risks, which you recorded in your ISO 27001 risk register.

2. That your policy includes required statements

For the main ISO 27001 information security policy there are some required statements that need to be included. You need to

define information security and the confidentiality, integrity and availability definition
include your information security objectives
include principles that will guide on information security activities activities
include a commitment to satisfy applicable requirements related to information security
have a commitment to continually improving your information security management system
assign responsibilities for information security management to defined roles
cover how you handle exemptions and exceptions.

3. That top management approved the policy

The audit will look to see that the main ISO 27001 information security policy and the topic specific policies have been approved and signed off by top management. The level will have been defined in your ISO 27001 Roles and Responsibilities Template document in line with ISO 27001 Annex A 5.2 Roles and Responsibilities

How to audit ISO 27001 Annex A 5.1 Policies

These are the practical audit steps that you can take to audit ISO 27001 policies. This is what the ISO 27001 certification auditor will check.

1. Review the Information Security Policy

Examine the policy’s scope, objectives, and commitment to information security.
Verify that it addresses confidentiality, integrity, and availability of information.
Check for alignment with organisational goals, risk assessments, and legal/regulatory requirements.

2. Assess Supporting Policies

Review supporting policies (e.g., access control, data classification, incident response).
Ensure consistency and alignment with the overarching information security policy.
Check for completeness, clarity, and relevance to the organisation’s specific needs.

3. Evaluate Policy Communication and Dissemination

Verify methods used to communicate and disseminate policies to employees (e.g., intranet, email, workshops).
Assess the effectiveness of communication channels in reaching all relevant personnel.
Check for evidence of employee acknowledgement of policy understanding.

4. Examine Policy Implementation and Enforcement

Observe how policies are integrated into daily business processes and activities.
Interview employees to understand their awareness and adherence to policies.
Check for evidence of consistent enforcement of policies across the organisation.

5. Review Policy Exception Handling

Assess the process for evaluating and approving requests for exceptions to policies.
Verify that exceptions are properly documented, justified, and reviewed.
Check for consistency and fairness in the handling of exception requests.

6. Analyse Policy Review and Updates

Examine the frequency and effectiveness of policy reviews.
Verify that policies are updated to address changes in technology, threats, and business needs.
Check for documentation of policy changes and approvals.

7. Assess Policy Compliance Monitoring

Review the methods used to monitor compliance with information security policies (e.g., audits, reviews, incident reports).
Evaluate the effectiveness of monitoring activities in identifying and addressing non-compliance.
Check for corrective and preventive actions taken to address identified issues.

8. Interview Key Personnel

Conduct interviews with key personnel involved in policy development, implementation, and enforcement (e.g., senior management, information security officers, employees). Gather their perspectives on the effectiveness and relevance of information security policies.

9. Check for Compliance with Legal and Regulatory Requirements

Verify that information security policies comply with all applicable laws and regulations.
Assess the organisation’s ability to demonstrate compliance with relevant legal and regulatory requirements.

10. Evaluate Overall Effectiveness

Assess the overall effectiveness of the information security policy framework in achieving its objectives.
Identify areas for improvement and make recommendations for enhancing the effectiveness of the policy framework.

Top 3 Mistakes People Make and How To Avoid Them

In my experience, the top 3 mistakes people make for ISO 27001 Policies for Information Security are

1. You have no evidence that anything actually happened

You need to keep records and minutes of everything. You need a paper trail to show it was done. Make sure you have updated communication plans, minutes of meetings, records of acknowledgement, records of approval. If it isn’t written down it didn’t happen.

2. One or more members of your team haven’t done what they should have done

Prior to the audit check that all members of the team have done what they should have. Do they know where the policies are? Have they acknowledged them? Did someone join last month and forget to do it? Check!

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.

ISO 27001 Annex A 5.1 Policies FAQ

What policies do I need for ISO 27001?

The list of policies you need can be found here in the High Table Ultimate Guide to ISO 27001 Policies.

What is the purpose of an Information Security Policy?

The primary purpose is to establish a framework for managing information security within an organisation. It outlines the organisation’s commitment to protecting its information assets from various threats.

How do I decide which policies I need for ISO 27001?

You decide what policies you need by first completing your ISO 27001 Statement of Applicability and then identify in conjunction with the ISO 27001 standard the required policies for your implementation.

Where is a list of required policies for ISO 27001?

The list of policies you need can be found here in the High Table Ultimate Guide to ISO 27001 Policies.

Are there free policy templates for ISO 27001?

There are policy templates for ISO 27001 Annex A 5.1 located in the High Table ISO 27001 Policy Templates Toolkit.

How do I download an ISO 27001 policy template example PDF?

All of the ISO 27001 Policies have free, example PDF’s that you can download in the the High Table ISO 27001 Policy Templates Toolkit.

Do I have to satisfy ISO 27001 Annex A 5.1 for ISO 27001 Certification?

Yes. Whilst the ISO 27001 Annex A clauses are for consideration to be included in your ISO 27001 Statement of Applicability there is no reason we can think of that would allow you to exclude ISO 27001 Annex A 5.1. Policies are a fundamental part of any governance, risk and compliance framework. They are a fundamental part of any information security management system. They are explicitly required for ISO 27001.

Can I write polices for ISO 27001 myself?

Yes. You can write the policies for ISO 27001 Annex A 5.1 yourself. You will need a copy of the standard and approximately 3 months of time to do it. It would be advantageous to have a background in information security management systems. Alternatively you can download the ISO 27001 Policy Templates Toolkit.

Where can I get policy templates for ISO 27001 Annex A 5.1?

ISO 27001 templates for ISO 27001 Annex A 5.1 are located in the High Table ISO 27001 Policy Templates Toolkit.

How hard is ISO 27001 Annex A 5.1?

ISO 27001 Annex A 5.1 is not particularly hard. It can take a lot of time if you are doing it yourself but it is not technically very hard. Policies are statements of what you do so as long as you know what you do, or will do, you are in a good place. We would recommend templates to fast track your implementation.

How long will ISO 27001 Annex A 5.1 take me?

ISO 27001 Annex A 5.1 will take approximately 3 months to complete if you are starting from nothing and doing it yourself. With an ISO 27001 Policy Template bundle it should take you less than 1 day.

How much will ISO 27001 Annex A 5.1 cost me?

The cost of ISO 27001 Annex A 5.1 will depend how you go about it. If you do it yourself it will be free but will take you about 3 months so the cost is lost opportunity cost as you tie up resource doing something that can easily be downloaded. If you download an ISO Policy Template toolkit then you are looking at a couple of hundred pounds / dollars.

Why is ISO 27001 Policies for Information Security Important?

ISO 27001 Annex A 5.1 Information Security Policies is important because people need to know what is expected of them. Policies are statements of what you do. They are not statements of how you do it. How you do it is covered in process documents.
The policies tell people what is expected of them and what they should do.
From a HR perspective you have no come back if someone does something wrong unless you have told them what they should do right and the consequences for getting it wrong.
If you don’t tell me, I don’t know.
No matter how simple, straightforward, obvious or common sense YOU think it is, someone, somewhere will disagree and there is nothing you can do about it unless you have told them.

Who is responsible for ISO 27001 Policies for Information Security?

The senior leadership team is responsible for the information security policies. As the policies set out the direction and what must be done it is the responsibility of the senior leadership to set and agree that direction.

What are the benefits of ISO 27001 Policies for Information Security?

The following are benefits of implementing ISO 27001 Annex A 5.1:
1. Improved security: People will know what is expected of them reducing the likelihood and impact of an attack
2. Reduced risk: Having direction on how you do things will reduce risk
3. Improved compliance: Standards and regulations require information security policies to be in place
4. Reputation Protection: In the event of a breach having effective policies will reduce the potential for fines and reduce the PR impact of an event

What are the key elements of an Information Security Policy?

The key elements of an information security policy are:
Scope: Defines the boundaries of the policy (e.g., which parts of the organisation, types of information).
Objectives: States the desired outcomes of the information security program (e.g., confidentiality, integrity, availability).
Responsibilities: Clearly defines the roles and responsibilities of management, employees, and other stakeholders.
Compliance: Outlines compliance with relevant laws, regulations, and standards (e.g., GDPR, PCI DSS).

How many policies are required for ISO 27001?

ISO 27001 doesn’t specify a specific number of policies. It requires an overarching Information Security Policy and supporting policies as needed to address identified risks.

What are some examples of supporting policies?

Examples of support ISO 27001 policies include:
1. Access Control Policy
2. Data Classification Policy
3. Incident Response Policy
4. Remote Access Policy
5. Bring Your Own Device (BYOD) Policy
6. Email Security Policy
7. Social Media Policy

How should policies be communicated and disseminated?

There are many ways to communicate policies. Common examples include:
1. Intranet
2. Email
3. Workshops/Training Sessions
4. Employee Handbooks
5. Meetings
6. Posters
7. Security Awareness Campaigns

How do I ensure employee understanding and acknowledgement of policies?

To ensure employees understand and acknowledge policies:
1. Require employees to sign acknowledgement forms.
2. Incorporate policy awareness into training programs.
3. Use online training modules with quizzes to test understanding.

How often should policies be reviewed and updated?

At least annually, or more frequently if there are significant changes (e.g., new technologies, regulatory updates, security incidents).

What happens if an employee violates an information security policy?

Disciplinary action may be taken, depending on the severity of the violation. Consequences can range from warnings to termination of employment.

How can I ensure that policies are integrated into business processes?

Integrating policies into business processes is achieved by:
1. Develop standard operating procedures (SOPs) that incorporate security controls.
2. Provide regular training and guidance to employees on how to implement policies in their daily work.
3. Conduct regular audits and assessments to monitor compliance.

What are the benefits of having a strong information security policy framework?

The following are benefits of having an information security policy framework in place:
1. Reduced risk of data breaches and cyberattacks
2. Improved data protection and compliance
3. Enhanced organisational reputation and trust
4. Increased employee awareness and security-conscious behaviour
5. Improved operational efficiency and productivity

What is the difference between ISO 27001 Annex A 5.1 and ISO 27002 Control 5.1?

ISO 27001 Annex A 5.1 is the information security control requirement of the ISO 27001 standard for ISO 27001 certification. ISO 27002 Control 5.1 is the implementation guidance for the control.

Are Policies for Information Security required for ISO 27001 certification?

Yes, ISO 27001 Annex A 5.1 Policies for Information Security is a required information security control for ISO 27001 certification.

The complete guide to ISO/IEC 27002:2022

ISO 27001 Policies Ultimate Guide

ISO 27001 Information Security Policy Beginner’s Guide

ISO 27001 Annex A 5.36 Compliance With Policies, Rules And Standards For Information Security

Controls and Attribute Values

Control type	Information security properties	Cybersecurity concepts	Operational capabilities	Security domains
Preventive	Confidentiality	Identify	Governance	Governance and Ecosystem
	Integrity			Resilience
	Availability

Tags: Availability Confidentiality Governance Governance and Ecosystem Integrity Preventive Resilience

Stuart Barker
ISO 27001 Expert and Thought Leader

ISO 27001 Jumpstart Kit

ISO 27001 Consultant Toolkit

About the author

Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business that he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is an active and a hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2 and his niche is start up and early stage business.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
wp_woocommerce_session_*	2 days	WooCommerce sets this cookie to make a unique code for each customer so that it knows where to find the cart data in the database for each one.
yith_wcmcs_currency	7 days	Required for currency conversion.
__stripe_mid	1 year	Stripe sets this cookie to process payments.
__stripe_sid	1 hour	Stripe sets this cookie to process payments.

Cookie	Duration	Description
yt-player-headers-readable	never	The yt-player-headers-readable cookie is used by YouTube to store user preferences related to video playback and interface, enhancing the user's viewing experience.
yt-remote-cast-available	session	The yt-remote-cast-available cookie is used to store the user's preferences regarding whether casting is available on their YouTube video player.
yt-remote-cast-installed	session	The yt-remote-cast-installed cookie is used to store the user's video player preferences using embedded YouTube video.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-fast-check-period	session	The yt-remote-fast-check-period cookie is used by YouTube to store the user's video player preferences for embedded YouTube videos.
yt-remote-session-app	session	The yt-remote-session-app cookie is used by YouTube to store user preferences and information about the interface of the embedded YouTube video player.
yt-remote-session-name	session	The yt-remote-session-name cookie is used by YouTube to store the user's video player preferences using embedded YouTube video.
ytidb::LAST_RESULT_ENTRY_KEY	never	The cookie ytidb::LAST_RESULT_ENTRY_KEY is used by YouTube to store the last search result entry that was clicked by the user. This information is used to improve the user experience by providing more relevant search results in the future.

Cookie	Duration	Description
sbjs_current	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_current_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_migrations	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_session	1 hour	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_udata	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.

Cookie	Duration	Description
PREF	8 months	PREF cookie is set by Youtube to store user preferences like language, format of search results and other customizations for YouTube Videos embedded in different sites.
VISITOR_INFO1_LIVE	6 months	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA	6 months	YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
m	1 year 1 month 4 days	No description available.
_monsterinsights_uj	1 year	Description is currently not available.

ISO 27001 Annex A 5.1: Policies for Information Security

The Ultimate Guide to ISO 27001 Policies

Table of contents

What are ISO 27001 Policies?