ISO27001 Annex A 5.1 Policies Beginner’s Guide

ISO27001 Annex A 5.1 Policies Beginner’s Guide

ISO27002: 2022 Clause 5.1 Policies

In this article I lay bare ISO27001 Annex A 5.1 / ISO27002:2022 Clause 5.1 Policies.

A beginners guide, exposing the insider trade secrets, giving you the templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO27001 certification. We show you exactly what changed in the ISO27001:2022 update. I am Stuart Barker the ISO27001 Ninja and this is ISO27001 Annex A 5.6

ISO 27001 Annex A 5.1 Policies Beginner's Guide

What is ISO27001 Annex A 5.1?

ISO27001 Annex A 5.1 Information Security Policies is an ISO27002: 2022 control that requires an organisation to have an information security policy and topic specific policies in place, communicated, reviewed and acknowledged.

I like this change from the old ISO27001: 2013 version as it calls out explicitly now that a pack or suite of policies will be required rather than just the headline information security policy.

ISO27001 Annex A 5.1 Definition

The ISO27001 standard defines ISO27001 Annex A 5.1 Information Security Policies as:

Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.

ISO27001 Annex A 5.1

ISO27001 Annex A 5.1 Implementation Guide

You are going to have to

  • work out what policies you actually require
  • write them
  • sign them off
  • publish them
  • have them acknowledged by staff
  • review them at regular intervals

The absolute best way to do this is download the prewritten ISO27001 Policy Pack and follow the guide on How To Implement Policies.

If you are resolutely dead set on going through the pain of this yourself you are going to need copies of the relevant standards for information security, about 1 to 2 months of your life dedicated to this and a lot, and I mean a lot, of patience.

ISO27001 Annex A 5.1 Templates

If you want to write these yourself I totally commend you. And pity you in equal measure. There are over 25 information security policies and you can could save months of effort with these templates that take 25 years of experience and distill it in a pack of prewritten best practice awesomeness.

ISO27001 Policy Templates Pack Green

How to comply with ISO27001 Annex A 5.1

To comply with ISO27001 Annex A 5.1 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to

  • Write an information security policy
  • Supplement that information security policy with topic specific policies
  • Ensure your policies are classified and have document mark up
  • Have the policies approved by management and have evidence of that happening
  • Publish the policies to a place everyone that needs to see them can see them
  • Tell those people where those policies are
  • Communicate your policies as part of your communication plan and document you did it
  • Get people to acknowledge the policies and keep evidence that they have
  • Plan to review your policies at least annually or if significant change occurs
  • Keep records of your policy review and the changes

How to pass an audit of ISO27001 Annex A 5.1

To pass an audit of ISO27001 Annex A 5.1 you are going to make sure that you have followed the steps above in how to comply.

You are going to do that by first conducting an internal audit, following the How to Conduct an ISO27001 Internal Audit Guide.

What will an audit check?

The audit is going to check a number of areas. Lets go through them

What this means is that you need to show that your policies are linked

  • to the law, regulations and contracts (which you recorded in the legal register).

#2 That your policy includes required statements

For the main information security policy there are some required statements that need to be included. You need to

  • define information security and the confidentiality, integrity and availability definition
  • include your information security objectives
  • include principles that will guide on information security activities activities
  • include a commitment to satisfy applicable requirements related to information security
  • have a commitment to continually improving your information security management system
  • assign responsibilities for information security management to defined roles
  • cover how you handle exemptions and exceptions.

#3 That top management approved the policy

Top 3 Annex ISO27001 A 5.1 Mistakes People Make

The top 3 Mistakes People Make For ISO27001 Annex A 5.1 are

#1 You have no evidence that anything actually happened

You need to keep records and minutes of everything. You need a paper trail to show it was done. Make sure you have updated communication plans, minutes of meetings, records of acknowledgement, records of approval. If it isn’t written down it didn’t happen.

#2 One or more members of your team haven’t done what they should have done

Prior to the audit check that all members of the team have done what they should have. Do they know where the policies are? Have they acknowledged them? Did someone join last month and forget to do it? Check!

#3 Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.

Why is ISO27001 Annex A 5.1 Important?

ISO27001 Annex A 5.1 Information Security Policies is important because people need to know what is expected of them. Policies are statements of what you do. They are not statements of how you do it. How you do it is covered in process documents.

The policies tell people what is expected of them and what they should do.

From a HR perspective you have no come back if someone does something wrong unless you have told them what they should do right and the consequences for getting it wrong.

If you don’t tell me, I don’t know.

No matter how simple, straightforward, obvious or common sense YOU think it is, someone, somewhere will disagree and there is nothing you can do about it unless you have told them.

ISO27001 Policies Ultimate Reference Guide

ISO27001 Policy Templates

How to deploy and implement ISO27001 Policies Video Tutorial

How to deploy and implement ISO 27001 policies

ISO27001 Annex A 5.1 FAQ

What policies do I need for ISO27001 Annex A 5.1?

The list of policies you need can be found here:

How do I decide which policies I need for ISO27001 Annex A 5.1?

You decide what policies you need by first completing your Statement of Applicability and then identify in conjunction with the ISO27001 standard the required policies for your implementation.

Where is a list of required policies for ISO27001 Annex A 5.1?

The list of policies you need can be found here:

Are there free templates for ISO27001 Annex A 5.1?

There are templates for ISO27001 Annex A 5.1 located here:

ISO27001 Annex A 5.1 sample PDF?

ISO27001 Annex A 5.1 Sample PDF:

Do I have to satisfy ISO27001 Annex A 5.1 for ISO27001 Certification?

Yes. Whilst the ISO27001 Annex A clauses are for consideration to be included in your Statement of Applicability there is no reason we can think of that would allow you to exclude ISO27001 Annex A 5.1. Policies are a fundamental part of any governance, risk and compliance framework. They are a fundamental part of any information security management system. They are explicitly required for ISO27001.

Can I write polices for ISO27001 Annex A 5.1 myself?

Yes. You can write the policies for ISO27001 Annex A 5.1 yourself. You will need a copy of the standard and approximately 3 months of time to do it. It would be advantageous to have a background in information security management systems. Alternatively you can download them here:

Where can I get templates for ISO27001 Annex A 5.1?

ISO27001 templates for ISO27001 Annex A 5.1 are located here:

How hard is ISO27001 Annex A 5.1?

ISO27001 Annex A 5.1 is not particularly hard. It can take a lot of time if you are doing it yourself but it is not technically very hard. Policies are statements of what you do so as long as you know what you do, or will do, you are in a good place. We would recommend templates to fast track your implementation.

How long will ISO27001 Annex A 5.1 take me?

ISO27001 Annex A 5.1 will take approximately 3 months to complete if you are starting from nothing and doing it yourself. With an ISO27001 Policy Template bundle it should take you less than 1 day.

How much will ISO27001 Annex A 5.1 cost me?

The cost of ISO27001 Annex A 5.1 will depend how you go about it. If you do it yourself it will be free but will take you about 3 months so the cost is lost opportunity cost as you tie up resource doing something that can easily be downloaded. If you download an ISO Policy Template toolkit then you are looking at a couple of hundred pounds / dollars.

Matrix of controls and attribute values

Control typeInformation
security properties
Security domains

See Also


ISO/IEC 27001 Information Security Management

ISO 27001 Templates Toolkit Business Edition Black
ISO27001 Policy Templates Pack Green

FREE 30 minute ISO27001 strategy session.

Claim your 100% FREE no-obligation 30 minute strategy session call (£1000 value). This is strictly for small businesses who are hungry to get ISO27001 certified up to 10x faster and 30x cheaper.

ISO27001 Certification Stragey Call
Shopping Cart