Making sure your business follows its own rules for security. It means everyone must obey the policies and standards that protect important information. This helps keep data safe from harm, loss, or theft.
Examples
- Employee training: An employee learns to spot a fake email (phishing) because the company’s security policy requires training.
- Password rules: A worker creates a strong password for a new account because the company has a policy that all passwords must be complex.
- Access control: A manager only lets certain people view sensitive files, as stated in the company’s security rules.
Context
This control is about putting your security plan into action. You can have great rules on paper, but they won’t work unless people actually follow them. This requires clear policies, training for all staff, and a way to check that everyone is doing what they should. It ensures that security is a part of daily work, not just a plan that sits on a shelf.
Relevant ISO 27001 Controls
The following controls from the ISO/IEC 27001:2022 standard are related to compliance with standards and policies:
- ISO 27001:2022 Annex A 5.1: Policies for Information Security: This is the main control that says an organization must have security policies. It’s the “what” that the compliance control is the “how” to.
- ISO 27001:2022 Annex A 6.3: Information Security Awareness Education and Training: This control is about teaching people how to follow the security policies. It is a key part of making sure compliance happens.
- ISO 27001:2022 Annex A 8.1: User Endpoint Device Security: This control deals with securing computers, phones, and other devices people use. It often includes policies that people must follow to keep their devices safe.
- ISO 27001:2022 Annex A 5.15 Access Control: This control focuses on managing who can access what information. It is directly tied to the policies that a user must comply with to gain and keep access.