ISO 27001 Policies: Briefing on Compliance & Annex A 5.1

Briefing on ISO 27001:2022 Policies and Compliance

ISO 27001 policies under the 2022 standard are fundamental strategic assets, not merely operational burdens. A robust policy framework is the foundation of an effective Information Security Management System (ISMS), transforming security from a reactive cost centre into a proactive business enabler. This guide outlines how to structure, implement, and maintain policies to provide a commercial advantage, accelerate revenue, and enhance corporate reputation.

The 2022 version of the standard, particularly through Clause 5.2 and Annex A 5.1, mandates a specific two-tiered policy structure. This consists of a high-level, overarching Information Security Policy that sets the tone from top management, and a suite of modular, Topic-Specific Policies. Successful certification hinges on a rigorous lifecycle: development, review, approval, communication, and acknowledgement.

Briefing on ISO 27001:2022 Policies and Compliance
The Strategic Role of ISO 27001 Policies
- From Compliance Burden to Competitive Advantage
- The Five Pillars of Strategic Value
The ISO 27001:2022 Policy Framework
- Core Distinction: Policy vs. Procedure
- Policy Hierarchy and Architecture
Implementation and Lifecycle Management
- A Step-by-Step Implementation Plan
Audit Preparedness and Key Evidence
- The Auditor’s Checklist
- Top 3 Common Pitfalls to Avoid
Ensuring Ongoing Compliance: ISO 27001 Annex A 5.36
- The Review Process

The Strategic Role of ISO 27001 Policies

ISO 27001 policies are the bedrock of an ISMS, providing formal direction and commitment from leadership. When implemented effectively, this framework transcends a simple compliance exercise to become a competitive differentiator.

From Compliance Burden to Competitive Advantage

A well-structured policy framework moves information security from a reactive function to a proactive business enabler. The primary benefits include:

Commercial Advantage: Policies are frequently requested during sales cycles and client due diligence. A comprehensive framework removes friction from the sales process.
Enhanced Reputation: Independent verification through ISO 27001 certification instils trust in customers and stakeholders.
Accelerated Growth: A robust security posture, clearly articulated through policies, leads to a more fortified market position.

The Five Pillars of Strategic Value

Effective policies deliver tangible value by:

Setting Clear Expectations: Establishing a consistent security baseline and removing ambiguity for staff.
Reducing Risk: Mitigating incidents caused by human error through clear guidance.
Ensuring Compliance: Meeting mandatory requirements for ISO 27001 and other legal or contractual obligations.
Protecting Reputation: Reducing potential fines and mitigating negative PR in the event of a breach.
Providing HR Recourse: Establishing a formal basis for disciplinary action. As the adage goes, “If you don’t tell me, I don’t know.”

The ISO 27001:2022 Policy Framework

The standard outlines a clear structure for an organisation’s policy dossier. A critical distinction is made between high-level strategic intent and detailed operational instructions.

Core Distinction: Policy vs. Procedure

A fundamental concept is the separation of policies from procedures. This strategic distinction allows policies to be shared with external parties (auditors, clients) without revealing sensitive internal operational details.

Policy: A high-level statement of what must be done and why. It is a strategic directive from top management.
Procedure: A detailed set of steps detailing how something is done. It is the instruction manual for implementing the policy’s intent.

Policy Hierarchy and Architecture

The ISO 27001:2022 standard formalises a two-tiered approach:

Main Information Security Policy: The keystone document setting the overall tone, objectives, and leadership commitment.
Topic-Specific Policies: Modular policies providing detailed guidance on specific controls (e.g., Access Control, Cryptography). This allows for targeted communication where staff only receive relevant policies.

Feature	Main Information Security Policy	Topic-Specific Policy
Level of Detail	General or High-level	Specific and Detailed
Approval	Top Management	Appropriate Level of Management
Target Audience	All Employees/Stakeholders	Specific Roles/Departments

Implementation and Lifecycle Management

A structured, cyclical process is required to develop, deploy, and maintain policies effectively, ensuring they remain living documents integrated into the organisation’s culture.

A Step-by-Step Implementation Plan

Determine Required Policies: Identify necessary policies based on the Statement of Applicability and business risks.
Draft the Content: Write concise, principle-based documents.
Assign Clear Ownership: Designate a named individual as the owner for every policy to drive accountability.
Secure Management Approval: Obtain and document formal approval from top management (e.g., signed minutes).
Publish and Communicate: Make policies accessible (e.g., intranet) and execute a communication plan.
Obtain Staff Acknowledgement: Retain evidence that personnel have read and understood the policies.
Integrate and Train: Incorporate policies into HR onboarding and ongoing training.
Schedule Regular Reviews: Plan for reviews at least annually or upon significant change.

Audit Preparedness and Key Evidence

Auditors focus on objective evidence to verify that an organisation’s policy framework is implemented, enforced, and effective. They will scrutinise the framework to ensure policies are not “shelfware.”

The Auditor’s Checklist

Key areas of examination include:

Foundation and Linkage: Policies must link to business strategy, the legal register, and the risk register.
Management Approval: Signed meeting minutes or formal sign-off documents must prove leadership commitment.
Communication and Acknowledgement: Records must demonstrate dissemination and staff acknowledgement.
Implementation: Staff interviews and observations will confirm if policies are followed in daily operations.
Lifecycle Management: Document control records must show annual reviews and consistent versioning.
Exception Handling: A formal process for justifying and approving policy exceptions must be in place.

Top 3 Common Pitfalls to Avoid

Lack of Evidence: The auditor’s mantra is, “If it isn’t written down, it didn’t happen.”
Inconsistent Team Compliance: New starters often miss acknowledging policies. Ensure a pre-audit check of 100% staff acknowledgement.
Poor Document Control: Mismatched version numbers or review dates older than 12 months are red flags.

Ensuring Ongoing Compliance: ISO 27001 Annex A 5.36

ISO 27001 Annex A 5.36 requires that an organisation’s compliance with its own security policies is regularly reviewed. This is a preventative control designed to catch non-compliance or policy drift before it leads to a security incident.

The Review Process

Compliance reviews are an ongoing cycle, not a one-time event.

Frequency: Reviews must be planned periodically (recommended annually) and triggered by significant changes such as new legislation (e.g., GDPR) or new business ventures.
Execution: Reviews can be conducted by internal teams or third-party consultants. Strict independence is not required for 5.36, allowing for functional feedback.
Documentation: All findings must be formally recorded. Non-compliance must be fed into the corrective action process and risk register. A clear paper trail of review plans, findings, and remediation is non-negotiable audit evidence.

About the author

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.

Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.

As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.

His toolkits represents the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
wp_woocommerce_session_*	2 days	WooCommerce sets this cookie to make a unique code for each customer so that it knows where to find the cart data in the database for each one.
yith_wcmcs_currency	7 days	Required for currency conversion.
__stripe_mid	1 year	Stripe sets this cookie to process payments.
__stripe_sid	1 hour	Stripe sets this cookie to process payments.

Cookie	Duration	Description
yt-player-headers-readable	never	The yt-player-headers-readable cookie is used by YouTube to store user preferences related to video playback and interface, enhancing the user's viewing experience.
yt-remote-cast-available	session	The yt-remote-cast-available cookie is used to store the user's preferences regarding whether casting is available on their YouTube video player.
yt-remote-cast-installed	session	The yt-remote-cast-installed cookie is used to store the user's video player preferences using embedded YouTube video.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-fast-check-period	session	The yt-remote-fast-check-period cookie is used by YouTube to store the user's video player preferences for embedded YouTube videos.
yt-remote-session-app	session	The yt-remote-session-app cookie is used by YouTube to store user preferences and information about the interface of the embedded YouTube video player.
yt-remote-session-name	session	The yt-remote-session-name cookie is used by YouTube to store the user's video player preferences using embedded YouTube video.
ytidb::LAST_RESULT_ENTRY_KEY	never	The cookie ytidb::LAST_RESULT_ENTRY_KEY is used by YouTube to store the last search result entry that was clicked by the user. This information is used to improve the user experience by providing more relevant search results in the future.

Cookie	Duration	Description
sbjs_current	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_current_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_migrations	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_session	1 hour	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_udata	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.

Cookie	Duration	Description
PREF	8 months	PREF cookie is set by Youtube to store user preferences like language, format of search results and other customizations for YouTube Videos embedded in different sites.
VISITOR_INFO1_LIVE	6 months	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA	6 months	YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
m	1 year 1 month 4 days	No description available.
_monsterinsights_uj	1 year	Description is currently not available.

ISO 27001 Policies Compliance Briefing