Part 24 - Clause A5.1 Information security policies
The controls listed in Annex A of ISO 27001 are just great.
They essentially tell you what you should do to minimise (or eliminate) the risks associated with your information security management system (ISMS).
For me, one of the reasons I highly recommend certification to ISO 27001 is the power of the controls listed in Annex A.
So let’s get started with Annex A5.
A.5.1 Management direction for information security
As with most standards, getting Management “buy-in” and setting a managerial direction is key to a successful implementation of your ISMS.
In the second blog I described how to create, establish and implement a policy. The main takeaways were:
- The Policy must be communicated, understood and applied.
- Management needs to show commitment to the Policy.
- Commitment needs to be shown at all levels of the organisation.
- The Policy does not need to be complicated.
Here at Mango, our manual simply links through to the information security policy that was created in Part 15 of this series.
The second part of A5 is that the policies need to be reviewed at planned intervals or if significant changes occur.
Again, here at Mango we created an event to review the information security policy annually, checking the suitability, adequacy and effectiveness of the policy.
Meeting this clause is easy. You have done the work already in Parts 14 and 15.
- Just link this section to the policy created previously.
- Set an event to review the policy (typically an annual review is fine).
View previous blogs in this series "ISO 27001 Information Security Management Standard":